From: Fiete Ostkamp Date: Mon, 23 Jun 2025 11:05:46 +0000 (+0200) Subject: [SO] update cnf-adapter X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=refs%2Fheads%2Fmaster;hp=8c26e59d30a185186cf33988a0dbb859409f73eb [SO] update cnf-adapter - update cnf-adapter + cnfm-lcm (1.12.3 -> 1.13.0) - this release brings tracing for the cnf-adapter service - do not export traces for scheduled dns lookups and client checks in openstack-adapter and sdc-controller Issue-ID: SO-4178 Change-Id: I3f74eeea418d79a85fbcd2682ac3068b16a85111 Signed-off-by: Fiete Ostkamp --- diff --git a/.ci/check-bashisms.sh b/.ci/check-bashisms.sh index 0915725bae..8fc43aadf7 100755 --- a/.ci/check-bashisms.sh +++ b/.ci/check-bashisms.sh @@ -25,7 +25,7 @@ fi find . -not -path '*/.*' -name '*.sh' -exec checkbashisms {} + || exit 3 find . -not -path '*/.*' -name '*.failover' -exec checkbashisms -f \{\} + || exit 4 -! find . -not -path '*/.*' -name '*.sh' -exec grep 'local .*=' {} + || exit 5 +# ! find . -not -path '*/.*' -name '*.sh' -exec grep 'local .*=' {} + || exit 5 ! find . -not -path '*/.*' -name '*.failover' -exec grep 'local .*=' {} + || exit 6 exit 0 diff --git a/.gitignore b/.gitignore index bb11f06df9..e7726292f1 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ kubernetes/common/dist/* Chart.lock **/charts/*.tgz *.orig +*_build # AAI Schema **/schema/* diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 980093a7a5..8fc05aff2c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,18 +1,18 @@ --- repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.0.1 + rev: v5.0.0 hooks: - id: trailing-whitespace #exclude: '^ordmodels/' - repo: https://github.com/jorisroovers/gitlint - rev: v0.17.0 + rev: v0.19.1 hooks: - id: gitlint stages: [commit-msg] - repo: https://github.com/Lucas-C/pre-commit-hooks - rev: v1.1.10 + rev: v1.5.5 hooks: - id: remove-tabs - stages: [commit] + stages: [pre-commit] exclude: '^(.git/|docs/make.bat|.*/Makefile$)' diff --git a/.readthedocs.yaml b/.readthedocs.yaml index 40e9e991d2..78491afc51 100644 --- a/.readthedocs.yaml +++ b/.readthedocs.yaml @@ -7,15 +7,15 @@ version: 2 build: - image: latest + os: ubuntu-20.04 + tools: + python: "3.8" + apt_packages: + - graphviz python: - version: 3.7 install: - requirements: docs/requirements-docs.txt -submodules: - include: all - sphinx: - configuration: docs/conf.py \ No newline at end of file + configuration: docs/conf.py diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index e16772ddc1..f736f079e4 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -19,36 +19,41 @@ limitations under the License. Thanks for taking the time to contribute to OOM! Please see some information on how to do it. -## How to become a contributor and submit your own code +## Local setup -### Environment setup -In order to be able to check on your side before submitting, you'll need to install some binaries: +### Install helm-push plugin -* helm (satisfying the targeted version as seen in [setup guide]( -docs/oom_cloud_setup_guide.rst#software-requirements)). -* chartmuseum (in order to push dependency charts) -* helm push (version 0.10.1 as of today) -* make +In order to push locally built charts to chartmuseum, the `helm-push` plugin must be installed. You can do that with: -### Linting and testing -OOM uses helm linting in order to check that the template rendering is correct with default values. +```sh +$ helm plugin install https://github.com/chartmuseum/helm-push +Downloading and installing helm-push v0.10.4 ... +https://github.com/chartmuseum/helm-push/releases/download/v0.10.3/helm-push_0.10.4_linux_amd64.tar.gz +Installed plugin: cm-push +``` -The first step is to start chartmuseum: +### Run chartmuseum ``` shell -nohup chartmuseum --storage="local" --storage-local-rootdir="/tmp/chartstorage" \ - --port 6464 & +mkdir -p charts && docker-compose up ``` or ``` shell -docker-compose up +nohup chartmuseum --storage="local" --storage-local-rootdir="/tmp/chartstorage" \ + --port 6464 & ``` -then you add a `local` repository to helm: +### Add a `local` chart repository + +OOM contains `make` files that build the charts and push them to the local chartmuseum. +For that to work, helm needs to know about the `local` helm repository. ```shell -helm repo remove local || helm repo add local http://localhost:6464 +helm repo remove local; helm repo add local http://localhost:6464 ``` +### Linting and testing +OOM uses helm linting in order to check that the template rendering is correct with default values. 
+ As full rendering may be extremely long (~9h), you may only want to lint the common part and the component you're working on. Here's an example with AAI: ```shell diff --git a/INFO.yaml b/INFO.yaml index f9244ec2ac..47f6da4fe6 100644 --- a/INFO.yaml +++ b/INFO.yaml @@ -31,6 +31,11 @@ repositories: - 'oom' committers: - <<: *onap_releng_ptl + - name: 'Fiete Ostkamp' + email: 'fiete.ostkamp@telekom.de' + id: 'fostkamp' + company: 'Deutsche Telekom' + timezone: 'Europe/Berlin' - name: 'Mike Elliott' email: 'mike.elliott@amdocs.com' id: 'melliott' @@ -89,3 +94,7 @@ tsc: name: 'Andreas Geissler' # yamllint disable-line rule:line-length link: 'https://wiki.onap.org/display/DW/Committer+Promotion+Request+for+%5BOOM%5D+%3A+Andreas+Geissler' + - type: 'Addition' + name: 'Fiete Ostkamp' + # yamllint disable-line rule:line-length + link: 'https://lists.onap.org/g/onap-tsc/message/9600' diff --git a/TOSCA/ONAP_TOSCA/onap_tosca.yaml b/TOSCA/ONAP_TOSCA/onap_tosca.yaml index e63901d35f..46e6ffa966 100644 --- a/TOSCA/ONAP_TOSCA/onap_tosca.yaml +++ b/TOSCA/ONAP_TOSCA/onap_tosca.yaml 
@@ -50,7 +50,7 @@ node_templates: chart-version: { get_input: chart-version } namespace: { get_input: namespace } stable-repo-url: { get_input: stable-repo-url} - config: '{ "aaf": {"enabled": false}, "aai": {"enabled": false}, "appc": {"enabled": false}, "clamp": {"enabled": false}, "cli": {"enabled": false}, "consul": {"enabled": false}, "dcaegen2": {"enabled": false}, "dmaap": {"enabled": false}, "log": {"enabled": false}, "sniro-emulator": {"enabled": false}, "msb": {"enabled": false}, "multicloud": {"enabled": false}, "nbi": {"enabled": false}, "oof": {"enabled": false}, "policy": {"enabled": false}, "pomba": {"enabled": false}, "portal": {"enabled": false}, "robot": {"enabled": false}, "sdc": {"enabled": false}, "sdnc": {"enabled": false}, "so": {"enabled": false}, "uui": {"enabled": false}, "vfc": {"enabled": false}, "vid": {"enabled": false}, "vnfsdk": {"enabled": false} }' + config: '{ "aaf": {"enabled": false}, "aai": {"enabled": false}, "clamp": {"enabled": false}, "cli": {"enabled": false}, "consul": {"enabled": false}, "dcaegen2": {"enabled": false}, "dmaap": {"enabled": false}, "log": {"enabled": false}, "sniro-emulator": {"enabled": false}, "msb": {"enabled": false}, "multicloud": {"enabled": false}, "nbi": {"enabled": false}, "oof": {"enabled": false}, "policy": {"enabled": false}, "pomba": {"enabled": false}, "portal": {"enabled": false}, "robot": {"enabled": false}, "sdc": {"enabled": false}, "sdnc": {"enabled": false}, "so": {"enabled": false}, "uui": {"enabled": false}, "vfc": {"enabled": false}, "vnfsdk": {"enabled": false} }' aaf: type: onap.nodes.component 
@@ -80,20 +80,6 @@ node_templates: - type: cloudify.relationships.connected_to target: onap_env - appc: - type: onap.nodes.component - properties: - tiller-server-ip: { get_input: tiller-server-ip } - tiller-server-port: { get_input: tiller-server-port } - component-name: appc - chart-repo-url: { get_input: chart-repo-url } - chart-version: { get_input: chart-version } - namespace: { get_input: namespace } - stable-repo-url: { get_input: stable-repo-url} - relationships: - - type: cloudify.relationships.connected_to - target: onap_env - clamp: type: onap.nodes.component properties: @@ -389,20 +375,6 @@ node_templates: - type: cloudify.relationships.connected_to target: onap_env - vid: - type: onap.nodes.component - properties: - tiller-server-ip: { get_input: tiller-server-ip } - tiller-server-port: { get_input: tiller-server-port } - component-name: vid - chart-repo-url: { get_input: chart-repo-url } - chart-version: { get_input: chart-version } - namespace: { get_input: namespace } - stable-repo-url: { get_input: stable-repo-url} - relationships: - - type: cloudify.relationships.connected_to - target: onap_env - vnfsdk: type: onap.nodes.component properties: diff --git a/kubernetes/aaf/components/aaf-fs/.helmignore b/archive/cli/.helmignore similarity index 100% rename from kubernetes/aaf/components/aaf-fs/.helmignore rename to archive/cli/.helmignore diff --git a/archive/cli/Chart.yaml b/archive/cli/Chart.yaml new file mode 100644 index 0000000000..956a923e0d --- /dev/null +++ b/archive/cli/Chart.yaml 
@@ -0,0 +1,34 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Command Line Interface +name: cli +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/cli/resources/configuration/lighttpd.conf b/archive/cli/resources/configuration/lighttpd.conf new file mode 100644 index 0000000000..f1735a1e5d --- /dev/null +++ b/archive/cli/resources/configuration/lighttpd.conf 
@@ -0,0 +1,44 @@ +{{/* +# Copyright 2018 Huawei Technologies Co., Ltd. +# Copyright 2021 Huawei Technologies Co., Ltd. +# Modifications Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +server.document-root = "/var/www-data/servers/open-cli/" +server.username = "www-data" +server.groupname = "www-data" +server.port = {{ .Values.containerPort }} + +mimetype.assign = ( + ".html" => "text/html", + ".txt" => "text/plain", + ".jpg" => "image/jpeg", + ".png" => "image/png" +) + +index-file.names = ( "index.html" ) +dir-listing.activate = "disable" + + +server.modules = ( + "mod_access", + "mod_proxy", + "mod_alias", + "mod_compress", + "mod_redirect" +) + +server.errorlog = "/var/log/lighttpd/error.log" +server.pid-file = "/var/run/lighttpd.pid" diff --git a/archive/cli/templates/configmap.yaml b/archive/cli/templates/configmap.yaml new file mode 100644 index 0000000000..a4c636f0e4 --- /dev/null +++ b/archive/cli/templates/configmap.yaml 
@@ -0,0 +1,22 @@ +{{/* +# Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: +{{ tpl (.Files.Glob "resources/configuration/*").AsConfig . | indent 2 }} diff --git a/archive/cli/templates/deployment.yaml b/archive/cli/templates/deployment.yaml new file mode 100644 index 0000000000..9f8d71c332 --- /dev/null +++ b/archive/cli/templates/deployment.yaml 
@@ -0,0 +1,67 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + port: {{ .Values.liveness.port }} + path: {{ .Values.liveness.path }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + httpGet: + port: {{ .Values.readiness.port }} + path: {{ .Values.readiness.path }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - name: lighttpd + mountPath: /etc/lighttpd/lighttpd.conf + subPath: lighttpd.conf + readOnly: true + env: + - name: OPEN_CLI_MODE + value: "{{ .Values.config.climode }}" + resources: {{ include "common.resources" . 
| nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: lighttpd + configMap: + name: {{ include "common.fullname" . }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/archive/cli/templates/ingress.yaml b/archive/cli/templates/ingress.yaml new file mode 100644 index 0000000000..0deb6ce481 --- /dev/null +++ b/archive/cli/templates/ingress.yaml @@ -0,0 +1,16 @@ +{{/* +# Modifications Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.ingress" . }} diff --git a/archive/cli/templates/service.yaml b/archive/cli/templates/service.yaml new file mode 100644 index 0000000000..b33db211f9 --- /dev/null +++ b/archive/cli/templates/service.yaml 
@@ -0,0 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/archive/cli/values.yaml b/archive/cli/values.yaml new file mode 100644 index 0000000000..8ad2240ee4 --- /dev/null +++ b/archive/cli/values.yaml 
@@ -0,0 +1,100 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/cli:6.0.1 +pullPolicy: IfNotPresent + +# flag to enable debugging - application support required +debugEnabled: false + +nodeSelector: {} +affinity: {} + +# Resource Limit flavor -By Default using small +flavor: small +# default number of instances +replicaCount: 1 + +# application configuration +config: + climode: daemon + +containerPort: &svc_port 8080 +service: + type: ClusterIP + name: cli + ports: + - name: http + port: *svc_port + targetPort: *svc_port + +ingress: + enabled: true + service: + - baseaddr: "cli-api" + path: "/" + name: "cps" + port: *svc_port + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: *svc_port + path: / + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + port: *svc_port + path: / + + +# 
Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +resources: + small: + limits: + cpu: "1" + memory: "2Gi" + requests: + cpu: "10m" + memory: "500Mi" + large: + limits: + cpu: "4" + memory: "8Gi" + requests: + cpu: "2" + memory: "4Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: cli + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml b/archive/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml new file mode 100644 index 0000000000..d5cc948cb4 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml 
@@ -0,0 +1,45 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +apiVersion: v2 +appVersion: "London" +description: DCAE DataFile Collector Helm charts +name: dcae-datafile-collector +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: certManagerCertificate + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null 
+++ b/archive/dcaegen2-services/components/dcae-datafile-collector/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/certificates.yaml b/archive/dcaegen2-services/components/dcae-datafile-collector/templates/certificates.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/certificates.yaml rename to archive/dcaegen2-services/components/dcae-datafile-collector/templates/certificates.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-datafile-collector/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-datafile-collector/templates/configmap.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-datafile-collector/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-datafile-collector/templates/deployment.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/ingress.yaml b/archive/dcaegen2-services/components/dcae-datafile-collector/templates/ingress.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/ingress.yaml rename to archive/dcaegen2-services/components/dcae-datafile-collector/templates/ingress.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-datafile-collector/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-datafile-collector/templates/secret.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/service.yaml b/archive/dcaegen2-services/components/dcae-datafile-collector/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-datafile-collector/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-datafile-collector/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/archive/dcaegen2-services/components/dcae-datafile-collector/values.yaml new file mode 100644 index 0000000000..30da823e60 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-datafile-collector/values.yaml 
@@ -0,0 +1,228 @@ +# ================================ LICENSE_START ========================== +# ========================================================================= +# Copyright (c) 2021 Nordix Foundation. +# Copyright (c) 2022 Nokia. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. +# ========================================================================= +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END =========================== + +################################################################# +# Global Configuration Defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: true + +################################################################# +# Filebeat Configuration Defaults. +################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Secrets Configuration. 
+################################################################# +secrets: + - uid: &drPubCredsUID drpubcreds + type: basicAuth + login: '{{ .Values.drPubscriberCreds.username }}' + password: '{{ .Values.drPubscriberCreds.password }}' + passwordPolicy: required + +################################################################# +# InitContainer Images. +################################################################# +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.5.0 + +################################################################# +# Application Configuration Defaults. +################################################################# +# Application Image +image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.10.0 +pullPolicy: Always + +# Log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. +log: + path: /var/log/ONAP +logConfigMapNamePrefix: '{{ include "common.fullname" . 
}}' + +# Directory where TLS certs should be stored +# if absent, no certs will be retrieved and stored +certDirectory: /opt/app/datafile/etc/cert + +# CMPv2 certificate +# It is used only when: +# - certDirectory is set +# - global cmpv2Enabled flag is set to true +# - flag useCmpv2Certificates is set to true +# Disabled by default +useCmpv2Certificates: false +certificates: + - mountPath: /opt/app/datafile/etc/cert/external + commonName: dcae-datafile-collector + dnsNames: + - dcae-datafile-collector + - datafile-collector + - datafile + keystore: + outputType: + - p12 + passwordSecretRef: + name: datafile-collector-cmpv2-keystore-password + key: password + create: true + +# Dependencies +# Waiting for dmaap-dr-node (which depends on dmaap-dr-prov) +# to be sure that we can provision the DR feed that's needed +readinessCheck: + wait_for: + services: + - dmaap-dr-node + - message-router + +# Probe Configuration +readiness: + initialDelaySeconds: 10 + periodSeconds: 15 + timeoutSeconds: 1 + path: /heartbeat + scheme: HTTP + port: 8100 + +# Service Configuration +service: + type: ClusterIP + name: datafile-collector + ports: + - name: http + port: 8443 + plain_port: 8100 + port_protocol: http + +ingress: + enabled: false + service: + - baseaddr: "dcae-datafile-collector-api" + name: "datafile-collector" + port: 8443 + plain_port: 8100 + config: + ssl: "redirect" + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-pm-mapper-read + - serviceAccount: message-router-read + - serviceAccount: istio-ingress + namespace: istio-ingress + +# Data Router Publisher Credentials +drPubscriberCreds: + username: username + password: password + +credentials: +- name: DR_USERNAME + uid: *drPubCredsUID + key: login +- name: DR_PASSWORD + uid: *drPubCredsUID + key: password + +# Initial Application Configuration +applicationConfig: + dmaap.certificateConfig.keyCert: /opt/app/datafile/etc/cert/cert.p12 + dmaap.certificateConfig.keyPasswordPath: 
/opt/app/datafile/etc/cert/p12.pass + dmaap.certificateConfig.trustedCa: /opt/app/datafile/etc/cert/trust.jks + dmaap.certificateConfig.trustedCaPasswordPath: /opt/app/datafile/etc/cert/trust.pass + dmaap.certificateConfig.enableCertAuth: false + dmaap.dmaapConsumerConfiguration.consumerGroup: OpenDcae-c12 + dmaap.dmaapConsumerConfiguration.consumerId: C12 + dmaap.dmaapConsumerConfiguration.timeoutMs: -1 + dmaap.security.enableDmaapCertAuth: false + dmaap.security.keyStorePasswordPath: /opt/app/datafile/etc/cert/jks.pass + dmaap.security.keyStorePath: /opt/app/datafile/etc/cert/cert.jks + dmaap.security.trustStorePasswordPath: /opt/app/datafile/etc/cert/trust.pass + dmaap.security.trustStorePath: /opt/app/datafile/etc/cert/trust.jks + service_calls: [] + sftp.security.strictHostKeyChecking: true + streams_publishes: + PM_MEAS_FILES: + dmaap_info: + publisher_id: "dummy_id" + location: loc00 + log_url: ${DR_FEED_LOGURL_0} + publish_url: ${DR_FEED_PUBURL_0} + username: ${DR_USERNAME} + password: ${DR_PASSWORD} + type: data_router + streams_subscribes: + dmaap_subscriber: + dmaap_info: + topic_url: "http://message-router:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT" + type: message_router + +applicationEnv: + #CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + +# DataRouter Feed Configuration +drFeedConfig: + - feedName: bulk_pm_feed + feedVersion: "0.0" + classification: unclassified + feedDescription: DFC Feed Creation + publisher: + username: ${DR_USERNAME} + password: ${DR_PASSWORD} + +# ConfigMap Configuration for Feed, Dr_Publisher +volumes: + - name: feeds-config + path: /opt/app/config/feeds + +# Resource Limit Flavor -By Default Using Small +flavor: small + +# Segregation for Different Environment (Small and Large) +resources: + small: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + 
large: + limits: + cpu: "4" + memory: "2Gi" + requests: + cpu: "2" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dcae-datafile-collector + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-heartbeat/Chart.yaml b/archive/dcaegen2-services/components/dcae-heartbeat/Chart.yaml new file mode 100644 index 0000000000..6ff60f4de5 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-heartbeat/Chart.yaml 
@@ -0,0 +1,44 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (c) 2021 AT&T Intellectual Property +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +apiVersion: v2 +appVersion: "Kohn" +description: DCAE Heartbeat Microservice +name: dcae-heartbeat +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-heartbeat/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-heartbeat/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-heartbeat/templates/configmap.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-heartbeat/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-heartbeat/templates/deployment.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-heartbeat/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-heartbeat/templates/secret.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/service.yaml b/archive/dcaegen2-services/components/dcae-heartbeat/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-heartbeat/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-heartbeat/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-heartbeat/values.yaml b/archive/dcaegen2-services/components/dcae-heartbeat/values.yaml new file mode 100644 index 0000000000..da8f2c6561 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-heartbeat/values.yaml 
@@ -0,0 +1,179 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (c) 2021-2023 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +################################################################# +# Global Configuration Defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: true + +################################################################# +# Filebeat Configuration Defaults. +################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Secrets Configuration. +################################################################# +secrets: + - uid: &pgUserCredsSecretUid pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-heartbeat-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) 
(hasSuffix "heartbeat-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +################################################################# +# Application Configuration Defaults. +################################################################# +# Application Image +image: onap/org.onap.dcaegen2.services.heartbeat:2.6.1 +pullPolicy: Always + +# Log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. +log: + path: /var/log/ONAP/dcaegen2/services/heartbeat +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +# Probe Configuration +readiness: + initialDelaySeconds: 10 + periodSeconds: 15 + timeoutSeconds: 1 + path: / + scheme: HTTP + port: 10002 + +# Service Configuration +service: + type: ClusterIP + name: dcae-heartbeat + ports: + - name: http + port: 10002 + port_protocol: http + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-heartbeat-read + +credentials: +- name: HEARTBEAT_PG_USERNAME + uid: *pgUserCredsSecretUid + key: login +- name: HEARTBEAT_PG_PASSWORD + uid: *pgUserCredsSecretUid + key: password + + +# Initial Application Configuration +applicationConfig: + CBS_polling_allowed: "True" + CBS_polling_interval: "300" + consumerID: "1" + groupID: "hbgrpID" + pg_ipAddress: dcae-heartbeat-pg-primary + pg_passwd: ${HEARTBEAT_PG_PASSWORD} + pg_portNum: 5432 + pg_userName: ${HEARTBEAT_PG_USERNAME} + pg_dbName: heartbeat + heartbeat_config: '{"vnfs": [{"eventName": "Heartbeat_vDNS","heartbeatcountmissed": 3,"heartbeatinterval": 60,"closedLoopControlName": "ControlLoopEvent1", "policyVersion": "1.0.0.5", "policyName":"vFireWall","policyScope": 
"resource=sampleResource,type=sampletype,CLName=sampleCLName","target_type": "VNF", "target": "genVnfName", "version": "1.0"}, {"eventName": "Heartbeat_vFW","heartbeatcountmissed": 3, "heartbeatinterval": 60,"closedLoopControlName": "ControlLoopEvent1","policyVersion": "1.0.0.5","policyName": "vFireWall","policyScope": "resource=sampleResource,type=sampletype,CLName=sampleCLName", "target_type":"VNF", "target": "genVnfName", "version": "1.0"}, {"eventName": "Heartbeat_xx","heartbeatcountmissed": 3, "heartbeatinterval": 60,"closedLoopControlName": "ControlLoopEvent1","policyVersion": "1.0.0.5","policyName": "vFireWall", "policyScope": "resource=sampleResource,type=sampletype,CLName=sampleCLName","target_type": "VNF","target": "genVnfName","version": "1.0"}]}' + streams_publishes: + dcae_cl_out: + dmaap_info: + topic_url: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.DCAE_CL_OUTPUT" + type: message_router + streams_subscribes: + ves-heartbeat: + dmaap_info: + topic_url: "http://message-router:3904/events/unauthenticated.SEC_HEARTBEAT_OUTPUT" + type: message_router + +#applicationEnv: +# HEARTBEAT_PG_URL: &dcaeheartbeatPgPrimary dcae-heartbeat-pg-primary +# HEARTBEAT_PG_USERNAME: +# secretUid: *pgUserCredsSecretUid +# key: login +# HEARTBEAT_PG_PASSWORD: +# secretUid: *pgUserCredsSecretUid +# key: password + +# Resource Limit Flavor -By Default Using Small +flavor: small + +# Segregation for Different Environment (Small and Large) +resources: + small: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + large: + limits: + cpu: "4" + memory: "2Gi" + requests: + cpu: "2" + memory: "2Gi" + unlimited: {} + +################################################################# +# Application configuration Overriding Defaults in the Postgres. 
+################################################################# +postgres: + nameOverride: &postgresName dcae-heartbeat-postgres + service: + name: *postgresName + name2: dcae-heartbeat-pg-primary + name3: dcae-heartbeat-pg-replica + container: + name: + primary: dcae-heartbeat-pg-primary + replica: dcae-heartbeat-pg-replica + persistence: + mountSubPath: heartbeat/data + mountInitPath: heartbeat + config: + pgUserName: heartbeat + pgDatabase: heartbeat + pgUserExternalSecret: *pgUserCredsSecretName + +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + +#Pods Service Account +serviceAccount: + nameOverride: dcae-heartbeat + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml b/archive/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml new file mode 100644 index 0000000000..b4c79c915b --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml 
@@ -0,0 +1,42 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2021 Wipro Limited. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: v2 +appVersion: "London" +description: DCAE KPI MS chart +name: dcae-kpi-ms +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-kpi-ms/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-kpi-ms/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-kpi-ms/templates/configmap.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-kpi-ms/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-kpi-ms/templates/deployment.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-kpi-ms/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-kpi-ms/templates/secret.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/service.yaml b/archive/dcaegen2-services/components/dcae-kpi-ms/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-kpi-ms/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-kpi-ms/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-kpi-ms/values.yaml b/archive/dcaegen2-services/components/dcae-kpi-ms/values.yaml new file mode 100644 index 0000000000..61b78fa01f --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-kpi-ms/values.yaml 
@@ -0,0 +1,138 @@ +# ============= LICENSE_START ================================================ +# ============================================================================ +# Copyright (C) 2021-2022 Wipro Limited. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============= LICENSE_END ================================================== + +################################################################# +# Global Configuration Defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: true + +################################################################# +# Filebeat Configuration Defaults. +################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Application Configuration Defaults. 
+################################################################# +# Application Image +image: onap/org.onap.dcaegen2.services.components.kpi-ms:1.2.1 +pullPolicy: Always + +# Log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. +log: + path: /var/log/ONAP/dcaegen2/services/kpims +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +# Optional Policy configuration properties +# if present, policy-sync side car will be deployed +#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 +#policies: +# policyID: | +# '["com.Config_KPIMS_CONFIG_POLICY"]' + +# Dependencies +readinessCheck: + wait_for: + services: + - message-router + +# Probe Configuration +readiness: + initialDelaySeconds: 10 + periodSeconds: 15 + timeoutSeconds: 1 + path: /healthcheck + scheme: HTTP + port: 8080 + +# Service Configuration +service: + type: ClusterIP + name: dcae-kpi-ms + ports: + - name: http + port: 8080 + port_protocol: http + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + +# Initial Application Configuration +applicationConfig: + trust_store_path: '/opt/app/kpims/etc/cert/trust.jks' + trust_store_pass_path: '/opt/app/kpims/etc/cert/trust.pass' + pollingInterval: 20 + pollingTimeout: 60 + cbsPollingInterval: 60 + dmaap.server: ["message-router"] + cg: kpi-cg + cid: kpi-cid + streams_subscribes: + performance_management_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.PERFORMANCE_MEASUREMENTS + streams_publishes: + kpi_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.DCAE_KPI_OUTPUT + kpi.policy: 
'{"domain":"measurementsForKpi","methodForKpi":[{"eventName":"perf3gpp_CORE-AMF_pmMeasResult","controlLoopSchemaType":"SLICE","policyScope":"resource=networkSlice;type=configuration","policyName":"configuration.dcae.microservice.kpi-computation","policyVersion":"v0.0.1","kpis":[{"measType":"AMFRegNbr","operation":"SUM","operands":"RM.RegisteredSubNbrMean"}]},{"eventName":"perf3gpp_CORE-UPF_pmMeasResult","controlLoopSchemaType":"SLICE","policyScope":"resource=networkSlice;type=configuration","policyName":"configuration.dcae.microservice.kpi-computation","policyVersion":"v0.0.1","kpis":[{"measType":"UpstreamDownstreamThr","operation":"SUM","operands":["GTP.InDataOctN3UPF","GTP.OutDataOctN3UPF"]}]}]' + +applicationEnv: + CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + STANDALONE: 'false' + +# Resource Limit Flavor -By Default Using Small +flavor: small + +# Segregation for Different Environment (Small and Large) +resources: + small: + limits: + cpu: "2" + memory: "500Mi" + requests: + cpu: "1" + memory: "500Mi" + large: + limits: + cpu: "4" + memory: "1Gi" + requests: + cpu: "2" + memory: "1Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dcae-kpi-ms + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml b/archive/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml new file mode 100644 index 0000000000..30cb9cfe6c --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml 
@@ -0,0 +1,42 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +apiVersion: v2 +appVersion: "London" +description: DCAE PM-Mapper Helm charts +name: dcae-pm-mapper +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: 'file://../../common/dcaegen2-services-common' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-pm-mapper/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-pm-mapper/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-pm-mapper/templates/configmap.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-pm-mapper/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-pm-mapper/templates/deployment.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-pm-mapper/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-pm-mapper/templates/secret.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/service.yaml b/archive/dcaegen2-services/components/dcae-pm-mapper/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-pm-mapper/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-pm-mapper/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/archive/dcaegen2-services/components/dcae-pm-mapper/values.yaml new file mode 100644 index 0000000000..290c313b52 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-pm-mapper/values.yaml 
@@ -0,0 +1,187 @@ +# ================================ LICENSE_START ========================== +# ========================================================================= +# Copyright (C) 2021 Nordix Foundation. +# Copyright (c) 2022 Nokia. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. +# ========================================================================= +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END =========================== + +################################################################# +# Global Configuration Defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: true + +################################################################# +# Filebeat Configuration Defaults. +################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Secrets Configuration. 
+################################################################# +secrets: + - uid: &drSubCredsUID drsubcreds + type: basicAuth + login: '{{ .Values.drSubscriberCreds.username }}' + password: '{{ .Values.drSubscriberCreds.password }}' + passwordPolicy: required + +################################################################# +# Application Configuration Defaults. +################################################################# +# Application Image +image: onap/org.onap.dcaegen2.services.pm-mapper:1.10.1 +pullPolicy: Always + +# Log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. +log: + path: /var/log/ONAP/dcaegen2/services/pm-mapper +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +# Dependencies +# Depend on the datafile-collector, which guarantees that +# the DR feed that pm-mapper susbscribes to will be created +# already by the datafile-collector DMaaP provisioning init +# container. Also guarantees that DR provisioning will be +# available for pm-mapper initContainter to create the +# subscription to the feed. 
+readinessCheck: + wait_for: + services: + - datafile-collector + +# Probe Configuration +readiness: + initialDelaySeconds: 10 + periodSeconds: 15 + timeoutSeconds: 1 + path: /healthcheck + scheme: HTTP + port: 8081 + +# Service Configuration +service: + type: ClusterIP + name: dcae-pm-mapper + both_tls_and_plain: true + ports: + - name: http + port: 8443 + plain_port: 8081 + port_protocol: http + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + +# Data Router Subscriber Credentials +drSubscriberCreds: + username: username + password: password + +credentials: +- name: DR_USERNAME + uid: *drSubCredsUID + key: login +- name: DR_PASSWORD + uid: *drSubCredsUID + key: password + +# Initial Application Configuration +applicationConfig: + enable_tls: false + enable_http: true + aaf_identity: "" + aaf_password: "" + pm-mapper-filter: "{ \"filters\":[] }" + #key_store_path: /opt/app/pm-mapper/etc/cert/cert.jks + #key_store_pass_path: /opt/app/pm-mapper/etc/cert/jks.pass + trust_store_path: /opt/app/pm-mapper/etc/cert/trust.jks + trust_store_pass_path: /opt/app/pm-mapper/etc/cert/trust.pass + dmaap_dr_delete_endpoint: http://dmaap-dr-node:8080/delete + streams_publishes: + dmaap_publisher: + type: message_router + dmaap_info: + client_id: "dummy_id" + location: san-francisco + client_role: org.onap.dcae.pmPublisher + topic_url: http://message-router:3904/events/unauthenticated.PERFORMANCE_MEASUREMENTS + streams_subscribes: + dmaap_subscriber: + type: data_router + dmaap_info: + subscriber_id: "dummy_id" + decompress: true + privileged: true + username: ${DR_USERNAME} + password: ${DR_PASSWORD} + location: san-francisco + delivery_url: http://dcae-pm-mapper:8081/delivery + +applicationEnv: + #CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + +# DataRouter Subscriber Configuration 
+drSubConfig: + - feedName: bulk_pm_feed + feedVersion: "0.0" + decompress: true + username: ${DR_USERNAME} + userpwd: ${DR_PASSWORD} + privilegedSubscriber: true + deliveryURL: http://dcae-pm-mapper:8081/delivery + +# ConfigMap Configuration for DR Subscriber +volumes: + - name: drsub-config + path: /opt/app/config/dr_subs + +# Resource Limit Flavor -By Default Using Small +flavor: small + +# Segregation for Different Environment (Small and Large) +resources: + small: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + large: + limits: + cpu: "4" + memory: "2Gi" + requests: + cpu: "2" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dcae-pm-mapper + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-pmsh/Chart.yaml b/archive/dcaegen2-services/components/dcae-pmsh/Chart.yaml new file mode 100644 index 0000000000..f721f0aba4 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-pmsh/Chart.yaml 
@@ -0,0 +1,45 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (C) 2021 Nordix Foundation. +# Copyright (c) 2021 AT&T. All rights reserved. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +apiVersion: v2 +appVersion: "Kohn" +description: DCAE PMSH Service +name: dcae-pmsh +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-pmsh/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-pmsh/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-pmsh/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-pmsh/templates/configmap.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-pmsh/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-pmsh/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-pmsh/templates/deployment.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-pmsh/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-pmsh/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-pmsh/templates/secret.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/templates/service.yaml b/archive/dcaegen2-services/components/dcae-pmsh/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-pmsh/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-pmsh/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-pmsh/values.yaml b/archive/dcaegen2-services/components/dcae-pmsh/values.yaml new file mode 100644 index 0000000000..0f7289cc07 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-pmsh/values.yaml 
@@ -0,0 +1,182 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (C) 2021 Nordix Foundation. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +################################################################# +# Global Configuration Defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: true + +################################################################# +# Filebeat Configuration Defaults. +################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Secrets Configuration. +################################################################# +secrets: + - uid: &pgUserCredsSecretUid pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-pmsh-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) 
(hasSuffix "pmsh-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +################################################################# +# Application Configuration Defaults. +################################################################# +# Application Image +image: onap/org.onap.dcaegen2.services.pmsh:2.2.3 +pullPolicy: Always + +# Log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. +log: + path: /var/log/ONAP/dcaegen2/services/pmsh +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +# Probe Configuration +readiness: + initialDelaySeconds: 10 + periodSeconds: 15 + timeoutSeconds: 1 + path: /healthcheck + scheme: HTTP + port: 8080 + +# Service Configuration +service: + type: ClusterIP + name: dcae-pmsh + ports: + - name: http + port: 8080 + plain_port: 8080 + port_protocol: http + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-pmsh-read + +# Initial Application Configuration +applicationConfig: + enable_tls: false + aaf_identity: dummy_value + aaf_password: dummy_value + key_path: /opt/app/pmsh/etc/certs/key.pem + cert_path: /opt/app/pmsh/etc/certs/cert.pem + ca_cert_path: /opt/app/pmsh/etc/certs/cacert.pem + control_loop_name: pmsh-control-loop + operational_policy_name: pmsh-operational-policy + pmsh_policy: + subscription: + subscriptionName: ExtraPM-All-gNB-R2B + administrativeState: LOCKED + fileBasedGP: 15 + fileLocation: "/pm/pm.xml" + nfFilter: { "nfNames": [ "^pnf.*","^vnf.*" ],"modelInvariantIDs": [ ],"modelVersionIDs": [ ],"modelNames": [ ] } + measurementGroups: [ { "measurementGroup": { "measurementTypes": [ { "measurementType": "countera" },{ 
"measurementType": "counterb" } ],"managedObjectDNsBasic": [ { "DN": "dna" },{ "DN": "dnb" } ] } },{ "measurementGroup": { "measurementTypes": [ { "measurementType": "counterc" },{ "measurementType": "counterd" } ],"managedObjectDNsBasic": [ { "DN": "dnc" },{ "DN": "dnd" } ] } } ] + streams_publishes: + policy_pm_publisher: + type: message_router + dmaap_info: + topic_url: "http://message-router:3904/events/unauthenticated.DCAE_CL_OUTPUT" + streams_subscribes: + policy_pm_subscriber: + type: message_router + dmaap_info: + topic_url: "http://message-router:3904/events/unauthenticated.PMSH_CL_INPUT" + aai_subscriber: + type: message_router + dmaap_info: + topic_url: "http://message-router:3904/events/AAI-EVENT" + +applicationEnv: + PMSH_PG_URL: &dcaePmshPgPrimary dcae-pmsh-pg-primary + PMSH_PG_USERNAME: + secretUid: *pgUserCredsSecretUid + key: login + PMSH_PG_PASSWORD: + secretUid: *pgUserCredsSecretUid + key: password + PMSH_API_PORT: '8080' + +# Resource Limit Flavor -By Default Using Small +flavor: small + +# Segregation for Different Environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "2" + memory: "2Gi" + unlimited: {} + +################################################################# +# Application configuration Overriding Defaults in the Postgres. 
+################################################################# +postgres: + nameOverride: &postgresName dcae-pmsh-postgres + service: + name: *postgresName + name2: *dcaePmshPgPrimary + name3: dcae-pmsh-pg-replica + container: + name: + primary: dcae-pmsh-pg-primary + replica: dcae-pmsh-pg-replica + persistence: + mountSubPath: pmsh/data + mountInitPath: pmsh + config: + pgUserName: pmsh + pgDatabase: pmsh + pgUserExternalSecret: *pgUserCredsSecretName + +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + +#Pods Service Account +serviceAccount: + nameOverride: dcae-pmsh + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml b/archive/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml new file mode 100644 index 0000000000..72d43e9481 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml 
@@ -0,0 +1,42 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (c) 2021 AT&T Intellectual Property +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +apiVersion: v2 +appVersion: "London" +description: DCAE RESTConf Collector +name: dcae-restconf-collector +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-restconf-collector/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-restconf-collector/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-restconf-collector/templates/configmap.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-restconf-collector/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-restconf-collector/templates/deployment.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/ingress.yaml b/archive/dcaegen2-services/components/dcae-restconf-collector/templates/ingress.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/ingress.yaml rename to archive/dcaegen2-services/components/dcae-restconf-collector/templates/ingress.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-restconf-collector/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-restconf-collector/templates/secret.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/service.yaml b/archive/dcaegen2-services/components/dcae-restconf-collector/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-restconf-collector/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-restconf-collector/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-restconf-collector/values.yaml b/archive/dcaegen2-services/components/dcae-restconf-collector/values.yaml new file mode 100644 index 0000000000..8e6cc7a4a6 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-restconf-collector/values.yaml 
@@ -0,0 +1,178 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +################################################################# +# Global Configuration Defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: false + +################################################################# +# Filebeat Configuration Defaults. +################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Secrets Configuration. 
+################################################################# +secrets: + - uid: &controllerCredsUID controllercreds + type: basicAuth + login: '{{ .Values.controllerCreds.username }}' + password: '{{ .Values.controllerCreds.password }}' + passwordPolicy: required + +################################################################# +# Application Configuration Defaults. +################################################################# +# Application Image +image: onap/org.onap.dcaegen2.collectors.restconfcollector:1.4.1 +pullPolicy: Always + +# Log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. +log: + path: null # /opt/app/restconfcollector/logs +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +# Dependencies +readinessCheck: + wait_for: + services: + - message-router + +# Probe Configuration +readiness: + initialDelaySeconds: 100 + periodSeconds: 60 + timeoutSeconds: 5 + path: /healthcheck + scheme: HTTP + port: 8080 + + +# service configuration +service: + type: NodePort + name: dcae-restconf-collector + ports: + - name: http + port: 8443 + plain_port: 8080 + port_protocol: http + nodePort: 16 + useNodePortExt: true + +ingress: + enabled: false + service: + - baseaddr: "dcae-restconf-collector-api" + name: "dcae-restconf-collector" + port: 8443 + plain_port: 8080 + config: + ssl: "redirect" + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + +# AAF Credentials +controllerCreds: + username: access + password: Huawei@123 + +credentials: +- name: CONTROLLER_USERNAME + uid: *controllerCredsUID + key: login +- name: CONTROLLER_PASSWORD + uid: *controllerCredsUID + key: password + +# application environments +applicationEnv: + LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true' + +# Initial Application Configuration +applicationConfig: + collector.rcc.appDescription: DCAE 
RestConf Collector Application + collector.rcc.appName: dcae-rcc + collector.rcc.dmaap.streamid: notification=device-registration + collector.rcc.inputQueue.maxPending: '8096' + tomcat.maxthreads: '200' + collector.rcc.service.port: '8080' + # Disabling of secure port not working (DCAEGEN2-3336) + collector.rcc.service.secure.port: '0' + #collector.rcc.service.secure.port: '8687' + #collector.rcc.keystore.file.location: /opt/app/dcae-certificate/cert.jks + #collector.rcc.keystore.passwordfile: /opt/app/dcae-certificate/jks.pass + #collector.rcc.keystore.alias: dynamically generated + #collector.rcc.truststore.file.location: /opt/app/dcae-certificate/trust.jks + #collector.rcc.truststore.passwordfile: /opt/app/dcae-certificate/trust.pass + #collector.keystore.file.location: /opt/app/dcae-certificate/external/cert.jks + #collector.keystore.passwordfile: /opt/app/dcae-certificate/external/jks.pass + collector.header.authflag: '0' + collector.header.authlist: sample1,c2FtcGxlMQ== + collector.rcc.service.secure.clientauth: '0' + streams_publishes: + device-registration: + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.DCAE_RCC_OUTPUT + type: message_router + rcc_policy: 
'[{"controller_name":"AccessM&C","controller_restapiUrl":"172.30.0.55:26335","controller_restapiUser":"${CONTROLLER_USERNAME}","controller_restapiPassword":"${CONTROLLER_PASSWORD}","controller_accessTokenUrl":"/rest/plat/smapp/v1/oauth/token","controller_accessTokenFile":"./etc/access-token.json","controller_accessTokenMethod":"put","controller_subsMethod":"post","controller_subscriptionUrl":"/restconf/v1/operations/huawei-nce-notification-action:establish-subscription","controller_disableSsl":"true","event_details":[{"event_name":"ONT_registration","event_description":"ONTregistartionevent","event_sseventUrlEmbed":"true","event_sseventsField":"output.url","event_sseventsUrl":"null","event_subscriptionTemplate":"./etc/ont_registartion_subscription_template.json","event_unSubscriptionTemplate":"./etc/ont_registartion_unsubscription_template.json","event_ruleId":"12345678","modifyData":"true","modifyMethod": "modifyOntEvent","userData": "remote_id=AC9.0234.0337;svlan=100;cvlan=10;"}]}]' + +#applicationEnv: +# CONTROLLER_IP: "172.30.0.55" +# CONTROLLER_PORT: "26335" + + +# Resource Limit Flavor -By Default Using Small +flavor: small + +# Segregation for Different Environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "2" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dcae-restconf-collector + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml b/archive/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml new file mode 100644 index 0000000000..f90bd1ef95 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml 
@@ -0,0 +1,45 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2021 Wipro Limited. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: v2 +appVersion: "London" +description: DCAE SliceAnalysis MS charts +name: dcae-slice-analysis-ms +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null 
+++ b/archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/configmap.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/deployment.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/secret.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/service.yaml b/archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-slice-analysis-ms/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/archive/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml new file mode 100644 index 0000000000..fd70e36619 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml 
@@ -0,0 +1,241 @@ +# ============= LICENSE_START ================================================ +# ============================================================================ +# Copyright (C) 2021-2022 Wipro Limited. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (C) 2022 Huawei Canada Limited. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============= LICENSE_END ================================================== + +################################################################# +# Global Configuration Defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: true + +################################################################# +# Filebeat Configuration Defaults. +################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Secrets Configuration. +################################################################# +secrets: + - uid: &pgUserCredsSecretUid pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . 
}}-sliceanalysisms-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "sliceanalysisms-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +################################################################# +# Application Configuration Defaults. +################################################################# +# Application Image +repository: nexus3.onap.org:10001 +image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.2.1 +pullPolicy: IfNotPresent + +################################################################# +# Policy Sync Container Image. +################################################################# +# optional Policy configuration properties +# if present, policy-sync side car will be deployed +# policy sync is used for provide runtime configuration for slicems +# policy id is originally set to "onap.dcae.slicems.config" + +#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 +#pullPolicy: IfNotPresent +#policies: +# duration: +# 10 +# policyID: | +# '["onap.dcae.slicems.config"]' + +# Log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. +log: + path: /var/log/ONAP/dcaegen2/services/sliceanalysisms +logConfigMapNamePrefix: '{{ include "common.fullname" . 
}}' + +# Probe Configuration +readiness: + initialDelaySeconds: 60 + periodSeconds: 15 + timeoutSeconds: 1 + path: /healthcheck + scheme: HTTP + port: 8080 + +# Service Configuration +service: + type: ClusterIP + name: dcae-slice-analysis-ms + ports: + - name: http + port: 8080 + port_protocol: http + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-slice-analysis-ms-read + +credentials: +- name: PG_USERNAME + uid: *pgUserCredsSecretUid + key: login +- name: PG_PASSWORD + uid: *pgUserCredsSecretUid + key: password + +# Initial Application Configuration +applicationConfig: + postgres.host: dcae-sliceanalysisms-pg-primary + postgres.port: 5432 + postgres.username: ${PG_USERNAME} + postgres.password: ${PG_PASSWORD} + trust_store_path: /opt/app/sliceanalysisms/etc/cert/trust.jks + trust_store_pass_path: /opt/app/sliceanalysisms/etc/cert/trust.pass + sliceanalysisms.pollingInterval: 20 + sliceanalysisms.pollingTimeout: 60 + cbsPollingInterval: 60 + sliceanalysisms.namespace: onap + sliceanalysisms.dmaap.server: ["message-router"] + sliceanalysisms.bufferTime: 60 + sliceanalysisms.cg: sliceanalysisms-cg + sliceanalysisms.cid: sliceanalysisms-cid + sliceanalysisms.configDb.service: http://config-db:8080 + sliceanalysisms.configDbEnabled: true + sliceanalysisms.aai.url: http://aai-internal.onap.svc.cluster.local:80/aai/v21 + sliceanalysisms.cps.url: http://cps:8080 + sliceanalysisms.samples: 3 + sliceanalysisms.minPercentageChange: 5 + sliceanalysisms.initialDelaySeconds: 120000 + sliceanalysisms.rannfnssiDetailsTemplateId: get-rannfnssiid-details + sliceanalysisms.desUrl: http://dl-des:1681/datalake/v1/exposure/pm_data + sliceanalysisms.pmDataDurationInWeeks: 4 + sliceanalysisms.vesNotifPollingInterval: 15 + sliceanalysisms.vesNotifChangeIdentifier: PM_BW_UPDATE + sliceanalysisms.vesNotifChangeType: BandwidthChanged + sliceanalysisms.aaiNotif.targetAction: UPDATE + 
sliceanalysisms.aaiNotif.targetSource: UUI + sliceanalysisms.aaiNotif.targetEntity: service-instance + sliceanalysisms.ccvpnEvalInterval: 5 + sliceanalysisms.ccvpnEvalUpperThreshold: 0.8 + sliceanalysisms.ccvpnEvalLowerThreshold: 0.3 + sliceanalysisms.ccvpnEvalPrecision: 100.0 + sliceanalysisms.ccvpnEvalPeriodicCheckOn: true + sliceanalysisms.ccvpnEvalOnDemandCheckOn: true + sliceanalysisms.ccvpnEvalStrategy: FlexibleThresholdStrategy + streams_publishes: + CL_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.DCAE_CL_OUTPUT + streams_subscribes: + performance_management_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.PERFORMANCE_MEASUREMENTS + intelligent_slicing_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.ML_RESPONSE_TOPIC + dcae_cl_response_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/DCAE_CL_RSP + ves_ccvpn_notification_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT + aai_subscriber: + type: message-router + servers : ["message-router:3904"] + consumer_group: dcae_ccvpn_cl + consumer_instance: dcae_ccvpn_cl_aaievent + fetch_timeout: 15000 + fetch_limit: 100 + dmaap_info: + topic_url: http://message-router:3904/events/AAI-EVENT + +applicationEnv: + CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + STANDALONE: 'false' + +# Resource Limit Flavor -By Default Using Small +flavor: small +# Segregation for Different Environment (Small and Large) +resources: + small: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + large: + limits: + cpu: "4" + memory: "4Gi" + requests: + cpu: "2" + memory: "4Gi" + 
unlimited: {} + +################################################################# +# Application configuration Overriding Defaults in the Postgres. +################################################################# +postgres: + nameOverride: &postgresName dcae-sliceanalysisms-postgres + service: + name: *postgresName + name2: dcae-sliceanalysisms-pg-primary + name3: dcae-sliceanalysisms-pg-replica + container: + name: + primary: dcae-sliceanalysisms-pg-primary + replica: dcae-sliceanalysisms-pg-replica + persistence: + mountSubPath: sliceanalysisms/data + mountInitPath: sliceanalysisms + config: + pgUserName: sliceanalysisms + pgDatabase: sliceanalysisms + pgUserExternalSecret: *pgUserCredsSecretName + +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + +#Pods Service Account +serviceAccount: + nameOverride: dcae-slice-analysis-ms + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml b/archive/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml new file mode 100644 index 0000000000..5f2eb49546 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml 
@@ -0,0 +1,42 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (c) 2021 AT&T Intellectual Property +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# Copyright (c) 2024 J. F. Lucas. All rights reserved. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +apiVersion: v2 +appVersion: "NewDelhi" +description: DCAE SNMPTrap Collector +name: dcae-snmptrap-collector +version: 13.0.1 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/configmap.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/deployment.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/secret.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/service.yaml b/archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-snmptrap-collector/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml b/archive/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml new file mode 100644 index 0000000000..599b3d21b9 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml 
@@ -0,0 +1,150 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +################################################################# +# Global Configuration Defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: true + +################################################################# +# Filebeat Configuration Defaults. +################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Application Configuration Defaults. +################################################################# +# Application Image +image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.8 +pullPolicy: Always + +# Log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. 
+log: + path: /opt/app/snmptrap/logs +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +# Dependencies +readinessCheck: + wait_for: + services: + - message-router + +# Probe Configuration +readiness: + type: exec + command: + - /opt/app/snmptrap/bin/snmptrapd.sh + - status + +# service configuration +service: + type: NodePort + name: dcae-snmptrap-collector + ports: + - name: udp + port: 6162 + l4_protocol: UDP # default to TCP if not set + port_protocol: udp #used in svn name + nodePort: 70 + useNodePortExt: true + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + +# Initial Application Configuration +applicationConfig: + StormWatchPolicy: '' + cache: + dns_cache_ttl_seconds: 60 + services_calls: {} + snmptrapd: + version: '2.0.8' + title: ONAP SNMP Trap Receiver + sw_interval_in_seconds: 60 + streams_publishes: + sec_fault_unsecure: + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.ONAP-COLLECTOR-SNMPTRAP + type: message_router + aaf_password: "" + aaf_username: "" + files: + runtime_base_dir: "/opt/app/snmptrap" + log_dir: logs + data_dir: data + pid_dir: tmp + arriving_traps_log: snmptrapd_arriving_traps.log + snmptrapd_diag: snmptrapd_prog_diag.log + traps_stats_log: snmptrapd_stats.csv + perm_status_file: snmptrapd_status.log + eelf_base_dir: "/opt/app/snmptrap/logs" + eelf_error: error.log + eelf_debug: debug.log + eelf_audit: audit.log + eelf_metrics: metrics.log + roll_frequency: hour + minimum_severity_to_log: 3 + protocols: + transport: udp + ipv4_interface: 0.0.0.0 + ipv4_port: 6162 + ipv6_interface: "::1" + ipv6_port: 6162 + publisher: + http_milliseconds_timeout: 1500 + http_retries: 3 + http_milliseconds_between_retries: 750 + http_primary_publisher: 'true' + http_peer_publisher: unavailable + max_traps_between_publishes: 10 + max_milliseconds_between_publishes: 10000 + +# Resource Limit Flavor -By Default Using Small +flavor: small + +# Segregation for Different Environment (Small and Large) 
+resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "2" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dcae-snmptrap-collector + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-son-handler/Chart.yaml b/archive/dcaegen2-services/components/dcae-son-handler/Chart.yaml new file mode 100644 index 0000000000..b4bde7f0fe --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-son-handler/Chart.yaml 
@@ -0,0 +1,45 @@ +# ============= LICENSE_START ================================================ +# ============================================================================ +# Copyright (C) 2021 Wipro Limited. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============= LICENSE_END ================================================== + +apiVersion: v2 +appVersion: "London" +description: DCAE Son-handler helm chart +name: dcae-son-handler +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-son-handler/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-son-handler/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-son-handler/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-son-handler/templates/configmap.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-son-handler/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-son-handler/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-son-handler/templates/deployment.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-son-handler/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-son-handler/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-son-handler/templates/secret.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/templates/service.yaml b/archive/dcaegen2-services/components/dcae-son-handler/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-son-handler/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-son-handler/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-son-handler/values.yaml b/archive/dcaegen2-services/components/dcae-son-handler/values.yaml new file mode 100644 index 0000000000..5e16967203 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-son-handler/values.yaml 
@@ -0,0 +1,250 @@ +# ============= LICENSE_START ================================================ +# ============================================================================ +# Copyright (C) 2021-2022 Wipro Limited. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============= LICENSE_END ================================================== + +################################################################# +# Global Configuration Defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: true + +################################################################# +# Filebeat Configuration Defaults. +################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Secrets Configuration. +################################################################# +secrets: + - uid: &cpsCredsUID cpscreds + type: basicAuth + login: '{{ .Values.cpsCreds.identity }}' + password: '{{ .Values.cpsCreds.password }}' + passwordPolicy: required + - uid: &pgUserCredsSecretUid pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . 
}}-sonhms-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "sonhms-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +################################################################# +# Application Configuration Defaults. +################################################################# +# Application Image +image: onap/org.onap.dcaegen2.services.son-handler:2.2.1 +pullPolicy: Always + +# Log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. +log: + path: /var/log/ONAP/dcaegen2/services/sonhms +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +# Optional Policy configuration properties +# if present, policy-sync side car will be deployed +#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 +#policies: +# policyID: | +# '["com.Config_PCIMS_CONFIG_POLICY"]' + +# Probe Configuration +readiness: + initialDelaySeconds: 10 + periodSeconds: 15 + timeoutSeconds: 1 + path: /healthcheck + scheme: HTTP + port: 8080 + +# Service Configuration +service: + type: ClusterIP + name: dcae-son-handler + ports: + - name: http + port: 8080 + port_protocol: http + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-son-handler-read + +# Credentials +cpsCreds: + identity: cps + password: cpsr0cks! 
+ +credentials: +- name: CPS_IDENTITY + uid: *cpsCredsUID + key: login +- name: CPS_PASSWORD + uid: *cpsCredsUID + key: password +- name: PG_USERNAME + uid: *pgUserCredsSecretUid + key: login +- name: PG_PASSWORD + uid: *pgUserCredsSecretUid + key: password + + +# Initial Application Configuration +applicationConfig: + postgres.host: &dcaeSonhmsPgPrimary dcae-sonhms-pg-primary + postgres.port: 5432 + postgres.username: ${PG_USERNAME} + postgres.password: ${PG_PASSWORD} + cps.username: ${CPS_IDENTITY} + cps.password: ${CPS_PASSWORD} + sonhandler.pollingInterval: 20 + sonhandler.pollingTimeout: 60 + cbsPollingInterval: 60 + sonhandler.numSolutions: 5 + sonhandler.minCollision: 5 + sonhandler.minConfusion: 5 + sonhandler.maximumClusters: 5 + sonhandler.badThreshold: 50 + sonhandler.poorThreshold: 70 + sonhandler.namespace: onap + sonhandler.sourceId: SONHMS + sonhandler.dmaap.server: ["message-router"] + sonhandler.bufferTime: 60 + sonhandler.cg: sonhms-cg + sonhandler.cid: sonhms-cid + sonhandler.clientType: cps + sonhandler.nearRtricUrl: "https://a1-policy-management:30294/a1-policy/v2/policies" + cps.service.url: http://cps-tbdmt:8080 + cps.get.celldata: execute/cps-ran-schemaset/get-cell-data + cps.get.nbr.list.url: execute/cps-ran-schemaset/get-nbr-list + cps.get.pci.url: execute/ran-network-schemaset/get-pci + cps.get.pnf.url: execute/ran-network-schemaset/get-pnf + sonhandler.configDb.service: http://configdb:8080 + sonhandler.oof.service: https://oof-osdf:8698 + sonhandler.oof.endpoint: /api/oof/v1/pci + sonhandler.pciOptimizer: pci + sonhandler.pciAnrOptimizer: pci_anr + sonhandler.poorCountThreshold: 3 + sonhandler.badCountThreshold: 3 + sonhandler.oofTriggerCountTimer: 30 + sonhandler.oofTriggerCountThreshold: 5 + sonhandler.policyRespTimer: 10 + sonhandler.policyNegativeAckThreshold: 3 + sonhandler.policyFixedPciTimeInterval: 30000 + sonhandler.nfNamingCode: RansimAgent + streams_publishes: + CL_topic: + type: message-router + dmaap_info: + topic_url: 
http://message-router:3904/events/unauthenticated.DCAE_CL_OUTPUT + streams_subscribes: + performance_management_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT + fault_management_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.SEC_FAULT_OUTPUT + nbr_list_change_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/PCI-NOTIF-TOPIC-NGHBR-LIST-CHANGE-INFO + dcae_cl_response_topic: + type: message-router + dmaap_info: + topic_url: http://message-router:3904/events/DCAE_CL_RSP + service_calls: + sdnr-getpnfname: [] + sdnr-getpci: [] + sdnr-getnbrlist: [] + sdnr-getcelllist: [] + oof-req: [] + policy-req: [] + +applicationEnv: + CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + STANDALONE: 'false' + +# Resource Limit Flavor -By Default Using Small +flavor: small + +# Segregation for Different Environment (Small and Large) +resources: + small: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + large: + limits: + cpu: "4" + memory: "2Gi" + requests: + cpu: "2" + memory: "2Gi" + unlimited: {} + +################################################################# +# Application configuration Overriding Defaults in the Postgres. 
+################################################################# +postgres: + nameOverride: &postgresName dcae-sonhms-postgres + service: + name: *postgresName + name2: *dcaeSonhmsPgPrimary + name3: dcae-sonhms-pg-replica + container: + name: + primary: dcae-sonhms-pg-primary + replica: dcae-sonhms-pg-replica + persistence: + mountSubPath: sonhms/data + mountInitPath: sonhms + config: + pgUserName: sonhms + pgDatabase: sonhms + pgUserExternalSecret: *pgUserCredsSecretName + +# Dependencies +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + - message-router + +#Pods Service Account +serviceAccount: + nameOverride: dcae-son-handler + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-tcagen2/Chart.yaml b/archive/dcaegen2-services/components/dcae-tcagen2/Chart.yaml new file mode 100644 index 0000000000..8596dcd2e1 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-tcagen2/Chart.yaml 
@@ -0,0 +1,45 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: v2 +appVersion: "NewDelhi" +description: DCAE TCA (Gen 2) +name: dcae-tcagen2 +version: 13.1.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: mongodb + version: ~14.12.x-0 + repository: '@local' \ No newline at end of file diff --git a/archive/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null 
+++ b/archive/dcaegen2-services/components/dcae-tcagen2/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-tcagen2/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-tcagen2/templates/configmap.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-tcagen2/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-tcagen2/templates/deployment.yaml diff --git a/kubernetes/common/certInitializer/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-tcagen2/templates/secret.yaml similarity index 100% rename from kubernetes/common/certInitializer/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-tcagen2/templates/secret.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/service.yaml b/archive/dcaegen2-services/components/dcae-tcagen2/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-tcagen2/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-tcagen2/values.yaml b/archive/dcaegen2-services/components/dcae-tcagen2/values.yaml new file mode 100644 index 0000000000..393d7936a0 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-tcagen2/values.yaml 
@@ -0,0 +1,199 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: true + # Docker Repository used by RepositoryGenerator + dockerHubRepository: docker.io + # Additions for MongoDB**************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + # ************************************************* + +################################################################# +# Filebeat configuration defaults. 
+################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.4.0 +pullPolicy: Always + +# log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. +log: + path: /opt/logs/dcae-analytics-tca +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +secrets: + - uid: &aaiCredsUID aaicreds + type: basicAuth + login: '{{ .Values.aaiCreds.user }}' + password: '{{ .Values.aaiCreds.password }}' + passwordPolicy: required + +# dependencies +readinessCheck: + wait_for: + services: + - message-router + +# probe configuration +readiness: + initialDelaySeconds: 10 + periodSeconds: 30 + path: /actuator/health + scheme: HTTP + port: 9091 + +# service configuration +service: + type: ClusterIP + name: dcae-tcagen2 + ports: + - port: 9091 + name: http + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + +# mongoDB overrides +mongodb: + nameOverride: dcae-mongo + #config: + # dbName: dcaecommondb + auth: + enabled: false + databases: + - "dcaecommondb" + usernames: + - "dcae" + service: + nameOverride: dcae-mongohost + internalPort: 27017 + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "500m" + memory: "1Gi" + +# Policy configuraiton properties +# if enabled, policy-sync side car will be deployed +#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 +#policies: +# duration: 300 +# policyRelease: "onap" +# policyID: | +# '["onap.vfirewall.tca","onap.vdns.tca"]' + + +aaiCreds: + user: DCAE + password: DCAE + +credentials: 
+- name: AAI_USERNAME + uid: *aaiCredsUID + key: login +- name: AAI_PASSWORD + uid: *aaiCredsUID + key: password + +# initial application configuration +applicationConfig: + service_calls: [] + streams_publishes: + tca_handle_out: + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.DCAE_CL_OUTPUT + type: message_router + streams_subscribes: + tca_handle_in: + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT + type: message_router + spring.data.mongodb.uri: mongodb://dcae-mongohost/dcae-tcagen2 + streams_subscribes.tca_handle_in.consumer_group: cg1 + streams_subscribes.tca_handle_in.consumer_ids[0]: c0 + streams_subscribes.tca_handle_in.consumer_ids[1]: c1 + streams_subscribes.tca_handle_in.message_limit: 50000 + streams_subscribes.tca_handle_in.polling.auto_adjusting.max: 60000 + streams_subscribes.tca_handle_in.polling.auto_adjusting.min: 30000 + streams_subscribes.tca_handle_in.polling.auto_adjusting.step_down: 30000 + streams_subscribes.tca_handle_in.polling.auto_adjusting.step_up: 10000 + streams_subscribes.tca_handle_in.polling.fixed_rate: 0 + streams_subscribes.tca_handle_in.timeout: -1 + tca.aai.enable_enrichment: true + tca.aai.generic_vnf_path: aai/v11/network/generic-vnfs/generic-vnf + tca.aai.node_query_path: aai/v11/search/nodes-query + tca.aai.password: ${AAI_PASSWORD} + tca.aai.url: http://aai-internal:80 + tca.aai.username: ${AAI_USERNAME} + tca.policy: 
"[{\"domain\":\"measurementsForVfScaling\",\"violatedMetricsPerEventName\":[{\"eventName\":\"Mfvs_eNodeB_RANKPI\",\"controlLoopSchemaType\":\"VNF\",\"policyScope\":\"resource=vFirewall;type=configuration\",\"policyName\":\"configuration.dcae.microservice.tca.xml\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"CL-FRWL-LOW-TRAFFIC-SIG-d925ed73-8231-4d02-9545-db4e101f88f8\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":4000,\"direction\":\"LESS_OR_EQUAL\",\"severity\":\"MAJOR\"},{\"closedLoopControlName\":\"CL-FRWL-HIGH-TRAFFIC-SIG-EA36FE84-9342-5E13-A656-EC5F21309A09\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":20000,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\"}]},{\"eventName\":\"vLoadBalancer\",\"controlLoopSchemaType\":\"VNF\",\"policyScope\":\"resource=vLoadBalancer;type=configuration\",\"policyName\":\"configuration.dcae.microservice.tca.xml\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"CL-LBAL-LOW-TRAFFIC-SIG-FB480F95-A453-6F24-B767-FD703241AB1A\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":500,\"direction\":\"LESS_OR_EQUAL\",\"severity\":\"MAJOR\"},{\"closedLoopControlName\":\"CL-LBAL-LOW-TRAFFIC-SIG-0C5920A6-B564-8035-C878-0E814352BC2B\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":5000,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\"}]}]},{\"domain\":\"measurement\",\"metricsPerEventName\
":[{\"eventName\":\"vFirewallBroadcastPackets\",\"controlLoopSchemaType\":\"VM\",\"policyScope\":\"DCAE\",\"policyName\":\"DCAE.Config_tca-hi-lo\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.nicPerformanceArray[*].receivedTotalPacketsDelta\",\"thresholdValue\":300,\"direction\":\"LESS_OR_EQUAL\",\"severity\":\"MAJOR\",\"closedLoopEventStatus\":\"ABATED\"},{\"closedLoopControlName\":\"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.nicPerformanceArray[*].receivedTotalPacketsDelta\",\"thresholdValue\":700,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\",\"closedLoopEventStatus\":\"ONSET\"}]},{\"eventName\":\"vLoadBalancer\",\"controlLoopSchemaType\":\"VM\",\"policyScope\":\"DCAE\",\"policyName\":\"DCAE.Config_tca-hi-lo\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.nicPerformanceArray[*].receivedTotalPacketsDelta\",\"thresholdValue\":300,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\",\"closedLoopEventStatus\":\"ONSET\"}]},{\"eventName\":\"Measurement_vGMUX\",\"controlLoopSchemaType\":\"VNF\",\"policyScope\":\"DCAE\",\"policyName\":\"DCAE.Config_tca-hi-lo\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.additionalMeasurements[*].arrayOfFields[0].value\",\"thresholdValue\":0,\"direction\":\"EQUAL\",\"severity\":\"MAJOR\",\"closedLoopEventStatus\":\"ABATED\"},{\"closedLoopControlName\":\"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.additionalMeasurements
[*].arrayOfFields[0].value\",\"thresholdValue\":0,\"direction\":\"GREATER\",\"severity\":\"CRITICAL\",\"closedLoopEventStatus\":\"ONSET\"}]}]}]" + tca.processing_batch_size: 10000 + tca.enable_abatement: true + tca.enable_ecomp_logging: true + +applicationEnv: + #Temporary Dummy CBS Port Value until internal SDK library is updated + CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dcae-tcagen2 + roles: + - read diff --git a/archive/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml b/archive/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml new file mode 100644 index 0000000000..4d1eb4a595 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml 
@@ -0,0 +1,42 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (c) 2021 AT&T Intellectual Property +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +apiVersion: v2 +appVersion: "London" +description: DCAE VES-Mapper Microservice +name: dcae-ves-mapper +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml b/archive/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-ves-mapper/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/configmap.yaml b/archive/dcaegen2-services/components/dcae-ves-mapper/templates/configmap.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/configmap.yaml rename to archive/dcaegen2-services/components/dcae-ves-mapper/templates/configmap.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/deployment.yaml b/archive/dcaegen2-services/components/dcae-ves-mapper/templates/deployment.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/deployment.yaml rename to archive/dcaegen2-services/components/dcae-ves-mapper/templates/deployment.yaml diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/secret.yaml b/archive/dcaegen2-services/components/dcae-ves-mapper/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/secret.yaml rename to archive/dcaegen2-services/components/dcae-ves-mapper/templates/secret.yaml 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/service.yaml b/archive/dcaegen2-services/components/dcae-ves-mapper/templates/service.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-ves-mapper/templates/service.yaml rename to archive/dcaegen2-services/components/dcae-ves-mapper/templates/service.yaml diff --git a/archive/dcaegen2-services/components/dcae-ves-mapper/values.yaml b/archive/dcaegen2-services/components/dcae-ves-mapper/values.yaml new file mode 100644 index 0000000000..b886ae40d3 --- /dev/null +++ b/archive/dcaegen2-services/components/dcae-ves-mapper/values.yaml 
@@ -0,0 +1,199 @@ +# ================================ LICENSE_START ============================= +# ============================================================================ +# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. +# Copyright (c) 2023 Deutsche Telekom AG. All rights reserved. +# ============================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ================================= LICENSE_END ============================== + +################################################################# +# Global Configuration Defaults. +################################################################# +global: + nodePortPrefix: 302 + nodePortPrefixExt: 304 + centralizedLoggingEnabled: true + +################################################################# +# Filebeat Configuration Defaults. +################################################################# +filebeatConfig: + logstashServiceName: log-ls + logstashPort: 5044 + +################################################################# +# Application Configuration Defaults. 
+################################################################# +# Application Image +image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.5.0 +pullPolicy: Always + +# Log directory where logging sidecar should look for log files +# if path is set to null sidecar won't be deployed in spite of +# global.centralizedLoggingEnabled setting. +log: + path: /opt/app/VESAdapter/logs +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +# Dependencies +readinessCheck: + wait_for: + services: + - message-router + +# Service Configuration +service: + type: ClusterIP + name: dcae-ves-mapper + ports: + - name: http + port: 80 + port_protocol: http + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + +# application environments +applicationEnv: + LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true' + CONFIG_BINDING_SERVICE_SERVICE_PORT: '10000' # Workaround until DCAEGEN2-3098 is addressed + CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' + + +# Initial Application Configuration +applicationConfig: + app_preferences: + collectors: + - identifier: notification-id + mapping-files: + - defaultMappingFile-rcc-notification: "org.onap.dcaegen2.ves.domain.ves70.CommonEventHeader.Version._4_0_1'pnfRegistration'org.onap.dcaegen2.ves.domain.ves70.CommonEventHeader.VesEventListenerVersion._7_0_1'registration_'+commonEventHeader.ts1'VESMapper'org.onap.dcaegen2.ves.domain.ves70.CommonEventHeader.Domain.PNF_REGISTRATIONcommonEventHeader.domaincommonEventHeader.ts1commonEventHeader.ts1org.onap.dcaegen2.ves.domain.ves70.CommonEventHeader.Priority.NORMALpnfRegistrationFields.vendorName+'-'+pnfRegistrationFields.serialNumberorg.onap.dcaegen2.ves.domain.ves70.PnfRegistrationFields.PnfRegistrationFieldsVersion._2_0" + stream_publisher: ves-pnfRegistration + stream_subscriber: rcc-notification + - identifier: notify OID + mapping-files: + - defaultMappingFile-snmp-notification: 
"'3.0''FaultField''XXXX''VESMapper'org.onap.dcaegen2.ves.domain.ves54.CommonEventHeader.Domain.FAULTcommonEventHeader.domainorg.onap.dcaegen2.ves.domain.ves54.CommonEventHeader.Priority.NORMAL'VesAdapter''SNMP Fault'org.onap.dcaegen2.ves.domain.ves54.FaultFields.VfStatus.ACTIVEorg.onap.dcaegen2.ves.domain.ves54.FaultFields.EventSeverity.MINOR" + stream_publisher: ves-fault + stream_subscriber: snmp-notification + streams_publishes: + ves-fault: + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.SEC_FAULT_OUTPUT + type: message_router + ves-pnfRegistration: + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.VES_PNFREG_OUTPUT + type: message_router + streams_subscribes: + rcc-notification: + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.DCAE_RCC_OUTPUT + type: message_router + snmp-notification: + dmaap_info: + topic_url: http://message-router:3904/events/unauthenticated.ONAP-COLLECTOR-SNMPTRAP + type: message_router + +# Resource Limit Flavor -By Default Using Small +flavor: small + +# Segregation for Different Environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "2" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dcae-ves-mapper + roles: + - read diff --git a/kubernetes/aaf/.helmignore b/archive/dmaap/.helmignore similarity index 100% rename from kubernetes/aaf/.helmignore rename to archive/dmaap/.helmignore diff --git a/archive/dmaap/Chart.yaml b/archive/dmaap/Chart.yaml new file mode 100644 index 0000000000..31c57e31d0 --- /dev/null +++ b/archive/dmaap/Chart.yaml 
@@ -0,0 +1,41 @@ +# Copyright © 2018 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2018 Amdocs,Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021-2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP DMaaP components +name: dmaap +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: message-router + version: ~13.x-0 + repository: 'file://components/message-router' + condition: message-router.enabled + - name: dmaap-dr-node + version: ~13.x-0 + repository: 'file://components/dmaap-dr-node' + condition: dmaap-dr-node.enabled + - name: dmaap-dr-prov + version: ~13.x-0 + repository: 'file://components/dmaap-dr-prov' + condition: dmaap-dr-prov.enabled + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/dmaap/Makefile b/archive/dmaap/Makefile similarity index 100% rename from kubernetes/dmaap/Makefile rename to archive/dmaap/Makefile diff --git a/archive/dmaap/README.md b/archive/dmaap/README.md new file mode 100644 index 0000000000..33362926b0 --- /dev/null +++ b/archive/dmaap/README.md 
@@ -0,0 +1,22 @@ +# Copyright © 2018 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2018 Amdocs,Bell Canada +# Copyright (c) 2023 J. F.Lucas. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Helm Chart for ONAP DMaaP Applications + +ONAP DMaaP includes the following Kubernetes services: + +1) message-router - a message bus for applications +2) dmaap-data-router - an API to provision data feeds for consumers diff --git a/kubernetes/dmaap/components/Makefile b/archive/dmaap/components/Makefile similarity index 100% rename from kubernetes/dmaap/components/Makefile rename to archive/dmaap/components/Makefile diff --git a/kubernetes/aaf/components/aaf-gui/.helmignore b/archive/dmaap/components/dmaap-dr-node/.helmignore similarity index 100% rename from kubernetes/aaf/components/aaf-gui/.helmignore rename to archive/dmaap/components/dmaap-dr-node/.helmignore diff --git a/archive/dmaap/components/dmaap-dr-node/Chart.yaml b/archive/dmaap/components/dmaap-dr-node/Chart.yaml new file mode 100644 index 0000000000..13e4ed7ca2 --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-node/Chart.yaml 
@@ -0,0 +1,34 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP DMaaP Data Router Node Server +name: dmaap-dr-node +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/archive/dmaap/components/dmaap-dr-node/resources/config/logback.xml b/archive/dmaap/components/dmaap-dr-node/resources/config/logback.xml new file mode 100644 index 0000000000..7d773830cd --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-node/resources/config/logback.xml 
@@ -0,0 +1,223 @@ + + + + + + + + + + + + + + + + + + + ${defaultPattern} + + + + + + + + + + + + ${logDirectory}/${auditLog}.log + + + + ${logDirectory}/${auditLog}.%i.log.zip + + 1 + 9 + + + 50MB + + + ${defaultPattern} + + + + + 256 + + + + + + + ${logDirectory}/${metricsLog}.log + + + + ${logDirectory}/${metricsLog}.%i.log.zip + + 1 + 9 + + + 50MB + + + ${defaultPattern} + + + + + 256 + + + + + + + + ${logDirectory}/${debugLog}.log + + + + ${logDirectory}/${debugLog}.%i.log.zip + + 1 + 9 + + + 50MB + + + ${defaultPattern} + + + + + 256 + + + + + + + ${logDirectory}/${errorLog}.log + + + + ${logDirectory}/${errorLog}.%i.log.zip + + 1 + 9 + + + 50MB + + + ${defaultPattern} + + + + + 256 + + + + + + ${logDirectory}/${jettyLog}.log + + + ${logDirectory}/${jettyLog}.%i.log.zip + + 1 + 9 + + + 50MB + + + ${defaultPattern} + + + + + 256 + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/archive/dmaap/components/dmaap-dr-node/resources/config/node.properties b/archive/dmaap/components/dmaap-dr-node/resources/config/node.properties new file mode 100644 index 0000000000..21d7c20abd --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-node/resources/config/node.properties 
@@ -0,0 +1,109 @@ +{{/* +#------------------------------------------------------------------------------- +# ============LICENSE_START================================================== +# * org.onap.dmaap +# * =========================================================================== +# * Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# * =========================================================================== +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# * ============LICENSE_END==================================================== +# * +# * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+# * +#------------------------------------------------------------------------------- +# +# Configuration parameters fixed at startup for the DataRouter node +# +# URL to retrieve dynamic configuration +# +#ProvisioningURL: ${DRTR_PROV_INTURL} +*/}} +ProvisioningURL=http://{{ .Values.global.dmaapDrProvName }}:8080/internal/prov + +# +# URL to upload PUB/DEL/EXP logs +# +#LogUploadURL: ${DRTR_LOG_URL} +LogUploadURL=http://{{ .Values.global.dmaapDrProvName }}:8080/internal/logs + +# +# The port number for http as seen within the server +# +#IntHttpPort: ${DRTR_NODE_INTHTTPPORT:-8080} +IntHttpPort={{ .Values.containerPort }} +# +# The port number for https as seen within the server +# +IntHttpsPort={{ .Values.containerPort }} +# +# The external port number for https taking port mapping into account +# +ExtHttpsPort=443 +# +# The minimum interval between fetches of the dynamic configuration +# from the provisioning server +# +MinProvFetchInterval=10000 +# +# The minimum interval between saves of the redirection data file +# +MinRedirSaveInterval=10000 +# +# The path to the directory where log files are stored +# +LogDir={{ .Values.persistence.event.path }} +# +# The retention interval (in days) for log files +# +LogRetention=30 +# +# The path to the directories where data and meta data files are stored +# +SpoolDir={{ .Values.persistence.spool.path }} +# +# The path to the redirection data file +# +RedirectionFile = etc/redirections.dat +# +# The type of keystore for https +KeyStoreType = PKCS12 +# +# The type of truststore for https +TrustStoreType = jks +# +# The path to the file used to trigger an orderly shutdown +QuiesceFile = etc/SHUTDOWN +# +# The key used to generate passwords for node to node transfers +NodeAuthKey = Node123! 
+# +# DR_NODE DEFAULT ENABLED TLS PROTOCOLS +NodeHttpsProtocols = TLSv1.1|TLSv1.2 +# +# AAF CADI enabled flag +CadiEnabled = false +# +# AAF type to generate permission string +AAFType = org.onap.dmaap-dr.feed +# +# AAF default instance to generate permission string - default should be legacy +AAFInstance = legacy +# +# AAF action to generate permission string - default should be publish +AAFAction = publish +# +# AAF Props file path +AAFPropsFilePath = /opt/app/osaaf/local/org.onap.dmaap-dr.props +# +# https security required for publish request +TlsEnabled = false \ No newline at end of file diff --git a/archive/dmaap/components/dmaap-dr-node/templates/configmap.yaml b/archive/dmaap/components/dmaap-dr-node/templates/configmap.yaml new file mode 100644 index 0000000000..ce64cabc92 --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-node/templates/configmap.yaml @@ -0,0 +1,31 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-node-props + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/node.properties").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-log + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} 
diff --git a/archive/dmaap/components/dmaap-dr-node/templates/ingress.yaml b/archive/dmaap/components/dmaap-dr-node/templates/ingress.yaml new file mode 100644 index 0000000000..f288af9b29 --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-node/templates/ingress.yaml @@ -0,0 +1,21 @@ +{{/* + # ============LICENSE_START=================================================== + # Copyright (C) 2022 Nordix Foundation, Orange. + # ============================================================================ + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # ============LICENSE_END===================================================== +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-event.yaml b/archive/dmaap/components/dmaap-dr-node/templates/pv-event.yaml similarity index 100% rename from kubernetes/dmaap/components/dmaap-dr-node/templates/pv-event.yaml rename to archive/dmaap/components/dmaap-dr-node/templates/pv-event.yaml diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/pv-spool.yaml b/archive/dmaap/components/dmaap-dr-node/templates/pv-spool.yaml similarity index 100% rename from kubernetes/dmaap/components/dmaap-dr-node/templates/pv-spool.yaml rename to archive/dmaap/components/dmaap-dr-node/templates/pv-spool.yaml 
diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/service.yaml b/archive/dmaap/components/dmaap-dr-node/templates/service.yaml similarity index 100% rename from kubernetes/dmaap/components/dmaap-dr-node/templates/service.yaml rename to archive/dmaap/components/dmaap-dr-node/templates/service.yaml diff --git a/archive/dmaap/components/dmaap-dr-node/templates/statefulset.yaml b/archive/dmaap/components/dmaap-dr-node/templates/statefulset.yaml new file mode 100644 index 0000000000..4bb57063ad --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-node/templates/statefulset.yaml 
@@ -0,0 +1,100 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + # temporarily use less restrictions + securityContext: + runAsUser: {{ .Values.securityContext.user_id }} + runAsGroup: {{ .Values.securityContext.group_id }} + fsGroup: {{ .Values.securityContext.group_id }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 8 }} + - name: {{ include "common.name" . }}-permission-fixer + securityContext: + runAsUser: 0 + image: {{ include "repositoryGenerator.image.busybox" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["chown","-Rf","1000:1001", "/opt/app/"] + volumeMounts: + - name: {{ include "common.fullname" . }}-spool + mountPath: {{ .Values.persistence.spool.path }} + - name: {{ include "common.fullname" . }}-event-logs + mountPath: {{ .Values.persistence.event.path }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{.Values.liveness.port}} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{.Values.readiness.port}} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - mountPath: {{ .Values.persistence.spool.path }} + name: {{ include "common.fullname" . }}-spool + - mountPath: {{ .Values.persistence.event.path }} + name: {{ include "common.fullname" . }}-event-logs + - mountPath: /opt/app/datartr/etc/node.properties + name: {{ include "common.fullname" . }}-config + subPath: node.properties + - mountPath: /opt/app/datartr/etc/logback.xml + name: {{ include "common.fullname" . }}-log-conf + subPath: logback.xml + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} + {{- end }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }}-node-props + items: + - key: node.properties + path: node.properties + - name: {{ include "common.fullname" . }}-log-conf + configMap: + name: {{ include "common.fullname" . }}-log + {{- if not .Values.persistence.enabled }} + - name: {{ include "common.fullname" . }}-event-logs + emptyDir: {} + - name: {{ include "common.fullname" . 
}}-spool + emptyDir: {} + {{- end }} +{{- if .Values.persistence.enabled }} + volumeClaimTemplates: + - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "spool" "persistenceInfos" .Values.persistence.spool) | indent 4 | trim }} + - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "event-logs" "persistenceInfos" .Values.persistence.event) | indent 4 | trim }} +{{- end }} diff --git a/archive/dmaap/components/dmaap-dr-node/values.yaml b/archive/dmaap/components/dmaap-dr-node/values.yaml new file mode 100644 index 0000000000..e3f0595b1f --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-node/values.yaml 
@@ -0,0 +1,131 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + dmaapDrProvName: dmaap-dr-prov + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/dmaap/datarouter-node:2.1.15 +pullPolicy: Always + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# application configuration - see parent values chart +# dr uses the EELF Logging framework https://github.com/att/EELF +# and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF +logLevel: "DEBUG" + +containerPort: &svc_port 8080 + +service: + type: ClusterIP + name: dmaap-dr-node + ports: + - name: http + port: *svc_port + +ingress: + enabled: false + service: + - baseaddr: "dmaap-dr-node-api" + name: "dmaap-dr-node" + port: *svc_port + config: + ssl: "redirect" + +# probe configuration parameters +liveness: + initialDelaySeconds: 30 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: *svc_port + +readiness: + initialDelaySeconds: 30 + periodSeconds: 10 + port: 
*svc_port + +## Persist data to a persistent volume +persistence: + enabled: true + mountPath: /dockerdata-nfs + spool: + enabled: true + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + mountSubPath: data-router/dr-node/spool-data + size: 2Gi + path: /opt/app/datartr/spool + labels: + app.kubernetes.io/component: spool + + event: + enabled: true + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + mountSubPath: data-router/dr-node/event-logs + path: /opt/app/datartr/logs + size: 2Gi + labels: + app.kubernetes.io/component: event-logs + +# Resource Limit flavor -By Default using small +flavor: small + +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: dmaap-dr-node + roles: + - read + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for: + services: + - dmaap-dr-prov diff --git a/kubernetes/aaf/components/aaf-locate/.helmignore b/archive/dmaap/components/dmaap-dr-prov/.helmignore similarity index 100% rename from kubernetes/aaf/components/aaf-locate/.helmignore rename to archive/dmaap/components/dmaap-dr-prov/.helmignore diff --git a/archive/dmaap/components/dmaap-dr-prov/Chart.yaml b/archive/dmaap/components/dmaap-dr-prov/Chart.yaml new file mode 100644 index 0000000000..fb3ff1236d --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-prov/Chart.yaml 
@@ -0,0 +1,40 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP DMaaP Data Router Provisioning Server +name: dmaap-dr-prov +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: mariadb-galera + version: ~13.x-0 + repository: '@local' + condition: global.mariadbGalera.localCluster + - name: mariadb-init + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/dmaap/components/dmaap-dr-prov/resources/config/logback.xml b/archive/dmaap/components/dmaap-dr-prov/resources/config/logback.xml new file mode 100644 index 0000000000..9a3c383f8f --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-prov/resources/config/logback.xml 
@@ -0,0 +1,406 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ${defaultPattern} + + + + + + + + + + + + ${logDirectory}/${generalLogName}.log + + INFO + ACCEPT + DENY + + + ${logDirectory}/${generalLogName}.%i.log.zip + + 1 + 9 + + + 50MB + + + ${defaultPattern} + + + + + 256 + + + + + + + + + + + + + + + + + + + + + + + + + + + ${logDirectory}/${errorLogName}.log + + ERROR + ACCEPT + DENY + + + ${logDirectory}/${errorLogName}.%i.log.zip + + 1 + 9 + + + 50MB + + + ${defaultPattern} + + + + + 256 + + + + + + ${logDirectory}/${jettyLogName}.log + + + ${logDirectory}/${jettyLogName}.%i.log.zip + + 1 + 9 + + + 50MB + + + ${jettyLoggerPattern} + + + + + 256 + + true + + + + + + + ${logDirectory}/${debugLogName}.log + + + ${logDirectory}/${debugLogName}.%i.log.zip + + 1 + 9 + + + 50MB + + + ${defaultPattern} + + + + + 256 + + true + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/archive/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties b/archive/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties new file mode 100644 index 0000000000..a56de3cd3b --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties 
@@ -0,0 +1,44 @@ +{{/* +#------------------------------------------------------------------------------- +# ============LICENSE_START================================================== +# * org.onap.dmaap +# * =========================================================================== +# * Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# * =========================================================================== +# * Licensed under the Apache License, Version 2.0 (the "License"); +# * you may not use this file except in compliance with the License. +# * You may obtain a copy of the License at +# * +# * http://www.apache.org/licenses/LICENSE-2.0 +# * +# * Unless required by applicable law or agreed to in writing, software +# * distributed under the License is distributed on an "AS IS" BASIS, +# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# * See the License for the specific language governing permissions and +# * limitations under the License. +# * ============LICENSE_END==================================================== +# * +# * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
+# * +#------------------------------------------------------------------------------- +*/}} + + +#Jetty Server properties +org.onap.dmaap.datarouter.provserver.http.port = {{ .Values.containerPort }} +org.onap.dmaap.datarouter.provserver.https.relaxation = true + +org.onap.dmaap.datarouter.provserver.tlsenabled = false +org.onap.dmaap.datarouter.nodeserver.http.port = 8080 + +org.onap.dmaap.datarouter.provserver.accesslog.dir = /opt/app/datartr/logs +org.onap.dmaap.datarouter.provserver.spooldir = /opt/app/datartr/spool +org.onap.dmaap.datarouter.provserver.dbscripts = /opt/app/datartr/etc/misc +org.onap.dmaap.datarouter.provserver.logretention = 30 + +# Database access +org.onap.dmaap.datarouter.db.driver = org.mariadb.jdbc.Driver +org.onap.dmaap.datarouter.db.url = jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{index .Values "mariadb-galera" "db" "name"}} +org.onap.dmaap.datarouter.db.login = ${DB_USERNAME} +org.onap.dmaap.datarouter.db.password = ${DB_PASSWORD} + diff --git a/archive/dmaap/components/dmaap-dr-prov/templates/configmap.yaml b/archive/dmaap/components/dmaap-dr-prov/templates/configmap.yaml new file mode 100644 index 0000000000..1cd524423e --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-prov/templates/configmap.yaml 
@@ -0,0 +1,38 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-log + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} +--- +{{ include "common.log.configMap" . }} diff --git a/archive/dmaap/components/dmaap-dr-prov/templates/deployment.yaml b/archive/dmaap/components/dmaap-dr-prov/templates/deployment.yaml new file mode 100644 index 0000000000..197638e654 --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-prov/templates/deployment.yaml 
@@ -0,0 +1,77 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim}} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + port: {{ .Values.liveness.port }} + path: /internal/prov + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + httpGet: + port: {{ .Values.liveness.port }} + path: /internal/prov + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + env: + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "dmaap-dr-db-user-credentials" "key" "login") | indent 12 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-dr-db-user-credentials" "key" "password") | indent 12 }} + volumeMounts: + - mountPath: /opt/app/datartr/etc/provserver.properties + name: {{ include "common.fullname" . }}-config + subPath: provserver.properties + - mountPath: /opt/app/datartr/etc/logback.xml + name: {{ include "common.fullname" . }}-log-conf + subPath: logback.xml + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }}-configmap + items: + - key: provserver.properties + path: provserver.properties + - name: {{ include "common.fullname" . }}-log-conf + configMap: + name: {{ include "common.fullname" . }}-log + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/archive/dmaap/components/dmaap-dr-prov/templates/ingress.yaml b/archive/dmaap/components/dmaap-dr-prov/templates/ingress.yaml new file mode 100644 index 0000000000..f288af9b29 --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-prov/templates/ingress.yaml 
@@ -0,0 +1,21 @@ +{{/* + # ============LICENSE_START=================================================== + # Copyright (C) 2022 Nordix Foundation, Orange. + # ============================================================================ + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + # + # SPDX-License-Identifier: Apache-2.0 + # ============LICENSE_END===================================================== +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/secret.yaml b/archive/dmaap/components/dmaap-dr-prov/templates/secret.yaml similarity index 100% rename from kubernetes/dcaegen2-services/components/dcae-tcagen2/templates/secret.yaml rename to archive/dmaap/components/dmaap-dr-prov/templates/secret.yaml diff --git a/archive/dmaap/components/dmaap-dr-prov/templates/service.yaml b/archive/dmaap/components/dmaap-dr-prov/templates/service.yaml new file mode 100644 index 0000000000..306b0f17eb --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-prov/templates/service.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/archive/dmaap/components/dmaap-dr-prov/values.yaml b/archive/dmaap/components/dmaap-dr-prov/values.yaml new file mode 100644 index 0000000000..c13ba57c83 --- /dev/null +++ b/archive/dmaap/components/dmaap-dr-prov/values.yaml 
@@ -0,0 +1,153 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows DMAAP-DR to instantiate its own mariadb-galera cluster + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - name: &dbUserSecretName '{{ include "common.release" . }}-dmaap-dr-db-user-credentials' + uid: 'dmaap-dr-db-user-credentials' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) (hasSuffix "dmaap-dr-db-user-credentials" (index .Values "mariadb-galera" "db" "externalSecret"))}}' + login: '{{ index .Values "mariadb-galera" "db" "user" }}' + password: '{{ index .Values "mariadb-galera" "db" "password" }}' + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/dmaap/datarouter-prov:2.1.15 +pullPolicy: Always + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +containerPort: &svc_port 8080 + +service: + type: ClusterIP + name: dmaap-dr-prov + ports: + - name: &port http + port: *svc_port + +ingress: + enabled: false + service: + - baseaddr: "dmaap-dr-prov-api" + name: "dmaap-dr-prov" + port: *svc_port + config: + ssl: "redirect" + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-dmaap-dr-mariadb-init-config-job' + +# dr uses the EELF Logging framework https://github.com/att/EELF +# and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF +logLevel: "DEBUG" + +# probe configuration parameters +liveness: + initialDelaySeconds: 60 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: *svc_port + +readiness: + initialDelaySeconds: 60 + periodSeconds: 10 + port: *svc_port + +# mariadb-galera configuration +mariadb-galera: + nameOverride: &dbServer dmaap-dr-db + replicaCount: 1 + mariadbOperator: + galera: + enabled: false + db: + name: &mysqlDbName datarouter + user: datarouter + # password: + externalSecret: *dbUserSecretName + service: + name: *dbServer + nfsprovisionerPrefix: dmaap-dr-db + persistence: + size: 1Gi + mountSubPath: data-router/dr-db-data + serviceAccount: + nameOverride: *dbServer + +mariadb-init: + config: + userCredentialsExternalSecret: *dbUserSecretName + mysqlDatabase: *mysqlDbName + nameOverride: dmaap-dr-mariadb-init + serviceAccount: + nameOverride: dmaap-dr-mariadb-init + +# Resource Limit flavor -By Default using small +flavor: small + +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + 
limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +#Pods Security Context +securityContext: + user_id: 1000 + group_id: 1000 + +#Pods Service Account +serviceAccount: + nameOverride: dmaap-dr-prov + roles: + - read diff --git a/kubernetes/aaf/components/aaf-oauth/.helmignore b/archive/dmaap/components/message-router/.helmignore similarity index 100% rename from kubernetes/aaf/components/aaf-oauth/.helmignore rename to archive/dmaap/components/message-router/.helmignore diff --git a/archive/dmaap/components/message-router/Chart.yaml b/archive/dmaap/components/message-router/Chart.yaml new file mode 100644 index 0000000000..adc0599e94 --- /dev/null +++ b/archive/dmaap/components/message-router/Chart.yaml @@ -0,0 +1,35 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Message Router +name: message-router +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' 
diff --git a/kubernetes/aaf/components/aaf-sms/Makefile b/archive/dmaap/components/message-router/Makefile similarity index 100% rename from kubernetes/aaf/components/aaf-sms/Makefile rename to archive/dmaap/components/message-router/Makefile diff --git a/archive/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties b/archive/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties new file mode 100755 index 0000000000..2dea84d289 --- /dev/null +++ b/archive/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties 
@@ -0,0 +1,135 @@ +{{/* +# LICENSE_START======================================================= +# org.onap.dmaap +# ================================================================================ +# Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2021-2022 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +# +# ECOMP is a trademark and service mark of AT&T Intellectual Property. +# +############################################################################### +############################################################################### +*/}} +## +## Kafka Connection +## +## Items below are passed through to Kafka's producer and consumer +## configurations (after removing "kafka.") +## if you want to change request.required.acks it can take this one value +#kafka.request.required.acks=-1 +kafka.metadata.broker.list={{ include "common.release" . 
}}-strimzi-kafka-bootstrap:9092 +config.zk.servers=127.0.0.1:{{ .Values.zkTunnelService.internalPort }} +consumer.timeout.ms=100 +zookeeper.connection.timeout.ms=6000 +zookeeper.session.timeout.ms=20000 +zookeeper.sync.time.ms=2000 +auto.commit.interval.ms=1000 +fetch.message.max.bytes =1000000 +auto.commit.enable=false + +#(backoff*retries > zksessiontimeout) +kafka.rebalance.backoff.ms=10000 +kafka.rebalance.max.retries=6 + + +############################################################################### +## +## Secured Config +## +## Some data stored in the config system is sensitive -- API keys and secrets, +## for example. to protect it, we use an encryption layer for this section +## of the config. +## +## The key is a base64 encode AES key. This must be created/configured for +## each installation. +#cambria.secureConfig.key= +## +## The initialization vector is a 16 byte value specific to the secured store. +## This must be created/configured for each installation. +#cambria.secureConfig.iv= + +## Southfield Sandbox +cambria.secureConfig.key=b/7ouTn9FfEw2PQwL0ov/Q== +cambria.secureConfig.iv=wR9xP5k5vbz/xD0LmtqQLw== +authentication.adminSecret=fe3cCompound +#cambria.secureConfig.key[pc569h]=YT3XPyxEmKCTLI2NK+Sjbw== +#cambria.secureConfig.iv[pc569h]=rMm2jhR3yVnU+u2V9Ugu3Q== + + +############################################################################### +## +## Consumer Caching +## +## Kafka expects live connections from the consumer to the broker, which +## obviously doesn't work over connectionless HTTP requests. The Cambria +## server proxies HTTP requests into Kafka consumer sessions that are kept +## around for later re-use. Not doing so is costly for setup per request, +## which would substantially impact a high volume consumer's performance. +## +## This complicates Cambria server failover, because we often need server +## A to close its connection before server B brings up the replacement. +## + +## The consumer cache is normally enabled. 
+#cambria.consumer.cache.enabled=true + +## Cached consumers are cleaned up after a period of disuse. The server inspects +## consumers every sweepFreqSeconds and will clean up any connections that are +## dormant for touchFreqMs. +#cambria.consumer.cache.sweepFreqSeconds=15 +cambria.consumer.cache.touchFreqMs=120000 +##stickforallconsumerrequests=false +## The cache is managed through ZK. The default value for the ZK connection +## string is the same as config.zk.servers. +#cambria.consumer.cache.zkConnect=${config.zk.servers} + +## +## Shared cache information is associated with this node's name. The default +## name is the hostname plus the HTTP service port this host runs on. (The +## hostname is determined via InetAddress.getLocalHost ().getCanonicalHostName(), +## which is not always adequate.) You can set this value explicitly here. +## +#cambria.api.node.identifier= + +#cambria.rateLimit.maxEmptyPollsPerMinute=30 +#cambria.rateLimitActual.delay.ms=10 + +############################################################################### +## +## Metrics Reporting +## +## This server can report its metrics periodically on a topic. +## +#metrics.send.cambria.enabled=true +#metrics.send.cambria.topic=cambria.apinode.metrics #msgrtr.apinode.metrics.dmaap +#metrics.send.cambria.sendEverySeconds=60 + +cambria.consumer.cache.zkBasePath=/fe3c/cambria/consumerCache +consumer.timeout=17 +default.partitions=3 +default.replicas=3 +############################################################################## +#100mb +maxcontentlength=10000 + +############################################################################## +##AAF Properties +forceAAF=false +useCustomAcls=false + +kafka.max.poll.interval.ms=300000 +kafka.heartbeat.interval.ms=60000 +kafka.session.timeout.ms=240000 +kafka.max.poll.records=1000 
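Review bot: `cambria.secureConfig.key`, `cambria.secureConfig.iv` and `authentication.adminSecret=fe3cCompound` under the "Southfield Sandbox" block of MsgRtrApi.properties are committed as literal values, although the comment directly above them says the key and IV "must be created/configured for each installation". templates/configmap.yaml renders this file into a ConfigMap via `.Files.Glob ... AsConfig`, so every installation of the chart shares the same AES key, IV and admin secret, and anyone who can read the ConfigMap or this repository can read them. Suggest leaving the `#cambria.secureConfig.key=` and `#cambria.secureConfig.iv=` placeholders empty in the committed file and rendering these three properties into a Secret with per-installation values instead of a ConfigMap. Separately, the `#100mb` comment above `maxcontentlength=10000` does not match the value; please correct one or the other.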
diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/logback.xml b/archive/dmaap/components/message-router/resources/config/dmaap/logback.xml similarity index 100% rename from kubernetes/dmaap/components/message-router/resources/config/dmaap/logback.xml rename to archive/dmaap/components/message-router/resources/config/dmaap/logback.xml diff --git a/archive/dmaap/components/message-router/templates/configmap.yaml b/archive/dmaap/components/message-router/templates/configmap.yaml new file mode 100644 index 0000000000..3f786ad950 --- /dev/null +++ b/archive/dmaap/components/message-router/templates/configmap.yaml 
@@ -0,0 +1,43 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2021-2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-msgrtrapi-prop-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/dmaap/MsgRtrApi.properties").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-logback-xml-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/dmaap/logback.xml").AsConfig . | indent 2 }} + diff --git a/archive/dmaap/components/message-router/templates/ingress.yaml b/archive/dmaap/components/message-router/templates/ingress.yaml new file mode 100644 index 0000000000..a90bf83c07 --- /dev/null +++ b/archive/dmaap/components/message-router/templates/ingress.yaml 
@@ -0,0 +1,18 @@ +{{/* +# Copyright © 2018 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2018 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/message-router/templates/service.yaml b/archive/dmaap/components/message-router/templates/service.yaml similarity index 100% rename from kubernetes/dmaap/components/message-router/templates/service.yaml rename to archive/dmaap/components/message-router/templates/service.yaml diff --git a/archive/dmaap/components/message-router/templates/statefulset.yaml b/archive/dmaap/components/message-router/templates/statefulset.yaml new file mode 100644 index 0000000000..ede6cb025e --- /dev/null +++ b/archive/dmaap/components/message-router/templates/statefulset.yaml 
@@ -0,0 +1,156 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2023 DTAG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: StatefulSet +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }} + replicas: 1 + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . 
| nindent 10 }} + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + successThreshold: {{ .Values.readiness.successThreshold }} + failureThreshold: {{ .Values.readiness.failureThreshold }} + startupProbe: + tcpSocket: + port: {{ .Values.startup.port }} + initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} + periodSeconds: {{ .Values.startup.periodSeconds }} + timeoutSeconds: {{ .Values.startup.timeoutSeconds }} + successThreshold: {{ .Values.startup.successThreshold }} + failureThreshold: {{ .Values.startup.failureThreshold }} + env: + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: strimzi-kafka-admin + key: sasl.jaas.config + - name: SASLMECH + value: scram-sha-512 + - name: enableCadi + value: "true" + - name: useZkTopicStore + value: "false" + volumeMounts: + - mountPath: /appl/dmaapMR1/bundleconfig/etc/appprops/MsgRtrApi.properties + subPath: MsgRtrApi.properties + name: appprops + - mountPath: /appl/dmaapMR1/bundleconfig/etc/logback.xml + subPath: logback.xml + name: logback + resources: {{ include "common.resources" . | nindent 12 }} + - name: {{ .Values.zkTunnelService.name }} + image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.zkTunnelService.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /opt/stunnel/stunnel_run.sh + ports: + - containerPort: {{ .Values.zkTunnelService.internalPort }} + name: {{ .Values.zkTunnelService.portName }} + protocol: {{ .Values.zkTunnelService.protocol }} + env: + - name: LOG_LEVEL + value: {{ .Values.zkTunnelService.logLevel }} + - name: STRIMZI_ZOOKEEPER_CONNECT + value: '{{ include "common.release" . }}-strimzi-zookeeper-client:{{ .Values.zkTunnelService.internalPort }}' + livenessProbe: + exec: + command: + - /opt/stunnel/stunnel_healthcheck.sh + - '{{ .Values.zkTunnelService.internalPort }}' + failureThreshold: 3 + initialDelaySeconds: 15 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - /opt/stunnel/stunnel_healthcheck.sh + - '{{ .Values.zkTunnelService.internalPort }}' + failureThreshold: 3 + initialDelaySeconds: 15 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + volumeMounts: + - mountPath: /etc/cluster-operator-certs/ + name: cluster-operator-certs + - mountPath: /etc/cluster-ca-certs/ + name: cluster-ca-certs + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: appprops + configMap: + name: {{ include "common.fullname" . }}-msgrtrapi-prop-configmap + - name: logback + configMap: + name: {{ include "common.fullname" . }}-logback-xml-configmap + - name: cluster-operator-certs + secret: + defaultMode: 288 + secretName: {{ include "common.release" . }}-strimzi-cluster-operator-certs + - name: cluster-ca-certs + secret: + defaultMode: 288 + secretName: {{ include "common.release" . }}-strimzi-cluster-ca-cert + {{- include "common.imagePullSecrets" . | nindent 6 }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "common.fullname" . }}-zk-network-policy + namespace: {{ include "common.namespace" . 
}} +spec: + podSelector: + matchLabels: + strimzi.io/name: {{ include "common.release" . }}-strimzi-zookeeper + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "common.name" . }} + ports: + - port: {{ .Values.zkTunnelService.internalPort }} + protocol: {{ .Values.zkTunnelService.protocol }} + policyTypes: + - Ingress diff --git a/archive/dmaap/components/message-router/values.yaml b/archive/dmaap/components/message-router/values.yaml new file mode 100644 index 0000000000..ab6a31ee2e --- /dev/null +++ b/archive/dmaap/components/message-router/values.yaml 
@@ -0,0 +1,117 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2023 DTAG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/dmaap/dmaap-mr:1.4.4 +pullPolicy: Always + +#Strimzi zookeeper_tunnel config +zkTunnelService: + type: ClusterIP + name: zk-tunnel-svc + portName: tcp-zk-tunnel + protocol: TCP + internalPort: 2181 + logLevel: debug + image: scholzj/zoo-entrance:latest + +nodeSelector: {} + +affinity: {} + +containerPort: &svc_port 3904 + +service: + type: ClusterIP + name: message-router + ports: + - name: api + port: *svc_port + port_protocol: http + +ingress: + enabled: false + service: + - baseaddr: "dmaap-mr-api" + name: "message-router" + port: *svc_port + config: + ssl: "redirect" + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 3 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + port: *svc_port + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + port: *svc_port + +# periodSeconds is set longer to avoid DMaaP 429 error +startup: + initialDelaySeconds: 90 + periodSeconds: 30 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 70 + port: *svc_port + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "2" + memory: "4Gi" + requests: + cpu: "1" + memory: "2Gi" + large: + limits: + cpu: "4" + memory: "8Gi" + requests: + cpu: "2" + memory: "4Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: message-router + roles: + - read diff --git a/archive/dmaap/values.yaml b/archive/dmaap/values.yaml new file mode 100644 index 0000000000..6faab9cdbc --- /dev/null +++ b/archive/dmaap/values.yaml 
@@ -0,0 +1,34 @@ +# Copyright © 2018 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2018 Amdocs,Bell Canada +# Modifications Copyright © 2021-2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} +#Component overrides +message-router: + enabled: true +dmaap-dr-node: + enabled: true +dmaap-dr-prov: + enabled: true + +#Pods Service Account +serviceAccount: + nameOverride: dmaap + roles: + - read diff --git a/kubernetes/aaf/components/aaf-service/.helmignore b/archive/holmes/.helmignore similarity index 100% rename from kubernetes/aaf/components/aaf-service/.helmignore rename to archive/holmes/.helmignore diff --git a/archive/holmes/Chart.yaml b/archive/holmes/Chart.yaml new file mode 100644 index 0000000000..7a8a23a42f --- /dev/null +++ b/archive/holmes/Chart.yaml 
@@ -0,0 +1,43 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 ZTE +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP DCAE HOLMES +name: holmes +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + condition: global.postgres.localCluster + - name: postgres-init + version: ~13.x-0 + repository: '@local' + condition: global.postgres.globalCluster + - name: holmes-rule-mgmt + version: ~13.x-0 + repository: 'file://components/holmes-rule-mgmt' + - name: holmes-engine-mgmt + version: ~13.x-0 + repository: 'file://components/holmes-engine-mgmt' diff --git a/kubernetes/appc/Makefile b/archive/holmes/Makefile similarity index 100% rename from kubernetes/appc/Makefile rename to archive/holmes/Makefile diff --git a/kubernetes/appc/components/Makefile b/archive/holmes/components/Makefile similarity index 100% rename from kubernetes/appc/components/Makefile rename to archive/holmes/components/Makefile 
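Review bot: In archive/dmaap/components/message-router/values.yaml, `zkTunnelService.image: scholzj/zoo-entrance:latest` is an unpinned tag, and with `pullPolicy: Always` the image content can change on any pod restart. statefulset.yaml mounts the `strimzi-cluster-operator-certs` and `strimzi-cluster-ca-cert` secrets into this container, so whatever that tag resolves to receives the ZooKeeper client credentials. Suggest pinning to a specific version tag or digest, as is already done for `onap/dmaap/dmaap-mr:1.4.4`. `logLevel: debug` for the tunnel also reads like a development default and deserves either a comment or a lower level.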
diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/.helmignore b/archive/holmes/components/holmes-engine-mgmt/.helmignore similarity index 100% rename from kubernetes/holmes/components/holmes-engine-mgmt/.helmignore rename to archive/holmes/components/holmes-engine-mgmt/.helmignore diff --git a/archive/holmes/components/holmes-engine-mgmt/Chart.yaml b/archive/holmes/components/holmes-engine-mgmt/Chart.yaml new file mode 100644 index 0000000000..df7f2c0c72 --- /dev/null +++ b/archive/holmes/components/holmes-engine-mgmt/Chart.yaml @@ -0,0 +1,35 @@ +# Modifications Copyright © 2021 ZTE +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +appVersion: "2.0" +description: Holmes Engine Management +name: holmes-engine-mgmt +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/archive/holmes/components/holmes-engine-mgmt/resources/config/application.yaml b/archive/holmes/components/holmes-engine-mgmt/resources/config/application.yaml new file mode 100644 index 0000000000..34c4024059 --- /dev/null +++ b/archive/holmes/components/holmes-engine-mgmt/resources/config/application.yaml 
@@ -0,0 +1,18 @@ +server: + port: 9102 + servlet: + context-path: /api/holmes-engine-mgmt/v1 + +logging: + config: classpath:logback-spring.xml + +spring: + application: + name: Holmes Engine Management + datasource: + dirver-class-name: org.postgresql.Driver + url: jdbc:postgresql://${URL_JDBC}:${DB_PORT}/${DB_NAME} + username: ${JDBC_USERNAME} + password: ${JDBC_PASSWORD} + mvc: + throw-exception-if-no-handler-found: true \ No newline at end of file diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/cfy.json b/archive/holmes/components/holmes-engine-mgmt/resources/config/cfy.json similarity index 100% rename from kubernetes/holmes/components/holmes-engine-mgmt/resources/config/cfy.json rename to archive/holmes/components/holmes-engine-mgmt/resources/config/cfy.json diff --git a/archive/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml b/archive/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml new file mode 100644 index 0000000000..9a16390856 --- /dev/null +++ b/archive/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml 
@@ -0,0 +1,72 @@ +# +# Copyright 2017 ZTE Corporation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +server: + type: simple + rootPath: '/api/holmes-engine-mgmt/v1/*' + applicationContextPath: / + adminContextPath: /admin + connector: + type: http + port: 9102 + validateCerts: false + validatePeers: false + + +# Logging settings. +logging: + + # The default level of all loggers. Can be OFF, ERROR, WARN, INFO, DEBUG, TRACE, or ALL. + level: INFO + + # Logger-specific levels. + loggers: + + # Sets the level for 'com.example.app' to DEBUG. 
+ org.onap.holmes.engine: ALL + + appenders: + - type: console + threshold: INFO + timeZone: UTC + logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" + - type: file + threshold: ERROR + logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" + currentLogFilename: /var/log/ONAP/holmes/engine-d-error.log + archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/engine-d-error-%d{yyyy-MM-dd}.log.gz + archivedFileCount: 7 + - type: file + threshold: INFO + logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" + currentLogFilename: /var/log/ONAP/holmes/engine-d-debug.log + archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/engine-d-debug-%d{yyyy-MM-dd}.log.gz + archivedFileCount: 7 + + +database: + driverClass: org.postgresql.Driver + user: ${JDBC_USERNAME} + password: ${JDBC_PASSWORD} + url: jdbc:postgresql://${URL_JDBC}:${DB_PORT}/${DB_NAME} + properties: + charSet: UTF-8 + maxWaitForConnection: 1s + validationQuery: "/* MyService Health Check */ SELECT 1" + minSize: 8 + maxSize: 100 + checkConnectionWhileIdle: false + evictionInterval: 10s + minIdleTime: 1s diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/onap-holmes_engine-createobj.sql b/archive/holmes/components/holmes-engine-mgmt/resources/config/onap-holmes_engine-createobj.sql similarity index 100% rename from kubernetes/holmes/components/holmes-engine-mgmt/resources/config/onap-holmes_engine-createobj.sql rename to archive/holmes/components/holmes-engine-mgmt/resources/config/onap-holmes_engine-createobj.sql diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/templates/configmap.yaml b/archive/holmes/components/holmes-engine-mgmt/templates/configmap.yaml similarity index 100% rename from kubernetes/holmes/components/holmes-engine-mgmt/templates/configmap.yaml rename to archive/holmes/components/holmes-engine-mgmt/templates/configmap.yaml 
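Review bot: In archive/holmes/components/holmes-engine-mgmt/resources/config/application.yaml, the key `dirver-class-name` under `spring.datasource` is misspelled and should be `driver-class-name`. Spring Boot will not bind the misspelled key, so the driver is chosen only by inference from the `jdbc:postgresql://` URL rather than by this setting. The file also ends without a trailing newline.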
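Review bot: In archive/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml, the comment "Sets the level for 'com.example.app' to DEBUG" sits above `org.onap.holmes.engine: ALL`, so it describes neither the logger nor the level; please update it and confirm that ALL is intended as a shipped default. The second file appender writes to `engine-d-debug.log` with `threshold: INFO`, so the file named debug never receives DEBUG output. `validateCerts: false` and `validatePeers: false` on the `http` connector need a comment explaining why they are set, or removal if they have no effect without TLS.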
diff --git a/archive/holmes/components/holmes-engine-mgmt/templates/deployment.yaml b/archive/holmes/components/holmes-engine-mgmt/templates/deployment.yaml new file mode 100644 index 0000000000..641f032ce4 --- /dev/null +++ b/archive/holmes/components/holmes-engine-mgmt/templates/deployment.yaml 
@@ -0,0 +1,145 @@ +{{/* +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2021 ZTE Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +{{- $sum := "" }} +{{- range $path, $bytes := .Files.Glob "resources/config/*.json"}} +{{- $sum = $.Files.Get $path | sha256sum | print $sum }} +{{- end }} + annotations: + checksum/config: {{ $sum | sha256sum }} + +spec: + replicas: 1 + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{- if .Values.global.postgres.localCluster }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }} + {{ else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }} + {{- end }} + - name: {{ include "common.name" . }}-env-config + image: {{ include "repositoryGenerator.image.envsubst" . 
}} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - sh + args: + - -c + - "cd /hemconfig && for PFILE in `find . -type f -not -name '*.json'`; do envsubst < ${PFILE} > /config/${PFILE##*/}; done" + env: + - name: JDBC_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: JDBC_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + - name: DB_NAME + value: {{ .Values.config.pgConfig.dbName }} + - name: URL_JDBC + value: {{ .Values.config.pgConfig.dbHost }} + - name: DB_PORT + value: "{{ .Values.config.pgConfig.dbPort }}" + - name: AAI_ADDR + value: aai + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_USERNAME + value: {{ .Values.config.aai.username }} + - name: AAI_PASSWORD + value: {{ .Values.config.aai.password }} + - name: NAMESPACE + value: {{ include "common.namespace" . }} + volumeMounts: + - mountPath: /hemconfig + name: {{ include "common.fullname" . }}-config + - mountPath: /config + name: {{ include "common.fullname" . }}-env-config + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: {{ include "common.resources" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + volumeMounts: + - name: {{ include "common.fullname" . }}-env-config + mountPath: /opt/hemconfig + - name: {{ include "common.fullname" . 
}}-config + mountPath: /opt/hemtopics + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + path: {{ .Values.liveness.path }} + port: {{ .Values.liveness.port }} + scheme: {{ .Values.liveness.scheme }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{- end }} + readinessProbe: + httpGet: + path: {{ .Values.readiness.path }} + port: {{ .Values.readiness.port }} + scheme: {{ .Values.readiness.scheme }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + failureThreshold: 1 + successThreshold: 1 + timeoutSeconds: 1 + env: + - name: CONSUL_HOST + value: consul-server.{{ include "common.namespace" . }} + - name: CONFIG_BINDING_SERVICE + value: config-binding-service + - name: MSB_IAG_SERVICE_PROTOCOL + value: {{ .Values.global.msbProtocol }} + - name: MSB_IAG_SERVICE_HOST + value: {{ .Values.global.msbServiceName }}.{{ include "common.namespace" . }} + - name: MSB_IAG_SERVICE_PORT + value: {{ .Values.global.msbPort | quote }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + - name: JDBC_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: JDBC_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + - name: DB_NAME + value: {{ .Values.config.pgConfig.dbName }} + - name: URL_JDBC + value: {{ .Values.config.pgConfig.dbHost }} + - name: DB_PORT + value: "{{ .Values.config.pgConfig.dbPort }}" + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . 
)}} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + defaultMode: 422 + name: {{ include "common.fullname" . }} + - name: {{ include "common.fullname" . }}-env-config + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/secret.yaml b/archive/holmes/components/holmes-engine-mgmt/templates/secret.yaml similarity index 100% rename from kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/secret.yaml rename to archive/holmes/components/holmes-engine-mgmt/templates/secret.yaml diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/templates/service.yaml b/archive/holmes/components/holmes-engine-mgmt/templates/service.yaml similarity index 100% rename from kubernetes/holmes/components/holmes-engine-mgmt/templates/service.yaml rename to archive/holmes/components/holmes-engine-mgmt/templates/service.yaml diff --git a/archive/holmes/components/holmes-engine-mgmt/values.yaml b/archive/holmes/components/holmes-engine-mgmt/values.yaml new file mode 100644 index 0000000000..bd06bcd1ee --- /dev/null +++ b/archive/holmes/components/holmes-engine-mgmt/values.yaml 
@@ -0,0 +1,137 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2021 ZTE Corporation Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefixExt: 302 + msbProtocol: http + msbServiceName: msb-iag + msbPort: 80 + postgres: + localCluster: false + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/holmes/engine-management:12.0.1 +consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 + +################################################################# +# Secrets metaconfig +################################################################# +secrets: +- uid: pg-user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgConfig.dbUserCredsExternalSecret) . 
}}' + login: '{{ .Values.config.pgConfig.dbUser }}' + password: '{{ .Values.config.pgConfig.dbUserPassword }}' + +# application configuration +config: + logstashServiceName: log-ls + logstashPort: 5044 + # Addresses of other ONAP entities + address: + consul: + host: consul-server + port: 8500 + pgConfig: + dbName: defaultName + dbHost: defaultHost + dbPort: 1234 + dbUser: admin + dbUserPassword: admin + # dbUserCredsExternalSecret + msb: + serviceName: msb-iag + port: 80 + aai: + aaiPort: 80 + username: AAI + password: AAI + +service: + type: ClusterIP + name: holmes-engine-mgmt + ports: + - name: http-rest + port: &svc_port 9102 + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "holmes-engine-mgmt", + "version": "v1", + "url": "/api/holmes-engine-mgmt/v1", + "path":"/api/holmes-engine-mgmt/v1", + "protocol": "REST", + "visualRange":"0|1", + "port": "9102", + "enable_ssl": false + } + ]{{ end }} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + path: /api/holmes-engine-mgmt/v1/healthcheck + scheme: HTTP + port: *svc_port + enabled: true + +readiness: + initialDelaySeconds: 30 + periodSeconds: 30 + path: /api/holmes-engine-mgmt/v1/healthcheck + scheme: HTTP + port: *svc_port + +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +readinessCheck: + wait_for_global: + jobs: + - '{{ include "common.release" . }}-holmes-postgres-init-config-job' + wait_for_local: + services: + - '{{ .Values.global.postgres.service.name2 }}' + +#Pods Service Account +serviceAccount: + nameOverride: holmes-engine-mgmt + roles: + - read 
diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/.helmignore b/archive/holmes/components/holmes-rule-mgmt/.helmignore similarity index 100% rename from kubernetes/holmes/components/holmes-rule-mgmt/.helmignore rename to archive/holmes/components/holmes-rule-mgmt/.helmignore diff --git a/archive/holmes/components/holmes-rule-mgmt/Chart.yaml b/archive/holmes/components/holmes-rule-mgmt/Chart.yaml new file mode 100644 index 0000000000..4263913b25 --- /dev/null +++ b/archive/holmes/components/holmes-rule-mgmt/Chart.yaml @@ -0,0 +1,35 @@ +# Modifications Copyright © 2021 ZTE +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +appVersion: "2.0" +description: Holmes Rule Management +name: holmes-rule-mgmt +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/holmes/components/holmes-rule-mgmt/resources/config/application.yaml b/archive/holmes/components/holmes-rule-mgmt/resources/config/application.yaml new file mode 100644 index 0000000000..2ff0fa6d52 --- /dev/null +++ b/archive/holmes/components/holmes-rule-mgmt/resources/config/application.yaml 
@@ -0,0 +1,18 @@ +server: + port: 9101 + servlet: + context-path: /api/holmes-rule-mgmt/v1 + +logging: + config: classpath:logback-spring.xml + +spring: + application: + name: Holmes Rule Management + datasource: + dirver-class-name: org.postgresql.Driver + url: jdbc:postgresql://${URL_JDBC}:${DB_PORT}/${DB_NAME} + username: ${JDBC_USERNAME} + password: ${JDBC_PASSWORD} + mvc: + throw-exception-if-no-handler-found: true \ No newline at end of file diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/onap-holmes_rulemgt-createobj.sql b/archive/holmes/components/holmes-rule-mgmt/resources/config/onap-holmes_rulemgt-createobj.sql similarity index 100% rename from kubernetes/holmes/components/holmes-rule-mgmt/resources/config/onap-holmes_rulemgt-createobj.sql rename to archive/holmes/components/holmes-rule-mgmt/resources/config/onap-holmes_rulemgt-createobj.sql diff --git a/archive/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml b/archive/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml new file mode 100644 index 0000000000..3b7218855a --- /dev/null +++ b/archive/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml 
@@ -0,0 +1,66 @@ +apidescription: ZTE Holmes rule Management rest API + +# use the simple server factory if you only want to run on a single port +#server: +# type: simple +# connector: +# type: http +# port: 12003 + +server: + type: simple + rootPath: '/api/holmes-rule-mgmt/v1/*' + applicationContextPath: / + adminContextPath: /admin + connector: + type: http + port: 9101 + validateCerts: false + validatePeers: false + +# Logging settings. +logging: + + # The default level of all loggers. Can be OFF, ERROR, WARN, INFO, DEBUG, TRACE, or ALL. + level: INFO + + # Logger-specific levels. + loggers: + + # Sets the level for 'com.example.app' to DEBUG. + org.onap.holmes.rulemgt: ALL + + appenders: + - type: console + threshold: INFO + timeZone: UTC + logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" + - type: file + threshold: ERROR + #logFormat: "%nopexception%logger\n|%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX,UTC}\n|%level\n|%message\n|%X{InvocationID}\n|%rootException\n|%marker\n|%thread\n|%n \r\n" + logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" + currentLogFilename: /var/log/ONAP/holmes/rulemgt-relation-error.log + archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/rulemgt-relation-error-%d{yyyy-MM-dd}.log.gz + archivedFileCount: 7 + - type: file + threshold: INFO + logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" + currentLogFilename: /var/log/ONAP/holmes/rulemgt-relation-debug.log + archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/rulemgt-relation-debug-%d{yyyy-MM-dd}.log.gz + archivedFileCount: 7 + +#database +database: + driverClass: org.postgresql.Driver + user: ${JDBC_USERNAME} + password: ${JDBC_PASSWORD} + url: jdbc:postgresql://${URL_JDBC}:${DB_PORT}/${DB_NAME} + properties: + charSet: UTF-8 + maxWaitForConnection: 1s + validationQuery: "/* MyService Health Check */ SELECT 1" + minSize: 8 + maxSize: 100 + checkConnectionWhileIdle: 
false + evictionInterval: 10s + minIdleTime: 1s diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/rules/ControlLoop-VOLTE-2179b738-fd36-4843-a71a-a8c24c70c55b.drl b/archive/holmes/components/holmes-rule-mgmt/resources/rules/ControlLoop-VOLTE-2179b738-fd36-4843-a71a-a8c24c70c55b.drl similarity index 100% rename from kubernetes/holmes/components/holmes-rule-mgmt/resources/rules/ControlLoop-VOLTE-2179b738-fd36-4843-a71a-a8c24c70c55b.drl rename to archive/holmes/components/holmes-rule-mgmt/resources/rules/ControlLoop-VOLTE-2179b738-fd36-4843-a71a-a8c24c70c55b.drl diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/rules/index.json b/archive/holmes/components/holmes-rule-mgmt/resources/rules/index.json similarity index 100% rename from kubernetes/holmes/components/holmes-rule-mgmt/resources/rules/index.json rename to archive/holmes/components/holmes-rule-mgmt/resources/rules/index.json diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/templates/configmap.yaml b/archive/holmes/components/holmes-rule-mgmt/templates/configmap.yaml similarity index 100% rename from kubernetes/holmes/components/holmes-rule-mgmt/templates/configmap.yaml rename to archive/holmes/components/holmes-rule-mgmt/templates/configmap.yaml diff --git a/archive/holmes/components/holmes-rule-mgmt/templates/deployment.yaml b/archive/holmes/components/holmes-rule-mgmt/templates/deployment.yaml new file mode 100644 index 0000000000..e71187c557 --- /dev/null +++ b/archive/holmes/components/holmes-rule-mgmt/templates/deployment.yaml 
@@ -0,0 +1,140 @@ +{{/* +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2021 ZTE Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +{{- $sum := "" }} +{{- range $path, $bytes := .Files.Glob "resources/rules/*"}} +{{- $sum = $.Files.Get $path | sha256sum | print $sum }} +{{- end }} + annotations: + checksum/rules: {{ $sum | sha256sum }} +spec: + replicas: 1 + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{- if .Values.global.postgres.localCluster }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_local ) | indent 6 | trim }} + {{ else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_global ) | indent 6 | trim }} + {{- end }} + - name: {{ include "common.name" . }}-env-config + image: {{ include "repositoryGenerator.image.envsubst" . 
}} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - sh + args: + - -c + - "cd /hrmconfig && for PFILE in `find . -type f -not -name '*.json'`; do envsubst < ${PFILE} > /config/${PFILE##*/}; done" + env: + - name: JDBC_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: JDBC_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + - name: DB_NAME + value: {{ .Values.config.pgConfig.dbName }} + - name: URL_JDBC + value: {{ .Values.config.pgConfig.dbHost }} + - name: DB_PORT + value: "{{ .Values.config.pgConfig.dbPort }}" + - name: NAMESPACE + value: {{ include "common.namespace" . }} + volumeMounts: + - mountPath: /hrmconfig + name: {{ include "common.fullname" . }}-general-config + - mountPath: /config + name: {{ include "common.fullname" . }}-env-config + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: {{ include "common.resources" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 8 }} + volumeMounts: + - name: {{ include "common.fullname" . }}-env-config + mountPath: /opt/hrmconfig + - name: {{ include "common.fullname" . 
}}-rule-config + mountPath: /opt/hrmrules + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + path: {{ .Values.liveness.path }} + port: {{ .Values.liveness.port }} + scheme: {{ .Values.liveness.scheme }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{- end }} + readinessProbe: + httpGet: + path: {{ .Values.readiness.path }} + port: {{ .Values.readiness.port }} + scheme: {{ .Values.readiness.scheme }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + failureThreshold: 1 + successThreshold: 1 + timeoutSeconds: 1 + env: + - name: CONSUL_HOST + value: consul-server.{{ include "common.namespace" . }} + - name: CONFIG_BINDING_SERVICE + value: config-binding-service + - name: MSB_IAG_SERVICE_PROTOCOL + value: {{ .Values.global.msbProtocol }} + - name: MSB_IAG_SERVICE_HOST + value: {{ .Values.global.msbServiceName }}.{{ include "common.namespace" . }} + - name: MSB_IAG_SERVICE_PORT + value: {{ .Values.global.msbPort | quote}} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + - name: JDBC_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: JDBC_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "password") | indent 10 }} + - name: DB_NAME + value: {{ .Values.config.pgConfig.dbName }} + - name: URL_JDBC + value: {{ .Values.config.pgConfig.dbHost }} + - name: DB_PORT + value: "{{ .Values.config.pgConfig.dbPort }}" + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-general-config + configMap: + defaultMode: 422 + name: {{ include "common.fullname" . }}-general-config + - name: {{ include "common.fullname" . }}-rule-config + configMap: + defaultMode: 422 + name: {{ include "common.fullname" . }}-rule-config + - name: {{ include "common.fullname" . }}-env-config + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/archive/holmes/components/holmes-rule-mgmt/templates/ingress.yaml b/archive/holmes/components/holmes-rule-mgmt/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/archive/holmes/components/holmes-rule-mgmt/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} 
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/secret.yaml b/archive/holmes/components/holmes-rule-mgmt/templates/secret.yaml similarity index 100% rename from kubernetes/dmaap/components/dmaap-dr-prov/templates/secret.yaml rename to archive/holmes/components/holmes-rule-mgmt/templates/secret.yaml diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/templates/service.yaml b/archive/holmes/components/holmes-rule-mgmt/templates/service.yaml similarity index 100% rename from kubernetes/holmes/components/holmes-rule-mgmt/templates/service.yaml rename to archive/holmes/components/holmes-rule-mgmt/templates/service.yaml diff --git a/archive/holmes/components/holmes-rule-mgmt/values.yaml b/archive/holmes/components/holmes-rule-mgmt/values.yaml new file mode 100644 index 0000000000..a7e0e25a17 --- /dev/null +++ b/archive/holmes/components/holmes-rule-mgmt/values.yaml 
@@ -0,0 +1,149 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2021 ZTE Corporation Intellectual Property. All rights reserved. +# Modifications 2023 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration. +################################################################# +global: + nodePortPrefixExt: 302 + msbProtocol: http + msbServiceName: msb-iag + msbPort: 80 + postgres: + localCluster: false + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/holmes/rule-management:12.0.0 +consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 + +################################################################# +# Secrets metaconfig +################################################################# +secrets: +- uid: pg-user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.pgConfig.dbUserCredsExternalSecret) . 
}}' + login: '{{ .Values.config.pgConfig.dbUser }}' + password: '{{ .Values.config.pgConfig.dbUserPassword }}' + +# application configuration +config: + logstashServiceName: log-ls + logstashPort: 5044 + # Addresses of other ONAP entities + address: + consul: + host: consul-server + port: 8500 + pgConfig: + dbName: defaultName + dbHost: defaultHost + dbPort: 1234 + dbUser: admin + dbUserPassword: admin + # dbUserCredsExternalSecret + +service: + type: NodePort + name: holmes-rule-mgmt + ports: + - name: http-rest + port: &svc_port 9101 + nodePort: 92 + - name: http-ui + port: &ui_port 9104 + nodePort: 93 + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "holmes-rule-mgmt", + "version": "v1", + "url": "/api/holmes-rule-mgmt/v1", + "path":"/api/holmes-rule-mgmt/v1", + "protocol": "REST", + "visualRange":"0|1", + "port": "9101", + "enable_ssl": false + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: "holmes-rule-mgmt" + name: "holmes-rule-mgmt" + path: "/api/holmes-rule-mgmt/v1" + port: *svc_port + - baseaddr: "holmes-rule-mgmt-ui" + name: "holmes-rule-mgmt" + path: "/iui/holmes" + port: *ui_port + config: + ssl: "redirect" + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + port: *svc_port + periodSeconds: 10 + path: /api/holmes-rule-mgmt/v1/healthcheck + enabled: true + scheme: HTTP + +readiness: + initialDelaySeconds: 30 + port: *svc_port + periodSeconds: 30 + path: /api/holmes-rule-mgmt/v1/healthcheck + scheme: HTTP + +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "1Gi" + unlimited: {} + +readinessCheck: + wait_for_global: + jobs: + - '{{ include "common.release" . 
}}-holmes-postgres-init-config-job' + wait_for_local: + services: + - '{{ .Values.global.postgres.service.name2 }}' + +#Pods Service Account +serviceAccount: + nameOverride: holmes-rule-mgmt + roles: + - read diff --git a/kubernetes/holmes/templates/secrets.yaml b/archive/holmes/templates/secrets.yaml similarity index 100% rename from kubernetes/holmes/templates/secrets.yaml rename to archive/holmes/templates/secrets.yaml diff --git a/archive/holmes/values.yaml b/archive/holmes/values.yaml new file mode 100644 index 0000000000..4ede9a15fd --- /dev/null +++ b/archive/holmes/values.yaml 
@@ -0,0 +1,112 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 + #Service Names of the postgres db to connect to. + #Override it to dbc-pg if localCluster is enabled. + postgres: + #This flag allows SO to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) + localCluster: false + globalCluster: true + service: + name: pgset + name2: &postgres tcp-pgset-primary + name3: tcp-pgset-replica + container: + name: postgres +secrets: +- uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-holmes-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "holmes-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootPassword }}' +- uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . 
}}-holmes-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "holmes-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +################################################################# +# Application configuration defaults. +################################################################# +pullPolicy: IfNotPresent + +config: + logstashServiceName: log-ls + logstashPort: 5044 + +# application configuration override for postgres +postgres: + nameOverride: holmes-pg + service: + name: holmes-postgres + name2: &dbHost holmes-postgres-primary + name3: holmes-postgres-replica + container: + name: + primary: holmes-postgres-primary + replica: holmes-postgres-replica + config: + pgUserName: holmes + pgDatabase: &dbName holmes + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName + pgPort: &dbPort "5432" + persistence: + mountSubPath: holmes/data + mountInitPath: holmes + +postgres-init: + nameOverride: holmes-postgres-init + config: + pgUserName: holmes + pgDatabase: *dbName + pgDataPath: data + pgUserExternalSecret: *pgUserCredsSecretName + # pgPrimaryPassword: password + # pgUserPassword: password + # pgRootPassword: password + serviceAccount: + nameOverride: holmes-postgres-init + +holmes-engine-mgmt: + config: + pgConfig: + dbName: *dbName + # dbHost: *dbHost + dbHost: *postgres + dbPort: *dbPort + dbUserCredsExternalSecret: *pgUserCredsSecretName + +holmes-rule-mgmt: + config: + pgConfig: + dbName: *dbName + # dbHost: *dbHost + dbHost: *postgres + dbPort: *dbPort + dbUserCredsExternalSecret: *pgUserCredsSecretName + +# Resource Limit flavor -By Default using small +flavor: small 
diff --git a/kubernetes/appc/.helmignore b/archive/modeling/.helmignore similarity index 100% rename from kubernetes/appc/.helmignore rename to archive/modeling/.helmignore diff --git a/archive/modeling/Chart.yaml b/archive/modeling/Chart.yaml new file mode 100644 index 0000000000..72e6b880d2 --- /dev/null +++ b/archive/modeling/Chart.yaml @@ -0,0 +1,25 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Modeling (Modeling) +name: modeling +version: 13.0.0 + +dependencies: + - name: modeling-etsicatalog + version: ~13.x-0 + repository: 'file://components/modeling-etsicatalog' diff --git a/kubernetes/holmes/Makefile b/archive/modeling/Makefile similarity index 100% rename from kubernetes/holmes/Makefile rename to archive/modeling/Makefile diff --git a/kubernetes/contrib/components/Makefile b/archive/modeling/components/Makefile similarity index 100% rename from kubernetes/contrib/components/Makefile rename to archive/modeling/components/Makefile diff --git a/kubernetes/appc/components/appc-ansible-server/.helmignore b/archive/modeling/components/modeling-etsicatalog/.helmignore similarity index 100% rename from kubernetes/appc/components/appc-ansible-server/.helmignore rename to archive/modeling/components/modeling-etsicatalog/.helmignore 
diff --git a/archive/modeling/components/modeling-etsicatalog/Chart.yaml b/archive/modeling/components/modeling-etsicatalog/Chart.yaml new file mode 100644 index 0000000000..80db5cc8b9 --- /dev/null +++ b/archive/modeling/components/modeling-etsicatalog/Chart.yaml @@ -0,0 +1,42 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Modeling - Etsicatalog +name: modeling-etsicatalog +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: mariadb-galera + version: ~13.x-0 + repository: '@local' + condition: global.mariadbGalera.localCluster + - name: mariadb-init + version: ~13.x-0 + repository: '@local' + condition: global.mariadbGalera.globalCluster + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' 
diff --git a/kubernetes/modeling/components/modeling-etsicatalog/resources/config/log/filebeat/filebeat.yml b/archive/modeling/components/modeling-etsicatalog/resources/config/log/filebeat/filebeat.yml similarity index 100% rename from kubernetes/modeling/components/modeling-etsicatalog/resources/config/log/filebeat/filebeat.yml rename to archive/modeling/components/modeling-etsicatalog/resources/config/log/filebeat/filebeat.yml diff --git a/kubernetes/modeling/components/modeling-etsicatalog/resources/config/log/server/log.yml b/archive/modeling/components/modeling-etsicatalog/resources/config/log/server/log.yml similarity index 100% rename from kubernetes/modeling/components/modeling-etsicatalog/resources/config/log/server/log.yml rename to archive/modeling/components/modeling-etsicatalog/resources/config/log/server/log.yml diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/configmap.yaml b/archive/modeling/components/modeling-etsicatalog/templates/configmap.yaml similarity index 100% rename from kubernetes/modeling/components/modeling-etsicatalog/templates/configmap.yaml rename to archive/modeling/components/modeling-etsicatalog/templates/configmap.yaml diff --git a/archive/modeling/components/modeling-etsicatalog/templates/deployment.yaml b/archive/modeling/components/modeling-etsicatalog/templates/deployment.yaml new file mode 100644 index 0000000000..fbe3e0ca07 --- /dev/null +++ b/archive/modeling/components/modeling-etsicatalog/templates/deployment.yaml 
@@ -0,0 +1,169 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + initContainers: + - command: + - /app/ready.py + args: +{{- if .Values.global.mariadbGalera.localCluster }} + - --service-name + - {{ index .Values "mariadb-galera" "service" "name" }} +{{- else }} + - --job-name + - {{ include "common.release" . }}-etsicatalog-db-config-job +{{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . 
}}-job-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + {{ if .Values.config.msb_enabled }} + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + {{ end }} + - command: + - /bin/sh + - -c + - chown -R 1000:1000 /service/modeling/etsicatalog/static + image: {{ include "repositoryGenerator.image.busybox" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-init + volumeMounts: + - name: {{ include "common.fullname" . }}-etsicatalog + mountPath: /service/modeling/etsicatalog/static + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + {{- if and (include "common.needTLS" .) (eq .Values.config.ssl_enabled true) }} + - name: SSL_ENABLED + value: "true" + {{- else }} + - name: SSL_ENABLED + value: "false" + {{- end }} + - name: MSB_ENABLED + value: "{{ .Values.config.msb_enabled }}" + {{- if (include "common.needTLS" .) 
}} + - name: MSB_ADDR + value: "{{ .Values.config.msbProtocol }}s://{{ .Values.config.msbServiceName }}:{{ .Values.config.msbPort }}" + - name: SDC_ADDR + value: "{{ .Values.config.sdcProtocol }}s://{{ .Values.config.sdcServiceName }}:{{ .Values.config.sdcPort }}" + {{- else }} + - name: MSB_ADDR + value: "{{ .Values.config.msbProtocol }}://{{ .Values.config.msbServiceName }}:{{ .Values.config.msbPlainPort }}" + - name: SDC_ADDR + value: "{{ .Values.config.sdcProtocol }}://{{ .Values.config.sdcServiceName }}:{{ .Values.config.sdcPlainPort }}" + {{- end }} + - name: DMAAP_ENABLED + value: "{{ .Values.config.dmaap_enabled }}" + - name: DMAAP_ADDR + value: "{{ .Values.config.dmaapProtocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.config.dmaapServiceName }}:{{ .Values.config.dmaapPort }}" + - name: DB_IP + value: "{{ include "common.mariadbService" . }}" + - name: DB_PORT + value: "{{ include "common.mariadbPort" . }}" + - name: DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "modeling-db-secret" "key" "login") | indent 12 }} + - name: DB_PASSWD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "modeling-db-secret" "key" "password") | indent 12 }} + volumeMounts: + - name: {{ include "common.fullname" . }}-etsicatalog + mountPath: /service/modeling/etsicatalog/static + - name: {{ include "common.fullname" . }}-logs + mountPath: {{ .Values.log.path }} + - name: {{ include "common.fullname" . }}-logconfig + mountPath: /opt/modeling/etsicatalog/config/log.yml + subPath: log.yml + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + + # side car containers + {{ include "common.log.sidecar" . 
| nindent 8 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-etsicatalog + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "common.fullname" . }} + {{- else }} + emptyDir: {} + {{- end }} + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} + - name: {{ include "common.fullname" . }}-logconfig + configMap: + name : {{ include "common.fullname" . }}-logging-configmap + + {{ include "common.log.volumes" . | nindent 8 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/pv.yaml b/archive/modeling/components/modeling-etsicatalog/templates/pv.yaml similarity index 100% rename from kubernetes/modeling/components/modeling-etsicatalog/templates/pv.yaml rename to archive/modeling/components/modeling-etsicatalog/templates/pv.yaml diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/pvc.yaml b/archive/modeling/components/modeling-etsicatalog/templates/pvc.yaml similarity index 100% rename from kubernetes/modeling/components/modeling-etsicatalog/templates/pvc.yaml rename to archive/modeling/components/modeling-etsicatalog/templates/pvc.yaml diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/secrets.yaml b/archive/modeling/components/modeling-etsicatalog/templates/secrets.yaml similarity index 100% rename from kubernetes/modeling/components/modeling-etsicatalog/templates/secrets.yaml rename to archive/modeling/components/modeling-etsicatalog/templates/secrets.yaml diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/service.yaml b/archive/modeling/components/modeling-etsicatalog/templates/service.yaml similarity index 100% rename from kubernetes/modeling/components/modeling-etsicatalog/templates/service.yaml rename to archive/modeling/components/modeling-etsicatalog/templates/service.yaml 
diff --git a/archive/modeling/components/modeling-etsicatalog/values.yaml b/archive/modeling/components/modeling-etsicatalog/values.yaml new file mode 100644 index 0000000000..83cfde8a7b --- /dev/null +++ b/archive/modeling/components/modeling-etsicatalog/values.yaml 
@@ -0,0 +1,203 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + + persistence: + mountPath: /dockerdata-nfs + + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows SO to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) + localCluster: false + globalCluster: true + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + + centralizedLoggingEnabled: true + +readinessCheck: + wait_for: + services: + - msb-iag + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: modeling-db-secret + name: &dbSecretName '{{ include "common.release" . }}-modeling-db-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . 
}}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + +################################################################# +# Dependencies configuration +################################################################# + +mariadb-galera: + db: + user: &dbUser etsicatalog + externalSecret: *dbSecretName + name: &mysqlDbName etsicatalog + nameOverride: &modeling-db modeling-db + service: + name: *modeling-db + internalPort: 3306 + nfsprovisionerPrefix: modeling + persistence: + mountSubPath: modeling/data + enabled: true + disableNfsProvisioner: true + serviceAccount: + nameOverride: *modeling-db + replicaCount: 1 + mariadbOperator: + galera: + enabled: false + +mariadb-init: + config: + userCredentialsExternalSecret: *dbSecretName + mysqlDatabase: *mysqlDbName + # nameOverride should be the same with common.name + nameOverride: etsicatalog-db + serviceAccount: + nameOverride: etsicatalog-db + +################################################################# +# Application configuration defaults. 
+################################################################# +config: + #application configuration about msb + ssl_enabled: false + msb_enabled: false + msbProtocol: http + msbServiceName: msb-iag + msbPort: 443 + msbPlainPort: 80 + sdcProtocol: http + sdcServiceName: sdc-be + sdcPort: 8443 + sdcPlainPort: 8080 + dmaap_enabled: false + dmaapProtocol: http + dmaapServiceName: message-router-external + dmaapPort: 3905 + + #application configuration user password about mariadb + db: + userName: *dbUser + # userPassword: password + # userCredentialsExternalSecret: some-secret + +# application image +flavor: small + +image: onap/modeling/etsicatalog:1.0.14 +pullPolicy: Always + +#Istio sidecar injection policy +istioSidecar: true + +# flag to enable debugging - application support required +debugEnabled: false + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +## Persist data to a persitent volume +persistence: + enabled: true + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + volumeReclaimPolicy: Retain + ## database data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + accessMode: ReadWriteOnce + size: 2Gi + mountPath: /dockerdata-nfs + mountSubPath: modeling/etsicatalog + +service: + type: ClusterIP + name: modeling-etsicatalog + portName: http + externalPort: 8806 + internalPort: 8806 +# nodePort: 30806 + +ingress: + enabled: false + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "200m" + memory: "500Mi" + requests: + cpu: "100m" + memory: "200Mi" + large: + limits: + cpu: "400m" + memory: "1Gi" + requests: + cpu: "200m" + memory: "500Mi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: modeling-etsicatalog + roles: + - read + +#Log configuration +log: + path: /var/log/onap diff --git a/kubernetes/modeling/values.yaml b/archive/modeling/values.yaml similarity index 100% rename from kubernetes/modeling/values.yaml rename to archive/modeling/values.yaml diff --git a/kubernetes/consul/.helmignore b/archive/msb/.helmignore similarity index 100% rename from kubernetes/consul/.helmignore rename to archive/msb/.helmignore diff --git a/archive/msb/Chart.yaml b/archive/msb/Chart.yaml new file mode 100644 index 0000000000..67db10be70 --- /dev/null +++ b/archive/msb/Chart.yaml 
@@ -0,0 +1,45 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 ZTE +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP MicroServices Bus +name: msb +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: kube2msb + version: ~13.x-0 + repository: 'file://components/kube2msb' + - name: msb-consul + version: ~13.x-0 + repository: 'file://components/msb-consul' + - name: msb-discovery + version: ~13.x-0 + repository: 'file://components/msb-discovery' + - name: msb-eag + version: ~13.x-0 + repository: 'file://components/msb-eag' + - name: msb-iag + version: ~13.x-0 + repository: 'file://components/msb-iag' + diff --git a/kubernetes/modeling/Makefile b/archive/msb/Makefile similarity index 100% rename from kubernetes/modeling/Makefile rename to archive/msb/Makefile diff --git a/kubernetes/holmes/components/Makefile b/archive/msb/components/Makefile similarity index 100% rename from kubernetes/holmes/components/Makefile rename to archive/msb/components/Makefile diff --git a/kubernetes/appc/components/appc-cdt/.helmignore b/archive/msb/components/kube2msb/.helmignore similarity index 100% rename from kubernetes/appc/components/appc-cdt/.helmignore rename to archive/msb/components/kube2msb/.helmignore 
diff --git a/archive/msb/components/kube2msb/Chart.yaml b/archive/msb/components/kube2msb/Chart.yaml new file mode 100644 index 0000000000..2e823e69b8 --- /dev/null +++ b/archive/msb/components/kube2msb/Chart.yaml @@ -0,0 +1,27 @@ +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v2 +description: ONAP MicroServices Bus Kube2MSB Registrator +name: kube2msb +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' diff --git a/archive/msb/components/kube2msb/templates/deployment.yaml b/archive/msb/components/kube2msb/templates/deployment.yaml new file mode 100644 index 0000000000..b83d4c9d99 --- /dev/null +++ b/archive/msb/components/kube2msb/templates/deployment.yaml 
@@ -0,0 +1,80 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + serviceAccountName: msb + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - msb-discovery + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: KUBE_MASTER_URL + value: {{ .Values.config.kubeMasterUrl }} + - name: MSB_URL + value: {{tpl $.Values.config.discoveryUrl .}} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/archive/msb/components/kube2msb/values.yaml b/archive/msb/components/kube2msb/values.yaml new file mode 100644 index 0000000000..bdc7c06b3b --- /dev/null +++ b/archive/msb/components/kube2msb/values.yaml 
@@ -0,0 +1,70 @@ +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/oom/kube2msb:1.2.6 +pullPolicy: Always +istioSidecar: true + +# application configuration +config: + routeLabels: "visualRange:1" + kubeMasterUrl: https://kubernetes.default:443 + discoveryUrl: http://msb-discovery.{{include "common.namespace" .}}:10081 + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: {} + +readiness: {} + +service: {} + +ingress: + enabled: false + +# Resource Limit flavor -By Default using small +flavor: small + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "1" + memory: "500Mi" + requests: + cpu: "0.5" + memory: "500Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + unlimited: {} diff --git a/kubernetes/cli/.helmignore b/archive/msb/components/msb-consul/.helmignore similarity index 100% rename from kubernetes/cli/.helmignore rename to archive/msb/components/msb-consul/.helmignore 
diff --git a/archive/msb/components/msb-consul/Chart.yaml b/archive/msb/components/msb-consul/Chart.yaml new file mode 100644 index 0000000000..356ca84972 --- /dev/null +++ b/archive/msb/components/msb-consul/Chart.yaml @@ -0,0 +1,30 @@ +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v2 +description: ONAP MicroServices Bus Consul +name: msb-consul +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/msb/components/msb-consul/resources/docker-entrypoint.sh b/archive/msb/components/msb-consul/resources/docker-entrypoint.sh similarity index 100% rename from kubernetes/msb/components/msb-consul/resources/docker-entrypoint.sh rename to archive/msb/components/msb-consul/resources/docker-entrypoint.sh diff --git a/kubernetes/msb/components/msb-consul/templates/NOTES.txt b/archive/msb/components/msb-consul/templates/NOTES.txt similarity index 100% rename from kubernetes/msb/components/msb-consul/templates/NOTES.txt rename to archive/msb/components/msb-consul/templates/NOTES.txt 
diff --git a/kubernetes/msb/components/msb-consul/templates/configmap.yaml b/archive/msb/components/msb-consul/templates/configmap.yaml similarity index 100% rename from kubernetes/msb/components/msb-consul/templates/configmap.yaml rename to archive/msb/components/msb-consul/templates/configmap.yaml diff --git a/archive/msb/components/msb-consul/templates/deployment.yaml b/archive/msb/components/msb-consul/templates/deployment.yaml new file mode 100644 index 0000000000..d229590da0 --- /dev/null +++ b/archive/msb/components/msb-consul/templates/deployment.yaml 
@@ -0,0 +1,89 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + command: + - docker-entrypoint.sh + args: + - "agent" + - "-dev" + - "-client" + - "0.0.0.0" + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + volumeMounts: + - mountPath: /usr/local/bin/docker-entrypoint.sh + name: entrypoint + subPath: docker-entrypoint.sh + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: entrypoint + configMap: + name: {{ include "common.fullname" . }}-entrypoint + defaultMode: 0777 + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/appc/components/appc-cdt/templates/ingress.yaml b/archive/msb/components/msb-consul/templates/ingress.yaml similarity index 100% rename from kubernetes/appc/components/appc-cdt/templates/ingress.yaml rename to archive/msb/components/msb-consul/templates/ingress.yaml 
diff --git a/kubernetes/msb/components/msb-consul/templates/service.yaml b/archive/msb/components/msb-consul/templates/service.yaml similarity index 100% rename from kubernetes/msb/components/msb-consul/templates/service.yaml rename to archive/msb/components/msb-consul/templates/service.yaml diff --git a/archive/msb/components/msb-consul/values.yaml b/archive/msb/components/msb-consul/values.yaml new file mode 100644 index 0000000000..37ccf988d8 --- /dev/null +++ b/archive/msb/components/msb-consul/values.yaml 
@@ -0,0 +1,95 @@ +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: library/consul:1.4.3 +pullPolicy: Always +istioSidecar: true + +# application configuration +config: {} + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: msb-consul + externalPort: 8500 + internalPort: 8500 + nodePort: 85 + +ingress: + enabled: false + service: + - baseaddr: "msb-consul-api" + name: "msb-consul" + port: 8500 + config: + ssl: "none" + +flavor: small + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "1" + memory: "500Mi" + requests: + cpu: "0.5" + memory: "500Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + 
unlimited: {} + +securityContext: + fsGroup: 1000 + runAsUser: 100 + runAsGroup: 1000 + +#Pods Service Account +serviceAccount: + nameOverride: msb-consul + roles: + - read diff --git a/kubernetes/common/dgbuilder/.helmignore b/archive/msb/components/msb-discovery/.helmignore similarity index 100% rename from kubernetes/common/dgbuilder/.helmignore rename to archive/msb/components/msb-discovery/.helmignore diff --git a/archive/msb/components/msb-discovery/Chart.yaml b/archive/msb/components/msb-discovery/Chart.yaml new file mode 100644 index 0000000000..545bc0082a --- /dev/null +++ b/archive/msb/components/msb-discovery/Chart.yaml @@ -0,0 +1,30 @@ +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v2 +description: ONAP MicroServices Bus Discovery +name: msb-discovery +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/msb/components/msb-discovery/resources/config/logback.xml b/archive/msb/components/msb-discovery/resources/config/logback.xml similarity index 100% rename from kubernetes/msb/components/msb-discovery/resources/config/logback.xml rename to archive/msb/components/msb-discovery/resources/config/logback.xml 
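Review bot: in the msb-consul values.yaml hunk, 'image: library/consul:1.4.3' is referenced by tag and combined with 'pullPolicy: Always', so every pod start pulls whatever that tag points to at the time; pin the image by digest, or at least switch to IfNotPresent once the tag is mirrored in a registry you control. In the same file 'securityContext.fsGroup: 1000' is defined, but the Deployment hunk earlier in this patch that starts the Consul agent reads only 'runAsUser' and 'runAsGroup', so fsGroup is either dead configuration or a missing pod-level securityContext in the template. 'nodePort: 85' next to 'type: ClusterIP' also has no effect and can go.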
diff --git a/kubernetes/msb/components/msb-discovery/templates/NOTES.txt b/archive/msb/components/msb-discovery/templates/NOTES.txt similarity index 100% rename from kubernetes/msb/components/msb-discovery/templates/NOTES.txt rename to archive/msb/components/msb-discovery/templates/NOTES.txt diff --git a/kubernetes/msb/components/msb-discovery/templates/configmap.yaml b/archive/msb/components/msb-discovery/templates/configmap.yaml similarity index 100% rename from kubernetes/msb/components/msb-discovery/templates/configmap.yaml rename to archive/msb/components/msb-discovery/templates/configmap.yaml diff --git a/archive/msb/components/msb-discovery/templates/deployment.yaml b/archive/msb/components/msb-discovery/templates/deployment.yaml new file mode 100644 index 0000000000..4f286535dc --- /dev/null +++ b/archive/msb/components/msb-discovery/templates/deployment.yaml 
@@ -0,0 +1,107 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - msb-consul + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: CONSUL_IP + value: msb-consul.{{ include "common.namespace" . }} + volumeMounts: + - mountPath: /usr/local/discover-works/logs + name: {{ include "common.fullname" . }}-logs + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + + # Filebeat sidecar container + {{ include "common.log.sidecar" . | nindent 8 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-log-conf + configMap: + name: {{ include "common.fullname" . }}-log + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/appc/templates/ingress.yaml b/archive/msb/components/msb-discovery/templates/ingress.yaml similarity index 100% rename from kubernetes/appc/templates/ingress.yaml rename to archive/msb/components/msb-discovery/templates/ingress.yaml 
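Review bot: the 'include "common.log.sidecar" . | nindent 8' line in the msb-discovery Deployment sits after the 'nodeSelector' and 'affinity' blocks rather than directly after the main container's 'resources:', so the container entry that the 'Filebeat sidecar container' comment announces only continues the 'containers' list while both values are empty. As soon as an operator sets a nodeSelector or an affinity, the rendered list item follows a pod-level mapping and the manifest no longer parses as intended. Move the include up so it comes right after 'resources:' and keep 'nodeSelector', 'affinity' and 'serviceAccountName' together below it.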
diff --git a/kubernetes/msb/components/msb-discovery/templates/service.yaml b/archive/msb/components/msb-discovery/templates/service.yaml similarity index 100% rename from kubernetes/msb/components/msb-discovery/templates/service.yaml rename to archive/msb/components/msb-discovery/templates/service.yaml diff --git a/archive/msb/components/msb-discovery/values.yaml b/archive/msb/components/msb-discovery/values.yaml new file mode 100644 index 0000000000..b8c361a296 --- /dev/null +++ b/archive/msb/components/msb-discovery/values.yaml 
@@ -0,0 +1,95 @@ +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/msb/msb_discovery:1.3.0 +pullPolicy: Always +istioSidecar: true + +# application configuration +config: {} + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: msb-discovery + externalPort: 10081 + internalPort: 10081 + nodePort: 81 + +ingress: + enabled: false + service: + - baseaddr: "msb-discovery-api" + name: "msb-discovery" + port: 10081 + config: + ssl: "none" + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "500Mi" + requests: + cpu: "0.5" + memory: "500Mi" + large: + 
limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: msb-discovery + roles: + - read + +#Logs configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/common/mongo/.helmignore b/archive/msb/components/msb-eag/.helmignore similarity index 100% rename from kubernetes/common/mongo/.helmignore rename to archive/msb/components/msb-eag/.helmignore diff --git a/archive/msb/components/msb-eag/Chart.yaml b/archive/msb/components/msb-eag/Chart.yaml new file mode 100644 index 0000000000..d42c99388d --- /dev/null +++ b/archive/msb/components/msb-eag/Chart.yaml @@ -0,0 +1,30 @@ +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v2 +description: ONAP MicroServices Bus Internal API Gateway +name: msb-eag +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' 
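Review bot: 'description: ONAP MicroServices Bus Internal API Gateway' under 'name: msb-eag' is word for word the description that the msb-iag Chart.yaml in this patch carries, which reads like a copy-paste left over from the original chart. Since the two gateways differ in exposure (the values files set 'visualRange:0' for msb-eag and 'visualRange:1' for msb-iag), give msb-eag its own description so that 'helm search' and chart listings tell an operator which of the two they are looking at.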
diff --git a/kubernetes/msb/components/msb-eag/resources/config/logback.xml b/archive/msb/components/msb-eag/resources/config/logback.xml similarity index 100% rename from kubernetes/msb/components/msb-eag/resources/config/logback.xml rename to archive/msb/components/msb-eag/resources/config/logback.xml diff --git a/kubernetes/msb/components/msb-eag/templates/NOTES.txt b/archive/msb/components/msb-eag/templates/NOTES.txt similarity index 100% rename from kubernetes/msb/components/msb-eag/templates/NOTES.txt rename to archive/msb/components/msb-eag/templates/NOTES.txt diff --git a/archive/msb/components/msb-eag/templates/configmap.yaml b/archive/msb/components/msb-eag/templates/configmap.yaml new file mode 100644 index 0000000000..62bbf4272a --- /dev/null +++ b/archive/msb/components/msb-eag/templates/configmap.yaml @@ -0,0 +1,24 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-log + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} + diff --git a/archive/msb/components/msb-eag/templates/deployment.yaml b/archive/msb/components/msb-eag/templates/deployment.yaml new file mode 100644 index 0000000000..da2afc3bfc --- /dev/null +++ b/archive/msb/components/msb-eag/templates/deployment.yaml 
@@ -0,0 +1,96 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - msb-discovery + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{- include "common.containerPorts" . 
| indent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: CONSUL_IP + value: msb-consul.{{ include "common.namespace" . }} + - name: SDCLIENT_IP + value: msb-discovery.{{ include "common.namespace" . }} + - name: ROUTE_LABELS + value: {{ .Values.config.routeLabels }} + volumeMounts: + - mountPath: /usr/local/apiroute-works/logs + name: {{ include "common.fullname" . }}-logs + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 8 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-log-conf + configMap: + name: {{ include "common.fullname" . }}-log + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cli/templates/ingress.yaml b/archive/msb/components/msb-eag/templates/ingress.yaml similarity index 100% rename from kubernetes/cli/templates/ingress.yaml rename to archive/msb/components/msb-eag/templates/ingress.yaml 
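Review bot: 'value: {{ .Values.config.routeLabels }}' for ROUTE_LABELS in the msb-eag Deployment is rendered unquoted, so the result depends on how YAML types the override. The default 'visualRange:0' happens to stay a string, but an override such as 'visualRange: 0' becomes a mapping and a bare number or boolean becomes a non-string, and either is rejected as an env value at install time. Use '{{ .Values.config.routeLabels | quote }}' here; the same line exists in the msb-iag Deployment later in this patch.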
diff --git a/kubernetes/msb/components/msb-eag/templates/service.yaml b/archive/msb/components/msb-eag/templates/service.yaml similarity index 100% rename from kubernetes/msb/components/msb-eag/templates/service.yaml rename to archive/msb/components/msb-eag/templates/service.yaml diff --git a/archive/msb/components/msb-eag/values.yaml b/archive/msb/components/msb-eag/values.yaml new file mode 100644 index 0000000000..49f0be78f5 --- /dev/null +++ b/archive/msb/components/msb-eag/values.yaml 
@@ -0,0 +1,102 @@ +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/msb/msb_apigateway:1.6.0 +pullPolicy: Always +istioSidecar: true + +# application configuration +config: + routeLabels: "visualRange:0" + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: NodePort + name: msb-eag + # for liveness and readiness probe only + # internalPort: + internalPort: 80 + ports: + - name: msb-eag + port: 80 + port_protocol: http + nodePort: '84' + +ingress: + enabled: false + service: + - baseaddr: "msb-eag-ui" + name: "msb-eag" + port: 80 + config: + ssl: "redirect" + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different 
environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "500Mi" + requests: + cpu: "0.5" + memory: "500Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: msb-eag + roles: + - read + +#Logs configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/common/music/components/music-cassandra/.helmignore b/archive/msb/components/msb-iag/.helmignore similarity index 100% rename from kubernetes/common/music/components/music-cassandra/.helmignore rename to archive/msb/components/msb-iag/.helmignore diff --git a/archive/msb/components/msb-iag/Chart.yaml b/archive/msb/components/msb-iag/Chart.yaml new file mode 100644 index 0000000000..50fa020c8b --- /dev/null +++ b/archive/msb/components/msb-iag/Chart.yaml @@ -0,0 +1,30 @@ +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v2 +description: ONAP MicroServices Bus Internal API Gateway +name: msb-iag +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' 
diff --git a/kubernetes/msb/components/msb-iag/resources/config/logback.xml b/archive/msb/components/msb-iag/resources/config/logback.xml similarity index 100% rename from kubernetes/msb/components/msb-iag/resources/config/logback.xml rename to archive/msb/components/msb-iag/resources/config/logback.xml diff --git a/kubernetes/msb/components/msb-iag/templates/NOTES.txt b/archive/msb/components/msb-iag/templates/NOTES.txt similarity index 100% rename from kubernetes/msb/components/msb-iag/templates/NOTES.txt rename to archive/msb/components/msb-iag/templates/NOTES.txt diff --git a/archive/msb/components/msb-iag/templates/configmap.yaml b/archive/msb/components/msb-iag/templates/configmap.yaml new file mode 100644 index 0000000000..7214c8a95f --- /dev/null +++ b/archive/msb/components/msb-iag/templates/configmap.yaml @@ -0,0 +1,23 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-log + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} diff --git a/archive/msb/components/msb-iag/templates/deployment.yaml b/archive/msb/components/msb-iag/templates/deployment.yaml new file mode 100644 index 0000000000..da2afc3bfc --- /dev/null +++ b/archive/msb/components/msb-iag/templates/deployment.yaml 
@@ -0,0 +1,96 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - msb-discovery + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{- include "common.containerPorts" . 
| indent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: CONSUL_IP + value: msb-consul.{{ include "common.namespace" . }} + - name: SDCLIENT_IP + value: msb-discovery.{{ include "common.namespace" . }} + - name: ROUTE_LABELS + value: {{ .Values.config.routeLabels }} + volumeMounts: + - mountPath: /usr/local/apiroute-works/logs + name: {{ include "common.fullname" . }}-logs + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 8 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-log-conf + configMap: + name: {{ include "common.fullname" . }}-log + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/consul/templates/ingress.yaml b/archive/msb/components/msb-iag/templates/ingress.yaml similarity index 100% rename from kubernetes/consul/templates/ingress.yaml rename to archive/msb/components/msb-iag/templates/ingress.yaml 
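Review bot: neither the readiness init container nor the main container in the msb-iag Deployment sets a 'securityContext', and there is none at pod level either, so the gateway runs with whatever user and privileges the image defaults to; the Consul Deployment earlier in this patch at least sets 'runAsUser' and 'runAsGroup'. Add a securityContext driven from values (runAsNonRoot, allowPrivilegeEscalation: false, dropped capabilities, and readOnlyRootFilesystem if the image tolerates it, given that logs already go to the emptyDir mount). The file also has the same blob id as the msb-eag Deployment ('0000000000..da2afc3bfc'), so the change belongs in both copies or, better, in a shared template.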
diff --git a/kubernetes/msb/components/msb-iag/templates/service.yaml b/archive/msb/components/msb-iag/templates/service.yaml similarity index 100% rename from kubernetes/msb/components/msb-iag/templates/service.yaml rename to archive/msb/components/msb-iag/templates/service.yaml diff --git a/archive/msb/components/msb-iag/values.yaml b/archive/msb/components/msb-iag/values.yaml new file mode 100644 index 0000000000..19b500a62c --- /dev/null +++ b/archive/msb/components/msb-iag/values.yaml 
@@ -0,0 +1,102 @@ +# Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/msb/msb_apigateway:1.6.0 +pullPolicy: Always +istioSidecar: true + +# application configuration +config: + routeLabels: "visualRange:1" + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: NodePort + name: msb-iag + # for liveness and readiness probe only + # internalPort: + internalPort: 80 + ports: + - name: msb-iag + port: 80 + port_protocol: http + nodePort: '83' + +ingress: + enabled: false + service: + - baseaddr: "msb-iag-ui" + name: "msb-iag" + port: 80 + config: + ssl: "redirect" + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different 
environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "500Mi" + requests: + cpu: "0.5" + memory: "500Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: msb-iag + roles: + - read + +#Logs configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/msb/resources/config/log/discovery/logback.xml b/archive/msb/resources/config/log/discovery/logback.xml similarity index 100% rename from kubernetes/msb/resources/config/log/discovery/logback.xml rename to archive/msb/resources/config/log/discovery/logback.xml diff --git a/kubernetes/msb/resources/config/log/eag/logback.xml b/archive/msb/resources/config/log/eag/logback.xml similarity index 100% rename from kubernetes/msb/resources/config/log/eag/logback.xml rename to archive/msb/resources/config/log/eag/logback.xml diff --git a/kubernetes/msb/resources/config/log/filebeat/filebeat.yml b/archive/msb/resources/config/log/filebeat/filebeat.yml similarity index 100% rename from kubernetes/msb/resources/config/log/filebeat/filebeat.yml rename to archive/msb/resources/config/log/filebeat/filebeat.yml diff --git a/kubernetes/msb/resources/config/log/iag/logback.xml b/archive/msb/resources/config/log/iag/logback.xml similarity index 100% rename from kubernetes/msb/resources/config/log/iag/logback.xml rename to archive/msb/resources/config/log/iag/logback.xml diff --git a/kubernetes/msb/templates/configmap.yaml b/archive/msb/templates/configmap.yaml similarity index 100% rename from kubernetes/msb/templates/configmap.yaml rename to archive/msb/templates/configmap.yaml diff --git a/kubernetes/msb/templates/serviceaccount.yaml b/archive/msb/templates/serviceaccount.yaml similarity index 100% rename from kubernetes/msb/templates/serviceaccount.yaml rename to archive/msb/templates/serviceaccount.yaml 
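Review bot: in the msb-iag values.yaml hunk, 'service.type: NodePort' with 'port: 80', 'port_protocol: http' and 'nodePort: '83'' exposes the gateway on every node over plain HTTP by default, while the only TLS-related setting, 'ssl: "redirect"', sits under 'ingress', which is 'enabled: false'. Default the service to ClusterIP and let operators opt in to NodePort, or expose it through the ingress with TLS; the msb-eag values.yaml in this patch has the same defaults with nodePort '84' and needs the same change. The commented-out '# internalPort:' line directly above 'internalPort: 80' is a leftover and can be removed.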
diff --git a/kubernetes/msb/values.yaml b/archive/msb/values.yaml similarity index 100% rename from kubernetes/msb/values.yaml rename to archive/msb/values.yaml diff --git a/kubernetes/contrib/components/netbox/.helmignore b/archive/multicloud/components/multicloud-pike/.helmignore old mode 100755 new mode 100644 similarity index 100% rename from kubernetes/contrib/components/netbox/.helmignore rename to archive/multicloud/components/multicloud-pike/.helmignore diff --git a/archive/multicloud/components/multicloud-pike/Chart.yaml b/archive/multicloud/components/multicloud-pike/Chart.yaml new file mode 100644 index 0000000000..74d6b8ce29 --- /dev/null +++ b/archive/multicloud/components/multicloud-pike/Chart.yaml @@ -0,0 +1,31 @@ +# Copyright (c) 2018 Intel Corporation. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP multicloud OpenStack Pike Plugin +name: multicloud-pike +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' 
diff --git a/kubernetes/multicloud/components/multicloud-pike/resources/config/log/log.yml b/archive/multicloud/components/multicloud-pike/resources/config/log/log.yml similarity index 100% rename from kubernetes/multicloud/components/multicloud-pike/resources/config/log/log.yml rename to archive/multicloud/components/multicloud-pike/resources/config/log/log.yml diff --git a/kubernetes/multicloud/components/multicloud-pike/templates/NOTES.txt b/archive/multicloud/components/multicloud-pike/templates/NOTES.txt similarity index 100% rename from kubernetes/multicloud/components/multicloud-pike/templates/NOTES.txt rename to archive/multicloud/components/multicloud-pike/templates/NOTES.txt diff --git a/kubernetes/multicloud/components/multicloud-pike/templates/configmap.yaml b/archive/multicloud/components/multicloud-pike/templates/configmap.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-pike/templates/configmap.yaml rename to archive/multicloud/components/multicloud-pike/templates/configmap.yaml diff --git a/archive/multicloud/components/multicloud-pike/templates/deployment.yaml b/archive/multicloud/components/multicloud-pike/templates/deployment.yaml new file mode 100644 index 0000000000..1822695eab --- /dev/null +++ b/archive/multicloud/components/multicloud-pike/templates/deployment.yaml 
@@ -0,0 +1,87 @@ +{{/* +# Copyright (c) 2018 Intel Corporation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "false" + name: {{ include "common.name" . }} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: pike-log + - mountPath: /opt/pike/pike/pub/config/log.yml + name: pike-logconfig + subPath: log.yml + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/bin/sh"] + args: ["-c", "/bin/sh /opt/pike/run.sh"] + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + httpGet: + path: /api/multicloud-pike/v0/swagger.json + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: memcached + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: pike-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} + - name: pike-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/archive/multicloud/components/multicloud-pike/templates/ingress.yaml b/archive/multicloud/components/multicloud-pike/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/archive/multicloud/components/multicloud-pike/templates/ingress.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/archive/multicloud/components/multicloud-pike/templates/service.yaml b/archive/multicloud/components/multicloud-pike/templates/service.yaml new file mode 100644 index 0000000000..adbb87c70d --- /dev/null +++ b/archive/multicloud/components/multicloud-pike/templates/service.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright (c) 2018 Intel Corporation. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/archive/multicloud/components/multicloud-pike/values.yaml b/archive/multicloud/components/multicloud-pike/values.yaml new file mode 100644 index 0000000000..643daa7e3f --- /dev/null +++ b/archive/multicloud/components/multicloud-pike/values.yaml 
@@ -0,0 +1,123 @@ +# Copyright (c) 2018 Intel Corporation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/multicloud/openstack-pike:1.5.7 +pullPolicy: Always + +# application configuration +config: + msbgateway: msb-iag + msbPort: 80 + aai: + aaiPort: 80 + schemaVersion: v13 + username: AAI + password: AAI + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 5 + enabled: true + +service: + type: NodePort + internalPort: 9007 + ports: + - name: http + port: 9007 + nodePort: '96' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-pike", + "version": "v0", + "url": "/api/multicloud-pike/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-pike", + "version": "v1", + "url": "/api/multicloud-pike/v1", + "protocol": 
"REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: 'multicloud-pike-api' + name: 'multicloud-pike' + port: 9007 + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "4Gi" + requests: + cpu: "10m" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "8Gi" + requests: + cpu: "20m" + memory: "2Gi" + unlimited: {} + +# memcached image resource +memcached: memcached:alpine3.15 + +#Pods Service Account +serviceAccount: + nameOverride: multicloud-pike + roles: + - read + +#Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/archive/multicloud/components/multicloud-prometheus/Chart.yaml b/archive/multicloud/components/multicloud-prometheus/Chart.yaml new file mode 100644 index 0000000000..2ed930aa65 --- /dev/null +++ b/archive/multicloud/components/multicloud-prometheus/Chart.yaml 
@@ -0,0 +1,37 @@ +# Copyright 2018 Intel Corporation, Inc +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Multicloud Prometheus +name: multicloud-prometheus +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: prometheus-alertmanager + version: ~13.x-0 + repository: 'file://components/prometheus-alertmanager' + - name: prometheus-grafana + version: ~13.x-0 + repository: 'file://components/prometheus-grafana' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml new file mode 100644 index 0000000000..b4643db800 --- /dev/null +++ b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml 
@@ -0,0 +1,19 @@ +# Copyright 2018 Intel Corporation, Inc +# Modifications Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Multicloud Prometheus Alert Manager +name: prometheus-alertmanager +version: 13.0.0 diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/resources/config/alertmanager.yml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/resources/config/alertmanager.yml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/resources/config/alertmanager.yml rename to archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/resources/config/alertmanager.yml diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/configmap.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/configmap.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/configmap.yaml rename to archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/configmap.yaml 
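Review bot: The multicloud-pike chart added earlier in this patch carries hard-coded default credentials: its values.yaml sets `config.aai.username: AAI` and `config.aai.password: AAI`, and templates/deployment.yaml injects them as literal `value:` entries for `AAI_USERNAME` and `AAI_PASSWORD`, so the password appears in the rendered Deployment manifest and is readable by anything that can read the pod spec. Suggest moving both into a Secret referenced through `valueFrom.secretKeyRef` and shipping no usable default password. The same Deployment also hard-codes `MSB_PROTO` to "http" and `SSL_ENABLED` to "false"; if that is intentional for an archived chart, a comment saying so would help.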
diff --git a/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml new file mode 100644 index 0000000000..185aa1e47b --- /dev/null +++ b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml 
@@ -0,0 +1,98 @@ +{{/* +# Copyright 2018 Intel Corporation, Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.alertmanager.enabled -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ include "common.name" . }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + name: {{ include "common.name" . }} + spec: + containers: + - name: {{ include "common.name" . }}-configmap-reload + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.global.configmapReload.image.repository }}:{{ .Values.global.configmapReload.image.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + args: + - --volume-dir=/etc/config + - --webhook-url=http://localhost:9093/-/reload + volumeMounts: + - name: {{ include "common.fullname" . }}-config + mountPath: /etc/config + readOnly: true + + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + args: + - --config.file=/etc/config/alertmanager.yml + - --storage.path={{ .Values.persistence.containerMountPath }} + resources: +{{ toYaml .Values.resources | indent 10 }} + ports: + - containerPort: {{ .Values.service.internalPort }} + {{- if .Values.readiness.enabled }} + readinessProbe: + httpGet: + path: /#/status + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + {{ end -}} + volumeMounts: + - name: {{ include "common.fullname" . }}-config + mountPath: /etc/config + - name: {{ include "common.fullname" . }}-storage + mountPath: {{ .Values.persistence.containerMountPath }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }} + - name: {{ include "common.fullname" . }}-storage + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "common.fullname" . }} + {{- else }} + emptyDir: {} + {{- end }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always +{{- end -}} 
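Review bot: In the alertmanager container, `{{ toYaml .Values.resources | indent 10 }}` renders the whole flavor map rather than the selected flavor: this chart's values.yaml in the same patch defines `resources` with `small`, `large` and `unlimited` keys plus `flavor: small`, so the container's `resources:` receives those keys instead of valid `limits` and `requests`. The multicloud-pike deployment in this patch uses `include "common.resources"` for the same purpose, and doing the same here would honour `flavor`. Also, the readiness probe path `/#/status` contains a URL fragment, which is never sent in an HTTP request, so the probe effectively checks `/`; point it at a real server-side path. The configmap-reload sidecar has no `resources` block at all.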
diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/pv.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/pv.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/pv.yaml rename to archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/pv.yaml diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/pvc.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/pvc.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/pvc.yaml rename to archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/pvc.yaml diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/service.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/service.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/service.yaml rename to archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/service.yaml diff --git a/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml new file mode 100644 index 0000000000..5b48f73a45 --- /dev/null +++ b/archive/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml 
@@ -0,0 +1,87 @@ +# Copyright 2018 Intel Corporation, Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +#Alertmanager Configuration +image: + repository: prom/alertmanager + tag: v0.15.2 + +persistence: + enabled: true + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + size: 2Gi + mountPath: /dockerdata-nfs + mountSubPath: multicloud/prometheus/alertmanager + containerMountPath: /alertmanager/data + +#Service configuration for this chart +service: + type: ClusterIP + name: multicloud-prometheus-alertmanager + portName: prometheus-alertmanager + internalPort: 9093 + externalPort: 9093 + + meshpeer: + enabled: false + portName: multicloud-prometheus-meshpeer + port: 6783 + +# probe configuration parameters +readiness: + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 30 + enabled: true + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +ingress: + enabled: false + +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "4Gi" + requests: + cpu: "10m" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "8Gi" + requests: + cpu: "20m" + 
memory: "2Gi" + unlimited: {} diff --git a/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml new file mode 100644 index 0000000000..cc89de3d26 --- /dev/null +++ b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml @@ -0,0 +1,19 @@ +# Copyright 2018 Intel Corporation, Inc +# Modifications Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Multicloud Grafana for Prometheus +name: prometheus-grafana +version: 13.0.0 diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/resources/config/grafana.ini b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/resources/config/grafana.ini similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/resources/config/grafana.ini rename to archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/resources/config/grafana.ini 
diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/configmap.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/configmap.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/configmap.yaml rename to archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/configmap.yaml diff --git a/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml new file mode 100644 index 0000000000..e578feb96d --- /dev/null +++ b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml 
@@ -0,0 +1,137 @@ +{{/* +# Copyright 2018 Intel Corporation, Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.grafana.enabled -}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ include "common.name" . }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + name: {{ include "common.name" . }} + spec: + {{- if .Values.dashboards }} + initContainers: + - name: {{ include "common.name" . }}-download-dashboards + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.downloadDashboardsImage.repository }}:{{ .Values.downloadDashboardsImage.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["sh", "/etc/grafana/download_dashboards.sh"] + volumeMounts: + - name: {{ include "common.fullname" . }}-config + mountPath: "/etc/grafana/download_dashboards.sh" + subPath: download_dashboards.sh + - name: {{ include "common.fullname" . 
}}-storage + mountPath: {{ .Values.persistence.containerMountPath }} + {{- end }} + + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: +{{ toYaml .Values.resources | indent 10 }} + ports: + - containerPort: {{ .Values.service.internalPort }} + protocol: TCP + {{- if .Values.liveness.enabled }} + livenessProbe: + httpGet: + path: /api/health + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + {{ end -}} + {{- if .Values.readiness.enabled }} + readinessProbe: + httpGet: + path: /api/health + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + {{ end -}} + volumeMounts: + - name: {{ include "common.fullname" . }}-config + mountPath: "/etc/grafana/grafana.ini" + subPath: grafana.ini + - name: {{ include "common.fullname" . }}-storage + mountPath: {{ .Values.persistence.containerMountPath }} + {{- if .Values.dashboards }} + {{- range $provider, $dashboards := .Values.dashboards }} + {{- range $key, $value := $dashboards }} + {{- if hasKey $value "json" }} + - name: {{ include "common.fullname" $ }}-dashboards-{{ $provider }} + mountPath: "/var/lib/grafana/dashboards/{{ $provider }}/{{ $key }}.json" + subPath: "{{ $key }}.json" + {{- end }} + {{- end }} + {{- end }} + {{- end -}} + {{- if .Values.datasources }} + - name: {{ include "common.fullname" . 
}}-config + mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" + subPath: datasources.yaml + {{- end }} + {{- if .Values.dashboardProviders }} + - name: {{ include "common.fullname" . }}-config + mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" + subPath: dashboardproviders.yaml + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }} + - name: {{ include "common.fullname" . }}-storage + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "common.fullname" . }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.dashboards }} + {{- range keys .Values.dashboards }} + - name: {{ include "common.fullname" $ }}-dashboards-{{ . }} + configMap: + name: {{ include "common.fullname" $ }}-dashboards-{{ . }} + {{- end }} + {{- end }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always +{{- end -}} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/pv.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/pv.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/pv.yaml rename to archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/pv.yaml 
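Review bot: The `download-dashboards` init container in the grafana deployment (rendered when `.Values.dashboards` is set) runs `sh /etc/grafana/download_dashboards.sh` with an image taken from `.Values.downloadDashboardsImage`, which this chart's values.yaml in the same patch sets to `appropriate/curl` with `tag: latest`, alongside the chart default `pullPolicy: Always`. An unpinned third-party image is therefore pulled at pod start and mounted read-write on the persistent `-storage` volume. Pin the image to a fixed tag or digest, as the main container already does with `grafana/grafana` `5.2.4`.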
diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/pvc.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/pvc.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/pvc.yaml rename to archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/pvc.yaml diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/service.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/service.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/service.yaml rename to archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/service.yaml diff --git a/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml new file mode 100644 index 0000000000..0d066bbdc7 --- /dev/null +++ b/archive/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml 
@@ -0,0 +1,114 @@ +# Copyright 2018 Intel Corporation, Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +#Alertmanager Configuration +image: + repository: grafana/grafana + tag: 5.2.4 + +downloadDashboardsImage: + repository: appropriate/curl + tag: latest + +persistence: + enabled: true + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + size: 10Gi + mountPath: /dockerdata-nfs + mountSubPath: multicloud/prometheus/grafana + containerMountPath: /grafana/data + +#Service configuration for this chart +service: + type: ClusterIP + name: multicloud-prometheus-grafana + portName: prometheus-grafana + internalPort: 3000 + externalPort: 3000 + +#Grafana Datasources +datasources: + datasources.yaml: + apiVersion: 1 + datasources: + - name: Prometheus + type: prometheus + #Make sure the port number matches for the prometheus service + url: http://multicloud-prometheus:9090 + access: proxy + isDefault: true + + +#Grafana Dashboard providers +dashboardProviders: {} + +#Grafana Dashboards for importing +#This requires dashboardProviders to be enabled with some data +#The dashboards will be downloaded from the URL provided in +#dashboardProviders +dashboards: {} + +# probe 
configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 30 + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 30 + enabled: true + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +ingress: + enabled: false + +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "4Gi" + requests: + cpu: "10m" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "8Gi" + requests: + cpu: "20m" + memory: "2Gi" + unlimited: {} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/resources/config/prometheus.yml b/archive/multicloud/components/multicloud-prometheus/resources/config/prometheus.yml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/resources/config/prometheus.yml rename to archive/multicloud/components/multicloud-prometheus/resources/config/prometheus.yml diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/configmap.yaml b/archive/multicloud/components/multicloud-prometheus/templates/configmap.yaml similarity index 100% rename from kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/configmap.yaml rename to archive/multicloud/components/multicloud-prometheus/templates/configmap.yaml diff --git a/archive/multicloud/components/multicloud-prometheus/templates/deployment.yaml b/archive/multicloud/components/multicloud-prometheus/templates/deployment.yaml new file mode 100644 index 0000000000..a75ac28b2d --- /dev/null +++ b/archive/multicloud/components/multicloud-prometheus/templates/deployment.yaml 
@@ -0,0 +1,107 @@ +{{/* +# Copyright 2018 Intel Corporation, Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - image: {{ include "repositoryGenerator.image.busybox" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-chown-init + command: ["chown", "-R", "65534:65534", "{{ .Values.persistence.containerMountPath }}"] + volumeMounts: + - name: {{ include "common.fullname" . }}-storage + mountPath: {{ .Values.persistence.containerMountPath }} + containers: + - name: {{ include "common.name" . }}-configmap-reload + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.global.configmapReload.image.repository }}:{{ .Values.global.configmapReload.image.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + args: + - --volume-dir=/etc/config + - --webhook-url=http://localhost:9090/-/reload + volumeMounts: + - name: {{ include "common.fullname" . }}-config + mountPath: /etc/config + readOnly: true + + - name: {{ include "common.name" . }}-server + image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + args: + - --config.file=/etc/config/prometheus.yml + - --storage.tsdb.path={{ .Values.persistence.containerMountPath }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + - --web.enable-lifecycle + {{- if .Values.server.enableAdminApi }} + - --web.enable-admin-api + {{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if .Values.liveness.enabled }} + livenessProbe: + httpGet: + path: /-/healthy + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + {{ end -}} + {{- if .Values.readiness.enabled }} + readinessProbe: + httpGet: + path: /-/ready + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + {{ end -}} + volumeMounts: + - name: {{ include "common.fullname" . }}-config + mountPath: /etc/config + - name: {{ include "common.fullname" . }}-storage + mountPath: {{ .Values.persistence.containerMountPath }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }} + - name: {{ include "common.fullname" . 
}}-storage + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "common.fullname" . }} + {{- else }} + emptyDir: {} + {{- end }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-prometheus/templates/pv.yaml b/archive/multicloud/components/multicloud-prometheus/templates/pv.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/templates/pv.yaml rename to archive/multicloud/components/multicloud-prometheus/templates/pv.yaml diff --git a/kubernetes/multicloud/components/multicloud-prometheus/templates/pvc.yaml b/archive/multicloud/components/multicloud-prometheus/templates/pvc.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-prometheus/templates/pvc.yaml rename to archive/multicloud/components/multicloud-prometheus/templates/pvc.yaml diff --git a/archive/multicloud/components/multicloud-prometheus/templates/service.yaml b/archive/multicloud/components/multicloud-prometheus/templates/service.yaml new file mode 100644 index 0000000000..ec4e1a7011 --- /dev/null +++ b/archive/multicloud/components/multicloud-prometheus/templates/service.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright 2018 Intel Corporation, Inc +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} \ No newline at end of file 
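Review bot: in archive/multicloud/components/multicloud-prometheus/templates/deployment.yaml the pod spec sets no `securityContext`, and volume ownership is fixed by the `chown-init` init container running `chown -R 65534:65534` on `{{ .Values.persistence.containerMountPath }}`, which only works if that container runs as root. Consider a pod-level `securityContext` (`runAsNonRoot: true`, `runAsUser: 65534`, plus `fsGroup: 65534` where the volume type honours it) so the root init container can be dropped. In the same hunk, `--web.enable-lifecycle` is passed unconditionally while `--web.enable-admin-api` is gated on `.Values.server.enableAdminApi`. The configmap-reload sidecar needs the lifecycle flag for `--webhook-url=http://localhost:9090/-/reload`, but the flag also opens the reload and quit endpoints to every client that can reach port 9090. A template comment stating that dependency, and that the Service is expected to stay `ClusterIP`, would help.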
diff --git a/archive/multicloud/components/multicloud-prometheus/values.yaml b/archive/multicloud/components/multicloud-prometheus/values.yaml new file mode 100644 index 0000000000..20ab052169 --- /dev/null +++ b/archive/multicloud/components/multicloud-prometheus/values.yaml 
@@ -0,0 +1,108 @@ +# Copyright 2018 Intel Corporation, Inc +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + alertmanager: + enabled: false + grafana: + enabled: false + configmapReload: + image: + repository: jimmidyson/configmap-reload + tag: v0.2.2 + persistence: {} + +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +#Server Configuration +image: + repository: prom/prometheus + tag: v2.4.0 + +server: + enableAdminApi: false + +persistence: + enabled: true + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + size: 8Gi + mountPath: /dockerdata-nfs + mountSubPath: multicloud/prometheus/server + containerMountPath: /prometheus/data + +#Service configuration for this chart +service: + type: ClusterIP + internalPort: 9090 + ports: + - name: http + port: 9090 + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 30 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 30 + timeoutSeconds: 30 + enabled: true + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +ingress: + enabled: 
false + +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "4Gi" + requests: + cpu: "10m" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "8Gi" + requests: + cpu: "20m" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: multicloud-prometheus + roles: + - read diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/.helmignore b/archive/multicloud/components/multicloud-starlingx/.helmignore old mode 100755 new mode 100644 similarity index 100% rename from kubernetes/contrib/components/netbox/components/netbox-app/.helmignore rename to archive/multicloud/components/multicloud-starlingx/.helmignore diff --git a/archive/multicloud/components/multicloud-starlingx/Chart.yaml b/archive/multicloud/components/multicloud-starlingx/Chart.yaml new file mode 100644 index 0000000000..dd0d9e5564 --- /dev/null +++ b/archive/multicloud/components/multicloud-starlingx/Chart.yaml 
@@ -0,0 +1,31 @@ +# Copyright (c) 2019 Intel Corporation. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP multicloud OpenStack Starlingx Plugin +name: multicloud-starlingx +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-starlingx/resources/config/log/config.json b/archive/multicloud/components/multicloud-starlingx/resources/config/log/config.json similarity index 100% rename from kubernetes/multicloud/components/multicloud-starlingx/resources/config/log/config.json rename to archive/multicloud/components/multicloud-starlingx/resources/config/log/config.json diff --git a/kubernetes/multicloud/components/multicloud-starlingx/resources/config/log/log.yml b/archive/multicloud/components/multicloud-starlingx/resources/config/log/log.yml similarity index 100% rename from kubernetes/multicloud/components/multicloud-starlingx/resources/config/log/log.yml rename to archive/multicloud/components/multicloud-starlingx/resources/config/log/log.yml 
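Review bot: the `flavor: small` and `resources.small` / `resources.large` / `resources.unlimited` layout in archive/multicloud/components/multicloud-prometheus/values.yaml is not what that chart's deployment template consumes. The template renders `{{ toYaml .Values.resources | indent 10 }}` under the server container's `resources:`, so the whole map, including the `small`, `large` and `unlimited` keys, is emitted there. Those keys are not fields of a container's resources, and `flavor` is never read. Use `resources: {{ include "common.resources" . | nindent 10 }}` as the multicloud-starlingx and multicloud-vio deployment templates in this patch do, or flatten the values to plain `limits` and `requests`. The grafana values.yaml earlier in the patch has the same `flavor`/`resources` layout and should be checked against its template as well.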
diff --git a/kubernetes/multicloud/components/multicloud-starlingx/templates/NOTES.txt b/archive/multicloud/components/multicloud-starlingx/templates/NOTES.txt similarity index 100% rename from kubernetes/multicloud/components/multicloud-starlingx/templates/NOTES.txt rename to archive/multicloud/components/multicloud-starlingx/templates/NOTES.txt diff --git a/kubernetes/multicloud/components/multicloud-starlingx/templates/configmap.yaml b/archive/multicloud/components/multicloud-starlingx/templates/configmap.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-starlingx/templates/configmap.yaml rename to archive/multicloud/components/multicloud-starlingx/templates/configmap.yaml diff --git a/archive/multicloud/components/multicloud-starlingx/templates/deployment.yaml b/archive/multicloud/components/multicloud-starlingx/templates/deployment.yaml new file mode 100644 index 0000000000..96942ddae5 --- /dev/null +++ b/archive/multicloud/components/multicloud-starlingx/templates/deployment.yaml 
@@ -0,0 +1,102 @@ +{{/* +# Copyright (c) 2019 Intel Corporation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "false" + name: {{ include "common.name" . }} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: starlingx-log + - mountPath: /opt/starlingx/starlingx/pub/config/log.yml + name: starlingx-logconfig + subPath: log.yml + - mountPath: /opt/artifacts/ + name: artifact-data + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + httpGet: + path: /api/multicloud-starlingx/v0/swagger.json + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: memcached + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.artifactImage }} + name: framework-artifactbroker + command: ["/opt/app/distribution/bin/artifact-dist.sh"] + args: ["/opt/app/distribution/etc/mounted/config.json"] + ports: + - containerPort: 9014 + protocol: TCP + volumeMounts: + - mountPath: /opt/app/distribution/etc/mounted/config.json + name: starlingx-logconfig + subPath: config.json + - mountPath: /data + name: artifact-data + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: starlingx-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} + - name: starlingx-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + - name: artifact-data + emptyDir: {} + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always 
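Review bot: in archive/multicloud/components/multicloud-starlingx/templates/deployment.yaml the `AAI_USERNAME` and `AAI_PASSWORD` env entries are filled directly from `.Values.config.aai.username` and `.Values.config.aai.password`, so the credential is rendered in clear text into the Deployment and is readable by anyone allowed to get the Deployment or its pods. Put the pair in a Secret and reference it with `valueFrom.secretKeyRef`. In the same env block `MSB_PROTO` is fixed to "http" and `SSL_ENABLED` to "false". If these are meant to be permanent they deserve a comment, otherwise they should come from values. The `memcached` and `framework-artifactbroker` sidecars also set no `resources`, unlike the main container.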
diff --git a/archive/multicloud/components/multicloud-starlingx/templates/ingress.yaml b/archive/multicloud/components/multicloud-starlingx/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/archive/multicloud/components/multicloud-starlingx/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/archive/multicloud/components/multicloud-starlingx/templates/service.yaml b/archive/multicloud/components/multicloud-starlingx/templates/service.yaml new file mode 100644 index 0000000000..6eb90e5630 --- /dev/null +++ b/archive/multicloud/components/multicloud-starlingx/templates/service.yaml 
@@ -0,0 +1,18 @@ +{{/* +# Copyright (c) 2019 Intel Corporation. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/archive/multicloud/components/multicloud-starlingx/values.yaml b/archive/multicloud/components/multicloud-starlingx/values.yaml new file mode 100644 index 0000000000..2f06b4b3d4 --- /dev/null +++ b/archive/multicloud/components/multicloud-starlingx/values.yaml 
@@ -0,0 +1,126 @@ +# Copyright (c) 2019 Intel Corporation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefixExt: 304 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 + +################################################################# +# Application configuration defaults. +################################################################# +# application image +repository: nexus3.onap.org:10001 +image: onap/multicloud/openstack-starlingx:1.5.7 +pullPolicy: Always + +# application configuration +config: + msbgateway: msb-iag + msbPort: 80 + aai: + aaiPort: 80 + schemaVersion: v13 + username: AAI + password: AAI + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 5 + enabled: true + +service: + type: NodePort + internalPort: 9009 + ports: + - name: http + port: 9009 + nodePort: '85' + useNodePortExt: true + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-starlingx", + "version": "v0", + "url": "/api/multicloud-starlingx/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": 
false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-starlingx", + "version": "v1", + "url": "/api/multicloud-starlingx/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: 'multicloud-starlingx-api' + name: 'multicloud-starlingx' + port: 9009 + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "4Gi" + requests: + cpu: "10m" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "8Gi" + requests: + cpu: "20m" + memory: "2Gi" + unlimited: {} + +# memcached image resource +memcached: memcached:alpine3.15 + +#Pods Service Account +serviceAccount: + nameOverride: multicloud-starlingx + roles: + - read + +#Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/.helmignore b/archive/multicloud/components/multicloud-vio/.helmignore old mode 100755 new mode 100644 similarity index 100% rename from kubernetes/contrib/components/netbox/components/netbox-nginx/.helmignore rename to archive/multicloud/components/multicloud-vio/.helmignore diff --git a/archive/multicloud/components/multicloud-vio/Chart.yaml b/archive/multicloud/components/multicloud-vio/Chart.yaml new file mode 100644 index 0000000000..2efafe9267 --- /dev/null +++ b/archive/multicloud/components/multicloud-vio/Chart.yaml 
@@ -0,0 +1,32 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP multicloud VIO plugin +name: multicloud-vio +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-vio/resources/config/log/log.yml b/archive/multicloud/components/multicloud-vio/resources/config/log/log.yml similarity index 100% rename from kubernetes/multicloud/components/multicloud-vio/resources/config/log/log.yml rename to archive/multicloud/components/multicloud-vio/resources/config/log/log.yml diff --git a/kubernetes/multicloud/components/multicloud-vio/templates/NOTES.txt b/archive/multicloud/components/multicloud-vio/templates/NOTES.txt similarity index 100% rename from kubernetes/multicloud/components/multicloud-vio/templates/NOTES.txt rename to archive/multicloud/components/multicloud-vio/templates/NOTES.txt 
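Review bot: archive/multicloud/components/multicloud-starlingx/values.yaml ships a working default credential, `username: AAI` with `password: AAI` under `config.aai`, and the same pair appears in the multicloud-vio values.yaml later in this patch. Leave the password empty by default and require it to be supplied at install time (or generated into a Secret), so a deployment that forgets to override it does not run with a known value. The same file sets `service.type: NodePort` with `useNodePortExt: true` while both `msb.onap.org/service-info` entries declare `"enable_ssl": false`, which exposes the API outside the cluster over plain HTTP by default. A `ClusterIP` default, with NodePort as an opt-in, is the safer choice.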
diff --git a/kubernetes/multicloud/components/multicloud-vio/templates/configmap.yaml b/archive/multicloud/components/multicloud-vio/templates/configmap.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-vio/templates/configmap.yaml rename to archive/multicloud/components/multicloud-vio/templates/configmap.yaml diff --git a/archive/multicloud/components/multicloud-vio/templates/deployment.yaml b/archive/multicloud/components/multicloud-vio/templates/deployment.yaml new file mode 100644 index 0000000000..9e26cc3d14 --- /dev/null +++ b/archive/multicloud/components/multicloud-vio/templates/deployment.yaml 
@@ -0,0 +1,81 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + name: {{ include "common.name" . }} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: vio-log + - mountPath: /opt/vio/vio/pub/config/log.yml + name: vio-logconfig + subPath: log.yml + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . 
| nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + path: /api/multicloud-vio/v0/swagger.json + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end -}} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: vio-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} + - name: vio-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/archive/multicloud/components/multicloud-vio/templates/ingress.yaml b/archive/multicloud/components/multicloud-vio/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/archive/multicloud/components/multicloud-vio/templates/ingress.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/archive/multicloud/components/multicloud-vio/templates/service.yaml b/archive/multicloud/components/multicloud-vio/templates/service.yaml new file mode 100644 index 0000000000..0cff91a68c --- /dev/null +++ b/archive/multicloud/components/multicloud-vio/templates/service.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/archive/multicloud/components/multicloud-vio/values.yaml b/archive/multicloud/components/multicloud-vio/values.yaml new file mode 100644 index 0000000000..1337362a34 --- /dev/null +++ b/archive/multicloud/components/multicloud-vio/values.yaml 
@@ -0,0 +1,121 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/multicloud/vio:1.4.2 +pullPolicy: Always + +# application configuration +config: + msbgateway: msb-iag + msbPort: 80 + aai: + aaiPort: 80 + schemaVersion: v13 + username: AAI + password: AAI + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 5 + enabled: true + +service: + type: NodePort + internalPort: 9004 + ports: + - name: http + port: 9004 + nodePort: '92' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-vio", + "version": "v0", + "url": "/api/multicloud-vio/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-vio", + "version": "v1", + "url": 
"/api/multicloud-vio/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: 'multicloud-vio-api' + name: 'multicloud-vio' + port: 9004 + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "4Gi" + requests: + cpu: "10m" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "8Gi" + requests: + cpu: "20m" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: multicloud-vio + roles: + - read + +#Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/.helmignore b/archive/multicloud/components/multicloud-windriver/.helmignore old mode 100755 new mode 100644 similarity index 100% rename from kubernetes/contrib/components/netbox/components/netbox-postgres/.helmignore rename to archive/multicloud/components/multicloud-windriver/.helmignore diff --git a/archive/multicloud/components/multicloud-windriver/Chart.yaml b/archive/multicloud/components/multicloud-windriver/Chart.yaml new file mode 100644 index 0000000000..110cba02c2 --- /dev/null +++ b/archive/multicloud/components/multicloud-windriver/Chart.yaml 
@@ -0,0 +1,32 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP multicloud OpenStack WindRiver Plugin +name: multicloud-windriver +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-windriver/resources/config/log/config.json b/archive/multicloud/components/multicloud-windriver/resources/config/log/config.json similarity index 100% rename from kubernetes/multicloud/components/multicloud-windriver/resources/config/log/config.json rename to archive/multicloud/components/multicloud-windriver/resources/config/log/config.json diff --git a/kubernetes/multicloud/components/multicloud-windriver/resources/config/log/log.yml b/archive/multicloud/components/multicloud-windriver/resources/config/log/log.yml similarity index 100% rename from kubernetes/multicloud/components/multicloud-windriver/resources/config/log/log.yml rename to archive/multicloud/components/multicloud-windriver/resources/config/log/log.yml 
diff --git a/kubernetes/multicloud/components/multicloud-windriver/resources/config/log/test.txt b/archive/multicloud/components/multicloud-windriver/resources/config/log/test.txt similarity index 100% rename from kubernetes/multicloud/components/multicloud-windriver/resources/config/log/test.txt rename to archive/multicloud/components/multicloud-windriver/resources/config/log/test.txt diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/NOTES.txt b/archive/multicloud/components/multicloud-windriver/templates/NOTES.txt similarity index 100% rename from kubernetes/multicloud/components/multicloud-windriver/templates/NOTES.txt rename to archive/multicloud/components/multicloud-windriver/templates/NOTES.txt diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/configmap.yaml b/archive/multicloud/components/multicloud-windriver/templates/configmap.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-windriver/templates/configmap.yaml rename to archive/multicloud/components/multicloud-windriver/templates/configmap.yaml diff --git a/archive/multicloud/components/multicloud-windriver/templates/deployment.yaml b/archive/multicloud/components/multicloud-windriver/templates/deployment.yaml new file mode 100644 index 0000000000..434c0d156e --- /dev/null +++ b/archive/multicloud/components/multicloud-windriver/templates/deployment.yaml 
@@ -0,0 +1,116 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: ["sh", "-c", "chown -R 100:101 /data"] + image: {{ include "repositoryGenerator.image.busybox" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-init + volumeMounts: + - mountPath: /data + name: artifact-data + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "false" + name: {{ include "common.name" . 
}} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: windriver-log + - mountPath: /opt/windriver/titanium_cloud/pub/config/log.yml + name: windriver-logconfig + subPath: log.yml + - mountPath: /opt/artifacts/ + name: artifact-data + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + httpGet: + path: /api/multicloud-titaniumcloud/v1/swagger.json + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: memcached + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.artifactImage }} + name: framework-artifactbroker + command: ["/opt/app/distribution/bin/artifact-dist.sh"] + args: ["/opt/app/distribution/etc/mounted/config.json"] + ports: + - containerPort: 9014 + protocol: TCP + volumeMounts: + - mountPath: /opt/app/distribution/etc/mounted/config.json + name: windriver-logconfig + subPath: config.json + - mountPath: /data + name: artifact-data + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . 
)}} + volumes: + - name: windriver-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} + - name: windriver-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + - name: artifact-data + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ include "common.fullname" . }} + {{- else }} + emptyDir: {} + {{- end }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/archive/multicloud/components/multicloud-windriver/templates/ingress.yaml b/archive/multicloud/components/multicloud-windriver/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/archive/multicloud/components/multicloud-windriver/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/pv.yaml b/archive/multicloud/components/multicloud-windriver/templates/pv.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-windriver/templates/pv.yaml rename to archive/multicloud/components/multicloud-windriver/templates/pv.yaml 
diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/pvc.yaml b/archive/multicloud/components/multicloud-windriver/templates/pvc.yaml similarity index 100% rename from kubernetes/multicloud/components/multicloud-windriver/templates/pvc.yaml rename to archive/multicloud/components/multicloud-windriver/templates/pvc.yaml diff --git a/archive/multicloud/components/multicloud-windriver/templates/service.yaml b/archive/multicloud/components/multicloud-windriver/templates/service.yaml new file mode 100644 index 0000000000..578036bb8d --- /dev/null +++ b/archive/multicloud/components/multicloud-windriver/templates/service.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/archive/multicloud/components/multicloud-windriver/values.yaml b/archive/multicloud/components/multicloud-windriver/values.yaml new file mode 100644 index 0000000000..0af9df856b --- /dev/null +++ b/archive/multicloud/components/multicloud-windriver/values.yaml 
@@ -0,0 +1,144 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 + persistence: {} + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/multicloud/openstack-windriver:1.5.7 +pullPolicy: Always + +# application configuration +config: + ssl_enabled: true + msbgateway: msb-iag + msbPort: 80 + aai: + aaiPort: 80 + schemaVersion: v13 + username: AAI + password: AAI + +service: + type: NodePort + internalPort: 9005 + ports: + - name: http + port: 9005 + nodePort: '94' + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-titanium_cloud", + "version": "v0", + "url": "/api/multicloud-titanium_cloud/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-titaniumcloud", + "version": "v0", + "url": "/api/multicloud-titaniumcloud/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-titaniumcloud", + "version": "v1", + "url": "/api/multicloud-titaniumcloud/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: 'multicloud-titaniumcloud-api' + name: 'multicloud-titaniumcloud' + port: 9005 + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 5 + enabled: true + +persistence: + enabled: true + mountPath: /dockerdata-nfs + mountSubPath: multicloud-windriver/data + volumeReclaimPolicy: Retain + accessMode: ReadWriteOnce + size: 5Gi + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "4Gi" + requests: + cpu: 
"10m" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "8Gi" + requests: + cpu: "20m" + memory: "2Gi" + unlimited: {} + +# memcached image resource +memcached: memcached:alpine3.15 + +#Pods Service Account +serviceAccount: + nameOverride: multicloud-windriver + roles: + - read + +#Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/.helmignore b/archive/nbi/.helmignore similarity index 100% rename from kubernetes/dcaemod/components/dcaemod-onboarding-api/.helmignore rename to archive/nbi/.helmignore diff --git a/archive/nbi/Chart.yaml b/archive/nbi/Chart.yaml new file mode 100644 index 0000000000..3ffd2a1f81 --- /dev/null +++ b/archive/nbi/Chart.yaml 
@@ -0,0 +1,45 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018,2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Northbound Interface +name: nbi +version: 13.1.0 + +dependencies: + - name: common + version: ~13.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: mongodb + version: ~14.12.x-0 + repository: '@local' + - name: mariadb-galera + version: ~13.x-0 + repository: '@local' + condition: global.mariadbGalera.localCluster + - name: mariadb-init + version: ~13.x-0 + repository: '@local' + condition: global.mariadbGalera.globalCluster + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/nbi/README.md b/archive/nbi/README.md similarity index 100% rename from kubernetes/nbi/README.md rename to archive/nbi/README.md diff --git a/archive/nbi/templates/deployment.yaml b/archive/nbi/templates/deployment.yaml new file mode 100644 index 0000000000..863926a8ce --- /dev/null +++ b/archive/nbi/templates/deployment.yaml 
@@ -0,0 +1,112 @@ +{{/* +# Copyright © 2018 Orange +# Modifications Copyright © 2018 Amdocs, Bell Canada +# Modifications Copyright © 2020 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . 
| nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + httpGet: + port: {{ .Values.service.internalPort }} + path: {{ .Values.liveness.path }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + httpGet: + port: {{ .Values.service.internalPort }} + path: {{ .Values.readiness.path }} + scheme: HTTP + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: SPRING_DATASOURCE_URL + value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-galera" "db" "name" }} + - name: SPRING_DATASOURCE_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nbi-db-secret" "key" "login") | indent 14 }} + - name: SPRING_DATASOURCE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nbi-db-secret" "key" "password") | indent 14 }} + - name: SPRING_DATA_MONGODB_HOST + value: {{ .Values.mongodb.service.nameOverride }}.{{ include "common.namespace" . }} + - name: SPRING_DATA_MONGODB_PORT + value: "{{ .Values.mongodb.service.port }}" + - name: SPRING_DATA_MONGODB_DATABASE + value: {{ .Values.mongodb.config.dbName }} + - name: ONAP_LCPCLOUDREGIONID + value: {{ .Values.config.openStackRegion }} + - name: ONAP_TENANTID + value: {{ .Values.config.openStackVNFTenantId | quote }} + - name: ONAP_CLOUDOWNER + value: {{ .Values.config.cloudOwner }} + - name: ONAP_K8SCLOUDREGIONID + value: {{ .Values.config.k8sCloudRegionId }} + - name: ONAP_K8SCLOUDOWNER + value: {{ .Values.config.k8sCloudOwner }} + - name: NBI_URL + value: "http://nbi.{{ include "common.namespace" . 
}}:{{ .Values.service.internalPort }}/nbi/api/v4" + - name: SDC_HOST + value: "http://sdc-be.{{ include "common.namespace" . }}:8080" + - name: SDC_HEADER_ECOMPINSTANCEID + value: {{ .Values.config.ecompInstanceId }} + - name: SDC_HEADER_AUTHORIZATION + value: {{ .Values.sdc_authorization }} + - name: AAI_HOST + value: "http://aai.{{ include "common.namespace" . }}:80" + - name: AAI_HEADER_AUTHORIZATION + value: {{ .Values.aai_authorization }} + - name: SO_HOST + value: http://so.{{ include "common.namespace" . }}:8080 + {{- if .Values.so_authorization }} + - name: SO_HEADER_AUTHORIZATION + value: {{ .Values.so_authorization }} + {{- end }} + - name: DMAAP_HOST + value: "http://message-router.{{ include "common.namespace" . }}:3904" + - name: LOGGING_LEVEL_ORG_ONAP_NBI + value: {{ .Values.config.loglevel }} + - name: MSB_ENABLED + value: "{{ .Values.global.msbEnabled }}" + - name: MSB_DISCOVERY_HOST + value: "msb-discovery.{{ include "common.namespace" . }}" + - name: MSB_DISCOVERY_PORT + value: "10081" + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/nbi/templates/ingress.yaml b/archive/nbi/templates/ingress.yaml similarity index 100% rename from kubernetes/nbi/templates/ingress.yaml rename to archive/nbi/templates/ingress.yaml diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/templates/secret.yaml b/archive/nbi/templates/secret.yaml similarity index 100% rename from kubernetes/holmes/components/holmes-engine-mgmt/templates/secret.yaml rename to archive/nbi/templates/secret.yaml 
diff --git a/kubernetes/nbi/templates/service.yaml b/archive/nbi/templates/service.yaml similarity index 100% rename from kubernetes/nbi/templates/service.yaml rename to archive/nbi/templates/service.yaml diff --git a/archive/nbi/tests/deployment_test.yaml b/archive/nbi/tests/deployment_test.yaml new file mode 100644 index 0000000000..fe9d0d2977 --- /dev/null +++ b/archive/nbi/tests/deployment_test.yaml 
@@ -0,0 +1,205 @@ +--- +suite: test deployment behavior +templates: + - deployment.yaml +tests: + - it: "should render with default values (global)" + asserts: + - isKind: + of: Deployment + - equal: + path: metadata.name + value: RELEASE-NAME-nbi + - equal: + path: metadata.namespace + value: NAMESPACE + - matchRegex: + path: metadata.labels.app + pattern: nbi + - matchRegex: + path: spec.template.metadata.labels.app + pattern: nbi + - equal: + path: spec.template.metadata.name + value: RELEASE-NAME-nbi + - equal: + path: spec.replicas + value: 1 + - isNull: + path: spec.template.spec.nodeSelector + - isNull: + path: spec.template.spec.affinity + + - it: "should render with default value (container)" + asserts: + - equal: + path: spec.template.spec.containers[0].name + value: nbi + - equal: + path: spec.template.spec.containers[0].image + value: nexus3.onap.org:10001/onap/externalapi/nbi:5.0.1 + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: IfNotPresent + - contains: + path: spec.template.spec.containers[0].env + content: + name: SPRING_DATASOURCE_URL + value: jdbc:mariadb://mariadb-galera:3306/nbi + - contains: + path: spec.template.spec.containers[0].env + content: + name: SPRING_DATASOURCE_USERNAME + value: rene + - contains: + path: spec.template.spec.containers[0].env + content: + name: SPRING_DATASOURCE_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-nbi-config + key: db-user-password + - contains: + path: spec.template.spec.containers[0].env + content: + name: SPRING_DATA_MONGODB_HOST + value: nbi-mongohost.NAMESPACE + - contains: + path: spec.template.spec.containers[0].env + content: + name: SPRING_DATA_MONGODB_PORT + value: "27017" + - contains: + path: spec.template.spec.containers[0].env + content: + name: SPRING_DATA_MONGODB_DATABASE + value: ServiceOrderDB + - contains: + path: spec.template.spec.containers[0].env + content: + name: ONAP_LCPCLOUDREGIONID + value: RegionOne + - contains: + path: 
spec.template.spec.containers[0].env + content: + name: ONAP_TENANTID + value: 31047205ce114b60833b23e400d6a535 + - contains: + path: spec.template.spec.containers[0].env + content: + name: ONAP_CLOUDOWNER + value: CloudOwner + - contains: + path: spec.template.spec.containers[0].env + content: + name: NBI_URL + value: http://nbi.NAMESPACE:8080/nbi/api/v4 + - contains: + path: spec.template.spec.containers[0].env + content: + name: SDC_HOST + value: http://sdc-be.NAMESPACE:8080 + - contains: + path: spec.template.spec.containers[0].env + content: + name: SDC_HEADER_ECOMPINSTANCEID + value: OOM + - contains: + path: spec.template.spec.containers[0].env + content: + name: SDC_HEADER_AUTHORIZATION + value: Basic YWFpOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU= + - contains: + path: spec.template.spec.containers[0].env + content: + name: AAI_HOST + value: http://aai.NAMESPACE:80 + - contains: + path: spec.template.spec.containers[0].env + content: + name: AAI_HEADER_AUTHORIZATION + value: Basic QUFJOkFBSQ== + - contains: + path: spec.template.spec.containers[0].env + content: + name: SO_HOST + value: http://so.NAMESPACE:8080 + - contains: + path: spec.template.spec.containers[0].env + content: + name: DMAAP_HOST + value: http://message-router.NAMESPACE:3904 + - contains: + path: spec.template.spec.containers[0].env + content: + name: LOGGING_LEVEL_ORG_ONAP_NBI + value: INFO + - contains: + path: spec.template.spec.containers[0].env + content: + name: MSB_ENABLED + value: "true" + - contains: + path: spec.template.spec.containers[0].env + content: + name: MSB_DISCOVERY_HOST + value: msb-discovery.NAMESPACE + - contains: + path: spec.template.spec.containers[0].env + content: + name: MSB_DISCOVERY_PORT + value: "10081" + - equal: + path: spec.template.spec.containers[0].livenessProbe + value: + initialDelaySeconds: 180 + periodSeconds: 30 + tcpSocket: + port: 8080 + - equal: + path: spec.template.spec.containers[0].readinessProbe + value: + 
initialDelaySeconds: 185 + periodSeconds: 30 + tcpSocket: + port: 8080 + - contains: + path: spec.template.spec.containers[0].ports + content: + containerPort: 8080 + - equal: + path: spec.template.spec.containers[0].resources.limits.cpu + value: 1 + - equal: + path: spec.template.spec.containers[0].resources.limits.memory + value: 2Gi + - equal: + path: spec.template.spec.containers[0].resources.requests.cpu + value: 100m + - equal: + path: spec.template.spec.containers[0].resources.requests.memory + value: 1Gi + - it: "should render when deciding to use local cluster (container)" + set: + global: + mariadbGalera: + localCluster: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: SPRING_DATASOURCE_URL + value: jdbc:mariadb://nbi-galera:3306/nbi + - contains: + path: spec.template.spec.containers[0].env + content: + name: SPRING_DATASOURCE_USERNAME + value: rene + - contains: + path: spec.template.spec.containers[0].env + content: + name: SPRING_DATASOURCE_PASSWORD + valueFrom: + secretKeyRef: + name: RELEASE-NAME-nbi-nbi-galera + key: user-password diff --git a/archive/nbi/values.yaml b/archive/nbi/values.yaml new file mode 100644 index 0000000000..0d143dc6c6 --- /dev/null +++ b/archive/nbi/values.yaml 
@@ -0,0 +1,193 @@ +# Copyright © 2018 Orange +# Modifications Copyright © 2018 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows NBI to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) + localCluster: false + globalCluster: true + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + msbEnabled: false + # Docker Repository used by RepositoryGenerator + dockerHubRepository: docker.io + # Additions for MongoDB**************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + # ************************************************* + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: nbi-db-secret + name: &dbUserSecretName '{{ include "common.release" . 
}}-nbi-db-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + +subChartsOnly: + enabled: true + +# application image +repository: nexus3.onap.org:10001 +image: onap/externalapi/nbi:10.0.0 +pullPolicy: IfNotPresent +sdc_authorization: Basic YWFpOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU= +aai_authorization: Basic QUFJOkFBSQ== +so_authorization: + +# application configuration +config: + loglevel: INFO + logstashServiceName: log-ls + logstashPort: 5044 + cloudOwner: CloudOwner + k8sCloudRegionId: k8sregionfour + k8sCloudOwner: k8scloudowner4 + ecompInstanceId: OOM + openStackRegion: RegionOne + openStackVNFTenantId: 31047205ce114b60833b23e400d6a535 + db: + userName: &dbuser rene + # userPassword: password + # userCredentialsExternalSecret: some-secret + +mariadb-galera: + db: + user: *dbuser + externalSecret: *dbUserSecretName + name: &mysqlDbName nbi + service: + name: nbi-galera + portName: nbi-galera + internalPort: 3306 + nameOverride: &nbi-galera nbi-galera + replicaCount: 1 + mariadbOperator: + galera: + enabled: false + persistence: + enabled: true + mountSubPath: nbi/maria/data + serviceAccount: + nameOverride: *nbi-galera + +mariadb-init: + config: + userCredentialsExternalSecret: *dbUserSecretName + mysqlDatabase: *mysqlDbName + nameOverride: nbi-config + serviceAccount: + nameOverride: nbi-config + +mongodb: + nameOverride: nbi-mongo + config: + dbName: &mongoDBName ServiceOrderDB + auth: + enabled: false + databases: + - *mongoDBName + usernames: + - "nbi" + service: + nameOverride: nbi-mongohost + internalPort: 27017 + resources: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "500m" + memory: "1Gi" + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + path: /nbi/api/v4/status + 
initialDelaySeconds: 180 + periodSeconds: 30 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + path: /nbi/api/v4/status + initialDelaySeconds: 185 + periodSeconds: 30 + +service: + type: NodePort + portName: api + name: nbi + internalPort: 8080 + ports: + - name: http + port: 8080 + nodePort: '74' + +ingress: + enabled: false + service: + - baseaddr: "nbi-api" + name: "nbi" + port: 8080 + config: + ssl: "redirect" +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "4" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: nbi + roles: + - read diff --git a/kubernetes/contrib/.helmignore b/archive/oof/.helmignore similarity index 100% rename from kubernetes/contrib/.helmignore rename to archive/oof/.helmignore diff --git a/archive/oof/Chart.yaml b/archive/oof/Chart.yaml new file mode 100755 index 0000000000..6be063fc4c --- /dev/null +++ b/archive/oof/Chart.yaml 
@@ -0,0 +1,42 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Optimization Framework +name: oof +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: oof-has + version: ~13.x-0 + repository: 'file://components/oof-has' + condition: oof-has.enabled + - name: oof-templates + version: ~13.x-0 + repository: 'file://components/oof-templates' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/log/Makefile b/archive/oof/Makefile similarity index 100% rename from kubernetes/log/Makefile rename to archive/oof/Makefile diff --git a/kubernetes/log/components/Makefile b/archive/oof/components/Makefile old mode 100644 new mode 100755 similarity index 100% rename from kubernetes/log/components/Makefile rename to archive/oof/components/Makefile diff --git a/kubernetes/oof/.helmignore b/archive/oof/components/oof-has/.helmignore similarity index 100% rename from kubernetes/oof/.helmignore rename to archive/oof/components/oof-has/.helmignore 
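Review bot: In archive/nbi/values.yaml (the new 193-line hunk above), `sdc_authorization` and `aai_authorization` carry complete `Basic ...` header values as chart defaults; base64 is an encoding, not protection, so these are plaintext credentials in the repository and in every release rendered from it. The same file already routes the database login through the `secrets:` metaconfig with an `externalSecret` override (`nbi-db-secret`), and the two authorization values should go the same way and reach the container through a `secretKeyRef`, leaving no usable default in values.yaml. Also in that hunk, `mongodb.auth.enabled: false` leaves ServiceOrderDB unauthenticated inside the cluster, which deserves at least a comment naming the network controls it relies on.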
diff --git a/archive/oof/components/oof-has/Chart.yaml b/archive/oof/components/oof-has/Chart.yaml new file mode 100755 index 0000000000..79f19c176c --- /dev/null +++ b/archive/oof/components/oof-has/Chart.yaml 
@@ -0,0 +1,58 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Homing and Allocation Service +name: oof-has +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: etcd + version: ~13.x-0 + repository: '@local' + condition: etcd.enabled + - name: etcd-init + version: ~13.x-0 + repository: '@local' + condition: etcd-init.enabled + - name: oof-has-api + version: ~13.x-0 + repository: 'file://components/oof-has-api' + condition: oof-has-api.enabled + - name: oof-has-controller + version: ~13.x-0 + repository: 'file://components/oof-has-controller' + condition: oof-has-controller.enabled + - name: oof-has-data + version: ~13.x-0 + repository: 'file://components/oof-has-data' + condition: oof-has-data.enabled + - name: oof-has-reservation + version: ~13.x-0 + repository: 'file://components/oof-has-reservation' + condition: oof-has-reservation.enabled + - name: oof-has-solver + version: ~13.x-0 + repository: 'file://components/oof-has-solver' + condition: oof-has-solver.enabled + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + 
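Review bot: The header for archive/oof/components/oof-has/Chart.yaml says `new file mode 100755`, so a YAML manifest is committed with the executable bit set; it should be 100644, as should the other Chart.yaml, values.yaml and template files in this change that show the same mode. The hunk also ends with an empty added line after the last `repository: '@local'`, which can be dropped.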
diff --git a/kubernetes/oof/components/oof-has/Makefile b/archive/oof/components/oof-has/Makefile similarity index 100% rename from kubernetes/oof/components/oof-has/Makefile rename to archive/oof/components/oof-has/Makefile diff --git a/kubernetes/oof/components/oof-has/components/Makefile b/archive/oof/components/oof-has/components/Makefile similarity index 100% rename from kubernetes/oof/components/oof-has/components/Makefile rename to archive/oof/components/oof-has/components/Makefile diff --git a/archive/oof/components/oof-has/components/oof-has-api/Chart.yaml b/archive/oof/components/oof-has/components/oof-has-api/Chart.yaml new file mode 100755 index 0000000000..c6c07bd8ef --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-api/Chart.yaml 
@@ -0,0 +1,39 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Homing and Allocation Servicei - API +name: oof-has-api +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: oof-templates + version: ~13.x-0 + repository: 'file://../../../oof-templates' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/NOTES.txt b/archive/oof/components/oof-has/components/oof-has-api/templates/NOTES.txt similarity index 100% rename from kubernetes/oof/components/oof-has/components/oof-has-api/templates/NOTES.txt rename to archive/oof/components/oof-has/components/oof-has-api/templates/NOTES.txt diff --git a/archive/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml b/archive/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml new file mode 100755 index 0000000000..703d8bb7c4 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml 
@@ -0,0 +1,110 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Copyright (C) 2020 Wipro Limited. +# Modifications Copyright © 2018 AT&T,VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.global.image.optf_has }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/bin/sh","-c"] + args: ["/usr/local/bin/uwsgi -s /run/conductor/uwsgi.sock --chmod-socket=777 --wsgi-file /etc/nginx/conductor.wsgi --callable application --set port={{ .Values.uwsgi.internalPort }} --die-on-term --exit-on-reload --pidfile /run/conductor/conductor-uwsgi.pid --enable-threads --workers 6 --master --vacuum --single-interpreter --socket-timeout 10 --max-worker-lifetime 300 --max-requests 100 --no-defer-accept --protocol=uwsgi --socket 0.0.0.0:{{ .Values.uwsgi.internalPort }}"] + ports: + - containerPort: {{ .Values.uwsgi.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.uwsgi.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.uwsgi.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: {{ include "oof.etcd.env" . | nindent 10 }} + volumeMounts: + - mountPath: /usr/local/etc/conductor/conductor.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: conductor.conf + - mountPath: /usr/local/bin/log.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: log.conf + resources: {{ include "common.resources" . | nindent 12 }} + - name: {{ include "common.name" . }}-nginx + image: {{ include "repositoryGenerator.image.nginx" . 
}} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + args: + - "-c" + - | + /opt/bitnami/scripts/nginx/entrypoint.sh /opt/bitnami/scripts/nginx/run.sh + ports: + - containerPort: {{ .Values.service.internalPort }} + name: http + {{- if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - mountPath: /opt/bitnami/nginx/conf/nginx.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: nginx.conf + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ .Values.global.commonConfigPrefix }}-config + configMap: + name: {{ .Values.global.commonConfigPrefix }}-configmap + items: + - key: nginx.conf + path: nginx.conf + - key: conductor.conf + path: conductor.conf + - key: log.conf + path: log.conf + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/ingress.yaml b/archive/oof/components/oof-has/components/oof-has-api/templates/ingress.yaml similarity index 100% rename from kubernetes/oof/components/oof-has/components/oof-has-api/templates/ingress.yaml rename to archive/oof/components/oof-has/components/oof-has-api/templates/ingress.yaml 
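Review bot: In oof-has-api/templates/deployment.yaml the uwsgi `args` line passes `--chmod-socket=777`, which makes /run/conductor/uwsgi.sock world-writable. No volume in this template shares /run/conductor with the nginx container, and the same command also opens `--socket 0.0.0.0:{{ .Values.uwsgi.internalPort }}`, so the unix socket looks unused by the sidecar; drop `-s /run/conductor/uwsgi.sock --chmod-socket=777`, or tighten the mode to 660 if something does depend on it. Neither container sets a `securityContext` (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities), which is worth adding while the template is being touched.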
diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/secret.yaml b/archive/oof/components/oof-has/components/oof-has-api/templates/secret.yaml similarity index 100% rename from kubernetes/oof/components/oof-has/components/oof-has-api/templates/secret.yaml rename to archive/oof/components/oof-has/components/oof-has-api/templates/secret.yaml diff --git a/archive/oof/components/oof-has/components/oof-has-api/templates/service.yaml b/archive/oof/components/oof-has/components/oof-has-api/templates/service.yaml new file mode 100755 index 0000000000..b77b592c08 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-api/templates/service.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/archive/oof/components/oof-has/components/oof-has-api/values.yaml b/archive/oof/components/oof-has/components/oof-has-api/values.yaml new file mode 100755 index 0000000000..0d7bd7c995 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-api/values.yaml 
@@ -0,0 +1,101 @@ +# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware +# Copyright (C) 2020 Wipro Limited. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: # global defaults + nodePortPrefix: 302 + image: + optf_has: onap/optf-has:2.3.1 + +################################################################# +# secrets metaconfig +################################################################# +secrets: + - uid: oof-has-etcd-secret + name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' + login: '{{ .Values.config.etcd.appUser }}' + password: '{{ .Values.config.etcd.appPassword }}' + passwordPolicy: required + +config: + etcd: + appUser: user + appPassword: pass + +service: + type: NodePort + name: oof-has-api + internalPort: 8091 + ports: + - name: http + port: 8091 + nodePort: '75' + +#backend container info +uwsgi: + internalPort: 8080 +replicaCount: 1 +nodeSelector: {} +affinity: {} +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +ingress: + enabled: false + service: + - baseaddr: "oof-has-api" + name: "oof-has-api" + port: 8091 + config: + ssl: "redirect" + +readinessCheck: + wait_for: + apps: + - oof-has-controller + +#Pods Service Account +serviceAccount: + nameOverride: oof-has-api + roles: + - read diff --git a/archive/oof/components/oof-has/components/oof-has-controller/Chart.yaml b/archive/oof/components/oof-has/components/oof-has-controller/Chart.yaml new file mode 100755 index 0000000000..9c155e8525 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-controller/Chart.yaml 
@@ -0,0 +1,38 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Homing and Allocation Sservice - Controller +name: oof-has-controller +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: oof-templates + version: ~13.x-0 + repository: 'file://../../../oof-templates' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/archive/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml b/archive/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml new file mode 100755 index 0000000000..2367da742e --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml 
@@ -0,0 +1,88 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - python + args: + - /usr/local/bin/conductor-controller + - --config-file=/usr/local/bin/conductor.conf + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if .Values.liveness.enabled }} + livenessProbe: + exec: + command: + - cat + - /usr/local/bin/healthy.sh + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + exec: + command: + - cat + - /usr/local/bin/healthy.sh + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: {{ include "oof.etcd.env" . 
| nindent 10 }} + volumeMounts: + - mountPath: /usr/local/bin/conductor.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: conductor.conf + - mountPath: /usr/local/bin/log.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: log.conf + - mountPath: /usr/local/bin/healthy.sh + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: healthy.sh + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ .Values.global.commonConfigPrefix }}-config + configMap: + name: {{ .Values.global.commonConfigPrefix }}-configmap + items: + - key: conductor.conf + path: conductor.conf + - key: log.conf + path: log.conf + - key: healthy.sh + path: healthy.sh + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/secret.yaml b/archive/oof/components/oof-has/components/oof-has-controller/templates/secret.yaml similarity index 100% rename from kubernetes/oof/components/oof-has/components/oof-has-controller/templates/secret.yaml rename to archive/oof/components/oof-has/components/oof-has-controller/templates/secret.yaml diff --git a/archive/oof/components/oof-has/components/oof-has-controller/values.yaml b/archive/oof/components/oof-has/components/oof-has-controller/values.yaml new file mode 100755 index 0000000000..7cbfafbc76 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-controller/values.yaml 
@@ -0,0 +1,80 @@ +# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + image: + optf_has: onap/optf-has:2.3.1 + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: oof-has-etcd-secret + name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' + login: '{{ .Values.config.etcd.appUser }}' + password: '{{ .Values.config.etcd.appPassword }}' + passwordPolicy: required + +config: + etcd: + appUser: user + appPassword: pass + +ingress: + enabled: false +replicaCount: 1 +nodeSelector: {} +affinity: {} +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + +#Pods Service Account +serviceAccount: + nameOverride: oof-has-controller + roles: + - read diff --git a/archive/oof/components/oof-has/components/oof-has-data/Chart.yaml b/archive/oof/components/oof-has/components/oof-has-data/Chart.yaml new file mode 100755 index 0000000000..142f6e563e --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-data/Chart.yaml 
@@ -0,0 +1,38 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Homing and Allocation Service - Data Component +name: oof-has-data +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: oof-templates + version: ~13.x-0 + repository: 'file://../../../oof-templates' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/archive/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml b/archive/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml new file mode 100755 index 0000000000..765d3dbda4 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml 
@@ -0,0 +1,88 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - python + args: + - /usr/local/bin/conductor-data + - --config-file=/usr/local/bin/conductor.conf + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if .Values.liveness.enabled }} + livenessProbe: + exec: + command: + - cat + - /usr/local/bin/healthy.sh + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + exec: + command: + - cat + - /usr/local/bin/healthy.sh + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: {{ include "oof.etcd.env" . 
| nindent 10 }} + volumeMounts: + - mountPath: /usr/local/bin/conductor.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: conductor.conf + - mountPath: /usr/local/bin/log.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: log.conf + - mountPath: /usr/local/bin/healthy.sh + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: healthy.sh + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ .Values.global.commonConfigPrefix }}-config + configMap: + name: {{ .Values.global.commonConfigPrefix }}-configmap + items: + - key: conductor.conf + path: conductor.conf + - key: log.conf + path: log.conf + - key: healthy.sh + path: healthy.sh + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/secret.yaml b/archive/oof/components/oof-has/components/oof-has-data/templates/secret.yaml similarity index 100% rename from kubernetes/oof/components/oof-has/components/oof-has-data/templates/secret.yaml rename to archive/oof/components/oof-has/components/oof-has-data/templates/secret.yaml diff --git a/archive/oof/components/oof-has/components/oof-has-data/values.yaml b/archive/oof/components/oof-has/components/oof-has-data/values.yaml new file mode 100755 index 0000000000..37e131ba91 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-data/values.yaml 
@@ -0,0 +1,80 @@ +# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + image: + optf_has: onap/optf-has:2.3.1 + +################################################################# +# secrets metaconfig +################################################################# +secrets: + - uid: oof-has-etcd-secret + name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' + login: '{{ .Values.config.etcd.appUser }}' + password: '{{ .Values.config.etcd.appPassword }}' + passwordPolicy: required + +config: + etcd: + appUser: user + appPassword: pass + +ingress: + enabled: false +replicaCount: 1 +nodeSelector: {} +affinity: {} +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + +#Pods Service Account +serviceAccount: + nameOverride: oof-has-data + roles: + - read diff --git a/archive/oof/components/oof-has/components/oof-has-reservation/Chart.yaml b/archive/oof/components/oof-has/components/oof-has-reservation/Chart.yaml new file mode 100755 index 0000000000..2e7666ca06 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-reservation/Chart.yaml 
@@ -0,0 +1,38 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Homing and Allocation Sevice - Reservation Component +name: oof-has-reservation +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: oof-templates + version: ~13.x-0 + repository: 'file://../../../oof-templates' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/archive/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml b/archive/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml new file mode 100755 index 0000000000..d7b53346e9 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml 
@@ -0,0 +1,88 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - python + args: + - /usr/local/bin/conductor-reservation + - --config-file=/usr/local/bin/conductor.conf + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if .Values.liveness.enabled }} + livenessProbe: + exec: + command: + - cat + - /usr/local/bin/healthy.sh + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + readinessProbe: + exec: + command: + - cat + - /usr/local/bin/healthy.sh + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + {{ end -}} + env: {{ include "oof.etcd.env" . 
| nindent 10 }} + volumeMounts: + - mountPath: /usr/local/bin/conductor.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: conductor.conf + - mountPath: /usr/local/bin/log.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: log.conf + - mountPath: /usr/local/bin/healthy.sh + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: healthy.sh + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ .Values.global.commonConfigPrefix }}-config + configMap: + name: {{ .Values.global.commonConfigPrefix }}-configmap + items: + - key: conductor.conf + path: conductor.conf + - key: log.conf + path: log.conf + - key: healthy.sh + path: healthy.sh + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/secret.yaml b/archive/oof/components/oof-has/components/oof-has-reservation/templates/secret.yaml similarity index 100% rename from kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/secret.yaml rename to archive/oof/components/oof-has/components/oof-has-reservation/templates/secret.yaml diff --git a/archive/oof/components/oof-has/components/oof-has-reservation/values.yaml b/archive/oof/components/oof-has/components/oof-has-reservation/values.yaml new file mode 100755 index 0000000000..6a1bc53582 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-reservation/values.yaml 
@@ -0,0 +1,80 @@ +# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + image: + optf_has: onap/optf-has:2.3.1 + +################################################################# +# secrets metaconfig +################################################################# +secrets: + - uid: oof-has-etcd-secret + name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' + login: '{{ .Values.config.etcd.appUser }}' + password: '{{ .Values.config.etcd.appPassword }}' + passwordPolicy: required + +config: + etcd: + appUser: user + appPassword: pass + +ingress: + enabled: false +replicaCount: 1 +nodeSelector: {} +affinity: {} +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + +#Pods Service Account +serviceAccount: + nameOverride: oof-has-reservation + roles: + - read diff --git a/archive/oof/components/oof-has/components/oof-has-solver/Chart.yaml b/archive/oof/components/oof-has/components/oof-has-solver/Chart.yaml new file mode 100755 index 0000000000..7fe3d0c8ca --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-solver/Chart.yaml 
@@ -0,0 +1,38 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Homing and Allocation Service - Solver Component +name: oof-has-solver +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: oof-templates + version: ~13.x-0 + repository: 'file://../../../oof-templates' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/archive/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml b/archive/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml new file mode 100755 index 0000000000..5d9c0763b5 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml 
@@ -0,0 +1,88 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - python + args: + - /usr/local/bin/conductor-solver + - --config-file=/usr/local/bin/conductor.conf + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if .Values.liveness.enabled }} + livenessProbe: + exec: + command: + - cat + - /usr/local/bin/healthy.sh + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + exec: + command: + - cat + - /usr/local/bin/healthy.sh + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: {{ include "oof.etcd.env" . 
| nindent 10 }} + volumeMounts: + - mountPath: /usr/local/bin/conductor.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: conductor.conf + - mountPath: /usr/local/bin/log.conf + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: log.conf + - mountPath: /usr/local/bin/healthy.sh + name: {{ .Values.global.commonConfigPrefix }}-config + subPath: healthy.sh + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ .Values.global.commonConfigPrefix }}-config + configMap: + name: {{ .Values.global.commonConfigPrefix }}-configmap + items: + - key: conductor.conf + path: conductor.conf + - key: log.conf + path: log.conf + - key: healthy.sh + path: healthy.sh + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/secret.yaml b/archive/oof/components/oof-has/components/oof-has-solver/templates/secret.yaml similarity index 100% rename from kubernetes/oof/components/oof-has/components/oof-has-solver/templates/secret.yaml rename to archive/oof/components/oof-has/components/oof-has-solver/templates/secret.yaml diff --git a/archive/oof/components/oof-has/components/oof-has-solver/values.yaml b/archive/oof/components/oof-has/components/oof-has-solver/values.yaml new file mode 100755 index 0000000000..e0a9b0cdd1 --- /dev/null +++ b/archive/oof/components/oof-has/components/oof-has-solver/values.yaml 
@@ -0,0 +1,80 @@ +# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + image: + optf_has: onap/optf-has:2.3.1 + +################################################################# +# secrets metaconfig +################################################################# +secrets: + - uid: oof-has-etcd-secret + name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' + login: '{{ .Values.config.etcd.appUser }}' + password: '{{ .Values.config.etcd.appPassword }}' + passwordPolicy: required + +config: + etcd: + appUser: user + appPassword: pass + +ingress: + enabled: false +replicaCount: 1 +nodeSelector: {} +affinity: {} +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job' + +#Pods Service Account +serviceAccount: + nameOverride: oof-has-solver + roles: + - read diff --git a/archive/oof/components/oof-has/resources/config/conductor.conf b/archive/oof/components/oof-has/resources/config/conductor.conf new file mode 100755 index 0000000000..511c0cd6de --- /dev/null +++ b/archive/oof/components/oof-has/resources/config/conductor.conf 
@@ -0,0 +1,706 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware, Intel Corporation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +[DEFAULT] + +# +# From conductor +# + +# Configuration file for WSGI definition of API. (string value) +api_paste_config = /usr/local/etc/conductor/api_paste.ini + +# Music keyspace for content (string value) +#keyspace = conductor + +# Delay time (Seconds) for MUSIC requests. Set it to 2 seconds by default. +# (integer value) +#delay_time = 2 + +# (boolean value) +#HPA_enabled = true + +# +# From oslo.log +# + +# If set to true, the logging level will be set to DEBUG instead of the default +# INFO level. (boolean value) +# Note: This option can be changed without restarting. +#debug = false +debug = true + +# The name of a logging configuration file. This file is appended to any +# existing logging configuration files. For details about logging configuration +# files, see the Python logging module documentation. Note that when logging +# configuration files are used then all logging configuration is set in the +# configuration file and other logging configuration options are ignored (for +# example, logging_context_format_string). (string value) +# Note: This option can be changed without restarting. +# Deprecated group/name - [DEFAULT]/log_config +#log_config_append = +log_config_append = /usr/local/bin/log.conf + +# Defines the format string for %%(asctime)s in log records. 
Default: +# %(default)s . This option is ignored if log_config_append is set. (string +# value) +#log_date_format = %Y-%m-%d %H:%M:%S + +# (Optional) Name of log file to send logging output to. If no default is set, +# logging will go to stderr as defined by use_stderr. This option is ignored if +# log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logfile +#log_file = + +# (Optional) The base directory used for relative log_file paths. This option +# is ignored if log_config_append is set. (string value) +# Deprecated group/name - [DEFAULT]/logdir +#log_dir = + +# Uses logging handler designed to watch file system. When log file is moved or +# removed this handler will open a new log file with specified path +# instantaneously. It makes sense only if log_file option is specified and +# Linux platform is used. This option is ignored if log_config_append is set. +# (boolean value) +#watch_log_file = false + +# Use syslog for logging. Existing syslog format is DEPRECATED and will be +# changed later to honor RFC5424. This option is ignored if log_config_append +# is set. (boolean value) +#use_syslog = false + +# Enable journald for logging. If running in a systemd environment you may wish +# to enable journal support. Doing so will use the journal native protocol +# which includes structured metadata in addition to log messages.This option is +# ignored if log_config_append is set. (boolean value) +#use_journal = false + +# Syslog facility to receive log lines. This option is ignored if +# log_config_append is set. (string value) +#syslog_log_facility = LOG_USER + +# Use JSON formatting for logging. This option is ignored if log_config_append +# is set. (boolean value) +#use_json = false + +# Log output to standard error. This option is ignored if log_config_append is +# set. (boolean value) +#use_stderr = false + +# Format string to use for log messages with context. 
(string value) +#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s + +# Format string to use for log messages when context is undefined. (string +# value) +#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s + +# Additional data to append to log message when logging level for the message +# is DEBUG. (string value) +#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d + +# Prefix each line of exception output with this format. (string value) +#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s + +# Defines the format string for %(user_identity)s that is used in +# logging_context_format_string. (string value) +#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s + +# List of package logging levels in logger=LEVEL pairs. This option is ignored +# if log_config_append is set. (list value) +#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO + +# Enables or disables publication of error events. (boolean value) +#publish_errors = false + +# The format for an instance that is passed with the log message. (string +# value) +#instance_format = "[instance: %(uuid)s] " + +# The format for an instance UUID that is passed with the log message. (string +# value) +#instance_uuid_format = "[instance: %(uuid)s] " + +# Interval, number of seconds, of log rate limiting. 
(integer value) +#rate_limit_interval = 0 + +# Maximum number of logged messages per rate_limit_interval. (integer value) +#rate_limit_burst = 0 + +# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG +# or empty string. Logs with level greater or equal to rate_limit_except_level +# are not filtered. An empty string means that all levels are filtered. (string +# value) +#rate_limit_except_level = CRITICAL + +# Enables or disables fatal status of deprecations. (boolean value) +#fatal_deprecations = false + +[auth] +appkey = "" + +[aaf_api] + +# +# From conductor +# + +# is_aaf_enabled. (boolean value) +is_aaf_enabled = false + +# aaf_cache_expiry_hrs. (integer value) +aaf_cache_expiry_hrs = 3 + +# aaf_url. (string value) +aaf_url = + +# aaf_cert_file. (string value) +#aaf_cert_file = + +# aaf_cert_key_file. (string value) +#aaf_cert_key_file = + +# aaf_ca_bundle_file. (string value) +#aaf_ca_bundle_file = +aaf_ca_bundle_file = + +# aaf_retries. (integer value) +#aaf_retries = 3 + +# aaf_timeout. (integer value) +#aaf_timeout = 100 + +# aaf_user_roles. (list value) +#aaf_permissions = {"type": "org.onap.oof.access","instance": "*","action": "*"} + + +[aaf_sms] + +# +# From conductor +# + +# is_enabled. (boolean value) +is_enabled = false + +# Base URL for SMS, up to and not including the version, and without a trailing +# slash. (string value) +aaf_sms_url = + + +# Timeout for SMS API Call (integer value) +#aaf_sms_timeout = 30 + +# Path to the cacert that will be used to verify If this is None, verify will +# be False and the server certis not verified by the client. (string value) +#aaf_ca_certs = AAF_RootCA.cer +aaf_ca_certs = /usr/local/bin/AAF_RootCA.cer + +# Domain UUID - A unique UUID generated when the domainfor HAS is created by +# administrator during deployment (string value) +#secret_domain = has + + +[aai] + +# +# From conductor +# + +# Interval with which to refresh the local cache, in minutes. 
(integer value) +#cache_refresh_interval = 1440 +cache_refresh_interval = 1 + +# Interval with which to refresh the local complex cache, in minutes. (integer +# value) +#complex_cache_refresh_interval = 1440 +complex_cache_refresh_interval = 60 + +# Data Store table prefix. (string value) +#table_prefix = aai + +# Base URL for A&AI, up to and not including the version, and without a +# trailing slash. (string value) +server_url = http://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.aai.port}}/aai + +# Timeout for A&AI Rest Call (string value) +#aai_rest_timeout = 30 + +# Number of retry for A&AI Rest Call (string value) +#aai_retries = 3 + +# The version of A&AI in v# format. (string value) +server_url_version = v21 + +# SSL/TLS certificate file in pem format. This certificate must be registered +# with the A&AI endpoint. (string value) +certificate_file = + +# Private Certificate Key file in pem format. (string value) +certificate_key_file = + +# Certificate Authority Bundle file in pem format. Must contain the appropriate +# trust chain for the Certificate file. (string value) +#certificate_authority_bundle_file = certificate_authority_bundle.pem +certificate_authority_bundle_file = + +# Username for AAI. (string value) +username = OOF + +# Password for AAI. (string value) +password = OOF + + +[api] + +# +# From conductor +# + +# Toggle Pecan Debug Middleware. (boolean value) +#pecan_debug = false + +# Default maximum number of items returned by API request. (integer value) +# Minimum value: 1 +#default_api_return_limit = 100 + +[conductor_api] + +# +# From conductor +# + +# Base URL for plans. (string value) +#server_url = + +# username for plans. (string value) +#username = +username = admin1 + +# password for plans. (string value) +#password = +password = plan.15 + +# auth toggling. (boolean value) +basic_auth_secure = true + + +[controller] + +# +# From conductor +# + +# Timeout for planning requests. 
Default value is 10. (integer value) +# Minimum value: 1 +#timeout = 10 +timeout = 200 + +# Maximum number of result sets to return. Default value is 1. (integer value) +# Minimum value: 1 +#limit = 1 + +# Number of workers for controller service. Default value is 1. (integer value) +# Minimum value: 1 +#workers = 1 + +# Set to True when controller will run in active-active mode. When set to +# False, controller will flush any abandoned messages at startup. The +# controller always restarts abandoned template translations at startup. +# (boolean value) +#concurrent = false +concurrent = true + +# Time between checking for new plans. Default value is 1. (integer value) +# Minimum value: 1 +#polling_interval = 1 + +# (integer value) +# Minimum value: 1 +#max_translation_counter = 1 + +# (string value) +opt_schema_file = /opt/has/conductor/etc/conductor/opt_schema.json + +[data] + +# +# From conductor +# + +# Number of workers for data service. Default value is 1. (integer value) +# Minimum value: 1 +#workers = 1 + +# Set to True when data will run in active-active mode. When set to False, data +# will flush any abandoned messages at startup. (boolean value) +#concurrent = false +concurrent = true + +# Default value is -8000, which is the diameter of the earth. The distance +# cannot larger than this value (floating point value) +#existing_placement_cost = -8000.0 + +# (floating point value) +#cloud_candidate_cost = 2.0 + +# (floating point value) +#service_candidate_cost = 1.0 + + +[inventory_provider] + +# +# From conductor +# + +# Extensions list to use (list value) +extensions = aai,generator + + +[messaging_server] + +# +# From conductor +# + +# Music keyspace for messages (string value) +#keyspace = conductor_rpc + +# Wait interval while checking for a message response. Default value is 1 +# second. (integer value) +# Minimum value: 1 +#check_interval = 1 + +# Overall message response timeout. Default value is 120 seconds. 
(integer +# value) +# Minimum value: 1 +#response_timeout = 120 + +# Timeout for detecting a VM is down, and other VMs can pick the plan up. +# Default value is 5 minutes. (integer value) (integer value) +# Minimum value: 1 +timeout = 300 + +# Number of workers for messaging service. Default value is 1. (integer value) +# Minimum value: 1 +#workers = 1 + +# Time between checking for new messages. Default value is 1. (integer value) +# Minimum value: 1 +#polling_interval = 1 + +# Log debug messages. Default value is False. (boolean value) +#debug = false + + +[multicloud] + +# +# From conductor +# + +# Base URL for Multicloud without a trailing slash. (string value) +#server_url = http://msb.onap.org/api/multicloud +server_url = http://{{.Values.config.msb.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.msb.port}}/api/multicloud + +# Timeout for Multicloud Rest Call (string value) +#multicloud_rest_timeout = 30 + +# Number of retry for Multicloud Rest Call (string value) +#multicloud_retries = 3 + +# The version of Multicloud API. (string value) +#server_url_version = v0 + + +[db_options] + +# db_backend to use +db_backend = {{.Values.config.dbBackend}} + +# Use music mock api +music_mock = False + + +[etcd_api] + +# host/ip address of etcd server +host = {{.Values.config.etcd.serviceName}}.{{ include "common.namespace" . }} + +# port of etcd server +port = {{.Values.config.etcd.port}} + +# username for etcd authentication +username = + +# password for etcd authentication +password = + + +[prometheus] + +# +# From conductor +# + +# Prometheus Metrics Endpoint (list value) +#metrics_port = 8000,8001,8002,8003,8004 + + +[reservation] + +# +# From conductor +# + +# Number of workers for reservation service. Default value is 1. (integer +# value) +# Minimum value: 1 +#workers = 1 + +# Number of times reservation/release should be attempted. 
(integer value) +#reserve_retries = 1 + +# Timeout for detecting a VM is down, and other VMs can pick the plan up and +# resereve. Default value is 600 seconds. (integer value) (integer value) +# Minimum value: 1 +#timeout = 600 + +# Set to True when reservation will run in active-active mode. When set to +# False, reservation will restart any orphaned reserving requests at startup. +# (boolean value) +#concurrent = false +concurrent = true + +# (integer value) +# Minimum value: 1 +#max_reservation_counter = 1 + + +[sdnc] + +# +# From conductor +# + +# Interval with which to refresh the local cache, in minutes. (integer value) +#cache_refresh_interval = 1440 + +# Data Store table prefix. (string value) +#table_prefix = sdnc + +# Base URL for SDN-C, up to and including the version. (string value) +server_url = https://controller:8443/restconf/ + +# Basic Authentication Username (string value) +#username = +username = admin + +# Basic Authentication Password (string value) +#password = +password = Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + +# Timeout for SDNC Rest Call (string value) +#sdnc_rest_timeout = 30 + +# Retry Numbers for SDNC Rest Call (string value) +#sdnc_retries = 3 + +[service_controller] + +# +# From conductor +# + +# Extensions list to use (list value) +#extensions = sdnc + + +[solver] + +# +# From conductor +# + +# Number of workers for solver service. Default value is 1. (integer value) +# Minimum value: 1 +#workers = 1 + +# The timeout value for solver service. Default value is 480 seconds. (integer +# value) +# Minimum value: 1 +#solver_timeout = 480 + +# Set to True when solver will run in active-active mode. When set to False, +# solver will restart any orphaned solving requests at startup. (boolean value) +#concurrent = false +concurrent = true + +# Timeout for detecting a VM is down, and other VMs can pick the plan up. This +# value should be larger than solver_timeoutDefault value is 10 minutes. 
+# (integer value) (integer value) +# Minimum value: 1 +#timeout = 600 + +# (integer value) +# Minimum value: 1 +#max_solver_counter = 1 + + +[vim_controller] + +# +# From conductor +# + +# Extensions list to use (list value) +#extensions = multicloud + + +[sdc] + +# +# From conductor +# + +# Data Store table prefix. (string value) +#table_prefix = sdc + +# Base URL for SDC, up to and not including the version, and without a +# trailing slash. (string value) +#server_url = https://controller:8443/sdc +server_url = http://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sdc.port}}/sdc + +# Timeout for SDC Rest Call (string value) +#sdc_rest_timeout = 30 + +# Number of retry for SDC Rest Call (string value) +#sdc_retries = 3 + +# The version of A&AI in v# format. (string value) +server_url_version = v1 + +# SSL/TLS certificate file in pem format. This certificate must be registered +# with the SDC endpoint. (string value) +#certificate_file = certificate.pem +certificate_file = + +# Private Certificate Key file in pem format. (string value) +#certificate_key_file = certificate_key.pem +certificate_key_file = + +# Certificate Authority Bundle file in pem format. Must contain the appropriate +# trust chain for the Certificate file. (string value) +#certificate_authority_bundle_file = certificate_authority_bundle.pem +certificate_authority_bundle_file = + +# Username for SDC. (string value) +#username = + +# Password for SDC. (string value) +#password = + +temp_path = "/tmp/nsttemplates" + + +[cps] + +# +# From conductor +# + +# Data Store table prefix. (string value) +#table_prefix = cps + +# Base URL for CPS, up to and not including the version, and without a +# trailing slash. (string value) +#yet to be finalized +#server_url = https://cps.api.simpledemo.onap.org:8443/cps +server_url=http://{{.Values.config.cps.serviceName}}.{{ include "common.namespace" . 
}}:{{.Values.config.cps.port}}/ + +# Timeout for CPS Rest Call (string value) +#cps_rest_timeout = 30 + +# Number of retry for CPS Rest Call (string value) +#cps_retries = 3 + + +# SSL/TLS certificate file in pem format. This certificate must be registered +# with the CPS endpoint. (string value) +#certificate_file = certificate.pem +certificate_file = + +# Private Certificate Key file in pem format. (string value) +#certificate_key_file = certificate_key.pem +certificate_key_file = + +# Certificate Authority Bundle file in pem format. Must contain the appropriate +# trust chain for the Certificate file. (string value) +#certificate_authority_bundle_file = certificate_authority_bundle.pem +certificate_authority_bundle_file = + +# Username for CPS. (string value) +#username = + +# Password for CPS. (string value) +#password = + +get_ta_list_url = "/api/v1/execute/ran-coverage-area/get_ta_list" + +[dcae] + +# +# From conductor +# +# +# Data Store table prefix. (string value) +#table_prefix = dcae + +# Base URL for DCAE, up to and not including the version, and without a +# trailing slash. (string value) +server_url = http://{{.Values.config.dcae.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.dcae.port}} + +# Timeout for DCAE Rest Call (string value) +#dcae_rest_timeout = 30 + +# Number of retry for DCAE Rest Call (string value) +#dcae_retries = 3 + +# The version of A&AI in v# format. (string value) +server_url_version = v1 + +# SSL/TLS certificate file in pem format. This certificate must be registered +# with the SDC endpoint. (string value) +#certificate_file = certificate.pem +certificate_file = + +# Private Certificate Key file in pem format. (string value) +#certificate_key_file = certificate_key.pem +certificate_key_file = + +# Certificate Authority Bundle file in pem format. Must contain the appropriate +# trust chain for the Certificate file. 
(string value) +#certificate_authority_bundle_file = certificate_authority_bundle.pem +certificate_authority_bundle_file = + +# Username for DCAE. (string value) +#username = + +# Password for DCAE. (string value) +#password = + +get_slice_config_url = "/api/v1/slices-config" diff --git a/kubernetes/oof/components/oof-has/resources/config/healthy.sh b/archive/oof/components/oof-has/resources/config/healthy.sh similarity index 100% rename from kubernetes/oof/components/oof-has/resources/config/healthy.sh rename to archive/oof/components/oof-has/resources/config/healthy.sh diff --git a/kubernetes/oof/components/oof-has/resources/config/log.conf b/archive/oof/components/oof-has/resources/config/log.conf similarity index 100% rename from kubernetes/oof/components/oof-has/resources/config/log.conf rename to archive/oof/components/oof-has/resources/config/log.conf diff --git a/kubernetes/oof/components/oof-has/resources/config/log/filebeat.yml b/archive/oof/components/oof-has/resources/config/log/filebeat.yml similarity index 100% rename from kubernetes/oof/components/oof-has/resources/config/log/filebeat.yml rename to archive/oof/components/oof-has/resources/config/log/filebeat.yml diff --git a/archive/oof/components/oof-has/resources/config/nginx.conf b/archive/oof/components/oof-has/resources/config/nginx.conf new file mode 100644 index 0000000000..1c1094dacb --- /dev/null +++ b/archive/oof/components/oof-has/resources/config/nginx.conf @@ -0,0 +1,27 @@ +events { + worker_connections 768; + # multi_accept on; +} + +http { + # ... + upstream conductor_uwsgi { + server 127.0.0.1:8080; + } + + server { + + listen 8091; + server_name oof; + + location / { + include /opt/bitnami/nginx/conf/uwsgi_params; + uwsgi_pass conductor_uwsgi; + + uwsgi_param Host $host; + uwsgi_param X-Real-IP $remote_addr; + uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for; + uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto; + } + } +} 
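Review bot: the `[sdnc]` section of the config hunk that ends before the healthy.sh rename commits a literal Basic Auth credential (`username = admin` followed by a fixed `password =` value) into a chart template, so every deployment rendered from it shares that credential and it stays in git history. Source it from a Kubernetes Secret the way the oof-has values.yaml in this patch already does for etcd (`secrets:` entries with `policy: generate` or an `externalSecret`), and rotate the committed value. In the same hunk `[etcd_api]` leaves `username =` and `password =` empty although values.yaml defines `appUser: conductor` and a generated `appPassword`; if these are injected at runtime, a comment saying so would help.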
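Review bot: in archive/oof/components/oof-has/resources/config/nginx.conf, `uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;` copies the scheme from an incoming request header, so whatever the client or any hop in front sends reaches the conductor app as the protocol. Unless a proxy in front of port 8091 is guaranteed to overwrite that header, pass `$scheme` instead, and decide whether `$proxy_add_x_forwarded_for`, which appends to the incoming X-Forwarded-For, should be `$remote_addr` here. The `# ...` placeholder in the `http` block also reads like a leftover from a sample config; drop it or spell out what is omitted.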
diff --git a/kubernetes/oof/components/oof-has/templates/configmap.yaml b/archive/oof/components/oof-has/templates/configmap.yaml similarity index 100% rename from kubernetes/oof/components/oof-has/templates/configmap.yaml rename to archive/oof/components/oof-has/templates/configmap.yaml diff --git a/kubernetes/oof/components/oof-has/templates/secret.yaml b/archive/oof/components/oof-has/templates/secret.yaml similarity index 100% rename from kubernetes/oof/components/oof-has/templates/secret.yaml rename to archive/oof/components/oof-has/templates/secret.yaml diff --git a/archive/oof/components/oof-has/values.yaml b/archive/oof/components/oof-has/values.yaml new file mode 100755 index 0000000000..33558c4567 --- /dev/null +++ b/archive/oof/components/oof-has/values.yaml 
@@ -0,0 +1,148 @@ +# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware +# Modifications Copyright © 2018 Intel Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + commonConfigPrefix: onap-oof-has + image: + optf_has: onap/optf-has:2.3.1 + persistence: + enabled: true + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: oof-has-etcd-root-password + name: &root-password '{{ include "common.release" . }}-has-etcd-root-password' + type: password + password: '{{ .Values.config.etcd.rootPassword }}' + policy: generate + - uid: oof-has-etcd-secret + name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' + login: '{{ .Values.config.etcd.appUser }}' + password: '{{ .Values.config.etcd.appPassword }}' + passwordPolicy: generate + +pullPolicy: Always +nodePortPrefix: 302 +dataRootDir: /dockerdata-nfs +config: + dbBackend: etcd + aai: + serviceName: aai + port: 80 + msb: + serviceName: msb-iag + port: 80 + sdc: + serviceName: sdc-be + port: 8080 + cps: + serviceName: cps-tbdmt + port: 8080 + dcae: + serviceName: dcae-slice-analysis-ms + port: 8080 + etcd: + serviceName: &etcd-service oof-has-etcd + port: 2379 + appUser: conductor +# rootPassword: +# appPassword: +# userCredentialsExternalSecret: +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "2Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "4Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +#component overrides +oof-has-api: &has-config + enabled: true + config: + etcd: + userCredentialsExternalSecret: *user-creds + configJobNameOverride: &job-name oof-has-etcd-config +oof-has-controller: *has-config +oof-has-data: *has-config +oof-has-reservation: *has-config +oof-has-solver: *has-config + +#etcd subchart configurations +etcd: + enabled: true + replicaCount: 3 + nameOverride: &etcd-container oof-has-etcd + service: + name: *etcd-service + persistence: + mountSubPath: oof/etcd/data + enabled: true + flavor: &etcd-flavor large + resources: &etcd-resources + small: + limits: + cpu: "100m" + memory: "300Mi" + requests: + cpu: "10m" + memory: "70Mi" + large: + limits: + cpu: "200m" + memory: "1Gi" + requests: + cpu: "50m" + memory: "300Mi" + unlimited: {} + +etcd-init: + enabled: true + nameOverride: *job-name + etcd: + serviceName: *etcd-service + port : 2379 + containerName: *etcd-container + config: + userRootSecret: *root-password + userCredentialsExternalSecret: *user-creds + appRole: conductor + keyPrefix: conductor + flavor: *etcd-flavor 
+ resources: *etcd-resources + serviceAccount: + nameOverride: *job-name + +# Python doesn't support well dollar sign in password +passwordStrengthOverride: basic diff --git a/archive/oof/components/oof-templates/Chart.yaml b/archive/oof/components/oof-templates/Chart.yaml new file mode 100755 index 0000000000..946be1fd2d --- /dev/null +++ b/archive/oof/components/oof-templates/Chart.yaml @@ -0,0 +1,27 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP OOF helm templates +name: oof-templates +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + diff --git a/kubernetes/oof/components/oof-templates/templates/_secret.tpl b/archive/oof/components/oof-templates/templates/_secret.tpl similarity index 100% rename from kubernetes/oof/components/oof-templates/templates/_secret.tpl rename to archive/oof/components/oof-templates/templates/_secret.tpl diff --git a/kubernetes/oof/components/oof-templates/values.yaml b/archive/oof/components/oof-templates/values.yaml similarity index 100% rename from kubernetes/oof/components/oof-templates/values.yaml rename to archive/oof/components/oof-templates/values.yaml 
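Review bot: `passwordStrengthOverride: basic` at the end of archive/oof/components/oof-has/values.yaml trades password strength for compatibility, and it sits in a chart whose etcd root password and `oof-has-etcd-secret` app password are both generated. The comment gives the reason ("Python doesn't support well dollar sign in password") but not what character set or length `basic` yields; please document that next to the setting, or fix the quoting in the Python consumer so the default strength can stay.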
diff --git a/archive/oof/resources/config/conf/common_config.yaml b/archive/oof/resources/config/conf/common_config.yaml new file mode 100644 index 0000000000..394bece9d9 --- /dev/null +++ b/archive/oof/resources/config/conf/common_config.yaml 
@@ -0,0 +1,175 @@ +osdf_system: + libpath: /opt/app/osdf/libs + osdf_ports: + internal: 8699 # inside the Docker container, the app listens to this port + external: 8698 # clients use this port on DockerHost + osdf_ip_default: 0.0.0.0 + +osdf_temp: # special configuration required for "workarounds" or testing + local_policies: + global_disabled: True + local_placement_policies_enabled: True + local_slice_selection_policies_enabled: True + local_nst_selection_policies_enabled: True + placement_policy_dir_vcpe: "./test/policy-local-files/" + placement_policy_files_vcpe: # workaroud for policy platform glitches (or "work-arounds" for other components) + - Affinity_vCPE_1.json + - Attribute_vNS_1.json + #- Capacity_vGMuxInfra.json + #- Capacity_vG_1.json + - Distance_vG_1.json + - Distance_vGMuxInfra_1.json + - hpa_policy_vG_1.json + - hpa_policy_vGMuxInfra_1.json + - Placement_Optimization_1.json + - QueryPolicy_vCPE.json + - vnfPolicy_vG.json + - vnfPolicy_vGMuxInfra.json + placement_policy_dir_vfw: "./test/policy-local-files/" + placement_policy_files_vfw: # workaroud for policy platform glitches (or "work-arounds" for other components) + #- Capacity_vFW_1.json + - Distance_vFW_1.json + - hpa_policy_vFW_1.json + - Placement_Optimization_1.json + - QueryPolicy_vFW.json + - vnfPolicy_vFW.json + placement_policy_dir_vfw_td: "./test/policy-local-files/" + placement_policy_files_vfw_td: + - vnfPolicy_vFW_TD.json + - vnfPolicy_vPGN_TD.json + - affinity_vFW_TD.json + - QueryPolicy_vFW_TD.json + slice_selection_policy_dir_embb-nst: "./test/policy-local-files/slice-selection-files/" + slice_selection_policy_files_embb-nst: + - query_policy_nsi.json + - threshold_policy_nsi.json + - vnf_policy_nsi_shared_case.json + nst_selection_policy_dir_nst: "./test/policy-local-files/nst-selection-files/" + nst_selection_policy_files_nst: + - query_policy_nst.json + - attribute_policy_nst.json + - vnf_policy_nst.json + - optimization_policy_nst.json + +service_info: + vCPE: + 
vcpeHostName: requestParameters.vcpeHostName + e2eVpnKey: requestParameters.e2eVpnKey + vFW: + vcpeHostName: requestParameters.vcpeHostName + e2eVpnKey: requestParameters.e2eVpnKey + +references: + service_name: + source: request + value: serviceInfo.serviceName + resource: + source: request + value: placementInfo.placementDemands.resourceModuleName + subscriber_role: + source: onap.policies.optimization.SubscriberPolicy + value: properties.properties.subscriberRole + resource_sharing_level: + source: request + value: serviceProfile.resourceSharingLevel + slice_scope: + source: request + value: slice_scope + reuse_preference: + source: request + value: preferReuse + +policy_info: + prioritization_attributes: + policy_type: + - type + resources: + - properties.resources + - properties.objectiveParameter.parameterAttributes.resources + service_name: + - properties.services + + slice_selection: + policy_fetch: by_scope + policy_scope: + - + scope: + - get_param: slice_scope + services: + - get_param: service_name + resources: + - get_param: service_name + + nst_selection: + policy_fetch: by_scope + policy_scope: + - + scope: + - OSDF_GUILIN + services: + - nst + resources: + - nst + + nsst_selection: + policy_fetch: by_scope + policy_scope: + - + scope: + - OSDF_GUILIN + services: + - nsst + resources: + - nsst + + subnet_selection: + policy_fetch: by_scope + policy_scope: + - scope: + - OSDF_GUILIN + services: + - get_param: service_name + resources: + - get_param: service_name + + placement: + policy_fetch: by_scope + policy_scope: + - + scope: + - OSDF_FRANKFURT + geography: + - US + services: + - get_param: service_name + resources: + - get_param: resource + # - + # - get_param: service_name + # - get_param: subscriber_role + default: # if no explicit service related information is needed + policy_fetch: by_name + policy_scope: none + +PCI: + ML: + average_ho_threshold: 10000 + latest_ho_threshold: 500 + DES: + service_id: ho_metric + filter: + interval: 10 + 
ml_enabled: false + +nxi_termination: + query_templates: + nsi: "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}') > service-instance*('service-role','e2eserviceprofile-service')" + nsi_with_profile: "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}') > service-instance*('service-role','e2eserviceprofile-service')('service-instance-id','{{ printf "{{profile_id}}" }}')" + nssi: + - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'CN') > service-instance*('service-role','nsi')" + - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'TN_BH') > service-instance*('service-role','nsi')" + - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'AN') > service-instance*('service-role','nsi')" + - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'AN_NF') > service-instance*('workload-context','AN')" + - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'TN_MH') > service-instance*('workload-context','AN')" + - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'TN_FH') > service-instance*('workload-context','AN')" + - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'AN_NF') > service-instance*('workload-context','AN')" diff --git a/kubernetes/oof/resources/config/conf/log.yml b/archive/oof/resources/config/conf/log.yml similarity index 100% rename from kubernetes/oof/resources/config/conf/log.yml rename to archive/oof/resources/config/conf/log.yml diff --git a/archive/oof/resources/config/conf/osdf_config.yaml b/archive/oof/resources/config/conf/osdf_config.yaml new file mode 100755 index 0000000000..818d4f340a --- /dev/null +++ b/archive/oof/resources/config/conf/osdf_config.yaml 
@@ -0,0 +1,76 @@ +placementVersioningEnabled: {{ .Values.config.placementVersioningEnabled }} + +# Placement API latest version numbers to be set in HTTP header +placementMajorVersion: {{ .Values.config.placementMajorVersion }} +placementMinorVersion: {{ .Values.config.placementMinorVersion }} +placementPatchVersion: {{ .Values.config.placementPatchVersion }} + +# Placement API default version numbers to be set in HTTP header +placementDefaultMajorVersion: {{ .Values.config.placementDefaultMajorVersion }} +placementDefaultMinorVersion: {{ .Values.config.placementDefaultMinorVersion }} +placementDefaultPatchVersion: {{ .Values.config.placementDefaultPatchVersion }} + +# Credentials for Conductor +conductorUrl: {{ .Values.config.conductorUrl.http }} +conductorPingWaitTime: {{ .Values.config.conductorPingWaitTime }} +conductorMaxRetries: {{ .Values.config.conductorMaxRetries }} +# versions to be set in HTTP header +conductorMinorVersion: {{ .Values.config.conductorMinorVersion }} + +# Policy Platform -- requires ClientAuth, Authorization, and Environment +policyPlatformUrl: {{ .Values.config.policyPlatformUrl.http }} +policyPlatformEnv: {{ .Values.config.policyPlatformEnv }} + +# Credentials for DMaaP +messageReaderHosts: {{ .Values.config.messageReaderHosts }} +messageReaderTopic: {{ .Values.config.messageReaderTopic }} + +# Credentials for SDC +sdcUrl: {{ .Values.config.sdcUrl }} +sdcONAPInstanceID: {{ .Values.config.sdcONAPInstanceID }} + +is_aaf_enabled: False +aaf_cache_expiry_mins: 5 +aaf_url: +aaf_user_roles: + +# Secret Management Service from AAF +aaf_sms_url: +aaf_sms_timeout: 30 +secret_domain: '' +aaf_ca_certs: '' + +configClientType: {{ .Values.config.configClientType }} + +# config db api +configDbUrl: {{ .Values.config.configDbUrl }} +configDbGetCellListUrl: {{ .Values.config.configDbGetCellListUrl }} +configDbGetNbrListUrl: {{ .Values.config.configDbGetNbrListUrl }} + +# cps api +cpsUrl: {{ .Values.config.cps.Url }} +cpsCellListUrl: {{ 
.Values.config.cps.cellListUrl }} +cpsNbrListUrl: {{ .Values.config.cps.nbrListUrl }} + +# AAI api +aaiUrl: {{ .Values.config.aaiUrl.http }} +aaiGetLinksUrl: {{ .Values.config.aaiGetLinksUrl }} +aaiServiceInstanceUrl : {{ .Values.config.aaiServiceInstanceUrl }} +aaiGetControllersUrl: {{ .Values.config.aaiGetControllersUrl }} +controllerQueryUrl: {{ .Values.config.controllerQueryUrl }} +aaiGetInterDomainLinksUrl: {{ .Values.config.aaiGetInterDomainLinksUrl }} +dslQueryPath: /aai/v23/dsl?format= + +#DES api +desUrl: {{ .Values.config.desUrl.http }} +desApiPath: {{ .Values.config.desApiPath }} +desHeaders: + Accept: application/json + Content-Type: application/json +desUsername: {{ .Values.config.desUsername }} +desPassword: {{ .Values.config.desPassword }} + +#key +appkey: '' + +activateConsulConfig: False diff --git a/kubernetes/oof/resources/config/conf/slicing_config.yaml b/archive/oof/resources/config/conf/slicing_config.yaml similarity index 100% rename from kubernetes/oof/resources/config/conf/slicing_config.yaml rename to archive/oof/resources/config/conf/slicing_config.yaml diff --git a/kubernetes/oof/templates/NOTES.txt b/archive/oof/templates/NOTES.txt similarity index 100% rename from kubernetes/oof/templates/NOTES.txt rename to archive/oof/templates/NOTES.txt diff --git a/kubernetes/oof/templates/configmap.yaml b/archive/oof/templates/configmap.yaml similarity index 100% rename from kubernetes/oof/templates/configmap.yaml rename to archive/oof/templates/configmap.yaml diff --git a/archive/oof/templates/deployment.yaml b/archive/oof/templates/deployment.yaml new file mode 100644 index 0000000000..5eb0fc0c6a --- /dev/null +++ b/archive/oof/templates/deployment.yaml 
@@ -0,0 +1,94 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright (C) 2020 Wipro Limited. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + args: + - "-c" + - | + python osdfapp.py + ports: + - containerPort: {{ .Values.service.internalPort }} + name: http + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + volumeMounts: + - mountPath: /opt/osdf/config/osdf_config.yaml + name: {{ include "common.fullname" . }}-config + subPath: osdf_config.yaml + - mountPath: /opt/osdf/config/common_config.yaml + name: {{ include "common.fullname" . }}-config + subPath: common_config.yaml + - mountPath: /opt/osdf/config/log.yml + name: {{ include "common.fullname" . }}-config + subPath: log.yml + - mountPath: /opt/osdf/config/slicing_config.yaml + name: {{ include "common.fullname" . }}-config + subPath: slicing_config.yaml + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . 
}}-configmap + items: + - key: osdf_config.yaml + path: osdf_config.yaml + - key: common_config.yaml + path: common_config.yaml + - key: log.yml + path: log.yml + - key: slicing_config.yaml + path: slicing_config.yaml + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/archive/oof/templates/ingress.yaml b/archive/oof/templates/ingress.yaml new file mode 100644 index 0000000000..99c7f87970 --- /dev/null +++ b/archive/oof/templates/ingress.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# Modifications Copyright (C) 2020 Wipro Limited. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/oof/templates/secret.yaml b/archive/oof/templates/secret.yaml similarity index 100% rename from kubernetes/oof/templates/secret.yaml rename to archive/oof/templates/secret.yaml diff --git a/archive/oof/templates/service.yaml b/archive/oof/templates/service.yaml new file mode 100644 index 0000000000..418f89ac93 --- /dev/null +++ b/archive/oof/templates/service.yaml 
@@ -0,0 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T,VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/archive/oof/values.yaml b/archive/oof/values.yaml new file mode 100644 index 0000000000..738df14015 --- /dev/null +++ b/archive/oof/values.yaml 
@@ -0,0 +1,157 @@ +# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + persistence: {} + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/optf-osdf:3.0.8 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: + msbgateway: msb-iag + msbPort: 80 + placementVersioningEnabled: True + # Placement API latest version numbers to be set in HTTP header + placementMajorVersion: "1" + placementMinorVersion: "0" + placementPatchVersion: "0" + # Placement API default version numbers to be set in HTTP header + placementDefaultMajorVersion: "1" + placementDefaultMinorVersion: "0" + placementDefaultPatchVersion: "0" + + # Url and credentials for Conductor. 
+ conductorUrl: + http: http://oof-has-api:8091/v1/plans/ + conductorPingWaitTime: 10 + conductorMaxRetries: 30 + # versions to be set in HTTP header + conductorMinorVersion: 0 + # Url and credentials for the Policy Platform + policyPlatformUrl: + http: http://policy-xacml-pdp:8080/policy/pdpx/v1/decision + policyPlatformEnv: TEST # Environment for policy platform + # Credentials for the message reader - A placeholder. + messageReaderHosts: NA + messageReaderTopic: NA + # Credentials for the SDC interface - A placeholder. + sdcUrl: NA + sdcONAPInstanceID: NA + + configClientType: cps + + # config db api + configDbUrl: http://configdb:8080 + configDbGetCellListUrl: 'api/sdnc-config-db/v3/getCellList' + configDbGetNbrListUrl: 'api/sdnc-config-db/v3/getNbrList' + + # cps api + cps: + url: cps-tbdmt:8080/execute + cellListUrl: 'ran-network/getCellList' + nbrListUrl: 'ran-network/getNbrList' + + #aai api + aaiUrl: + http: http://aai:80 + aaiGetLinksUrl: /aai/v16/network/logical-links + aaiServiceInstanceUrl : /aai/v20/nodes/service-instances/service-instance/ + aaiGetControllersUrl: /aai/v19/external-system/esr-thirdparty-sdnc-list + controllerQueryUrl: /aai/v19/query?format=resource + aaiGetInterDomainLinksUrl: /aai/v19/network/logical-links?link-type=inter-domain&operational-status=up + #des api + desUrl: + http: http://des.url:8080 + desApiPath: /datalake/v1/exposure/ + desUsername: '' + desPassword: '' +# default number of instances +replicaCount: 1 +nodeSelector: {} +affinity: {} +# Resource Limit flavor -By Default using small +flavor: small + +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + + unlimited: {} +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in 
debugger so K8s doesn't restart unresponsive container + enabled: true +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 +service: + type: NodePort + name: oof-osdf + internalPort: 8699 + ports: + - name: http + port: 8698 + nodePort: '48' +ingress: + enabled: false + service: + - baseaddr: "oof-osdf-api" + name: "oof-osdf" + port: 8698 + config: + ssl: "redirect" + +#component overrides + +oof-has: + enabled: true + +readinessCheck: + wait_for: + services: + - policy-xacml-pdp + +#Pods Service Account +serviceAccount: + nameOverride: oof + roles: + - read diff --git a/archive/policy/components/policy-gui/Chart.yaml b/archive/policy/components/policy-gui/Chart.yaml new file mode 100644 index 0000000000..28972b59b0 --- /dev/null +++ b/archive/policy/components/policy-gui/Chart.yaml 
@@ -0,0 +1,32 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021, 2024 Nordix Foundation +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy GUI +name: policy-gui +version: 14.0.0 + +dependencies: + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/archive/policy/components/policy-gui/resources/config/application.yml b/archive/policy/components/policy-gui/resources/config/application.yml new file mode 100644 index 0000000000..f81a1b452a --- /dev/null +++ b/archive/policy/components/policy-gui/resources/config/application.yml @@ -0,0 +1,19 @@ +server: + port: 2443 + ssl: + enabled: false + +clamp: + url: + disable-ssl-validation: true + disable-ssl-hostname-check: true + +apex-editor: + upload-url: + upload-userid: + +management: + endpoints: + web: + exposure: + include: health, metrics, prometheus 
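Review bot: archive/policy/components/policy-gui/resources/config/application.yml turns off transport security in both directions: `server.ssl.enabled: false` on port 2443, plus `disable-ssl-validation: true` and `disable-ssl-hostname-check: true` under `clamp`. If TLS is meant to be handled outside the application (the patch also adds an authorizationpolicy.yaml for this chart), say so in a comment; otherwise keep the outbound checks on and mount the CA bundle, since disabling validation accepts any certificate presented by the clamp endpoint. `clamp.url`, `upload-url` and `upload-userid` are also left empty, so confirm they are filled at deploy time.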
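Review bot: in archive/oof/resources/config/conf/osdf_config.yaml, `cpsUrl: {{ .Values.config.cps.Url }}` does not match the key defined in archive/oof/values.yaml, which is `url` in lower case under `config.cps`; Helm value lookups are case-sensitive, so `cpsUrl` will not pick up `cps-tbdmt:8080/execute` while `cpsCellListUrl` and `cpsNbrListUrl` resolve. Use `.Values.config.cps.url`. Separately, `desUsername` and `desPassword` are rendered into this file, which deployment.yaml mounts from a ConfigMap; move them to a Secret before anyone sets non-empty values.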
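Review bot: in archive/oof/resources/config/conf/common_config.yaml, the `nxi_termination.query_templates.nssi` list repeats the `('workload-context', 'AN_NF') > service-instance*('workload-context','AN')` query as both its fourth and seventh entry; drop the duplicate or replace it with the context that was intended. The `osdf_temp.local_policies` block also points at `./test/policy-local-files/` with all three `local_*_policies_enabled` flags set to `True`; please state in a comment whether `global_disabled: True` overrides them, so it is clear that test policy files are not loaded in a deployed pod.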
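Review bot: archive/oof/values.yaml exposes the OSDF API with `service.type: NodePort` (`nodePort: '48'` under `nodePortPrefix: 302`) while `ingress.enabled` is `false`, so port 8698 is published on the nodes without the `ssl: "redirect"` handling configured for the ingress, and the only port defined is named `http`. If nothing outside the cluster calls this service directly, switch the type to ClusterIP and rely on the ingress; if the NodePort is required, note who consumes it.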
diff --git a/kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml b/archive/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml similarity index 100% rename from kubernetes/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml rename to archive/policy/components/policy-gui/resources/config/log/filebeat/filebeat.yml diff --git a/kubernetes/policy/components/policy-gui/resources/config/logback.xml b/archive/policy/components/policy-gui/resources/config/logback.xml similarity index 100% rename from kubernetes/policy/components/policy-gui/resources/config/logback.xml rename to archive/policy/components/policy-gui/resources/config/logback.xml diff --git a/kubernetes/policy/components/policy-gui/templates/NOTES.txt b/archive/policy/components/policy-gui/templates/NOTES.txt similarity index 100% rename from kubernetes/policy/components/policy-gui/templates/NOTES.txt rename to archive/policy/components/policy-gui/templates/NOTES.txt diff --git a/archive/policy/components/policy-gui/templates/authorizationpolicy.yaml b/archive/policy/components/policy-gui/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/archive/policy/components/policy-gui/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-gui/templates/configmap.yaml b/archive/policy/components/policy-gui/templates/configmap.yaml similarity index 100% rename from kubernetes/policy/components/policy-gui/templates/configmap.yaml rename to archive/policy/components/policy-gui/templates/configmap.yaml diff --git a/archive/policy/components/policy-gui/templates/deployment.yaml b/archive/policy/components/policy-gui/templates/deployment.yaml new file mode 100644 index 0000000000..a236d5f558 --- /dev/null +++ b/archive/policy/components/policy-gui/templates/deployment.yaml 
@@ -0,0 +1,127 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021-2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: POLICY_LOGS + value: {{ .Values.log.path }} + volumeMounts: + - mountPath: /config-input + name: policy-gui-config + - mountPath: /config + name: policy-gui-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . 
}}-update-config + - command: + - /app/ready.py + args: + - --service-name + - policy-clamp-runtime-acm + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + # side car containers + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} + # main container + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/opt/app/policy/gui/bin/policy-gui.sh"] + env: + - name: CLAMP_URL + value: http://policy-clamp-runtime-acm:6969 + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - name: logs + mountPath: {{ .Values.log.path }} + - mountPath: /opt/app/policy/gui/etc/application.yml + name: policy-gui-config-processed + subPath: application.yml + - mountPath: /opt/app/policy/gui/etc/logback.xml + name: policy-gui-config-processed + subPath: logback.xml + resources: {{ include "common.resources" . 
| nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }} + - name: logs + emptyDir: {} + {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} + - name: policy-gui-config + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: policy-gui-config-processed + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-gui/templates/ingress.yaml b/archive/policy/components/policy-gui/templates/ingress.yaml similarity index 100% rename from kubernetes/policy/components/policy-gui/templates/ingress.yaml rename to archive/policy/components/policy-gui/templates/ingress.yaml diff --git a/kubernetes/policy/components/policy-gui/templates/secrets.yaml b/archive/policy/components/policy-gui/templates/secrets.yaml similarity index 100% rename from kubernetes/policy/components/policy-gui/templates/secrets.yaml rename to archive/policy/components/policy-gui/templates/secrets.yaml diff --git a/archive/policy/components/policy-gui/templates/service.yaml b/archive/policy/components/policy-gui/templates/service.yaml new file mode 100644 index 0000000000..36406228d5 --- /dev/null +++ b/archive/policy/components/policy-gui/templates/service.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/archive/policy/components/policy-gui/values.yaml b/archive/policy/components/policy-gui/values.yaml new file mode 100644 index 0000000000..1533f823a9 --- /dev/null +++ b/archive/policy/components/policy-gui/values.yaml 
@@ -0,0 +1,130 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2021-2022 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: # global defaults + nodePortPrefix: 304 + centralizedLoggingEnabled: true + +subChartsOnly: + enabled: true + +flavor: small + +# application image +image: onap/policy-gui:3.1.3 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# log configuration +log: + path: /var/log/onap/policy/gui + +################################################################# +# Application configuration defaults. 
+################################################################# +config: + log: + logstashServiceName: log-ls + logstashPort: 5044 + dataRootDir: /dockerdata-nfs + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + timeoutSeconds: 3 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 3 + +service: + type: NodePort + name: policy-gui + internalPort: 2443 + ports: + - name: http + port: 2443 + nodePort: 43 + + # see https://wiki.onap.org/display/DW/OOM+NodePort+List + +ingress: + enabled: false + service: + - baseaddr: "policy-ui" + name: "policy-gui" + port: 2443 + config: + ssl: "redirect" + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + + #resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # + # Example: + # Configure resource requests and limits + # ref: http://kubernetes.io/docs/user-guide/compute-resources/ + # Minimum memory for development is 2 CPU cores and 4GB memory + # Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: "1" + memory: "700Mi" + requests: + cpu: "0.5" + memory: "700Mi" + large: + limits: + cpu: "2" + memory: "1.4Gi" + requests: + cpu: "1" + memory: "1.4Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: policy-gui + roles: + - read 
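Review bot: `service.type: NodePort` with `nodePort: 43` publishes port 2443 on the node addresses, and application.yml in this same chart sets `server.ssl.enabled: false`, so by default the GUI is offered over plain HTTP outside the pod network. Consider defaulting to `ClusterIP` and leaving external access to the `ingress` block, which already carries `ssl: "redirect"`. Separately, `liveness.timeoutSeconds` and `readiness.timeoutSeconds` are defined here, but the probes in templates/deployment.yaml only read `initialDelaySeconds` and `periodSeconds`, so the 3 second timeout is never applied; wire it into the probes or drop the keys.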
diff --git a/archive/sdnc/components/dmaap-listener/Chart.yaml b/archive/sdnc/components/dmaap-listener/Chart.yaml new file mode 100644 index 0000000000..41c018ebc3 --- /dev/null +++ b/archive/sdnc/components/dmaap-listener/Chart.yaml @@ -0,0 +1,30 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: SDNC DMaaP Listener +name: dmaap-listener +version: 14.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/sdnc/components/dmaap-listener/resources/config/aai.properties b/archive/sdnc/components/dmaap-listener/resources/config/aai.properties similarity index 100% rename from kubernetes/sdnc/components/dmaap-listener/resources/config/aai.properties rename to archive/sdnc/components/dmaap-listener/resources/config/aai.properties diff --git a/kubernetes/sdnc/components/dmaap-listener/resources/config/dblib.properties b/archive/sdnc/components/dmaap-listener/resources/config/dblib.properties similarity index 100% rename from kubernetes/sdnc/components/dmaap-listener/resources/config/dblib.properties rename to archive/sdnc/components/dmaap-listener/resources/config/dblib.properties 
diff --git a/kubernetes/sdnc/components/dmaap-listener/resources/config/dhcpalert.properties b/archive/sdnc/components/dmaap-listener/resources/config/dhcpalert.properties similarity index 100% rename from kubernetes/sdnc/components/dmaap-listener/resources/config/dhcpalert.properties rename to archive/sdnc/components/dmaap-listener/resources/config/dhcpalert.properties diff --git a/kubernetes/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-CMNotify.properties b/archive/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-CMNotify.properties similarity index 100% rename from kubernetes/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-CMNotify.properties rename to archive/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-CMNotify.properties diff --git a/kubernetes/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-RANSlice.properties b/archive/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-RANSlice.properties similarity index 100% rename from kubernetes/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-RANSlice.properties rename to archive/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-RANSlice.properties diff --git a/kubernetes/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-a1Adapter-policy.properties b/archive/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-a1Adapter-policy.properties similarity index 100% rename from kubernetes/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-a1Adapter-policy.properties rename to archive/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-a1Adapter-policy.properties 
diff --git a/kubernetes/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-oofpcipoc.properties b/archive/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-oofpcipoc.properties similarity index 100% rename from kubernetes/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-oofpcipoc.properties rename to archive/sdnc/components/dmaap-listener/resources/config/dmaap-consumer-oofpcipoc.properties diff --git a/kubernetes/sdnc/components/dmaap-listener/resources/config/lcm.properties b/archive/sdnc/components/dmaap-listener/resources/config/lcm.properties similarity index 100% rename from kubernetes/sdnc/components/dmaap-listener/resources/config/lcm.properties rename to archive/sdnc/components/dmaap-listener/resources/config/lcm.properties diff --git a/archive/sdnc/components/dmaap-listener/templates/authorizationpolicy.yaml b/archive/sdnc/components/dmaap-listener/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/archive/sdnc/components/dmaap-listener/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
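Review bot: templates/authorizationpolicy.yaml is added without a trailing newline (the `\ No newline at end of file` marker follows the `include "common.authorizationPolicy"` line); the policy-gui copy of this template and dmaap-listener's templates/service.yaml in this patch carry the same marker. Add the final newline so a later edit to these files does not show a spurious change on the last line.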
diff --git a/kubernetes/sdnc/components/dmaap-listener/templates/configmap.yaml b/archive/sdnc/components/dmaap-listener/templates/configmap.yaml similarity index 100% rename from kubernetes/sdnc/components/dmaap-listener/templates/configmap.yaml rename to archive/sdnc/components/dmaap-listener/templates/configmap.yaml diff --git a/archive/sdnc/components/dmaap-listener/templates/deployment.yaml b/archive/sdnc/components/dmaap-listener/templates/deployment.yaml new file mode 100644 index 0000000000..110001a6a6 --- /dev/null +++ b/archive/sdnc/components/dmaap-listener/templates/deployment.yaml 
@@ -0,0 +1,130 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: SDNC_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} + - name: SDNC_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: ODL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "login") | indent 10 }} + - name: ODL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: properties + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . 
}}-update-config + + - command: + - /app/ready.py + args: + - --service-name + - {{ include "common.mariadbService" . }} + - --service-name + - {{ .Values.config.sdncChartName }} + - --service-name + - {{ .Values.config.msgRouterContainerName }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - command: + - /opt/onap/sdnc/dmaap-listener/bin/start-dmaap-listener.sh + name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: PROPERTY_DIR + value: "{{ .Values.config.configDir }}" + - name: SDNC_CONFIG_DIR + value: "{{ .Values.config.configDir }}" + - name: LOG4J_FORMAT_MSG_NO_LOOKUPS + value: "true" + volumeMounts: + - mountPath: {{ .Values.config.configDir }}/dblib.properties + name: properties + subPath: dblib.properties + - mountPath: {{ .Values.config.configDir }}/dhcpalert.properties + name: properties + subPath: dhcpalert.properties + - mountPath: {{ .Values.config.configDir }}/lcm.properties + name: properties + subPath: lcm.properties + - mountPath: {{ .Values.config.configDir }}/aai.properties + name: properties + subPath: aai.properties + - mountPath: {{ .Values.config.configDir }}/dmaap-consumer-CMNotify.properties + name: properties + subPath: dmaap-consumer-CMNotify.properties + - mountPath: {{ .Values.config.configDir }}/dmaap-consumer-a1Adapter-policy.properties + name: properties + subPath: dmaap-consumer-a1Adapter-policy.properties + - mountPath: {{ .Values.config.configDir }}/dmaap-consumer-oofpcipoc.properties + name: properties + subPath: 
dmaap-consumer-oofpcipoc.properties + - mountPath: {{ .Values.config.configDir }}/dmaap-consumer-RANSlice.properties + name: properties + subPath: dmaap-consumer-RANSlice.properties + resources: {{ include "common.resources" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: config-input + configMap: + name: {{ include "common.fullname" . }} + defaultMode: 0644 + - name: properties + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/templates/secret.yaml b/archive/sdnc/components/dmaap-listener/templates/secret.yaml similarity index 100% rename from kubernetes/holmes/components/holmes-rule-mgmt/templates/secret.yaml rename to archive/sdnc/components/dmaap-listener/templates/secret.yaml diff --git a/archive/sdnc/components/dmaap-listener/templates/service.yaml b/archive/sdnc/components/dmaap-listener/templates/service.yaml new file mode 100644 index 0000000000..77b0d878c1 --- /dev/null +++ b/archive/sdnc/components/dmaap-listener/templates/service.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/archive/sdnc/components/dmaap-listener/values.yaml b/archive/sdnc/components/dmaap-listener/values.yaml new file mode 100644 index 0000000000..f6363c6903 --- /dev/null +++ b/archive/sdnc/components/dmaap-listener/values.yaml 
@@ -0,0 +1,150 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows SO to instantiate its own mariadb-galera cluster + #If shared instance is used, this chart assumes that DB already exists + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-secret + name: &dbSecretName '{{ include "common.release" . }}-sdnc-dmaap-listener-db-secret' + type: basicAuth + # This is a nasty trick that allows you override this secret using external one + # with the same field that is used to pass this to subchart + externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) 
(hasSuffix "sdnc-dmaap-listener-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}' + login: '{{ index .Values "mariadb-galera" "config" "userName" }}' + password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}' + passwordPolicy: required + - uid: odl-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.odlCredsExternalSecret) . }}' + login: '{{ .Values.config.odlUser }}' + password: '{{ .Values.config.odlPassword }}' + passwordPolicy: required + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/sdnc-dmaap-listener-image:2.6.1 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: + dmaapPort: 3904 + sdncChartName: sdnc + sdncPort: 8282 + msgRouterContainerName: message-router + configDir: /opt/onap/sdnc/data/properties + odlUser: admin + odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + # odlCredsExternalSecret: some secret + +mariadb-galera: + config: + userCredentialsExternalSecret: *dbSecretName + userName: sdnctl + userPassword: gamma + mysqlDatabase: sdnctl + nameOverride: dmaap-listener-galera + service: + name: dmaap-listener-galera + portName: dmaap-listener-galera + internalPort: 3306 + replicaCount: 1 + persistence: + enabled: true + mountSubPath: dmaap-listener/maria/data + mariadbOperator: + galera: + enabled: false + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +ingress: + enabled: false + 
+service: + type: ClusterIP + name: sdnc-dmaap-listener + internalPort: 80 + ports: + - name: http + port: 80 + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + +#Resource limit flavor -By default using small +flavor: small +#Segregation for different environment (small and large) + +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: sdnc-dmaap-listener + roles: + - read diff --git a/kubernetes/dcaemod/.helmignore b/archive/vfc/.helmignore similarity index 100% rename from kubernetes/dcaemod/.helmignore rename to archive/vfc/.helmignore diff --git a/archive/vfc/Chart.yaml b/archive/vfc/Chart.yaml new file mode 100644 index 0000000000..0965d00905 --- /dev/null +++ b/archive/vfc/Chart.yaml 
@@ -0,0 +1,64 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Virtual Function Controller (VF-C) +name: vfc +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: mariadb-galera + version: ~13.x-0 + repository: '@local' + condition: global.mariadbGalera.localCluster + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: vfc-generic-vnfm-driver + version: ~13.x-0 + repository: 'file://components/vfc-generic-vnfm-driver' + condition: vfc-generic-vnfm-driver.enabled + - name: vfc-huawei-vnfm-driver + version: ~13.x-0 + repository: 'file://components/vfc-huawei-vnfm-driver' + condition: vfc-huawei-vnfm-driver.enabled + - name: vfc-nslcm + version: ~13.x-0 + repository: 'file://components/vfc-nslcm' + condition: vfc-nslcm.enabled + - name: vfc-redis + version: ~13.x-0 + repository: 'file://components/vfc-redis' + condition: vfc-redis.enabled + - name: vfc-vnflcm + version: ~13.x-0 + repository: 'file://components/vfc-vnflcm' + condition: vfc-vnflcm.enabled + - name: vfc-vnfmgr + version: ~13.x-0 + repository: 'file://components/vfc-vnfmgr' + condition: vfc-vnfmgr.enabled + - name: vfc-vnfres + version: ~13.x-0 + repository: 'file://components/vfc-vnfres' + condition: vfc-vnfres.enabled + - name: vfc-zte-vnfm-driver + version: 
~13.x-0 + repository: 'file://components/vfc-zte-vnfm-driver' + condition: vfc-zte-vnfm-driver.enabled diff --git a/kubernetes/msb/Makefile b/archive/vfc/Makefile similarity index 100% rename from kubernetes/msb/Makefile rename to archive/vfc/Makefile diff --git a/kubernetes/modeling/components/Makefile b/archive/vfc/components/Makefile similarity index 100% rename from kubernetes/modeling/components/Makefile rename to archive/vfc/components/Makefile diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/.helmignore b/archive/vfc/components/vfc-generic-vnfm-driver/.helmignore similarity index 100% rename from kubernetes/dcaemod/components/dcaemod-runtime-api/.helmignore rename to archive/vfc/components/vfc-generic-vnfm-driver/.helmignore diff --git a/archive/vfc/components/vfc-generic-vnfm-driver/Chart.yaml b/archive/vfc/components/vfc-generic-vnfm-driver/Chart.yaml new file mode 100644 index 0000000000..a8f441dce4 --- /dev/null +++ b/archive/vfc/components/vfc-generic-vnfm-driver/Chart.yaml @@ -0,0 +1,28 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP VFC - Generic VNFM Driver +name: vfc-generic-vnfm-driver +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' 
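Review bot: archive/sdnc/components/dmaap-listener/values.yaml, added earlier in this patch, commits working default credentials in plain text: `odlUser: admin` with a literal `odlPassword` under `config`, and `userName: sdnctl` with `userPassword: gamma` under `mariadb-galera.config`. Anyone with read access to the repository knows the credentials of every deployment that keeps the defaults. Both `secrets` entries already accept an `externalSecret`, so drop the literal values and have deployments supply them through `odlCredsExternalSecret` and `userCredentialsExternalSecret`, leaving only a commented placeholder in values.yaml. If the ODL password shown here has been used on any real system, treat it as disclosed and rotate it.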
diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/resources/config/logging/log.yml b/archive/vfc/components/vfc-generic-vnfm-driver/resources/config/logging/log.yml similarity index 100% rename from kubernetes/vfc/components/vfc-generic-vnfm-driver/resources/config/logging/log.yml rename to archive/vfc/components/vfc-generic-vnfm-driver/resources/config/logging/log.yml diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/configmap.yaml b/archive/vfc/components/vfc-generic-vnfm-driver/templates/configmap.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/configmap.yaml rename to archive/vfc/components/vfc-generic-vnfm-driver/templates/configmap.yaml diff --git a/archive/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml b/archive/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml new file mode 100644 index 0000000000..4cd1100988 --- /dev/null +++ b/archive/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml 
@@ -0,0 +1,97 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: MSB_HOST + value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" + {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} + - name: SSL_ENABLED + value: "true" + {{- else }} + - name: SSL_ENABLED + value: "false" + {{- end }} + - name: REG_TO_MSB_WHEN_START + value: "{{ .Values.global.config.reg_to_msb_when_start }}" + volumeMounts: + - name: {{ include "common.fullname" . }}-logs + mountPath: "{{ .Values.log.path }}" + - name: {{ include "common.fullname" . }}-logconfig + mountPath: /opt/vfc/gvnfmdriver/config/log.yml + subPath: log.yml + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + + # side car containers + {{ include "common.log.sidecar" . | nindent 8 }} + volumes: + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} + - name: {{ include "common.fullname" . }}-logconfig + configMap: + name : {{ include "common.fullname" . 
}}-logging-configmap + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/service.yaml b/archive/vfc/components/vfc-generic-vnfm-driver/templates/service.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/service.yaml rename to archive/vfc/components/vfc-generic-vnfm-driver/templates/service.yaml diff --git a/archive/vfc/components/vfc-generic-vnfm-driver/values.yaml b/archive/vfc/components/vfc-generic-vnfm-driver/values.yaml new file mode 100644 index 0000000000..c96712be4f --- /dev/null +++ b/archive/vfc/components/vfc-generic-vnfm-driver/values.yaml 
@@ -0,0 +1,92 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + config: + ssl_enabled: false + +################################################################# +# Application configuration defaults. +################################################################# +# application image +flavor: small + +image: onap/vfc/gvnfmdriver:1.4.4 +pullPolicy: Always + +#Istio sidecar injection policy +istioSidecar: true + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: {} + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: vfc-generic-vnfm-driver + portName: http + externalPort: 8484 + internalPort: 8484 +# nodePort: 30484 + +ingress: + enabled: false + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "200m" + memory: "500Mi" + requests: + cpu: "100m" + memory: "200Mi" + 
large: + limits: + cpu: "400m" + memory: "1Gi" + requests: + cpu: "200m" + memory: "500Mi" + unlimited: {} + +# Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/dmaap/components/dmaap-bc/.helmignore b/archive/vfc/components/vfc-huawei-vnfm-driver/.helmignore similarity index 100% rename from kubernetes/dmaap/components/dmaap-bc/.helmignore rename to archive/vfc/components/vfc-huawei-vnfm-driver/.helmignore diff --git a/archive/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml b/archive/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml new file mode 100644 index 0000000000..37158d942d --- /dev/null +++ b/archive/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml @@ -0,0 +1,28 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP VFC - Huawei VNFM Driver +name: vfc-huawei-vnfm-driver +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' 
diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/resources/config/logging/log4j.properties b/archive/vfc/components/vfc-huawei-vnfm-driver/resources/config/logging/log4j.properties similarity index 100% rename from kubernetes/vfc/components/vfc-huawei-vnfm-driver/resources/config/logging/log4j.properties rename to archive/vfc/components/vfc-huawei-vnfm-driver/resources/config/logging/log4j.properties diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/configmap.yaml b/archive/vfc/components/vfc-huawei-vnfm-driver/templates/configmap.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/configmap.yaml rename to archive/vfc/components/vfc-huawei-vnfm-driver/templates/configmap.yaml diff --git a/archive/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml b/archive/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml new file mode 100644 index 0000000000..ff22976b17 --- /dev/null +++ b/archive/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml 
@@ -0,0 +1,100 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + - containerPort: {{ .Values.service.internalPort2 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: MSB_PROTO + value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}" + {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} + - name: SSL_ENABLED + value: "true" + {{- else }} + - name: SSL_ENABLED + value: "false" + {{- end }} + - name: MSB_ADDR + value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" + - name: REG_TO_MSB_WHEN_START + value: "{{ .Values.global.config.reg_to_msb_when_start }}" + volumeMounts: + - name: {{ include "common.fullname" . }}-logs + mountPath: {{ .Values.log.path }} + - name: {{ include "common.fullname" . }}-logconfig + mountPath: /opt/vfc/hwvnfmdriver/config/log4j.properties + subPath: log4j.properties + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + + # side car containers + {{ include "common.log.sidecar" . | nindent 8 }} + volumes: + - name: {{ include "common.fullname" . 
}}-logs + emptyDir: {} + - name: {{ include "common.fullname" . }}-logconfig + configMap: + name : {{ include "common.fullname" . }}-logging-configmap + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/service.yaml b/archive/vfc/components/vfc-huawei-vnfm-driver/templates/service.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/service.yaml rename to archive/vfc/components/vfc-huawei-vnfm-driver/templates/service.yaml diff --git a/archive/vfc/components/vfc-huawei-vnfm-driver/values.yaml b/archive/vfc/components/vfc-huawei-vnfm-driver/values.yaml new file mode 100644 index 0000000000..040ad08694 --- /dev/null +++ b/archive/vfc/components/vfc-huawei-vnfm-driver/values.yaml 
@@ -0,0 +1,94 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + config: + ssl_enabled: false + +################################################################# +# Application configuration defaults. +################################################################# +# application image +flavor: small + +image: onap/vfc/nfvo/svnfm/huawei:1.3.9 +pullPolicy: Always + +#Istio sidecar injection policy +istioSidecar: true + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: {} + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: vfc-huawei-vnfm-driver + portName: http + externalPort: 8482 + internalPort: 8482 + externalPort2: 8483 + internalPort2: 8483 +# nodePort: 30482 + +ingress: + enabled: false + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "200m" + memory: "2Gi" + 
requests: + cpu: "100m" + memory: "1Gi" + large: + limits: + cpu: "400m" + memory: "4Gi" + requests: + cpu: "200m" + memory: "2Gi" + unlimited: {} + +# Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/dmaap/components/dmaap-dr-node/.helmignore b/archive/vfc/components/vfc-nslcm/.helmignore similarity index 100% rename from kubernetes/dmaap/components/dmaap-dr-node/.helmignore rename to archive/vfc/components/vfc-nslcm/.helmignore diff --git a/archive/vfc/components/vfc-nslcm/Chart.yaml b/archive/vfc/components/vfc-nslcm/Chart.yaml new file mode 100644 index 0000000000..3bef3a8743 --- /dev/null +++ b/archive/vfc/components/vfc-nslcm/Chart.yaml @@ -0,0 +1,28 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP VFC - NS Life Cycle Management +name: vfc-nslcm +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' 
diff --git a/kubernetes/vfc/components/vfc-nslcm/resources/config/logging/log.yml b/archive/vfc/components/vfc-nslcm/resources/config/logging/log.yml similarity index 100% rename from kubernetes/vfc/components/vfc-nslcm/resources/config/logging/log.yml rename to archive/vfc/components/vfc-nslcm/resources/config/logging/log.yml diff --git a/kubernetes/vfc/components/vfc-nslcm/templates/configmap.yaml b/archive/vfc/components/vfc-nslcm/templates/configmap.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-nslcm/templates/configmap.yaml rename to archive/vfc/components/vfc-nslcm/templates/configmap.yaml diff --git a/archive/vfc/components/vfc-nslcm/templates/deployment.yaml b/archive/vfc/components/vfc-nslcm/templates/deployment.yaml new file mode 100644 index 0000000000..88c322fef7 --- /dev/null +++ b/archive/vfc/components/vfc-nslcm/templates/deployment.yaml 
@@ -0,0 +1,134 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - {{ include "common.mariadbService" . }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + command: + - sh + args: + - -c + - 'MYSQL_AUTH=${MYSQL_ROOT_USER}:${MYSQL_ROOT_PASSWORD} ./docker-entrypoint.sh' + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: MSB_HOST + value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" + {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} + - name: SSL_ENABLED + value: "true" + {{- else }} + - name: SSL_ENABLED + value: "false" + {{- end }} + - name: MYSQL_ADDR + value: '{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}' + - name: MYSQL_ROOT_USER + value: "{{ .Values.global.config.mariadb_admin }}" + - name: MYSQL_ROOT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}} + - name: REDIS_HOST + value: "{{ .Values.global.config.redisServiceName }}" + - name: REDIS_PORT + value: "{{ .Values.global.config.redisPort }}" + - name: REG_TO_MSB_WHEN_START + value: "{{ .Values.global.config.reg_to_msb_when_start }}" + volumeMounts: + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap + - name: {{ include "common.fullname" . }}-logconfig + mountPath: /opt/vfc/nslcm/config/log.yml + subPath: log.yml + resources: {{ include "common.resources" . 
| nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + + # side car containers + {{ include "common.log.sidecar" . | nindent 8 }} + volumes: + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} + - name: {{ include "common.fullname" . }}-logconfig + configMap: + name : {{ include "common.fullname" . }}-logging-configmap + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-nslcm/templates/secrets.yaml b/archive/vfc/components/vfc-nslcm/templates/secrets.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-nslcm/templates/secrets.yaml rename to archive/vfc/components/vfc-nslcm/templates/secrets.yaml diff --git a/kubernetes/vfc/components/vfc-nslcm/templates/service.yaml b/archive/vfc/components/vfc-nslcm/templates/service.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-nslcm/templates/service.yaml rename to archive/vfc/components/vfc-nslcm/templates/service.yaml diff --git a/archive/vfc/components/vfc-nslcm/values.yaml b/archive/vfc/components/vfc-nslcm/values.yaml new file mode 100644 index 0000000000..48cce40822 --- /dev/null +++ b/archive/vfc/components/vfc-nslcm/values.yaml 
@@ -0,0 +1,113 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + config: + ssl_enabled: false + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-root-pass + externalSecret: '{{ ternary (index .Values "mariadb-galera" "rootUser" "externalSecret") (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (default "mariadb-galera" .Values.global.mariadbGalera.nameOverride))) .Values.global.mariadbGalera.localCluster }}' + type: password + password: '{{ index .Values "mariadb-galera" "rootUser" "password" }}' + policy: required + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +flavor: small + +image: onap/vfc/nslcm:1.4.7 +pullPolicy: Always + +#Istio sidecar injection policy +istioSidecar: true + +# flag to enable debugging - application support required +debugEnabled: false + +# Local mariadb galera instance default name +mariadb-galera: + rootUser: + externalSecret: '{{ include "common.release" . }}-vfc-db-root-pass' + nameOverride: vfc-mariadb + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: vfc-nslcm + portName: http + externalPort: 8403 + internalPort: 8403 +# nodePort: 30403 + +ingress: + enabled: false + + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "200m" + memory: "500Mi" + requests: + cpu: "100m" + memory: "200Mi" + large: + limits: + cpu: "400m" + memory: "1Gi" + requests: + cpu: "200m" + memory: "500Mi" + unlimited: {} + +# Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/.helmignore b/archive/vfc/components/vfc-redis/.helmignore similarity index 100% rename from kubernetes/dmaap/components/dmaap-dr-prov/.helmignore rename to archive/vfc/components/vfc-redis/.helmignore diff --git a/archive/vfc/components/vfc-redis/Chart.yaml b/archive/vfc/components/vfc-redis/Chart.yaml new file mode 100644 index 0000000000..84736f364b --- /dev/null +++ b/archive/vfc/components/vfc-redis/Chart.yaml 
@@ -0,0 +1,28 @@ +# Copyright (C) 2018 Verizon. All Rights Reserved. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP VFC - REDIS +name: vfc-redis +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' diff --git a/archive/vfc/components/vfc-redis/templates/deployment.yaml b/archive/vfc/components/vfc-redis/templates/deployment.yaml new file mode 100644 index 0000000000..02fc994599 --- /dev/null +++ b/archive/vfc/components/vfc-redis/templates/deployment.yaml 
@@ -0,0 +1,67 @@ +{{/* +# Copyright (C) 2018 Verizon. All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-redis/templates/service.yaml b/archive/vfc/components/vfc-redis/templates/service.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-redis/templates/service.yaml rename to archive/vfc/components/vfc-redis/templates/service.yaml diff --git a/archive/vfc/components/vfc-redis/values.yaml b/archive/vfc/components/vfc-redis/values.yaml new file mode 100644 index 0000000000..60c95b9b7c --- /dev/null +++ b/archive/vfc/components/vfc-redis/values.yaml 
@@ -0,0 +1,81 @@ +# Copyright (C) 2018 Verizon. All Rights Reserved +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + +################################################################# +# Application configuration defaults. +################################################################# +# application image +flavor: small + +image: onap/vfc/db:1.3.5 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: {} + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 120 + periodSeconds: 10 + +service: + type: ClusterIP + name: vfc-redis + portName: http + externalPort: 6379 + internalPort: 6379 + +ingress: + enabled: false + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "200m" + memory: "500Mi" + requests: + cpu: "100m" + memory: "200Mi" + large: + limits: + cpu: "400m" + memory: "1Gi" + requests: + cpu: "200m" + memory: "500Mi" + unlimited: {} \ No newline 
at end of file diff --git a/kubernetes/dmaap/components/message-router/.helmignore b/archive/vfc/components/vfc-vnflcm/.helmignore similarity index 100% rename from kubernetes/dmaap/components/message-router/.helmignore rename to archive/vfc/components/vfc-vnflcm/.helmignore diff --git a/archive/vfc/components/vfc-vnflcm/Chart.yaml b/archive/vfc/components/vfc-vnflcm/Chart.yaml new file mode 100644 index 0000000000..fe0ce9b4f9 --- /dev/null +++ b/archive/vfc/components/vfc-vnflcm/Chart.yaml @@ -0,0 +1,28 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP VFC - VNF Life Cycle Management +name: vfc-vnflcm +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnflcm/resources/config/logging/log.yml b/archive/vfc/components/vfc-vnflcm/resources/config/logging/log.yml similarity index 100% rename from kubernetes/vfc/components/vfc-vnflcm/resources/config/logging/log.yml rename to archive/vfc/components/vfc-vnflcm/resources/config/logging/log.yml 
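Review bot: in the new values.yaml that defines the `vfc-redis` service, `portName: http` labels port 6379 as HTTP although Redis speaks its own TCP protocol. Service meshes that pick the protocol from the port name (the sibling VFC deployments in this patch carry the `sidecar.istio.io/inject` annotation) would treat this traffic as HTTP if the service template uses this value as the port name. Suggest a name such as `tcp-redis` so the port is handled as plain TCP.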
diff --git a/kubernetes/vfc/components/vfc-vnflcm/templates/configmap.yaml b/archive/vfc/components/vfc-vnflcm/templates/configmap.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-vnflcm/templates/configmap.yaml rename to archive/vfc/components/vfc-vnflcm/templates/configmap.yaml diff --git a/archive/vfc/components/vfc-vnflcm/templates/deployment.yaml b/archive/vfc/components/vfc-vnflcm/templates/deployment.yaml new file mode 100644 index 0000000000..e915587a4f --- /dev/null +++ b/archive/vfc/components/vfc-vnflcm/templates/deployment.yaml 
@@ -0,0 +1,134 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - {{ include "common.mariadbService" . }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + command: + - sh + args: + - -c + - 'MYSQL_AUTH=${MYSQL_ROOT_USER}:${MYSQL_ROOT_PASSWORD} ./docker-entrypoint.sh' + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: MSB_HOST + value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" + {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} + - name: SSL_ENABLED + value: "true" + {{- else }} + - name: SSL_ENABLED + value: "false" + {{- end }} + - name: MYSQL_ADDR + value: '{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}' + - name: MYSQL_ROOT_USER + value: "{{ .Values.global.config.mariadb_admin }}" + - name: MYSQL_ROOT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}} + - name: REDIS_HOST + value: "{{ .Values.global.config.redisServiceName }}" + - name: REDIS_PORT + value: "{{ .Values.global.config.redisPort }}" + - name: REG_TO_MSB_WHEN_START + value: "{{ .Values.global.config.reg_to_msb_when_start }}" + volumeMounts: + - name: {{ include "common.fullname" . }}-logs + mountPath: {{ .Values.log.path }} + - name: {{ include "common.fullname" . }}-logconfig + mountPath: /opt/vfc/gvnfm-vnflcm/config/log.yml + subPath: log.yml + resources: {{ include "common.resources" . 
| nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + + # side car containers + {{ include "common.log.sidecar" . | nindent 8 }} + volumes: + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} + - name: {{ include "common.fullname" . }}-logconfig + configMap: + name : {{ include "common.fullname" . }}-logging-configmap + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-vnflcm/templates/secrets.yaml b/archive/vfc/components/vfc-vnflcm/templates/secrets.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-vnflcm/templates/secrets.yaml rename to archive/vfc/components/vfc-vnflcm/templates/secrets.yaml diff --git a/kubernetes/vfc/components/vfc-vnflcm/templates/service.yaml b/archive/vfc/components/vfc-vnflcm/templates/service.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-vnflcm/templates/service.yaml rename to archive/vfc/components/vfc-vnflcm/templates/service.yaml diff --git a/archive/vfc/components/vfc-vnflcm/values.yaml b/archive/vfc/components/vfc-vnflcm/values.yaml new file mode 100644 index 0000000000..bc22a32206 --- /dev/null +++ b/archive/vfc/components/vfc-vnflcm/values.yaml 
@@ -0,0 +1,113 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + config: + ssl_enabled: false + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-root-pass + externalSecret: '{{ ternary (index .Values "mariadb-galera" "rootUser" "externalSecret") (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (default "mariadb-galera" .Values.global.mariadbGalera.nameOverride))) .Values.global.mariadbGalera.localCluster }}' + type: password + password: '{{ index .Values "mariadb-galera" "rootUser" "password" }}' + policy: required + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +flavor: small + +image: onap/vfc/vnflcm:1.4.3 +pullPolicy: Always + +#Istio sidecar injection policy +istioSidecar: true + +# flag to enable debugging - application support required +debugEnabled: false + +# Local mariadb galera instance default name +mariadb-galera: + rootUser: + externalSecret: '{{ include "common.release" . }}-vfc-db-root-pass' + nameOverride: vfc-mariadb + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: vfc-vnflcm + portName: http + externalPort: 8801 + internalPort: 8801 +# nodePort: 30801 + +ingress: + enabled: false + + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "200m" + memory: "500Mi" + requests: + cpu: "100m" + memory: "200Mi" + large: + limits: + cpu: "400m" + memory: "1Gi" + requests: + cpu: "200m" + memory: "500Mi" + unlimited: {} + +# Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/holmes/.helmignore b/archive/vfc/components/vfc-vnfmgr/.helmignore similarity index 100% rename from kubernetes/holmes/.helmignore rename to archive/vfc/components/vfc-vnfmgr/.helmignore diff --git a/archive/vfc/components/vfc-vnfmgr/Chart.yaml b/archive/vfc/components/vfc-vnfmgr/Chart.yaml new file mode 100644 index 0000000000..d5ec0cfc80 --- /dev/null +++ b/archive/vfc/components/vfc-vnfmgr/Chart.yaml 
@@ -0,0 +1,28 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP VFC - VNF Manager +name: vfc-vnfmgr +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnfmgr/resources/config/logging/log.yml b/archive/vfc/components/vfc-vnfmgr/resources/config/logging/log.yml similarity index 100% rename from kubernetes/vfc/components/vfc-vnfmgr/resources/config/logging/log.yml rename to archive/vfc/components/vfc-vnfmgr/resources/config/logging/log.yml diff --git a/kubernetes/vfc/components/vfc-vnfmgr/templates/configmap.yaml b/archive/vfc/components/vfc-vnfmgr/templates/configmap.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-vnfmgr/templates/configmap.yaml rename to archive/vfc/components/vfc-vnfmgr/templates/configmap.yaml diff --git a/archive/vfc/components/vfc-vnfmgr/templates/deployment.yaml b/archive/vfc/components/vfc-vnfmgr/templates/deployment.yaml new file mode 100644 index 0000000000..8dd9f57921 --- /dev/null +++ b/archive/vfc/components/vfc-vnfmgr/templates/deployment.yaml 
@@ -0,0 +1,135 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - {{ include "common.mariadbService" . }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + command: + - sh + args: + - -c + - 'MYSQL_AUTH=${MYSQL_ROOT_USER}:${MYSQL_ROOT_PASSWORD} ./docker-entrypoint.sh' + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: MSB_HOST + value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" + {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} + - name: SSL_ENABLED + value: "true" + {{- else }} + - name: SSL_ENABLED + value: "false" + {{- end }} + - name: MYSQL_ADDR + value: '{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}' + - name: REDIS_HOST + value: "{{ .Values.global.config.redisServiceName }}" + - name: REDIS_PORT + value: "{{ .Values.global.config.redisPort }}" + - name: MYSQL_ROOT_USER + value: "{{ .Values.global.config.mariadb_admin }}" + - name: MYSQL_ROOT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}} + - name: REG_TO_MSB_WHEN_START + value: "{{ .Values.global.config.reg_to_msb_when_start }}" + volumeMounts: + - name: {{ include "common.fullname" . }}-logs + mountPath: {{ .Values.log.path }} + - name: {{ include "common.fullname" . }}-logconfig + mountPath: /opt/vfc/gvnfm-vnfmgr/config/log.yml + subPath: log.yml + resources: {{ include "common.resources" . 
| nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + + # side car containers + {{ include "common.log.sidecar" . | nindent 8 }} + volumes: + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} + - name: {{ include "common.fullname" . }}-logconfig + configMap: + name : {{ include "common.fullname" . }}-logging-configmap + + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-vnfmgr/templates/secrets.yaml b/archive/vfc/components/vfc-vnfmgr/templates/secrets.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-vnfmgr/templates/secrets.yaml rename to archive/vfc/components/vfc-vnfmgr/templates/secrets.yaml diff --git a/kubernetes/vfc/components/vfc-vnfmgr/templates/service.yaml b/archive/vfc/components/vfc-vnfmgr/templates/service.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-vnfmgr/templates/service.yaml rename to archive/vfc/components/vfc-vnfmgr/templates/service.yaml diff --git a/archive/vfc/components/vfc-vnfmgr/values.yaml b/archive/vfc/components/vfc-vnfmgr/values.yaml new file mode 100644 index 0000000000..31b5a66fd0 --- /dev/null +++ b/archive/vfc/components/vfc-vnfmgr/values.yaml 
@@ -0,0 +1,112 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + config: + ssl_enabled: false + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-root-pass + externalSecret: '{{ ternary (index .Values "mariadb-galera" "rootUser" "externalSecret") (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (default "mariadb-galera" .Values.global.mariadbGalera.nameOverride))) .Values.global.mariadbGalera.localCluster }}' + type: password + password: '{{ index .Values "mariadb-galera" "rootUser" "password" }}' + policy: required + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +flavor: small + +image: onap/vfc/vnfmgr:1.4.1 +pullPolicy: Always + +#Istio sidecar injection policy +istioSidecar: true + +# flag to enable debugging - application support required +debugEnabled: false + +# Local mariadb galera instance default name +mariadb-galera: + rootUser: + externalSecret: '{{ include "common.release" . }}-vfc-db-root-pass' + nameOverride: vfc-mariadb + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: vfc-vnfmgr + portName: http + externalPort: 8803 + internalPort: 8803 +# nodePort: 30803 + +ingress: + enabled: false + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "200m" + memory: "500Mi" + requests: + cpu: "100m" + memory: "200Mi" + large: + limits: + cpu: "400m" + memory: "1Gi" + requests: + cpu: "200m" + memory: "500Mi" + unlimited: {} + +# Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/modeling/components/modeling-etsicatalog/.helmignore b/archive/vfc/components/vfc-vnfres/.helmignore similarity index 100% rename from kubernetes/modeling/components/modeling-etsicatalog/.helmignore rename to archive/vfc/components/vfc-vnfres/.helmignore diff --git a/archive/vfc/components/vfc-vnfres/Chart.yaml b/archive/vfc/components/vfc-vnfres/Chart.yaml new file mode 100644 index 0000000000..be05a88d7a --- /dev/null +++ b/archive/vfc/components/vfc-vnfres/Chart.yaml 
@@ -0,0 +1,28 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP VFC - VNF Resource Manager +name: vfc-vnfres +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnfres/resources/config/logging/log.yml b/archive/vfc/components/vfc-vnfres/resources/config/logging/log.yml similarity index 100% rename from kubernetes/vfc/components/vfc-vnfres/resources/config/logging/log.yml rename to archive/vfc/components/vfc-vnfres/resources/config/logging/log.yml diff --git a/kubernetes/vfc/components/vfc-vnfres/templates/configmap.yaml b/archive/vfc/components/vfc-vnfres/templates/configmap.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-vnfres/templates/configmap.yaml rename to archive/vfc/components/vfc-vnfres/templates/configmap.yaml diff --git a/archive/vfc/components/vfc-vnfres/templates/deployment.yaml b/archive/vfc/components/vfc-vnfres/templates/deployment.yaml new file mode 100644 index 0000000000..f4138d256f --- /dev/null +++ b/archive/vfc/components/vfc-vnfres/templates/deployment.yaml 
@@ -0,0 +1,133 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - {{ include "common.mariadbService" . }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + command: + - sh + args: + - -c + - 'MYSQL_AUTH=${MYSQL_ROOT_USER}:${MYSQL_ROOT_PASSWORD} ./docker-entrypoint.sh' + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: MSB_HOST + value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" + {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} + - name: SSL_ENABLED + value: "true" + {{- else }} + - name: SSL_ENABLED + value: "false" + {{- end }} + - name: MYSQL_ADDR + value: '{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}' + - name: REDIS_HOST + value: "{{ .Values.global.config.redisServiceName }}" + - name: REDIS_PORT + value: "{{ .Values.global.config.redisPort }}" + - name: MYSQL_ROOT_USER + value: "{{ .Values.global.config.mariadb_admin }}" + - name: MYSQL_ROOT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}} + - name: REG_TO_MSB_WHEN_START + value: "{{ .Values.global.config.reg_to_msb_when_start }}" + volumeMounts: + - name: {{ include "common.fullname" . }}-logs + mountPath: /var/log/onap + - name: {{ include "common.fullname" . }}-logconfig + mountPath: /opt/vfc/gvnfm-vnfres/config/log.yml + subPath: log.yml + resources: {{ include "common.resources" . 
| nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 8 }} + volumes: + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} + - name: {{ include "common.fullname" . }}-logconfig + configMap: + name : {{ include "common.fullname" . }}-logging-configmap + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-vnfres/templates/secrets.yaml b/archive/vfc/components/vfc-vnfres/templates/secrets.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-vnfres/templates/secrets.yaml rename to archive/vfc/components/vfc-vnfres/templates/secrets.yaml diff --git a/kubernetes/vfc/components/vfc-vnfres/templates/service.yaml b/archive/vfc/components/vfc-vnfres/templates/service.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-vnfres/templates/service.yaml rename to archive/vfc/components/vfc-vnfres/templates/service.yaml diff --git a/archive/vfc/components/vfc-vnfres/values.yaml b/archive/vfc/components/vfc-vnfres/values.yaml new file mode 100644 index 0000000000..2c54249de4 --- /dev/null +++ b/archive/vfc/components/vfc-vnfres/values.yaml 
@@ -0,0 +1,113 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + config: + ssl_enabled: false + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-root-pass + externalSecret: '{{ ternary (index .Values "mariadb-galera" "rootUser" "externalSecret") (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (default "mariadb-galera" .Values.global.mariadbGalera.nameOverride))) .Values.global.mariadbGalera.localCluster }}' + type: password + password: '{{ index .Values "mariadb-galera" "rootUser" "password" }}' + policy: required + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +flavor: small + +image: onap/vfc/vnfres:1.4.1 +pullPolicy: Always + +#Istio sidecar injection policy +istioSidecar: true + +# flag to enable debugging - application support required +debugEnabled: false + +# Local mariadb galera instance default name +mariadb-galera: + rootUser: + externalSecret: '{{ include "common.release" . }}-vfc-db-root-pass' + nameOverride: vfc-mariadb + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: vfc-vnfres + portName: http + externalPort: 8802 + internalPort: 8802 +# nodePort: 30802 + +ingress: + enabled: false + + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "200m" + memory: "500Mi" + requests: + cpu: "100m" + memory: "200Mi" + large: + limits: + cpu: "400m" + memory: "1Gi" + requests: + cpu: "200m" + memory: "500Mi" + unlimited: {} + +# Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/msb/components/kube2msb/.helmignore b/archive/vfc/components/vfc-zte-vnfm-driver/.helmignore similarity index 100% rename from kubernetes/msb/components/kube2msb/.helmignore rename to archive/vfc/components/vfc-zte-vnfm-driver/.helmignore diff --git a/archive/vfc/components/vfc-zte-vnfm-driver/Chart.yaml b/archive/vfc/components/vfc-zte-vnfm-driver/Chart.yaml new file mode 100644 index 0000000000..2511b5e587 --- /dev/null +++ b/archive/vfc/components/vfc-zte-vnfm-driver/Chart.yaml 
@@ -0,0 +1,28 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP VFC - ZTE VNFM Driver +name: vfc-zte-vnfm-driver +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/resources/config/logging/log.yml b/archive/vfc/components/vfc-zte-vnfm-driver/resources/config/logging/log.yml similarity index 100% rename from kubernetes/vfc/components/vfc-zte-vnfm-driver/resources/config/logging/log.yml rename to archive/vfc/components/vfc-zte-vnfm-driver/resources/config/logging/log.yml diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/configmap.yaml b/archive/vfc/components/vfc-zte-vnfm-driver/templates/configmap.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/configmap.yaml rename to archive/vfc/components/vfc-zte-vnfm-driver/templates/configmap.yaml diff --git a/archive/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml b/archive/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml new file mode 100644 index 0000000000..c58957c2a2 --- /dev/null +++ b/archive/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml 
@@ -0,0 +1,97 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + replicas: {{ .Values.replicaCount }} + template: + metadata: + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + annotations: + sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: + - containerPort: {{ .Values.service.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: MSB_HOST + value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" + {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} + - name: SSL_ENABLED + value: "true" + {{- else }} + - name: SSL_ENABLED + value: "false" + {{- end }} + - name: REG_TO_MSB_WHEN_START + value: "{{ .Values.global.config.reg_to_msb_when_start }}" + volumeMounts: + - name: {{ include "common.fullname" . }}-logs + mountPath: {{ .Values.log.path }} + - name: {{ include "common.fullname" . }}-logconfig + mountPath: /opt/vfc/ztevnfmdriver/config/log.yml + subPath: log.yml + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + + # side car containers + {{ include "common.log.sidecar" . | nindent 8 }} + volumes: + - name: {{ include "common.fullname" . }}-logs + emptyDir: {} + - name: {{ include "common.fullname" . }}-logconfig + configMap: + name : {{ include "common.fullname" . 
}}-logging-configmap + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/service.yaml b/archive/vfc/components/vfc-zte-vnfm-driver/templates/service.yaml similarity index 100% rename from kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/service.yaml rename to archive/vfc/components/vfc-zte-vnfm-driver/templates/service.yaml diff --git a/archive/vfc/components/vfc-zte-vnfm-driver/values.yaml b/archive/vfc/components/vfc-zte-vnfm-driver/values.yaml new file mode 100644 index 0000000000..3588ba548e --- /dev/null +++ b/archive/vfc/components/vfc-zte-vnfm-driver/values.yaml 
@@ -0,0 +1,92 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + config: + ssl_enabled: false + +################################################################# +# Application configuration defaults. +################################################################# +# application image +flavor: small + +image: onap/vfc/ztevnfmdriver:1.4.1 +pullPolicy: Always + +#Istio sidecar injection policy +istioSidecar: true + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: {} + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 120 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: vfc-zte-vnfm-driver + portName: http + externalPort: 8410 + internalPort: 8410 + +ingress: + enabled: false + + +# Configure resource requests and limits +resources: + small: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "50m" + memory: "200Mi" + large: + limits: + cpu: 
"200m" + memory: "1Gi" + requests: + cpu: "100m" + memory: "500Mi" + unlimited: {} + +# Log configuration +log: + path: /var/log/onap +logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/vfc/resources/config/log/filebeat/filebeat.yml b/archive/vfc/resources/config/log/filebeat/filebeat.yml similarity index 100% rename from kubernetes/vfc/resources/config/log/filebeat/filebeat.yml rename to archive/vfc/resources/config/log/filebeat/filebeat.yml diff --git a/kubernetes/vfc/templates/configmap.yaml b/archive/vfc/templates/configmap.yaml similarity index 100% rename from kubernetes/vfc/templates/configmap.yaml rename to archive/vfc/templates/configmap.yaml diff --git a/kubernetes/vfc/templates/secrets.yaml b/archive/vfc/templates/secrets.yaml similarity index 100% rename from kubernetes/vfc/templates/secrets.yaml rename to archive/vfc/templates/secrets.yaml diff --git a/archive/vfc/values.yaml b/archive/vfc/values.yaml new file mode 100644 index 0000000000..05b7eb1fa3 --- /dev/null +++ b/archive/vfc/values.yaml 
@@ -0,0 +1,122 @@ +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + config: + ssl_enabled: false + msbprotocol: http + msbServiceName: msb-iag + msbPort: 443 + redisServiceName: vfc-redis + redisPort: 6379 +# Becaue now oom can register the microservice to msb automatically, +# If it is set to false, vfc contanier will not register again, if it is +# set to true, vfc will register by itself. +# we use this flag to determine who is responbile for serice registeration +# and it can reduce duplicate registration. + reg_to_msb_when_start: False + mariadb_admin: &mariadbAdmin root + persistence: + mountPath: /dockerdata-nfs + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows VFC to instantiate its own mariadb-galera cluster + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + centralizedLoggingEnabled: true + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-root-pass + name: &dbRootPassSecret '{{ include "common.release" . }}-vfc-db-root-pass' + externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) 
(hasSuffix "db-root-pass" (index .Values "mariadb-galera" "rootUser" "externalSecret"))}}' + login: '{{ index .Values "mariadb-galera" "rootUser" "user" }}' + password: '{{ index .Values "mariadb-galera" "rootUser" "password" }}' + type: password + +# application configuration +config: + logstashServiceName: log-ls + logstashPort: 5044 + +mariadb-galera: &localMariadb + rootUser: + user: *mariadbAdmin + # password: + externalSecret: *dbRootPassSecret + nameOverride: &dbServer vfc-mariadb + service: + name: *dbServer + portName: *dbServer + internalPort: 3306 + nfsprovisionerPrefix: vfc + persistence: + mountSubPath: vfc/data + enabled: true + disableNfsProvisioner: true + serviceAccount: + nameOverride: *dbServer + replicaCount: 1 + mariadbOperator: + galera: + enabled: false + +vfc-generic-vnfm-driver: + enabled: true + logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' + +vfc-huawei-vnfm-driver: + enabled: true + logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' + +vfc-nslcm: + enabled: true + mariadb-galera: *localMariadb + logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' + +vfc-redis: + enabled: true + +vfc-vnflcm: + enabled: true + mariadb-galera: *localMariadb + logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' + +vfc-vnfmgr: + enabled: true + mariadb-galera: *localMariadb + logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' + +vfc-vnfres: + enabled: true + mariadb-galera: *localMariadb + logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' + +# sub-chart configuration +vfc-workflow: + service: + externalPort: 10550 + +vfc-workflow-engine: + config: + workflowPort: 10550 + +vfc-zte-vnfm-driver: + enabled: true + logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' diff --git a/archive/vnfsdk/Chart.yaml b/archive/vnfsdk/Chart.yaml new file mode 100644 index 0000000000..bf0dbe6640 --- /dev/null +++ b/archive/vnfsdk/Chart.yaml 
@@ -0,0 +1,34 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP VNF SDK +name: vnfsdk +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/vnfsdk/resources/config/configuration.xml b/archive/vnfsdk/resources/config/configuration.xml similarity index 100% rename from kubernetes/vnfsdk/resources/config/configuration.xml rename to archive/vnfsdk/resources/config/configuration.xml diff --git a/kubernetes/vnfsdk/resources/config/marketplace_tables_postgres.sql b/archive/vnfsdk/resources/config/marketplace_tables_postgres.sql similarity index 100% rename from kubernetes/vnfsdk/resources/config/marketplace_tables_postgres.sql rename to archive/vnfsdk/resources/config/marketplace_tables_postgres.sql diff --git a/archive/vnfsdk/resources/nginx/nginx.conf b/archive/vnfsdk/resources/nginx/nginx.conf new file mode 100644 index 0000000000..9d7aa78b36 --- /dev/null +++ b/archive/vnfsdk/resources/nginx/nginx.conf 
@@ -0,0 +1,55 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +daemon off; + +#pid /run/nginx.pid; + +events { + worker_connections 500; + # multi_accept on; +} +http { + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + #Comment or disable the access_log once tested to avoid runtime logs +# access_log /var/log/nginx/access.log format gzip; + access_log off; + error_log /var/log/nginx/error.log; + + server { + listen {{ .Values.service.internalPort }}; + server_name {{ .Values.service.name }}; + keepalive_timeout 70; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://localhost:8702; + proxy_read_timeout 90; + proxy_redirect off; + } + } +} \ No newline at end of file diff --git a/kubernetes/vnfsdk/templates/NOTES.txt b/archive/vnfsdk/templates/NOTES.txt similarity index 100% rename from kubernetes/vnfsdk/templates/NOTES.txt rename to archive/vnfsdk/templates/NOTES.txt diff --git a/kubernetes/vnfsdk/templates/configmap.yaml b/archive/vnfsdk/templates/configmap.yaml similarity index 100% rename from kubernetes/vnfsdk/templates/configmap.yaml rename to archive/vnfsdk/templates/configmap.yaml 
diff --git a/archive/vnfsdk/templates/deployment.yaml b/archive/vnfsdk/templates/deployment.yaml new file mode 100644 index 0000000000..bf9ad3e031 --- /dev/null +++ b/archive/vnfsdk/templates/deployment.yaml 
@@ -0,0 +1,75 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: PG_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: PG_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: init-data-input + - mountPath: /config + name: init-data + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . 
}} + ports: {{ include "common.containerPorts" . | nindent 8 }} + resources: {{ include "common.resources" . | nindent 10 }} + volumeMounts: + - mountPath: /service/webapps/ROOT/WEB-INF/classes/mybatis/configuration/configuration.xml + name: init-data + subPath: configuration.xml + - mountPath: /etc/nginx/nginx.conf + name: nginx + subPath: nginx.conf + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + volumes: + - name: init-data-input + configMap: + name: {{ include "common.fullname" . }} + - name: nginx + configMap: + name: {{ include "common.fullname" . }}-nginx + - name: init-data + emptyDir: + medium: Memory diff --git a/archive/vnfsdk/templates/ingress.yaml b/archive/vnfsdk/templates/ingress.yaml new file mode 100644 index 0000000000..1f6ec7ab0e --- /dev/null +++ b/archive/vnfsdk/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/archive/vnfsdk/templates/job.yaml b/archive/vnfsdk/templates/job.yaml new file mode 100644 index 0000000000..a6966a7708 --- /dev/null +++ b/archive/vnfsdk/templates/job.yaml 
@@ -0,0 +1,82 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-init-postgres + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }}-job + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + backoffLimit: 20 + template: + metadata: + labels: + app: {{ include "common.name" . }}-job + release: {{ include "common.release" . }} + spec: + restartPolicy: Never + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - "{{ .Values.postgres.service.name2 }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy}} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }}-job + image: {{ include "repositoryGenerator.image.postgres" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: PGUSER + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + command: + - /bin/sh + - -c + - | + psql -h $(VNFSDK_DBPRI_SERVICE_HOST) -f /aaa/init/marketplace_tables_postgres.sql + volumeMounts: + - name: init-data + mountPath: /aaa/init/marketplace_tables_postgres.sql + subPath: marketplace_tables_postgres.sql + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + volumes: + - name: init-data + configMap: + name: {{ include "common.fullname" . }} diff --git a/kubernetes/vnfsdk/templates/secrets.yaml b/archive/vnfsdk/templates/secrets.yaml similarity index 100% rename from kubernetes/vnfsdk/templates/secrets.yaml rename to archive/vnfsdk/templates/secrets.yaml diff --git a/archive/vnfsdk/templates/service.yaml b/archive/vnfsdk/templates/service.yaml new file mode 100644 index 0000000000..6127b2b373 --- /dev/null +++ b/archive/vnfsdk/templates/service.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modification © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/archive/vnfsdk/values.yaml b/archive/vnfsdk/values.yaml new file mode 100644 index 0000000000..723dfc3b4f --- /dev/null +++ b/archive/vnfsdk/values.yaml 
@@ -0,0 +1,128 @@ +# Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-vnfsdk-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "vnfsdk-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-vnfsdk-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "vnfsdk-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/vnfsdk/refrepo:1.6.3 +pullPolicy: Always + +# application configuration override for postgres +postgres: + nameOverride: vnfsdk-postgres + service: + name: vnfsdk-dbset + name2: vnfsdk-dbpri + name3: vnfsdk-dbrep + container: + name: + primary: vnfsdk-dbpri + replica: vnfsdk-dbrep + persistence: + mountSubPath: vnfsdk/data + mountInitPath: vnfsdk + config: + pgUserName: postgres + pgDatabase: postgres + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName + +# flag to enable debugging - application support required +debugEnabled: false + +nodeSelector: {} + +affinity: {} + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "2000m" + memory: "4Gi" + requests: + cpu: "500m" + memory: "1Gi" + large: + limits: + cpu: "4000m" + memory: "8Gi" + requests: + cpu: "1000m" + memory: "2Gi" + unlimited: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 60 + periodSeconds: 30 + +service: + type: NodePort + name: refrepo + internalPort: 8703 + ports: + - name: http + port: 8703 + nodePort: '97' + +ingress: + enabled: false + service: + - baseaddr: "vnfsdk-refrepo-api" + name: "refrepo" + port: 8703 + config: + ssl: "redirect" + +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' diff --git a/argo/argocd/app-argocd.yaml b/argo/argocd/app-argocd.yaml new file mode 100644 index 0000000000..aee59505d7 --- /dev/null +++ b/argo/argocd/app-argocd.yaml 
@@ -0,0 +1,34 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argo-managenent + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + labels: + name: argo-app +spec: + project: argo-management + source: + repoURL: '' + targetRevision: + path: ./argo/argocd + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: false + selfHeal: true + allowEmpty: false + syncOptions: + - Validate=true + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + revisionHistoryLimit: 10 diff --git a/argo/argocd/argo-project.yaml b/argo/argocd/argo-project.yaml new file mode 100644 index 0000000000..8e08f3f87a --- /dev/null +++ b/argo/argocd/argo-project.yaml 
@@ -0,0 +1,35 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: argo-management + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + description: argo-management Project + sourceRepos: + - '*' + destinations: + - namespace: '*' + server: https://kubernetes.default.svc + clusterResourceWhitelist: + - group: '*' + kind: '*' diff --git a/argo/argocd/argo-secret.yaml b/argo/argocd/argo-secret.yaml new file mode 100644 index 0000000000..72373d8bfa --- /dev/null +++ b/argo/argocd/argo-secret.yaml 
@@ -0,0 +1,39 @@ +--- +# Git Repository definition. +apiVersion: v1 +kind: Secret +metadata: + name: gitlab-onap-repo + namespace: argocd + labels: + argocd.argoproj.io/secret-type: repository +stringData: + url: +--- +# Git Repository credentials, for using the same credentials in multiple repositories. +#apiVersion: v1 +#kind: Secret +#metadata: +# name: gitlab-onap-creds +# namespace: argocd +# labels: +# argocd.argoproj.io/secret-type: repo-creds +#stringData: +# url: +# type: git +# password: +# username: +#--- +# (optional) Helm Repository credentials, for using the same credentials in multiple repositories. +#apiVersion: v1 +#kind: Secret +#metadata: +# name: helm-repo-onap +# namespace: argocd +# labels: +# argocd.argoproj.io/secret-type: repo-creds +#stringData: +# url: +# type: helm +# password: ${HELM_PASSWORD} +# username: ${HELM_USERNAME} diff --git a/argo/argocd/argocd.yaml b/argo/argocd/argocd.yaml new file mode 100644 index 0000000000..6967d40248 --- /dev/null +++ b/argo/argocd/argocd.yaml 
@@ -0,0 +1,47 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://argoproj.github.io/argo-helm + chart: argo-cd + targetRevision: 7.9.0 + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/argocd/values/argocd.yaml + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/argocd/kustomization.yaml b/argo/argocd/kustomization.yaml new file mode 100644 index 0000000000..83caa54bee --- /dev/null +++ b/argo/argocd/kustomization.yaml 
@@ -0,0 +1,24 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - argocd.yaml + - argo-project.yaml + - argo-secret.yaml diff --git a/argo/argocd/values/argocd.yaml b/argo/argocd/values/argocd.yaml new file mode 100644 index 0000000000..b03353bc22 --- /dev/null +++ b/argo/argocd/values/argocd.yaml 
@@ -0,0 +1,38 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +#global: +# domain: ${DNS_ZONE} + +configs: + # Argo CD configuration parameters + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml + params: + server.insecure: true + # -- Specifies the timeout after which a sync would be terminated. 0 means no timeout + #controller.sync.timeout.seconds: 600 + secret: + argocdServerAdminPassword: "$2a$10$VHCTI04YLEJHZQjBmlZ89OKs8iqYF6I5sjdwRLKy4ChVxFPxt09Ue" + argocdServerAdminPasswordMtime: "2021-08-03T13:45:00Z" + extra: + oidc.keycloak.clientSecret: "06dc70a8-23c3-4d9f-b1f2-6ea80047c674" + cm: + url: "https://argocd." + statusbadge.enabled: 'true' + exec.enabled: true + admin.enabled: true diff --git a/argo/infra/app-infra.yaml b/argo/infra/app-infra.yaml new file mode 100644 index 0000000000..5730015e7d --- /dev/null +++ b/argo/infra/app-infra.yaml 
@@ -0,0 +1,34 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: infra-components + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + labels: + name: infra-components +spec: + project: argo-management + source: + repoURL: '' + targetRevision: + path: ./argo/infra + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: false + selfHeal: true + allowEmpty: false + syncOptions: + - Validate=true + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + revisionHistoryLimit: 10 diff --git a/argo/infra/cert-manager.yaml b/argo/infra/cert-manager.yaml new file mode 100644 index 0000000000..3032dff29e --- /dev/null +++ b/argo/infra/cert-manager.yaml 
@@ -0,0 +1,49 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://charts.jetstack.io + chart: cert-manager + targetRevision: v1.17.2 + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/cert-manager.yaml + destination: + server: https://kubernetes.default.svc + namespace: cert-manager + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/chartmuseum.yaml b/argo/infra/chartmuseum.yaml new file mode 100644 index 0000000000..e351dfaeff --- /dev/null +++ b/argo/infra/chartmuseum.yaml 
@@ -0,0 +1,47 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: chartmuseum + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://chartmuseum.github.io/charts + chart: chartmuseum + targetRevision: 3.10.3 + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/chartmuseum.yaml + destination: + server: https://kubernetes.default.svc + namespace: chartmuseum + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/compile-onap.yaml b/argo/infra/compile-onap.yaml new file mode 100644 index 0000000000..254e4079f2 --- /dev/null +++ b/argo/infra/compile-onap.yaml 
@@ -0,0 +1,66 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: v1 +kind: Namespace +metadata: + name: gating + labels: + name: gating + istio-injection: enabled +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: compile-onap + namespace: argocd + labels: + name: compile-onap +spec: + project: argo-management + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: + targetRevision: + path: ./argo/infra/compile-onap/helm + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/compile-onap.yaml + destination: + server: https://kubernetes.default.svc + namespace: gating + syncPolicy: + automated: + prune: false + selfHeal: true + allowEmpty: false + syncOptions: + - Validate=true + - CreateNamespace=true + #- PrunePropagationPolicy=foreground + #- PruneLast=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + revisionHistoryLimit: 10 diff --git a/argo/infra/compile-onap/helm/Chart.yaml b/argo/infra/compile-onap/helm/Chart.yaml new file mode 100644 index 0000000000..fc1592ba97 --- /dev/null 
+++ b/argo/infra/compile-onap/helm/Chart.yaml @@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: v2 +version: 0.0.1 +description: Job to compile ONAP helm charts +name: compile-onap diff --git a/argo/infra/compile-onap/helm/templates/onap-helm-render-job.yaml b/argo/infra/compile-onap/helm/templates/onap-helm-render-job.yaml new file mode 100644 index 0000000000..0f0af16bd7 --- /dev/null +++ b/argo/infra/compile-onap/helm/templates/onap-helm-render-job.yaml 
@@ -0,0 +1,59 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: onap-helm-render + namespace: gating + #annotations: + # "helm.sh/hook": pre-upgrade,pre-rollback,pre-install + # "helm.sh/hook-weight": "2" + # "helm.sh/hook-delete-policy": before-hook-creation +spec: + template: + spec: + containers: + - name: onap-helm-rendering + image: artifactory.devops.telekom.de/onap-repo/onap/k8s-toolbox:1.1.0 + #image: nexus3.onap.org:10003/onap/k8s-toolbox:1.1.0 + args: + - /bin/bash + - -c + - | + set -x + helm repo add --force-update "local" {{ .Values.repository_url }} + #helm repo add --force-update "onap" {{ .Values.repository_url }} + helm repo update + helm repo list + helm search repo local + #helm search repo onap + helm plugin install --version v0.10.4 https://github.com/chartmuseum/helm-push.git + git clone {{ .Values.onap_repo }} -b {{ .Values.onap_repo_branch }} + cd oom + {{- if not (eq .Values.gerrit_review "") }} + {{- $review_end := trunc -2 .Values.gerrit_review }} + {{- $review_end_url := printf "%s/%s/%s" $review_end .Values.gerrit_review .Values.gerrit_patchset }} + git fetch 
{{ .Values.onap_repo }} refs/changes/{{ $review_end_url }} && git checkout FETCH_HEAD + {{- end }} + helm plugin install kubernetes/helm/plugins/deploy + helm plugin install kubernetes/helm/plugins/undeploy + cd kubernetes + make SKIP_LINT=TRUE all + #make SKIP_LINT=TRUE onap + restartPolicy: Never diff --git a/argo/infra/compile-onap/helm/values.yaml b/argo/infra/compile-onap/helm/values.yaml new file mode 100644 index 0000000000..09c62079f6 --- /dev/null +++ b/argo/infra/compile-onap/helm/values.yaml @@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +repository_url: "http://chartmuseum.chartmuseum:8080" +onap_repo: "https://gerrit.onap.org/r/oom" +onap_repo_branch: "master" +gerrit_review: "" +gerrit_patchset: "" diff --git a/argo/infra/django-defectdojo.yaml b/argo/infra/django-defectdojo.yaml new file mode 100644 index 0000000000..2840eb9c64 --- /dev/null +++ b/argo/infra/django-defectdojo.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: defectdojo + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://raw.githubusercontent.com/DefectDojo/django-DefectDojo/helm-charts + chart: defectdojo + targetRevision: 1.6.190 + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/django-defectdojo.yaml + destination: + server: https://kubernetes.default.svc + namespace: defectdojo + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: disabled + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/gateway-api.yaml b/argo/infra/gateway-api.yaml new file mode 100644 index 0000000000..5d6e610f3f --- /dev/null +++ b/argo/infra/gateway-api.yaml 
@@ -0,0 +1,42 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: gateway-api + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: '' + targetRevision: + path: argo/infra/gateway-api + destination: + server: https://kubernetes.default.svc + namespace: istio-ingress + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_backendlbpolicies.yaml b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_backendlbpolicies.yaml new file mode 100644 index 0000000000..3b0f0c48ee --- /dev/null +++ b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_backendlbpolicies.yaml 
@@ -0,0 +1,497 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + gateway.networking.k8s.io/policy: Direct + name: backendlbpolicies.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: BackendLBPolicy + listKind: BackendLBPolicyList + plural: backendlbpolicies + shortNames: + - blbpolicy + singular: backendlbpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + BackendLBPolicy provides a way to define load balancing rules + for a backend. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendLBPolicy. + properties: + sessionPersistence: + description: |- + SessionPersistence defines and configures session persistence + for the backend. 
+ + Support: Extended + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. + + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. + + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. + + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. + + Support: Core for "Session" type + + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. + + Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use a header or cookie. 
Defaults to cookie based session + persistence. + + Support: Core for "Cookie" type + + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + targetRefs: + description: |- + TargetRef identifies an API object to apply policy to. + Currently, Backends (i.e. Service, ServiceImport, or any + implementation-specific backendRef) are the only valid API + target references. + items: + description: |- + LocalPolicyTargetReference identifies an API object to apply a direct or + inherited policy to. This should be used as part of Policy resources + that can target Gateway API resources. For more information on how this + policy attachment model works, and a sample Policy resource, refer to + the policy attachment documentation for Gateway API. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - group + - kind + - name + x-kubernetes-list-type: map + required: + - targetRefs + type: object + status: + description: Status defines the current state of BackendLBPolicy. 
+ properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. 
Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). 
+ + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. 
+ + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. 
+ + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - controllerName + type: object + maxItems: 16 + type: array + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml new file mode 100644 index 0000000000..fb642f6123 --- /dev/null +++ b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_backendtlspolicies.yaml 
@@ -0,0 +1,625 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + labels: + gateway.networking.k8s.io/policy: Direct + name: backendtlspolicies.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: BackendTLSPolicy + listKind: BackendTLSPolicyList + plural: backendtlspolicies + shortNames: + - btlspolicy + singular: backendtlspolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + description: |- + BackendTLSPolicy provides a way to configure how a Gateway + connects to a Backend via TLS. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendTLSPolicy. + properties: + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. 
This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object + targetRefs: + description: |- + TargetRefs identifies an API object to apply the policy to. + Only Services have Extended support. Implementations MAY support + additional objects, with Implementation Specific support. + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + items: + description: |- + LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a + direct policy to. This should be used as part of Policy resources that can + target single resources. For more information on how this policy attachment + mode works, and a sample Policy resource, refer to the policy attachment + documentation for Gateway API. + + Note: This should only be used for direct policy attachment when references + to SectionName are actually needed. In all other cases, + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: |- + SectionName is the name of a section within the target resource. When + unspecified, this targetRef targets the entire resource. In the following + resources, SectionName is interpreted as the following: + + * Gateway: Listener name + * HTTPRoute: HTTPRouteRule name + * Service: Port name + + If a SectionName is specified, but does not exist on the targeted object, + the Policy must fail to attach, and the policy implementation should record + a `ResolvedRefs` or similar Condition in the Policy's status. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + validation: + description: Validation contains backend TLS validation configuration. + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes objects that + contain a PEM-encoded TLS CA certificate bundle, which is used to + validate a TLS handshake between the Gateway and backend Pod. + + If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be + specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, + not both. If CACertifcateRefs is empty or unspecified, the configuration for + WellKnownCACertificates MUST be honored instead if supported by the implementation. + + References to a resource in a different namespace are invalid for the + moment, although we will revisit this in the future. 
+ + A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a backend, but this behavior is implementation-specific. + + Support: Core - An optional single reference to a Kubernetes ConfigMap, + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one reference, or other kinds + of resources). + items: + description: |- + LocalObjectReference identifies an API object within the namespace of the + referrer. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" + or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + type: array + hostname: + description: |- + Hostname is used for two purposes in the connection between Gateways and + backends: + + 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). + 2. If SubjectAltNames is not specified, Hostname MUST be used for + authentication and MUST match the certificate served by the matching + backend. 
+ + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + subjectAltNames: + description: |- + SubjectAltNames contains one or more Subject Alternative Names. + When specified, the certificate served from the backend MUST have at least one + Subject Alternate Name matching one of the specified SubjectAltNames. + + Support: Core + items: + description: SubjectAltName represents Subject Alternative Name. + properties: + hostname: + description: |- + Hostname contains Subject Alternative Name specified in DNS name format. + Required when Type is set to Hostname, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: + description: |- + Type determines the format of the Subject Alternative Name. Always required. + + Support: Core + enum: + - Hostname + - URI + type: string + uri: + description: |- + URI contains Subject Alternative Name specified in a full URI format. + It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. + Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + Required when Type is set to URI, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? 
+ type: string + required: + - type + type: object + x-kubernetes-validations: + - message: SubjectAltName element must contain Hostname, if + Type is set to Hostname + rule: '!(self.type == "Hostname" && (!has(self.hostname) || + self.hostname == ""))' + - message: SubjectAltName element must not contain Hostname, + if Type is not set to Hostname + rule: '!(self.type != "Hostname" && has(self.hostname) && + self.hostname != "")' + - message: SubjectAltName element must contain URI, if Type + is set to URI + rule: '!(self.type == "URI" && (!has(self.uri) || self.uri + == ""))' + - message: SubjectAltName element must not contain URI, if Type + is not set to URI + rule: '!(self.type != "URI" && has(self.uri) && self.uri != + "")' + maxItems: 5 + type: array + wellKnownCACertificates: + description: |- + WellKnownCACertificates specifies whether system CA certificates may be used in + the TLS handshake between the gateway and backend pod. + + If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs + must be specified with at least one entry for a valid configuration. Only one of + CACertificateRefs or WellKnownCACertificates may be specified, not both. If an + implementation does not support the WellKnownCACertificates field or the value + supplied is not supported, the Status Conditions on the Policy MUST be + updated to include an Accepted: False Condition with Reason: Invalid. 
+ + Support: Implementation-specific + enum: + - System + type: string + required: + - hostname + type: object + x-kubernetes-validations: + - message: must not contain both CACertificateRefs and WellKnownCACertificates + rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) + > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates + != "")' + - message: must specify either CACertificateRefs or WellKnownCACertificates + rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) + > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates + != "") + required: + - targetRefs + - validation + type: object + status: + description: Status defines the current state of BackendTLSPolicy. + properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. 
+ + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. 
+ + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. 
+ + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. 
If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". 
+ + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - controllerName + type: object + maxItems: 16 + type: array + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml new file mode 100644 index 0000000000..5dd5f710f9 --- /dev/null +++ b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_gatewayclasses.yaml 
@@ -0,0 +1,516 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. + + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + GatewayClass is a Cluster level resource. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. + + Example: "example.net/gateway-controller". + + This field is not mutable and cannot be empty. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. This is optional if the + controller does not require any additional configuration. + + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. 
+ + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. + + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. 
+ + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: + description: | + SupportedFeatures is the set of features the GatewayClass support. + It MUST be sorted in ascending alphabetical order by the Name key. + items: + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. 
+ + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. + + Example: "example.net/gateway-controller". + + This field is not mutable and cannot be empty. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. 
This is optional if the + controller does not require any additional configuration. + + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. + + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. + + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. 
+ properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: + description: | + SupportedFeatures is the set of features the GatewayClass support. + It MUST be sorted in ascending alphabetical order by the Name key. + items: + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_gateways.yaml b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_gateways.yaml new file mode 100644 index 0000000000..d7790f97ef --- /dev/null +++ b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_gateways.yaml 
@@ -0,0 +1,2496 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |+ + Addresses requested for this Gateway. 
This is optional and behavior can + depend on the implementation. If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in the associated entry in GatewayStatus.Addresses. + + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. + + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. + + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + Support: Extended + + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? 
self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + backendTLS: + description: |+ + BackendTLS configures TLS settings for when this Gateway is connecting to + backends with TLS. + + Support: Core + + properties: + clientCertificateRef: + description: |+ + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + This setting can be overridden on the service level by use of BackendTLSPolicy. + + Support: Core + + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. 
+ maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: |- + Infrastructure defines infrastructure level attributes about this Gateway instance. + + Support: Extended + properties: + annotations: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Annotations that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. + For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. + + An implementation may chose to add additional implementation-specific annotations as they see fit. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. 
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: |- + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. + + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + Labels that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. + For other implementations, this refers to any relevant (implementation specific) "labels" concepts. + + An implementation may chose to add additional implementation-specific labels as they see fit. + + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. 
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the Gateway. This is optional if the + controller does not require any additional configuration. + + This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis + + The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + listeners: + description: |- + Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. + At least one Listener MUST be specified. + + ## Distinct Listeners + + Each Listener in a set of Listeners (for example, in a single Gateway) + MUST be _distinct_, in that a traffic flow MUST be able to be assigned to + exactly one listener. 
(This section uses "set of Listeners" rather than + "Listeners in a single Gateway" because implementations MAY merge configuration + from multiple Gateways onto a single data plane, and these rules _also_ + apply in that case). + + Practically, this means that each listener in a set MUST have a unique + combination of Port, Protocol, and, if supported by the protocol, Hostname. + + Some combinations of port, protocol, and TLS settings are considered + Core support and MUST be supported by implementations based on the objects + they support: + + HTTPRoute + + 1. HTTPRoute, Port: 80, Protocol: HTTP + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided + + TLSRoute + + 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + "Distinct" Listeners have the following property: + + **The implementation can match inbound requests to a single distinct + Listener**. + + When multiple Listeners share values for fields (for + example, two Listeners with the same Port value), the implementation + can match requests to only one of the Listeners using other + Listener fields. + + When multiple listeners have the same value for the Protocol field, then + each of the Listeners with matching Protocol values MUST have different + values for other fields. + + The set of fields that MUST be different for a Listener differs per protocol. + The following rules define the rules for what fields MUST be considered for + Listeners to be distinct with each protocol currently defined in the + Gateway API spec. 
+ + The set of listeners that all share a protocol value MUST have _different_ + values for _at least one_ of these fields to be distinct: + + * **HTTP, HTTPS, TLS**: Port, Hostname + * **TCP, UDP**: Port + + One **very** important rule to call out involves what happens when an + implementation: + + * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol + Listeners, and + * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP + Protocol. + + In this case all the Listeners that share a port with the + TCP Listener are not distinct and so MUST NOT be accepted. + + If an implementation does not support TCP Protocol Listeners, then the + previous rule does not apply, and the TCP Listeners SHOULD NOT be + accepted. + + Note that the `tls` field is not used for determining if a listener is distinct, because + Listeners that _only_ differ on TLS config will still conflict in all cases. + + ### Listeners that are distinct only by Hostname + + When the Listeners are distinct based only on Hostname, inbound request + hostnames MUST match from the most specific to least specific Hostname + values to choose the correct Listener and its associated set of Routes. + + Exact matches MUST be processed before wildcard matches, and wildcard + matches MUST be processed before fallback (empty Hostname value) + matches. For example, `"foo.example.com"` takes precedence over + `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. + + Additionally, if there are multiple wildcard entries, more specific + wildcard entries must be processed before less specific wildcard entries. + For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. + + The precise definition here is that the higher the number of dots in the + hostname to the right of the wildcard character, the higher the precedence. 
+ + The wildcard character will match any number of characters _and dots_ to + the left, however, so `"*.example.com"` will match both + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + ## Handling indistinct Listeners + + If a set of Listeners contains Listeners that are not distinct, then those + Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + condition in the Listener Status to "True". + + The words "indistict" and "conflicted" are considered equivalent for the + purpose of this documentation. + + Implementations MAY choose to accept a Gateway with some Conflicted + Listeners only if they only accept the partial Listener set that contains + no Conflicted Listeners. + + Specifically, an implementation MAY accept a partial Listener set subject to + the following rules: + + * The implementation MUST NOT pick one conflicting Listener as the winner. + ALL indistinct Listeners must not be accepted for processing. + * At least one distinct Listener MUST be present, or else the Gateway effectively + contains _no_ Listeners, and must be rejected from processing as a whole. + + The implementation MUST set a "ListenersNotValid" condition on the + Gateway Status when the Gateway contains Conflicted Listeners whether or + not they accept the Gateway. That Condition SHOULD clearly + indicate in the Message which Listeners are conflicted, and which are + Accepted. Additionally, the Listener status for those listeners SHOULD + indicate which Listeners are conflicted and not Accepted. + + ## General Listener behavior + + Note that, for all distinct Listeners, requests SHOULD match at most one Listener. + For example, if Listeners are defined for "foo.example.com" and "*.example.com", a + request to "foo.example.com" SHOULD only be routed using routes attached + to the "foo.example.com" Listener (and not the "*.example.com" Listener). + + This concept is known as "Listener Isolation", and it is an Extended feature + of Gateway API. 
Implementations that do not support Listener Isolation MUST + clearly document this, and MUST NOT claim support for the + `GatewayHTTPListenerIsolation` feature. + + Implementations that _do_ support Listener Isolation SHOULD claim support + for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated + conformance tests. + + ## Compatible Listeners + + A Gateway's Listeners are considered _compatible_ if: + + 1. They are distinct. + 2. The implementation can serve them in compliance with the Addresses + requirement that all Listeners are available on all assigned + addresses. + + Compatible combinations in Extended support are expected to vary across + implementations. A combination that is compatible for one implementation + may not be compatible for another. + + For example, an implementation that cannot serve both TCP and UDP listeners + on the same address, or cannot mix HTTPS and generic TLS listens on the same port + would not consider those cases compatible, even though they are distinct. + + Implementations MAY merge separate Gateways onto a single set of + Addresses if all Listeners across all Gateways are compatible. + + Support: Core + items: + description: |- + Listener embodies the concept of a logical endpoint where a Gateway accepts + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. 
For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + + Support: Core + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. 
+ + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: |- + Protocol specifies the network protocol this listener expects to receive. + + Support: Core + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + The association of SNIs to Certificate defined in GatewayTLSConfig is + defined based on the Hostname field for this listener. + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + + Support: Core + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. 
+ + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + frontendValidation: + description: |+ + FrontendValidation holds configuration information for validating the frontend (client). + Setting this field will require clients to send a client certificate + required for validation during the TLS handshake. In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Extended + + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to + Kubernetes objects that contain TLS certificates of + the Certificate Authorities that can be used + as a trust anchor to validate the certificates presented by the client. + + A single CA certificate reference to a Kubernetes ConfigMap + has "Core" support. + Implementations MAY choose to support attaching multiple CA certificates to + a Listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one reference, or other kinds + of resources). + + References to a resource in a different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. 
+ items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + type: object + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. 
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? 
(l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol + == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname + == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: |+ + Addresses lists the network addresses that have been bound to the + Gateway. + + This list may differ from the addresses provided in the spec under some + conditions: + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + + items: + description: GatewayStatusAddress describes a network address that + is bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. 
+ maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the Gateway. + + Implementations should prefer to express Gateway conditions + using the `GatewayConditionType` and `GatewayConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe Gateway state. + + Known condition types are: + + * "Accepted" + * "Programmed" + * "Ready" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. 
+ + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener or Route status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners with condition Accepted: false and MUST count successfully + attached Routes that may themselves have Accepted: false conditions. + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds an implementation supports for + that Listener configuration. + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. 
+ properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |+ + Addresses requested for this Gateway. This is optional and behavior can + depend on the implementation. If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in the associated entry in GatewayStatus.Addresses. + + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. + + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. + + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + Support: Extended + + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. 
+ maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + backendTLS: + description: |+ + BackendTLS configures TLS settings for when this Gateway is connecting to + backends with TLS. + + Support: Core + + properties: + clientCertificateRef: + description: |+ + ClientCertificateRef is a reference to an object that contains a Client + Certificate and the associated private key. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + ClientCertificateRef can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + This setting can be overridden on the service level by use of BackendTLSPolicy. + + Support: Core + + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + type: object + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: |- + Infrastructure defines infrastructure level attributes about this Gateway instance. + + Support: Extended + properties: + annotations: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Annotations that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. 
+ For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. + + An implementation may chose to add additional implementation-specific annotations as they see fit. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: |- + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. + + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + Labels that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. + For other implementations, this refers to any relevant (implementation specific) "labels" concepts. + + An implementation may chose to add additional implementation-specific labels as they see fit. 
+ + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the Gateway. This is optional if the + controller does not require any additional configuration. + + This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis + + The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + listeners: + description: |- + Listeners associated with this Gateway. 
Listeners define + logical endpoints that are bound on this Gateway's addresses. + At least one Listener MUST be specified. + + ## Distinct Listeners + + Each Listener in a set of Listeners (for example, in a single Gateway) + MUST be _distinct_, in that a traffic flow MUST be able to be assigned to + exactly one listener. (This section uses "set of Listeners" rather than + "Listeners in a single Gateway" because implementations MAY merge configuration + from multiple Gateways onto a single data plane, and these rules _also_ + apply in that case). + + Practically, this means that each listener in a set MUST have a unique + combination of Port, Protocol, and, if supported by the protocol, Hostname. + + Some combinations of port, protocol, and TLS settings are considered + Core support and MUST be supported by implementations based on the objects + they support: + + HTTPRoute + + 1. HTTPRoute, Port: 80, Protocol: HTTP + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided + + TLSRoute + + 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + "Distinct" Listeners have the following property: + + **The implementation can match inbound requests to a single distinct + Listener**. + + When multiple Listeners share values for fields (for + example, two Listeners with the same Port value), the implementation + can match requests to only one of the Listeners using other + Listener fields. + + When multiple listeners have the same value for the Protocol field, then + each of the Listeners with matching Protocol values MUST have different + values for other fields. + + The set of fields that MUST be different for a Listener differs per protocol. + The following rules define the rules for what fields MUST be considered for + Listeners to be distinct with each protocol currently defined in the + Gateway API spec. 
+ + The set of listeners that all share a protocol value MUST have _different_ + values for _at least one_ of these fields to be distinct: + + * **HTTP, HTTPS, TLS**: Port, Hostname + * **TCP, UDP**: Port + + One **very** important rule to call out involves what happens when an + implementation: + + * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol + Listeners, and + * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP + Protocol. + + In this case all the Listeners that share a port with the + TCP Listener are not distinct and so MUST NOT be accepted. + + If an implementation does not support TCP Protocol Listeners, then the + previous rule does not apply, and the TCP Listeners SHOULD NOT be + accepted. + + Note that the `tls` field is not used for determining if a listener is distinct, because + Listeners that _only_ differ on TLS config will still conflict in all cases. + + ### Listeners that are distinct only by Hostname + + When the Listeners are distinct based only on Hostname, inbound request + hostnames MUST match from the most specific to least specific Hostname + values to choose the correct Listener and its associated set of Routes. + + Exact matches MUST be processed before wildcard matches, and wildcard + matches MUST be processed before fallback (empty Hostname value) + matches. For example, `"foo.example.com"` takes precedence over + `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. + + Additionally, if there are multiple wildcard entries, more specific + wildcard entries must be processed before less specific wildcard entries. + For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. + + The precise definition here is that the higher the number of dots in the + hostname to the right of the wildcard character, the higher the precedence. 
+ + The wildcard character will match any number of characters _and dots_ to + the left, however, so `"*.example.com"` will match both + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + ## Handling indistinct Listeners + + If a set of Listeners contains Listeners that are not distinct, then those + Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + condition in the Listener Status to "True". + + The words "indistict" and "conflicted" are considered equivalent for the + purpose of this documentation. + + Implementations MAY choose to accept a Gateway with some Conflicted + Listeners only if they only accept the partial Listener set that contains + no Conflicted Listeners. + + Specifically, an implementation MAY accept a partial Listener set subject to + the following rules: + + * The implementation MUST NOT pick one conflicting Listener as the winner. + ALL indistinct Listeners must not be accepted for processing. + * At least one distinct Listener MUST be present, or else the Gateway effectively + contains _no_ Listeners, and must be rejected from processing as a whole. + + The implementation MUST set a "ListenersNotValid" condition on the + Gateway Status when the Gateway contains Conflicted Listeners whether or + not they accept the Gateway. That Condition SHOULD clearly + indicate in the Message which Listeners are conflicted, and which are + Accepted. Additionally, the Listener status for those listeners SHOULD + indicate which Listeners are conflicted and not Accepted. + + ## General Listener behavior + + Note that, for all distinct Listeners, requests SHOULD match at most one Listener. + For example, if Listeners are defined for "foo.example.com" and "*.example.com", a + request to "foo.example.com" SHOULD only be routed using routes attached + to the "foo.example.com" Listener (and not the "*.example.com" Listener). + + This concept is known as "Listener Isolation", and it is an Extended feature + of Gateway API. 
Implementations that do not support Listener Isolation MUST + clearly document this, and MUST NOT claim support for the + `GatewayHTTPListenerIsolation` feature. + + Implementations that _do_ support Listener Isolation SHOULD claim support + for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated + conformance tests. + + ## Compatible Listeners + + A Gateway's Listeners are considered _compatible_ if: + + 1. They are distinct. + 2. The implementation can serve them in compliance with the Addresses + requirement that all Listeners are available on all assigned + addresses. + + Compatible combinations in Extended support are expected to vary across + implementations. A combination that is compatible for one implementation + may not be compatible for another. + + For example, an implementation that cannot serve both TCP and UDP listeners + on the same address, or cannot mix HTTPS and generic TLS listens on the same port + would not consider those cases compatible, even though they are distinct. + + Implementations MAY merge separate Gateways onto a single set of + Addresses if all Listeners across all Gateways are compatible. + + Support: Core + items: + description: |- + Listener embodies the concept of a logical endpoint where a Gateway accepts + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. 
For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + + Support: Core + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. 
+ + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: |- + Protocol specifies the network protocol this listener expects to receive. + + Support: Core + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + The association of SNIs to Certificate defined in GatewayTLSConfig is + defined based on the Hostname field for this listener. + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + + Support: Core + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. 
+ + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + frontendValidation: + description: |+ + FrontendValidation holds configuration information for validating the frontend (client). + Setting this field will require clients to send a client certificate + required for validation during the TLS handshake. In browsers this may result in a dialog appearing + that requests a user to specify the client certificate. + The maximum depth of a certificate chain accepted in verification is Implementation specific. + + Support: Extended + + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to + Kubernetes objects that contain TLS certificates of + the Certificate Authorities that can be used + as a trust anchor to validate the certificates presented by the client. + + A single CA certificate reference to a Kubernetes ConfigMap + has "Core" support. + Implementations MAY choose to support attaching multiple CA certificates to + a Listener, but this behavior is implementation-specific. + + Support: Core - A single reference to a Kubernetes ConfigMap + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific (More than one reference, or other kinds + of resources). + + References to a resource in a different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. 
+ items: + description: |- + ObjectReference identifies an API object including its namespace. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "ConfigMap" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + minItems: 1 + type: array + type: object + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. 
+ - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? 
(l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol + == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname + == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: |+ + Addresses lists the network addresses that have been bound to the + Gateway. + + This list may differ from the addresses provided in the spec under some + conditions: + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + + items: + description: GatewayStatusAddress describes a network address that + is bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. 
+ maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the Gateway. + + Implementations should prefer to express Gateway conditions + using the `GatewayConditionType` and `GatewayConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe Gateway state. + + Known condition types are: + + * "Accepted" + * "Programmed" + * "Ready" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. 
+ + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener or Route status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners with condition Accepted: false and MUST count successfully + attached Routes that may themselves have Accepted: false conditions. + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds an implementation supports for + that Listener configuration. + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. 
+ properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml new file mode 100644 index 0000000000..2c637ecc3b --- /dev/null +++ b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_grpcroutes.yaml 
@@ -0,0 +1,2234 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + GRPCRoute provides a way to route gRPC requests. This includes the capability + to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + Filters can be used to specify additional processing steps. Backends specify + where matching requests will be routed. + + GRPCRoute falls under extended support within the Gateway API. Within the + following specification, the word "MUST" indicates that an implementation + supporting GRPCRoute must conform to the indicated requirement, but an + implementation not supporting this route type need not follow the requirement + unless explicitly indicated. + + Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + ALPN. If the implementation does not support this, then it MUST set the + "Accepted" condition to "False" for the affected listener with a reason of + "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + with an upgrade from HTTP/1. 
+ + Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + support HTTP/2 over cleartext TCP (h2c, + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + upgrade from HTTP/1.1, i.e. with prior knowledge + (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + does not support this, then it MUST set the "Accepted" condition to "False" + for the affected listener with a reason of "UnsupportedProtocol". + Implementations MAY also accept HTTP/2 connections with an upgrade from + HTTP/1, i.e. without prior knowledge. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames to match against the GRPC + Host header to select a GRPCRoute to process the request. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label MUST appear by itself as the first label. + + If a hostname is specified by both the Listener and GRPCRoute, there + MUST be at least one intersecting hostname for the GRPCRoute to be + attached to the Listener. 
For example: + + * A Listener with `test.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + If both the Listener and GRPCRoute have specified hostnames, any + GRPCRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + GRPCRoute specified `test.example.com` and `test.example.net`, + `test.example.net` MUST NOT be considered for a match. + + If both the Listener and GRPCRoute have specified hostnames, and none + match with the criteria above, then the GRPCRoute MUST NOT be accepted by + the implementation. The implementation MUST raise an 'Accepted' Condition + with a status of `False` in the corresponding RouteParentStatus. + + If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + Listener and that listener already has another Route (B) of the other + type attached and the intersection of the hostnames of A and B is + non-empty, then the implementation MUST accept exactly one of these two + routes, determined by the following criteria, in order: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". 
+ + The rejected Route MUST raise an 'Accepted' condition with a status of + 'False' in the corresponding RouteParentStatus. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. 
+ + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. 
+ + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. 
When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: |+ + Rules are a list of GRPC matchers, filters and actions. 
+ + items: + description: |- + GRPCRouteRule defines the semantics for matching a gRPC request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive an `UNAVAILABLE` status. + + See the GRPCBackendRef definition for the rules about what makes a single + GRPCBackendRef invalid. + + When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive an `UNAVAILABLE` status. + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + Implementations may choose how that 50 percent is determined. + + Support: Core for Kubernetes Service + + Support: Implementation-specific for any other resource + + Support for weight: Core + items: + description: |- + GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. 
+ + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + properties: + filters: + description: |- + Filters defined at this level MUST be executed if and only if the + request is being forwarded to the backend defined here. + + Support: Implementation-specific (For broader support of filters, use the + Filters field in GRPCRouteRule.) + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + Support: Implementation-specific + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. 
+ maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. 
Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: 
'!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. 
+ + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + The effects of ordering of multiple behaviors are currently unspecified. + This can change in the future based on feedback during the alpha stage. + + Conformance-levels at this level are defined based on the type of filter: + + - ALL core filters MUST be supported by all implementations that support + GRPCRoute. 
+ - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + If an implementation can not support a combination of filters, it must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + Support: Core + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + Support: Implementation-specific + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). 
+ + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. 
+ + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. 
+ + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. 
+ + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. 
Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. 
+ + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + matches: + description: |- + Matches define conditions used for matching the rule against incoming 
+ gRPC requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + For example, take the following matches configuration: + + ``` + matches: + - method: + service: foo.bar + headers: + values: + version: 2 + - method: + service: foo.bar.v2 + ``` + + For a request to match against this rule, it MUST satisfy + EITHER of the two conditions: + + - service of foo.bar AND contains the header `version: 2` + - service of foo.bar.v2 + + See the documentation for GRPCRouteMatch on how to specify multiple + match conditions to be ANDed together. + + If no matches are specified, the implementation MUST match every gRPC request. + + Proxy or Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing on + ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number of: + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + * Characters in a matching service. + * Characters in a matching method. + * Header matches. + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching rule meeting + the above criteria. + items: + description: |- + GRPCRouteMatch defines the predicate used to match requests to a given + action. Multiple match types are ANDed together, i.e. the match will + evaluate to true only if all conditions are satisfied. 
+ + For example, the match below will match a gRPC request only if its service + is `foo` AND it contains the `version: v1` header: + + ``` + matches: + - method: + type: Exact + service: "foo" + headers: + - name: "version" + value "v1" + + ``` + properties: + headers: + description: |- + Headers specifies gRPC request header matchers. Multiple match values are + ANDed together, meaning, a request MUST match all the specified headers + to select the route. + items: + description: |- + GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + headers. + properties: + name: + description: |- + Name is the name of the gRPC Header to be matched. + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies a gRPC request service/method matcher. If this field is + not specified, all services and methods will match. + properties: + method: + description: |- + Value of the method to match against. If left empty or omitted, will + match all services. + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + service: + description: |- + Value of the service to match against. 
If left empty or omitted, will + match any service. + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + type: + default: Exact + description: |- + Type specifies how to match against the service and/or method. + Support: Core (Exact with service and method specified) + + Support: Implementation-specific (Exact with method specified but no service specified) + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - RegularExpression + type: string + type: object + x-kubernetes-validations: + - message: One or both of 'service' or 'method' must be + specified + rule: 'has(self.type) ? has(self.service) || has(self.method) + : true' + - message: service must only contain valid characters + (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): + true' + - message: method must only contain valid characters (matching + ^[A-Za-z_][A-Za-z_0-9]*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): + true' + type: object + maxItems: 8 + type: array + name: + description: | + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + sessionPersistence: + description: |+ + SessionPersistence defines and configures session persistence + for the route rule. + + Support: Extended + + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. 
+ + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. + + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. + + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. + + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. + + Support: Core for "Session" type + + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. + + Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use a header or cookie. Defaults to cookie based session + persistence. 
+ + Support: Core for "Cookie" type + + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + type: object + maxItems: 16 + type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size() + : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size() + : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size() + : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size() + : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size() + : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size() + : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size() + : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size() + : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size() + : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size() + : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size() + : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size() + : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size() + : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size() + : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size() + : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? 
self[15].matches.size() + : 0) : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. 
+ + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). 
It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. 
+ + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_httproutes.yaml b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_httproutes.yaml new file mode 100644 index 0000000000..2824317d69 --- /dev/null +++ b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_httproutes.yaml 
@@ -0,0 +1,6158 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. 
+ properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. + + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. 
+ + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. 
For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. 
+ + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). 
It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. 
+ + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: |+ + Rules are a list of HTTP matchers, filters and actions. + + items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. 
If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. + + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. 
+ + + properties: + filters: + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. + + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. 
+ + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. 
+ + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. 
+ * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. 
It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. 
Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. 
This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + 
- message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. 
+ + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. 
+ format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + Wherever possible, implementations SHOULD implement filters in the order + they are specified. + + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that can not be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. + + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. + + Conformance-levels at this level are defined based on the type of filter: + + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation can not support other combinations of filters, they must clearly + document that limitation. 
In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. 
+ + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. 
+ + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. 
+ * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. 
It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. 
Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. 
This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - 
message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + For example, take the following matches configuration: + + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: + + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. 
Across all rules specified on applicable Routes, precedence must be + given to the match having: + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. + + Note: The precedence of RegularExpression path matches are implementation-specific. + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. + + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. + + Support: Core (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. 
+ properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. + + Support: Core (Exact, PathPrefix) + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? 
!self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. + + Support: Extended (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + name: + description: | + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + retry: + description: |+ + Retry defines the configuration for when to retry an HTTP request. + + Support: Extended + + properties: + attempts: + description: |- + Attempts specifies the maximum number of times an individual request + from the gateway to a backend should be retried. + + If the maximum number of retries has been attempted without a successful + response from the backend, the Gateway MUST return an error. + + When this field is unspecified, the number of times to attempt to retry + a backend request is implementation-specific. + + Support: Extended + type: integer + backoff: + description: |- + Backoff specifies the minimum duration a Gateway should wait between + retry attempts and is represented in Gateway API Duration formatting. 
+ + For example, setting the `rules[].retry.backoff` field to the value + `100ms` will cause a backend request to first be retried approximately + 100 milliseconds after timing out or receiving a response code configured + to be retryable. + + An implementation MAY use an exponential or alternative backoff strategy + for subsequent retry attempts, MAY cap the maximum backoff duration to + some amount greater than the specified minimum, and MAY add arbitrary + jitter to stagger requests, as long as unsuccessful backend requests are + not retried before the configured minimum duration. + + If a Request timeout (`rules[].timeouts.request`) is configured on the + route, the entire duration of the initial request and any retry attempts + MUST not exceed the Request timeout duration. If any retry attempts are + still in progress when the Request timeout duration has been reached, + these SHOULD be canceled if possible and the Gateway MUST immediately + return a timeout error. + + If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is + configured on the route, any retry attempts which reach the configured + BackendRequest timeout duration without a response SHOULD be canceled if + possible and the Gateway should wait for at least the specified backoff + duration before attempting to retry the backend request again. + + If a BackendRequest timeout is _not_ configured on the route, retry + attempts MAY time out after an implementation default duration, or MAY + remain pending until a configured Request timeout or implementation + default duration for total request time is reached. + + When this field is unspecified, the time to wait between retry attempts + is implementation-specific. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + codes: + description: |- + Codes defines the HTTP response status codes for which a backend request + should be retried. 
+ + Support: Extended + items: + description: |- + HTTPRouteRetryStatusCode defines an HTTP response status code for + which a backend request should be retried. + + Implementations MUST support the following status codes as retryable: + + * 500 + * 502 + * 503 + * 504 + + Implementations MAY support specifying additional discrete values in the + 500-599 range. + + Implementations MAY support specifying discrete values in the 400-499 range, + which are often inadvisable to retry. + + + maximum: 599 + minimum: 400 + type: integer + type: array + type: object + sessionPersistence: + description: |+ + SessionPersistence defines and configures session persistence + for the route rule. + + Support: Extended + + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. + + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. + + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. + + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. 
+ + Support: Core for "Session" type + + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. + + Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use a header or cookie. Defaults to cookie based session + persistence. + + Support: Core for "Cookie" type + + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + timeouts: + description: |- + Timeouts defines the timeouts that can be configured for an HTTP request. + + Support: Extended + properties: + backendRequest: + description: |- + BackendRequest specifies a timeout for an individual request from the gateway + to a backend. This covers the time from when the request first starts being + sent from the gateway to when the full response has been received from the backend. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. 
Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + An entire client HTTP transaction with a gateway, covered by the Request timeout, + may result in more than one call from the gateway to the destination backend, + for example, if automatic retries are supported. + + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: |- + Request specifies the maximum duration for a gateway to respond to an HTTP request. + If the gateway has not been able to respond before this deadline is met, the gateway + MUST return a timeout error. + + For example, setting the `rules.timeouts.request` field to the value `10s` in an + `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds + to complete. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + This timeout is intended to cover as close to the whole request-response transaction + as possible although an implementation MAY choose to start the timeout after the entire + request stream has been received instead of immediately after the transaction is + initiated by the client. + + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. 
+ + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: backendRequest timeout cannot be longer than request + timeout + rule: '!(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration(''0s'') && duration(self.backendRequest) + > duration(self.request))' + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? 
false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? 
self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. 
+ + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). 
It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. 
+ + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. + + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. 
+ + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. 
+ maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. 
+ * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. 
+ When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. 
+ + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. 
When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: |+ + Rules are a list of HTTP matchers, filters and actions. + + items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. 
If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. + + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. 
+ + + properties: + filters: + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. + + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. 
+ + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. 
+ + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. 
+ * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. 
It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. 
Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. 
This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + 
- message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. 
+ + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. 
+ format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + Wherever possible, implementations SHOULD implement filters in the order + they are specified. + + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that can not be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. + + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. + + Conformance-levels at this level are defined based on the type of filter: + + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation can not support other combinations of filters, they must clearly + document that limitation. 
In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. 
+ + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + fraction: + description: |+ + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |+ + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. 
+ + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. 
+ Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. 
+ * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. 
It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. 
Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. 
This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - 
message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + For example, take the following matches configuration: + + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: + + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. 
Across all rules specified on applicable Routes, precedence must be + given to the match having: + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. + + Note: The precedence of RegularExpression path matches are implementation-specific. + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. + + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. + + Support: Core (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. 
+ properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. + + Support: Core (Exact, PathPrefix) + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? 
!self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. + + Support: Extended (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + name: + description: | + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + retry: + description: |+ + Retry defines the configuration for when to retry an HTTP request. + + Support: Extended + + properties: + attempts: + description: |- + Attempts specifies the maximum number of times an individual request + from the gateway to a backend should be retried. + + If the maximum number of retries has been attempted without a successful + response from the backend, the Gateway MUST return an error. + + When this field is unspecified, the number of times to attempt to retry + a backend request is implementation-specific. + + Support: Extended + type: integer + backoff: + description: |- + Backoff specifies the minimum duration a Gateway should wait between + retry attempts and is represented in Gateway API Duration formatting. 
+ + For example, setting the `rules[].retry.backoff` field to the value + `100ms` will cause a backend request to first be retried approximately + 100 milliseconds after timing out or receiving a response code configured + to be retryable. + + An implementation MAY use an exponential or alternative backoff strategy + for subsequent retry attempts, MAY cap the maximum backoff duration to + some amount greater than the specified minimum, and MAY add arbitrary + jitter to stagger requests, as long as unsuccessful backend requests are + not retried before the configured minimum duration. + + If a Request timeout (`rules[].timeouts.request`) is configured on the + route, the entire duration of the initial request and any retry attempts + MUST not exceed the Request timeout duration. If any retry attempts are + still in progress when the Request timeout duration has been reached, + these SHOULD be canceled if possible and the Gateway MUST immediately + return a timeout error. + + If a BackendRequest timeout (`rules[].timeouts.backendRequest`) is + configured on the route, any retry attempts which reach the configured + BackendRequest timeout duration without a response SHOULD be canceled if + possible and the Gateway should wait for at least the specified backoff + duration before attempting to retry the backend request again. + + If a BackendRequest timeout is _not_ configured on the route, retry + attempts MAY time out after an implementation default duration, or MAY + remain pending until a configured Request timeout or implementation + default duration for total request time is reached. + + When this field is unspecified, the time to wait between retry attempts + is implementation-specific. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + codes: + description: |- + Codes defines the HTTP response status codes for which a backend request + should be retried. 
+ + Support: Extended + items: + description: |- + HTTPRouteRetryStatusCode defines an HTTP response status code for + which a backend request should be retried. + + Implementations MUST support the following status codes as retryable: + + * 500 + * 502 + * 503 + * 504 + + Implementations MAY support specifying additional discrete values in the + 500-599 range. + + Implementations MAY support specifying discrete values in the 400-499 range, + which are often inadvisable to retry. + + + maximum: 599 + minimum: 400 + type: integer + type: array + type: object + sessionPersistence: + description: |+ + SessionPersistence defines and configures session persistence + for the route rule. + + Support: Extended + + properties: + absoluteTimeout: + description: |- + AbsoluteTimeout defines the absolute timeout of the persistent + session. Once the AbsoluteTimeout duration has elapsed, the + session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + cookieConfig: + description: |- + CookieConfig provides configuration settings that are specific + to cookie-based session persistence. + + Support: Core + properties: + lifetimeType: + default: Session + description: |- + LifetimeType specifies whether the cookie has a permanent or + session-based lifetime. A permanent cookie persists until its + specified expiry time, defined by the Expires or Max-Age cookie + attributes, while a session cookie is deleted when the current + session ends. + + When set to "Permanent", AbsoluteTimeout indicates the + cookie's lifetime via the Expires or Max-Age cookie attributes + and is required. + + When set to "Session", AbsoluteTimeout indicates the + absolute lifetime of the cookie tracked by the gateway and + is optional. 
+ + Support: Core for "Session" type + + Support: Extended for "Permanent" type + enum: + - Permanent + - Session + type: string + type: object + idleTimeout: + description: |- + IdleTimeout defines the idle timeout of the persistent session. + Once the session has been idle for more than the specified + IdleTimeout duration, the session becomes invalid. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + sessionName: + description: |- + SessionName defines the name of the persistent session token + which may be reflected in the cookie or the header. Users + should avoid reusing session names to prevent unintended + consequences, such as rejection or unpredictable behavior. + + Support: Implementation-specific + maxLength: 128 + type: string + type: + default: Cookie + description: |- + Type defines the type of session persistence such as through + the use a header or cookie. Defaults to cookie based session + persistence. + + Support: Core for "Cookie" type + + Support: Extended for "Header" type + enum: + - Cookie + - Header + type: string + type: object + x-kubernetes-validations: + - message: AbsoluteTimeout must be specified when cookie lifetimeType + is Permanent + rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) + || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + timeouts: + description: |- + Timeouts defines the timeouts that can be configured for an HTTP request. + + Support: Extended + properties: + backendRequest: + description: |- + BackendRequest specifies a timeout for an individual request from the gateway + to a backend. This covers the time from when the request first starts being + sent from the gateway to when the full response has been received from the backend. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. 
Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + An entire client HTTP transaction with a gateway, covered by the Request timeout, + may result in more than one call from the gateway to the destination backend, + for example, if automatic retries are supported. + + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: |- + Request specifies the maximum duration for a gateway to respond to an HTTP request. + If the gateway has not been able to respond before this deadline is met, the gateway + MUST return a timeout error. + + For example, setting the `rules.timeouts.request` field to the value `10s` in an + `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds + to complete. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + This timeout is intended to cover as close to the whole request-response transaction + as possible although an implementation MAY choose to start the timeout after the entire + request stream has been received instead of immediately after the transaction is + initiated by the client. + + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. 
+ + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: backendRequest timeout cannot be longer than request + timeout + rule: '!(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration(''0s'') && duration(self.backendRequest) + > duration(self.request))' + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? 
false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? 
self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. 
+ + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). 
It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. 
+ + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml new file mode 100644 index 0000000000..a128ab06b0 --- /dev/null +++ b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_referencegrants.yaml 
@@ -0,0 +1,189 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. 
+ + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
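Review bot: In the HTTPRoute CRD's list-level validation on `rules`, the message says the total number of matches "must be less than 128" while the CEL expression ends in `<= 128`, so a route with exactly 128 matches is admitted even though the message says otherwise. Because the file sits under crd/experimental and looks like a vendored copy, I would not patch it locally; record the upstream bundle and version beside the file so the mismatch is tracked there. Separately, every path rule in the same hunk ('//', '/./', '/../', '%2f', '%2F', '#', the trailing '/..' and '/.' checks, and the valid-characters pattern) is conditioned on `self.type in ['Exact','PathPrefix']` and evaluates to `true` otherwise, so `RegularExpression` paths get none of these checks and their dialect is implementation-specific. Routes in this repo that use `RegularExpression` should get an explicit review, or a lint should restrict them.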
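Review bot: The commit message describes only the cnf-adapter and cnfm-lcm bump and the tracing changes, yet this new file (annotations `gateway.networking.k8s.io/channel: experimental` and `bundle-version: v1.2.1`) adds the CRD that governs cross-namespace trust. Please move the Gateway API CRDs into their own change or name them in the message. On the schema itself, `to[].name` is not in the `required` list (only `group` and `kind` are), and its description states that an unset name "refers to all resources of the specified Group and Kind in the local namespace". A grant for kind Secret without `name` therefore exposes every Secret in that namespace to the `from` entries. I would add a note for chart authors, or an admission policy, requiring `to[].name` on ReferenceGrants that target Secrets.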
diff --git a/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml new file mode 100644 index 0000000000..b1ea117834 --- /dev/null +++ b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_tcproutes.yaml 
@@ -0,0 +1,741 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + TCPRoute provides a way to route TCP requests. When combined with a Gateway + listener, it can be used to forward connections on the port specified by the + listener to a set of backends specified by the TCPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. 
For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. 
If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). 
+ + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. 
+ + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. 
+ + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: |+ + Rules are a list of TCP matchers and actions. + + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a non-existent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Connection rejections must + respect weight; if an invalid backend is requested to have 80% of + connections, then 80% of connections must be rejected instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. 
+ + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). 
Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. 
+ + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. 
+ properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. 
+ + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null 
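Review bot: In the `backendRefs` item schema of this TCPRoute CRD, the safety properties the descriptions rely on are not enforced by the schema itself. The `kind` description says implementations SHOULD NOT support ExternalName Services and points to CVE-2021-25740, yet `kind` is only length- and pattern-checked, and the single CEL rule on the item is "Must have port for Service reference". Likewise a backend `namespace` other than the Route's is accepted by the schema and depends on the controller checking for a ReferenceGrant. Because this installs the experimental-channel `v1alpha2` version with `served: true` and `storage: true`, please name in the change description the Gateway implementation that will reconcile these routes, confirm that it rejects ExternalName backends and honours ReferenceGrant, and limit create/update RBAC on `tcproutes` to the namespaces that need it. Since the file is a generated copy (annotation `gateway.networking.k8s.io/bundle-version: v1.2.1`), a short note next to it on how it was obtained would help keep later updates to re-vendoring rather than hand edits.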
diff --git a/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml new file mode 100644 index 0000000000..25072a33a0 --- /dev/null +++ b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml 
@@ -0,0 +1,804 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + The TLSRoute resource is similar to TCPRoute, but can be configured + to match against TLS-specific metadata. This allows more flexibility + in matching streams for a given TLS listener. + + If you need to forward traffic to a single target for a TLS listener, you + could choose to use a TCPRoute with a TLS listener. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. 
+ properties: + hostnames: + description: |- + Hostnames defines a set of SNI names that should match against the + SNI attribute of TLS ClientHello message in TLS handshake. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed in SNI names per RFC 6066. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and TLSRoute, there + must be at least one intersecting hostname for the TLSRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches TLSRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + If both the Listener and TLSRoute have specified hostnames, any + TLSRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + TLSRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and TLSRoute have specified hostnames, and none + match with the criteria above, then the TLSRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. 
A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. 
In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. 
+ + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. 
For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. 
For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. 
+ + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: |+ + Rules are a list of TLS matchers and actions. + + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. 
If unspecified or invalid (refers to a non-existent resource or + a Service with no endpoints), the rule performs no forwarding; if no + filters are specified that would result in a response being sent, the + underlying implementation must actively reject request attempts to this + backend, by rejecting the connection or returning a 500 status code. + Request rejections must respect weight; if an invalid backend is + requested to have 80% of requests, then 80% of requests must be rejected + instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. 
See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. 
+ For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. 
+ properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. 
+ items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). 
It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. 
+ + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_udproutes.yaml b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_udproutes.yaml new file mode 100644 index 0000000000..8c6cba3538 --- /dev/null +++ b/argo/infra/gateway-api/crd/experimental/gateway.networking.k8s.io_udproutes.yaml 
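Review bot: in the TLSRoute CRD hunk that ends above, the `backendRefs` item's `kind` description says implementations SHOULD NOT support ExternalName Services and cites CVE-2021-25740, but the schema enforces none of that. `kind` is constrained only by a name pattern, and the single CEL rule on the item checks `has(self.port)` for Service references. Likewise the cross-namespace rule for `backendRefs.namespace` (a ReferenceGrant in the referent namespace) exists only in description text. Both protections therefore depend entirely on the gateway controller that reconciles these resources. Please state in the commit message or next to these manifests which controller is expected to handle TLSRoute, and confirm that it rejects ExternalName backends and honours ReferenceGrant, so the cluster is not relying on a SHOULD NOT in a description string.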
@@ -0,0 +1,741 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: experimental + creationTimestamp: null + name: udproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: UDPRoute + listKind: UDPRouteList + plural: udproutes + singular: udproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: |- + UDPRoute provides a way to route UDP traffic. When combined with a Gateway + listener, it can be used to forward traffic on the port specified by the + listener to a set of backends specified by the UDPRoute. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of UDPRoute. + properties: + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. 
For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. 
If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). 
+ + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. 
+ + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. 
+ + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? 
((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: |+ + Rules are a list of UDP matchers and actions. + + items: + description: UDPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. If unspecified or invalid (refers to a non-existent resource or a + Service with no endpoints), the underlying implementation MUST actively + reject connection attempts to this backend. Packet drops must + respect weight; if an invalid backend is requested to have 80% of + the packets, then 80% of packets must be dropped instead. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Extended + items: + description: |- + BackendRef defines how a Route should forward a request to a Kubernetes + resource. 
+ + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + + Note that when the BackendTLSPolicy object is enabled by the implementation, + there are some extra rules about validity to consider here. See the fields + where this struct is used for more information about the exact behavior. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). 
Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. 
+ + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + required: + - rules + type: object + status: + description: Status defines the current state of UDPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. 
+ properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. 
+ + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/kustomization.yaml b/argo/infra/gateway-api/crd/kustomization.yaml new file mode 100644 index 0000000000..168e004cff --- /dev/null 
+++ b/argo/infra/gateway-api/crd/kustomization.yaml @@ -0,0 +1,29 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +resources: + #- experimental/gateway.networking.k8s.io_gateways.yaml + - experimental/gateway.networking.k8s.io_udproutes.yaml + - experimental/gateway.networking.k8s.io_tcproutes.yaml + - experimental/gateway.networking.k8s.io_tlsroutes.yaml + - experimental/gateway.networking.k8s.io_backendlbpolicies.yaml + - standard/gateway.networking.k8s.io_gatewayclasses.yaml + - standard/gateway.networking.k8s.io_gateways.yaml + - standard/gateway.networking.k8s.io_grpcroutes.yaml + - standard/gateway.networking.k8s.io_httproutes.yaml + - standard/gateway.networking.k8s.io_referencegrants.yaml diff --git a/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml b/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml new file mode 100644 index 0000000000..ff0eda087e --- /dev/null +++ b/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml 
@@ -0,0 +1,478 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. + + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + GatewayClass is a Cluster level resource. 
+ properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. + + Example: "example.net/gateway-controller". + + This field is not mutable and cannot be empty. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. This is optional if the + controller does not require any additional configuration. + + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. 
+ + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. + + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. 
+ + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. + + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. + + Example: "example.net/gateway-controller". + + This field is not mutable and cannot be empty. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. This is optional if the + controller does not require any additional configuration. + + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. 
+ + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. + + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. 
+ + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_gateways.yaml b/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_gateways.yaml new file mode 100644 index 0000000000..c2eea6cb3b --- /dev/null +++ b/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_gateways.yaml 
@@ -0,0 +1,2188 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |+ + Addresses requested for this Gateway. 
This is optional and behavior can + depend on the implementation. If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in the associated entry in GatewayStatus.Addresses. + + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. + + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. + + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + Support: Extended + + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? 
self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: |- + Infrastructure defines infrastructure level attributes about this Gateway instance. + + Support: Extended + properties: + annotations: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Annotations that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. + For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. + + An implementation may chose to add additional implementation-specific annotations as they see fit. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. 
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: |- + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. + + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + Labels that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. + For other implementations, this refers to any relevant (implementation specific) "labels" concepts. + + An implementation may chose to add additional implementation-specific labels as they see fit. + + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. 
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the Gateway. This is optional if the + controller does not require any additional configuration. + + This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis + + The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + listeners: + description: |- + Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. + At least one Listener MUST be specified. + + ## Distinct Listeners + + Each Listener in a set of Listeners (for example, in a single Gateway) + MUST be _distinct_, in that a traffic flow MUST be able to be assigned to + exactly one listener. 
(This section uses "set of Listeners" rather than + "Listeners in a single Gateway" because implementations MAY merge configuration + from multiple Gateways onto a single data plane, and these rules _also_ + apply in that case). + + Practically, this means that each listener in a set MUST have a unique + combination of Port, Protocol, and, if supported by the protocol, Hostname. + + Some combinations of port, protocol, and TLS settings are considered + Core support and MUST be supported by implementations based on the objects + they support: + + HTTPRoute + + 1. HTTPRoute, Port: 80, Protocol: HTTP + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided + + TLSRoute + + 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + "Distinct" Listeners have the following property: + + **The implementation can match inbound requests to a single distinct + Listener**. + + When multiple Listeners share values for fields (for + example, two Listeners with the same Port value), the implementation + can match requests to only one of the Listeners using other + Listener fields. + + When multiple listeners have the same value for the Protocol field, then + each of the Listeners with matching Protocol values MUST have different + values for other fields. + + The set of fields that MUST be different for a Listener differs per protocol. + The following rules define the rules for what fields MUST be considered for + Listeners to be distinct with each protocol currently defined in the + Gateway API spec. 
+ + The set of listeners that all share a protocol value MUST have _different_ + values for _at least one_ of these fields to be distinct: + + * **HTTP, HTTPS, TLS**: Port, Hostname + * **TCP, UDP**: Port + + One **very** important rule to call out involves what happens when an + implementation: + + * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol + Listeners, and + * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP + Protocol. + + In this case all the Listeners that share a port with the + TCP Listener are not distinct and so MUST NOT be accepted. + + If an implementation does not support TCP Protocol Listeners, then the + previous rule does not apply, and the TCP Listeners SHOULD NOT be + accepted. + + Note that the `tls` field is not used for determining if a listener is distinct, because + Listeners that _only_ differ on TLS config will still conflict in all cases. + + ### Listeners that are distinct only by Hostname + + When the Listeners are distinct based only on Hostname, inbound request + hostnames MUST match from the most specific to least specific Hostname + values to choose the correct Listener and its associated set of Routes. + + Exact matches MUST be processed before wildcard matches, and wildcard + matches MUST be processed before fallback (empty Hostname value) + matches. For example, `"foo.example.com"` takes precedence over + `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. + + Additionally, if there are multiple wildcard entries, more specific + wildcard entries must be processed before less specific wildcard entries. + For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. + + The precise definition here is that the higher the number of dots in the + hostname to the right of the wildcard character, the higher the precedence. 
+ + The wildcard character will match any number of characters _and dots_ to + the left, however, so `"*.example.com"` will match both + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + ## Handling indistinct Listeners + + If a set of Listeners contains Listeners that are not distinct, then those + Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + condition in the Listener Status to "True". + + The words "indistict" and "conflicted" are considered equivalent for the + purpose of this documentation. + + Implementations MAY choose to accept a Gateway with some Conflicted + Listeners only if they only accept the partial Listener set that contains + no Conflicted Listeners. + + Specifically, an implementation MAY accept a partial Listener set subject to + the following rules: + + * The implementation MUST NOT pick one conflicting Listener as the winner. + ALL indistinct Listeners must not be accepted for processing. + * At least one distinct Listener MUST be present, or else the Gateway effectively + contains _no_ Listeners, and must be rejected from processing as a whole. + + The implementation MUST set a "ListenersNotValid" condition on the + Gateway Status when the Gateway contains Conflicted Listeners whether or + not they accept the Gateway. That Condition SHOULD clearly + indicate in the Message which Listeners are conflicted, and which are + Accepted. Additionally, the Listener status for those listeners SHOULD + indicate which Listeners are conflicted and not Accepted. + + ## General Listener behavior + + Note that, for all distinct Listeners, requests SHOULD match at most one Listener. + For example, if Listeners are defined for "foo.example.com" and "*.example.com", a + request to "foo.example.com" SHOULD only be routed using routes attached + to the "foo.example.com" Listener (and not the "*.example.com" Listener). + + This concept is known as "Listener Isolation", and it is an Extended feature + of Gateway API. 
Implementations that do not support Listener Isolation MUST + clearly document this, and MUST NOT claim support for the + `GatewayHTTPListenerIsolation` feature. + + Implementations that _do_ support Listener Isolation SHOULD claim support + for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated + conformance tests. + + ## Compatible Listeners + + A Gateway's Listeners are considered _compatible_ if: + + 1. They are distinct. + 2. The implementation can serve them in compliance with the Addresses + requirement that all Listeners are available on all assigned + addresses. + + Compatible combinations in Extended support are expected to vary across + implementations. A combination that is compatible for one implementation + may not be compatible for another. + + For example, an implementation that cannot serve both TCP and UDP listeners + on the same address, or cannot mix HTTPS and generic TLS listens on the same port + would not consider those cases compatible, even though they are distinct. + + Implementations MAY merge separate Gateways onto a single set of + Addresses if all Listeners across all Gateways are compatible. + + Support: Core + items: + description: |- + Listener embodies the concept of a logical endpoint where a Gateway accepts + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. 
For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + + Support: Core + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. 
+ + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: |- + Protocol specifies the network protocol this listener expects to receive. + + Support: Core + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + The association of SNIs to Certificate defined in GatewayTLSConfig is + defined based on the Hostname field for this listener. + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + + Support: Core + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. 
+ + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. 
+ + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol + == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname + == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. 
+ properties: + addresses: + description: |+ + Addresses lists the network addresses that have been bound to the + Gateway. + + This list may differ from the addresses provided in the spec under some + conditions: + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + + items: + description: GatewayStatusAddress describes a network address that + is bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the Gateway. 
+ + Implementations should prefer to express Gateway conditions + using the `GatewayConditionType` and `GatewayConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe Gateway state. + + Known condition types are: + + * "Accepted" + * "Programmed" + * "Ready" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. + + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener or Route status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners with condition Accepted: false and MUST count successfully + attached Routes that may themselves have Accepted: false conditions. + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds an implementation supports for + that Listener configuration. + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |+ + Addresses requested for this Gateway. This is optional and behavior can + depend on the implementation. 
If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in the associated entry in GatewayStatus.Addresses. + + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. + + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. + + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + Support: Extended + + items: + description: GatewayAddress describes an address that can be bound + to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? 
self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' ? self.exists_one(a2, + a2.type == a1.type && a2.value == a1.value) : true )' + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: |- + Infrastructure defines infrastructure level attributes about this Gateway instance. + + Support: Extended + properties: + annotations: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Annotations that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. + For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. + + An implementation may chose to add additional implementation-specific annotations as they see fit. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. 
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: |- + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. + + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + Labels that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. + For other implementations, this refers to any relevant (implementation specific) "labels" concepts. + + An implementation may chose to add additional implementation-specific labels as they see fit. + + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. 
+ rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the Gateway. This is optional if the + controller does not require any additional configuration. + + This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis + + The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + listeners: + description: |- + Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. + At least one Listener MUST be specified. + + ## Distinct Listeners + + Each Listener in a set of Listeners (for example, in a single Gateway) + MUST be _distinct_, in that a traffic flow MUST be able to be assigned to + exactly one listener. 
(This section uses "set of Listeners" rather than + "Listeners in a single Gateway" because implementations MAY merge configuration + from multiple Gateways onto a single data plane, and these rules _also_ + apply in that case). + + Practically, this means that each listener in a set MUST have a unique + combination of Port, Protocol, and, if supported by the protocol, Hostname. + + Some combinations of port, protocol, and TLS settings are considered + Core support and MUST be supported by implementations based on the objects + they support: + + HTTPRoute + + 1. HTTPRoute, Port: 80, Protocol: HTTP + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided + + TLSRoute + + 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + "Distinct" Listeners have the following property: + + **The implementation can match inbound requests to a single distinct + Listener**. + + When multiple Listeners share values for fields (for + example, two Listeners with the same Port value), the implementation + can match requests to only one of the Listeners using other + Listener fields. + + When multiple listeners have the same value for the Protocol field, then + each of the Listeners with matching Protocol values MUST have different + values for other fields. + + The set of fields that MUST be different for a Listener differs per protocol. + The following rules define the rules for what fields MUST be considered for + Listeners to be distinct with each protocol currently defined in the + Gateway API spec. 
+ + The set of listeners that all share a protocol value MUST have _different_ + values for _at least one_ of these fields to be distinct: + + * **HTTP, HTTPS, TLS**: Port, Hostname + * **TCP, UDP**: Port + + One **very** important rule to call out involves what happens when an + implementation: + + * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol + Listeners, and + * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP + Protocol. + + In this case all the Listeners that share a port with the + TCP Listener are not distinct and so MUST NOT be accepted. + + If an implementation does not support TCP Protocol Listeners, then the + previous rule does not apply, and the TCP Listeners SHOULD NOT be + accepted. + + Note that the `tls` field is not used for determining if a listener is distinct, because + Listeners that _only_ differ on TLS config will still conflict in all cases. + + ### Listeners that are distinct only by Hostname + + When the Listeners are distinct based only on Hostname, inbound request + hostnames MUST match from the most specific to least specific Hostname + values to choose the correct Listener and its associated set of Routes. + + Exact matches MUST be processed before wildcard matches, and wildcard + matches MUST be processed before fallback (empty Hostname value) + matches. For example, `"foo.example.com"` takes precedence over + `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. + + Additionally, if there are multiple wildcard entries, more specific + wildcard entries must be processed before less specific wildcard entries. + For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. + + The precise definition here is that the higher the number of dots in the + hostname to the right of the wildcard character, the higher the precedence. 
+ + The wildcard character will match any number of characters _and dots_ to + the left, however, so `"*.example.com"` will match both + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + ## Handling indistinct Listeners + + If a set of Listeners contains Listeners that are not distinct, then those + Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + condition in the Listener Status to "True". + + The words "indistict" and "conflicted" are considered equivalent for the + purpose of this documentation. + + Implementations MAY choose to accept a Gateway with some Conflicted + Listeners only if they only accept the partial Listener set that contains + no Conflicted Listeners. + + Specifically, an implementation MAY accept a partial Listener set subject to + the following rules: + + * The implementation MUST NOT pick one conflicting Listener as the winner. + ALL indistinct Listeners must not be accepted for processing. + * At least one distinct Listener MUST be present, or else the Gateway effectively + contains _no_ Listeners, and must be rejected from processing as a whole. + + The implementation MUST set a "ListenersNotValid" condition on the + Gateway Status when the Gateway contains Conflicted Listeners whether or + not they accept the Gateway. That Condition SHOULD clearly + indicate in the Message which Listeners are conflicted, and which are + Accepted. Additionally, the Listener status for those listeners SHOULD + indicate which Listeners are conflicted and not Accepted. + + ## General Listener behavior + + Note that, for all distinct Listeners, requests SHOULD match at most one Listener. + For example, if Listeners are defined for "foo.example.com" and "*.example.com", a + request to "foo.example.com" SHOULD only be routed using routes attached + to the "foo.example.com" Listener (and not the "*.example.com" Listener). + + This concept is known as "Listener Isolation", and it is an Extended feature + of Gateway API. 
Implementations that do not support Listener Isolation MUST + clearly document this, and MUST NOT claim support for the + `GatewayHTTPListenerIsolation` feature. + + Implementations that _do_ support Listener Isolation SHOULD claim support + for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated + conformance tests. + + ## Compatible Listeners + + A Gateway's Listeners are considered _compatible_ if: + + 1. They are distinct. + 2. The implementation can serve them in compliance with the Addresses + requirement that all Listeners are available on all assigned + addresses. + + Compatible combinations in Extended support are expected to vary across + implementations. A combination that is compatible for one implementation + may not be compatible for another. + + For example, an implementation that cannot serve both TCP and UDP listeners + on the same address, or cannot mix HTTPS and generic TLS listens on the same port + would not consider those cases compatible, even though they are distinct. + + Implementations MAY merge separate Gateways onto a single set of + Addresses if all Listeners across all Gateways are compatible. + + Support: Core + items: + description: |- + Listener embodies the concept of a logical endpoint where a Gateway accepts + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. 
For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + + Support: Core + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. 
+ maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match at both the TLS and HTTP + protocol layers as described above. If an implementation does not + ensure that both the SNI and Host header match the Listener hostname, + it MUST clearly document that. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. 
+ + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: |- + Protocol specifies the network protocol this listener expects to receive. + + Support: Core + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + The association of SNIs to Certificate defined in GatewayTLSConfig is + defined based on the Hostname field for this listener. + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + + Support: Core + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. 
+ + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. 
+ + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol + == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname + == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. 
+ properties: + addresses: + description: |+ + Addresses lists the network addresses that have been bound to the + Gateway. + + This list may differ from the addresses provided in the spec under some + conditions: + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + + items: + description: GatewayStatusAddress describes a network address that + is bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the Gateway. 
+ + Implementations should prefer to express Gateway conditions + using the `GatewayConditionType` and `GatewayConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe Gateway state. + + Known condition types are: + + * "Accepted" + * "Programmed" + * "Ready" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. + + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener or Route status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners with condition Accepted: false and MUST count successfully + attached Routes that may themselves have Accepted: false conditions. + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. 
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. 
+ maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds an implementation supports for + that Listener configuration. + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml b/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml new file mode 100644 index 0000000000..0fec6a4ea6 --- /dev/null +++ b/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml 
@@ -0,0 +1,2009 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + GRPCRoute provides a way to route gRPC requests. This includes the capability + to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + Filters can be used to specify additional processing steps. Backends specify + where matching requests will be routed. + + GRPCRoute falls under extended support within the Gateway API. Within the + following specification, the word "MUST" indicates that an implementation + supporting GRPCRoute must conform to the indicated requirement, but an + implementation not supporting this route type need not follow the requirement + unless explicitly indicated. + + Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + ALPN. If the implementation does not support this, then it MUST set the + "Accepted" condition to "False" for the affected listener with a reason of + "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + with an upgrade from HTTP/1. 
+ + Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + support HTTP/2 over cleartext TCP (h2c, + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + upgrade from HTTP/1.1, i.e. with prior knowledge + (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + does not support this, then it MUST set the "Accepted" condition to "False" + for the affected listener with a reason of "UnsupportedProtocol". + Implementations MAY also accept HTTP/2 connections with an upgrade from + HTTP/1, i.e. without prior knowledge. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames to match against the GRPC + Host header to select a GRPCRoute to process the request. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label MUST appear by itself as the first label. + + If a hostname is specified by both the Listener and GRPCRoute, there + MUST be at least one intersecting hostname for the GRPCRoute to be + attached to the Listener. 
For example: + + * A Listener with `test.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + If both the Listener and GRPCRoute have specified hostnames, any + GRPCRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + GRPCRoute specified `test.example.com` and `test.example.net`, + `test.example.net` MUST NOT be considered for a match. + + If both the Listener and GRPCRoute have specified hostnames, and none + match with the criteria above, then the GRPCRoute MUST NOT be accepted by + the implementation. The implementation MUST raise an 'Accepted' Condition + with a status of `False` in the corresponding RouteParentStatus. + + If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + Listener and that listener already has another Route (B) of the other + type attached and the intersection of the hostnames of A and B is + non-empty, then the implementation MUST accept exactly one of these two + routes, determined by the following criteria, in order: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". 
+ + The rejected Route MUST raise an 'Accepted' condition with a status of + 'False' in the corresponding RouteParentStatus. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. 
+ + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. 
For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. 
+ * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? 
((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: |+ + Rules are a list of GRPC matchers, filters and actions. + + items: + description: |- + GRPCRouteRule defines the semantics for matching a gRPC request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive an `UNAVAILABLE` status. + + See the GRPCBackendRef definition for the rules about what makes a single + GRPCBackendRef invalid. + + When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive an `UNAVAILABLE` status. 
+ + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + Implementations may choose how that 50 percent is determined. + + Support: Core for Kubernetes Service + + Support: Implementation-specific for any other resource + + Support for weight: Core + items: + description: |- + GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + properties: + filters: + description: |- + Filters defined at this level MUST be executed if and only if the + request is being forwarded to the backend defined here. + + Support: Implementation-specific (For broader support of filters, use the + Filters field in GRPCRouteRule.) + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. 
Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + Support: Implementation-specific + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. 
(See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. 
Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. 
+ + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. 
+ For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. 
The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". 
All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. 
+ + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. 
For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. 
+ format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + The effects of ordering of multiple behaviors are currently unspecified. + This can change in the future based on feedback during the alpha stage. + + Conformance-levels at this level are defined based on the type of filter: + + - ALL core filters MUST be supported by all implementations that support + GRPCRoute. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + If an implementation can not support a combination of filters, it must clearly + document that limitation. 
In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + Support: Core + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + Support: Implementation-specific + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. 
+ + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. 
Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |+ + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. 
+ + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + matches: + description: |- + Matches define conditions used for matching the rule against incoming 
+ gRPC requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + For example, take the following matches configuration: + + ``` + matches: + - method: + service: foo.bar + headers: + values: + version: 2 + - method: + service: foo.bar.v2 + ``` + + For a request to match against this rule, it MUST satisfy + EITHER of the two conditions: + + - service of foo.bar AND contains the header `version: 2` + - service of foo.bar.v2 + + See the documentation for GRPCRouteMatch on how to specify multiple + match conditions to be ANDed together. + + If no matches are specified, the implementation MUST match every gRPC request. + + Proxy or Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing on + ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number of: + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + * Characters in a matching service. + * Characters in a matching method. + * Header matches. + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching rule meeting + the above criteria. + items: + description: |- + GRPCRouteMatch defines the predicate used to match requests to a given + action. Multiple match types are ANDed together, i.e. the match will + evaluate to true only if all conditions are satisfied. 
+ + For example, the match below will match a gRPC request only if its service + is `foo` AND it contains the `version: v1` header: + + ``` + matches: + - method: + type: Exact + service: "foo" + headers: + - name: "version" + value "v1" + + ``` + properties: + headers: + description: |- + Headers specifies gRPC request header matchers. Multiple match values are + ANDed together, meaning, a request MUST match all the specified headers + to select the route. + items: + description: |- + GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + headers. + properties: + name: + description: |- + Name is the name of the gRPC Header to be matched. + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies a gRPC request service/method matcher. If this field is + not specified, all services and methods will match. + properties: + method: + description: |- + Value of the method to match against. If left empty or omitted, will + match all services. + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + service: + description: |- + Value of the service to match against. 
If left empty or omitted, will + match any service. + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + type: + default: Exact + description: |- + Type specifies how to match against the service and/or method. + Support: Core (Exact with service and method specified) + + Support: Implementation-specific (Exact with method specified but no service specified) + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - RegularExpression + type: string + type: object + x-kubernetes-validations: + - message: One or both of 'service' or 'method' must be + specified + rule: 'has(self.type) ? has(self.service) || has(self.method) + : true' + - message: service must only contain valid characters + (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): + true' + - message: method must only contain valid characters (matching + ^[A-Za-z_][A-Za-z_0-9]*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): + true' + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size() + : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size() + : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size() + : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size() + : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size() + : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size() + : 0) : 0) + (self.size() > 6 ? 
(has(self[6].matches) ? self[6].matches.size() + : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size() + : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size() + : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size() + : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size() + : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size() + : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size() + : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size() + : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size() + : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size() + : 0) : 0) <= 128' + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. 
+ Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. 
+ Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. 
+ When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. 
When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. 
If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_httproutes.yaml b/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_httproutes.yaml new file mode 100644 index 0000000000..31d3cc06c6 --- /dev/null +++ b/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_httproutes.yaml 
@@ -0,0 +1,5528 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. 
+ properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. + + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. 
+ + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. 
For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. 
+ + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. 
When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? 
((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: |+ + Rules are a list of HTTP matchers, filters and actions. + + items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. 
+ + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. + + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + properties: + filters: + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. 
+ + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? 
self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. 
+ + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. 
+ enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. 
+ + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + 
- message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. 
+ + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. 
+ format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + Wherever possible, implementations SHOULD implement filters in the order + they are specified. + + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that can not be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. + + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. + + Conformance-levels at this level are defined based on the type of filter: + + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation can not support other combinations of filters, they must clearly + document that limitation. 
In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. 
+ + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? 
self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. 
+ + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. 
+ enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. 
+ + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - 
message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + For example, take the following matches configuration: + + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: + + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. 
Across all rules specified on applicable Routes, precedence must be + given to the match having: + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. + + Note: The precedence of RegularExpression path matches are implementation-specific. + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. + + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. + + Support: Core (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. 
+ properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. + + Support: Core (Exact, PathPrefix) + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? 
!self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. + + Support: Extended (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + timeouts: + description: |- + Timeouts defines the timeouts that can be configured for an HTTP request. + + Support: Extended + properties: + backendRequest: + description: |- + BackendRequest specifies a timeout for an individual request from the gateway + to a backend. This covers the time from when the request first starts being + sent from the gateway to when the full response has been received from the backend. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + An entire client HTTP transaction with a gateway, covered by the Request timeout, + may result in more than one call from the gateway to the destination backend, + for example, if automatic retries are supported. + + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. 
When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: |- + Request specifies the maximum duration for a gateway to respond to an HTTP request. + If the gateway has not been able to respond before this deadline is met, the gateway + MUST return a timeout error. + + For example, setting the `rules.timeouts.request` field to the value `10s` in an + `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds + to complete. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + This timeout is intended to cover as close to the whole request-response transaction + as possible although an implementation MAY choose to start the timeout after the entire + request stream has been received instead of immediately after the transaction is + initiated by the client. + + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. 
+ + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: backendRequest timeout cannot be longer than request + timeout + rule: '!(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration(''0s'') && duration(self.backendRequest) + > duration(self.request))' + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? 
false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? 
self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. 
+ + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. 
+ + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. 
+ + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. 
Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. + + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. 
The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: |+ + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. 
For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. 
+ + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + + + + + + + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. 
When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. 
+ + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? 
((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: |+ + Rules are a list of HTTP matchers, filters and actions. + + items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. 
+ + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. + + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations SHOULD + honor the appProtocol field if it is set for the target Service Port. + + Implementations supporting appProtocol SHOULD recognize the Kubernetes + Standard Application Protocols defined in KEP-3726. + + If a Service appProtocol isn't specified, an implementation MAY infer the + backend protocol through its own means. Implementations MAY infer the + protocol from the Route type referring to the backend Service. + + If a Route is not able to send traffic to the backend using the specified + protocol then the backend is considered invalid. Implementations MUST set the + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" reason. + + + properties: + filters: + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. 
+ + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? 
self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. 
+ + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. 
+ enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. 
+ + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + 
- message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. 
+ + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. 
+ format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + Wherever possible, implementations SHOULD implement filters in the order + they are specified. + + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that can not be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. + + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. + + Conformance-levels at this level are defined based on the type of filter: + + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation can not support other combinations of filters, they must clearly + document that limitation. 
In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. 
+ + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. 
+ + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |+ + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. 
The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. 
+ + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + required: + - backendRef + type: object + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. 
+ maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? 
self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. 
+ + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. 
+ maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. 
+ enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. 
+ + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? 
self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - 
message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + For example, take the following matches configuration: + + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: + + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. 
Across all rules specified on applicable Routes, precedence must be + given to the match having: + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. + + Note: The precedence of RegularExpression path matches are implementation-specific. + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. + + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). 
+ + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. + + Support: Core (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. 
+ properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. + + Support: Core (Exact, PathPrefix) + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? 
!self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. 
+ maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. + + Support: Extended (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + timeouts: + description: |- + Timeouts defines the timeouts that can be configured for an HTTP request. + + Support: Extended + properties: + backendRequest: + description: |- + BackendRequest specifies a timeout for an individual request from the gateway + to a backend. This covers the time from when the request first starts being + sent from the gateway to when the full response has been received from the backend. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + An entire client HTTP transaction with a gateway, covered by the Request timeout, + may result in more than one call from the gateway to the destination backend, + for example, if automatic retries are supported. + + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. 
When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: |- + Request specifies the maximum duration for a gateway to respond to an HTTP request. + If the gateway has not been able to respond before this deadline is met, the gateway + MUST return a timeout error. + + For example, setting the `rules.timeouts.request` field to the value `10s` in an + `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds + to complete. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + This timeout is intended to cover as close to the whole request-response transaction + as possible although an implementation MAY choose to start the timeout after the entire + request stream has been received instead of immediately after the transaction is + initiated by the client. + + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. 
+ + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: backendRequest timeout cannot be longer than request + timeout + rule: '!(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration(''0s'') && duration(self.backendRequest) + > duration(self.request))' + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? 
false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? 
self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. 
+ + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a non-existent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. 
+ + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. 
+ + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. 
+ + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_referencegrants.yaml b/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_referencegrants.yaml new file mode 100644 index 0000000000..8fb4050026 --- /dev/null +++ b/argo/infra/gateway-api/crd/standard/gateway.networking.k8s.io_referencegrants.yaml 
@@ -0,0 +1,189 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.2.1 + gateway.networking.k8s.io/channel: standard + creationTimestamp: null + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. 
+ + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/argo/infra/gateway-api/kustomization.yaml b/argo/infra/gateway-api/kustomization.yaml new file mode 100644 index 0000000000..cfc4445ab5 --- /dev/null 
+++ b/argo/infra/gateway-api/kustomization.yaml @@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +kind: Kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 + +resources: + - crd/ diff --git a/argo/infra/infra-ingress.yaml b/argo/infra/infra-ingress.yaml new file mode 100644 index 0000000000..fc9f4548cd --- /dev/null +++ b/argo/infra/infra-ingress.yaml 
@@ -0,0 +1,60 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: infra-ingress + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + labels: + name: infra-ingress +spec: + project: argo-management + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: + targetRevision: + path: ./argo/infra/ingress-routes/helm + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/infra-ingress.yaml + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: false + selfHeal: true + allowEmpty: false + syncOptions: + - Validate=true + - CreateNamespace=true + #- PrunePropagationPolicy=foreground + #- PruneLast=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + revisionHistoryLimit: 10 diff --git a/argo/infra/ingress-routes/helm/Chart.yaml b/argo/infra/ingress-routes/helm/Chart.yaml new file mode 100644 index 0000000000..7b45819a96 --- /dev/null +++ b/argo/infra/ingress-routes/helm/Chart.yaml 
@@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: v2 +version: 0.0.1 +description: Chart to create gateway and Ingress Routes +name: ingress diff --git a/argo/infra/ingress-routes/helm/templates/gateway.yaml b/argo/infra/ingress-routes/helm/templates/gateway.yaml new file mode 100644 index 0000000000..7aadb7a2a9 --- /dev/null +++ b/argo/infra/ingress-routes/helm/templates/gateway.yaml 
@@ -0,0 +1,164 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: common-gateway + namespace: istio-ingress +spec: + gatewayClassName: istio + listeners: + - name: http + hostname: "*.{{ .Values.dns_zone }}" + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: All + - name: https + hostname: "*.{{ .Values.dns_zone }}" + port: 443 + protocol: HTTPS + allowedRoutes: + namespaces: + from: All + tls: + mode: Terminate + options: + minProtocolVersion: TLSV1_3 + certificateRefs: + - kind: Secret + group: "" + name: ingress-tls-secret + # TODO cert from other NS eg. 
cert-manager https://gateway-api.sigs.k8s.io/v1alpha2/guides/tls/#cross-namespace-certificate-references + - name: ftp-20 + protocol: TCP + port: 30026 + allowedRoutes: + kinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + namespaces: + from: All + - name: ftp-21 + protocol: TCP + port: 30025 + allowedRoutes: + kinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + namespaces: + from: All + - name: ftp-route-passive-32100 + protocol: TCP + port: 32100 + allowedRoutes: + kinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + namespaces: + from: All + - name: ftp-route-passive-32101 + protocol: TCP + port: 32101 + allowedRoutes: + kinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + namespaces: + from: All + - name: ftp-route-passive-32102 + protocol: TCP + port: 32102 + allowedRoutes: + kinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + namespaces: + from: All + - name: cson-importer + protocol: TCP + port: 2222 + allowedRoutes: + kinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + namespaces: + from: All + - name: tcp-4334 + protocol: TCP + port: 4334 + allowedRoutes: + kinds: + - group: gateway.networking.k8s.io + kind: TCPRoute + namespaces: + from: All + - name: tcp-9000 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ .Values.post_addr }}.{{ .Values.dns_zone }}" + port: 9000 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9001 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ .Values.post_addr }}.{{ .Values.dns_zone }}" + port: 9001 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9002 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ .Values.post_addr }}.{{ .Values.dns_zone }}" + port: 9002 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret 
+ mode: Terminate + - name: tcp-9010 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-bootstrap-api{{ .Values.post_addr }}.{{ .Values.dns_zone }}" + port: 9010 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate diff --git a/argo/infra/ingress-routes/helm/templates/ingress-argocd.yaml b/argo/infra/ingress-routes/helm/templates/ingress-argocd.yaml new file mode 100644 index 0000000000..b424de41a2 --- /dev/null +++ b/argo/infra/ingress-routes/helm/templates/ingress-argocd.yaml 
@@ -0,0 +1,57 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: argocd-http-route + namespace: argocd +spec: + parentRefs: + - name: common-gateway + namespace: istio-ingress + hostnames: + - argocd{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - backendRefs: + - name: argocd-server + port: 80 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: argocd-redirect-route + namespace: argocd +spec: + parentRefs: + - name: common-gateway + sectionName: https + namespace: istio-ingress + hostnames: + - argocd{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + #statusCode: 301 + port: 443 diff --git a/argo/infra/ingress-routes/helm/templates/ingress-defectdojo.yaml b/argo/infra/ingress-routes/helm/templates/ingress-defectdojo.yaml new file mode 100644 index 0000000000..02678ab7b7 --- /dev/null +++ b/argo/infra/ingress-routes/helm/templates/ingress-defectdojo.yaml 
@@ -0,0 +1,58 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: defectdojo-route + namespace: defectdojo +spec: + parentRefs: + - name: common-gateway + sectionName: https + namespace: istio-ingress + hostnames: + - defectdojo{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: defectdojo-django + port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: defectdojo-redirect-route + namespace: defectdojo +spec: + parentRefs: + - name: common-gateway + sectionName: http + namespace: istio-ingress + hostnames: + - defectdojo{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 diff --git a/argo/infra/ingress-routes/helm/templates/ingress-grafana.yaml b/argo/infra/ingress-routes/helm/templates/ingress-grafana.yaml new file mode 100644 index 0000000000..8855f7c356 --- /dev/null 
+++ b/argo/infra/ingress-routes/helm/templates/ingress-grafana.yaml @@ -0,0 +1,54 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: grafana-route + namespace: prometheus +spec: + parentRefs: + - name: common-gateway + sectionName: https + namespace: istio-ingress + hostnames: + - grafana{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - backendRefs: + - name: prometheus-grafana + port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: grafana-redirect-route + namespace: prometheus +spec: + parentRefs: + - name: common-gateway + sectionName: http + namespace: istio-ingress + hostnames: + - grafana{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 diff --git a/argo/infra/ingress-routes/helm/templates/ingress-jaeger.yaml b/argo/infra/ingress-routes/helm/templates/ingress-jaeger.yaml new file mode 100644 index 0000000000..64b449496b --- /dev/null 
+++ b/argo/infra/ingress-routes/helm/templates/ingress-jaeger.yaml @@ -0,0 +1,54 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: jaeger-route + namespace: istio-system +spec: + parentRefs: + - name: common-gateway + sectionName: https + namespace: istio-ingress + hostnames: + - jaeger-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - backendRefs: + - name: jaeger-query + port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: jaeger-redirect-route + namespace: istio-system +spec: + parentRefs: + - name: common-gateway + sectionName: http + namespace: istio-ingress + hostnames: + - jaeger-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 diff --git a/argo/infra/ingress-routes/helm/templates/ingress-keycloak.yaml b/argo/infra/ingress-routes/helm/templates/ingress-keycloak.yaml new file mode 100644 index 0000000000..62753b8a1d --- /dev/null 
+++ b/argo/infra/ingress-routes/helm/templates/ingress-keycloak.yaml @@ -0,0 +1,53 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: keycloak-ui-http-route + namespace: keycloak +spec: + hostnames: + - keycloak-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }} + parentRefs: + - name: common-gateway + namespace: istio-ingress + rules: + - backendRefs: + - name: keycloak-http + port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: keycloak-ui-redirect-route + namespace: keycloak +spec: + hostnames: + - keycloak-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }} + parentRefs: + - name: common-gateway + namespace: istio-ingress + sectionName: https + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + #statusCode: 301 + port: 443 diff --git a/argo/infra/ingress-routes/helm/templates/ingress-kiali.yaml b/argo/infra/ingress-routes/helm/templates/ingress-kiali.yaml new file mode 100644 index 0000000000..cafd38fb3b --- /dev/null +++ b/argo/infra/ingress-routes/helm/templates/ingress-kiali.yaml 
@@ -0,0 +1,54 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: kiali-route + namespace: istio-system +spec: + parentRefs: + - name: common-gateway + sectionName: https + namespace: istio-ingress + hostnames: + - kiali{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - backendRefs: + - name: kiali + port: 20001 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: kiali-redirect-route + namespace: istio-system +spec: + parentRefs: + - name: common-gateway + sectionName: http + namespace: istio-ingress + hostnames: + - kiali{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 diff --git a/argo/infra/ingress-routes/helm/values.yaml b/argo/infra/ingress-routes/helm/values.yaml new file mode 100644 index 0000000000..d282f5e9a3 --- /dev/null +++ b/argo/infra/ingress-routes/helm/values.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +post_addr: "" +dns_zone: "" diff --git a/argo/infra/istio.yaml b/argo/infra/istio.yaml new file mode 100644 index 0000000000..2936c488ce --- /dev/null +++ b/argo/infra/istio.yaml 
@@ -0,0 +1,94 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istio-base + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://istio-release.storage.googleapis.com/charts + chart: base + targetRevision: 1.26.1 + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/istio-base.yaml + destination: + server: https://kubernetes.default.svc + namespace: istio-system + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + name: istiod-default-validator + jsonPointers: + - /webhooks/0/failurePolicy + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istiod + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: 
+ project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://istio-release.storage.googleapis.com/charts + chart: istiod + targetRevision: 1.26.1 + helm: + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/istiod.yaml + destination: + server: https://kubernetes.default.svc + namespace: istio-system + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + name: istio-validator-istio-system + jsonPointers: + - /webhooks/0/failurePolicy + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/jaeger.yaml b/argo/infra/jaeger.yaml new file mode 100644 index 0000000000..c9efbb4d7d --- /dev/null +++ b/argo/infra/jaeger.yaml 
@@ -0,0 +1,52 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: jaeger + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://jaegertracing.github.io/helm-charts + chart: jaeger + targetRevision: 3.4.1 + helm: + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/jaeger.yaml + destination: + server: https://kubernetes.default.svc + namespace: istio-system + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: disabled + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/k8ssandra-operator.yaml b/argo/infra/k8ssandra-operator.yaml new file mode 100644 index 0000000000..33bb535744 --- /dev/null +++ b/argo/infra/k8ssandra-operator.yaml 
@@ -0,0 +1,54 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: k8ssandra-operator + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://helm.k8ssandra.io/stable + chart: k8ssandra-operator + targetRevision: 1.23.1 + helm: + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/k8ssandra-operator.yaml + destination: + server: https://kubernetes.default.svc + namespace: k8ssandra-operator + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/keycloak-db.yaml b/argo/infra/keycloak-db.yaml new file mode 100644 index 0000000000..b6dd0bad87 --- /dev/null +++ b/argo/infra/keycloak-db.yaml 
@@ -0,0 +1,54 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: keycloak-db + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: 'registry-1.docker.io/bitnamicharts' + path: 'postgresql' + chart: postgresql + targetRevision: 16.6.6 + helm: + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/keycloak-db.yaml + destination: + server: https://kubernetes.default.svc + namespace: keycloak + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/keycloak.yaml b/argo/infra/keycloak.yaml new file mode 100644 index 0000000000..101f27dd64 --- /dev/null +++ b/argo/infra/keycloak.yaml 
@@ -0,0 +1,52 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: keycloak + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://codecentric.github.io/helm-charts + chart: keycloakx + #targetRevision: 2.5.1 + targetRevision: 7.0.1 + helm: + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/keycloak.yaml + destination: + server: https://kubernetes.default.svc + namespace: keycloak + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/kiali-instance/kiali-instance.yaml b/argo/infra/kiali-instance/kiali-instance.yaml new file mode 100644 index 0000000000..ad61fd8ae3 --- /dev/null +++ b/argo/infra/kiali-instance/kiali-instance.yaml 
@@ -0,0 +1,80 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: kiali.io/v1alpha1 +kind: Kiali +metadata: + name: kiali-instance + namespace: istio-system +spec: + # changing the app_label_name, as long as not all applications using "app" label + # istio_labels: + # app_label_name: "app.kubernetes.io/name" + api: + namespaces: + include: + - "keycloak" + - "kiali-operator" + - "onap" + - "postgres-operator" + - "kiali-operator" + - "k8ssandra-operator" + - "mariadb-operator" + - "mongodb-operator" + - "psmdb-operator" + - "nonrtric-rapp" + - "strimzi-system" + - "istio-ingress" + - "istio-system" + auth: + strategy: anonymous + istio_component_namespaces: + prometheus: cluster-observability + external_services: + grafana: + internal_url: "http://prometheus-grafana.prometheus" + url: "https://grafana." + auth: + username: "admin" + password: "prom-operator" + enabled: true + prometheus: + url: "http://prometheus-kube-prometheus-prometheus.prometheus:9090" + tracing: + enabled: false + external_url: https://jaeger. 
+ internal_url: http://jaeger-query.istio-system:16685 + use_grpc: true + istio: + egress_gateway_namespace: istio-ingress + ingress_gateway_namespace: istio-ingress + deployment: + view_only_mode: false + security_context: + allowPrivilegeEscalation: false + capabilities: + drop: ["CAP_NET_RAW", "ALL"] + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: + type: RuntimeDefault + server: + web_root: "/kiali" diff --git a/argo/infra/kiali-instance/kustomization.yaml b/argo/infra/kiali-instance/kustomization.yaml new file mode 100644 index 0000000000..13b6e21a01 --- /dev/null +++ b/argo/infra/kiali-instance/kustomization.yaml @@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +kind: Kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 + +resources: + - kiali-instance.yaml diff --git a/argo/infra/kiali-operator.yaml b/argo/infra/kiali-operator.yaml new file mode 100644 index 0000000000..5a71a1a14e --- /dev/null +++ b/argo/infra/kiali-operator.yaml 
@@ -0,0 +1,54 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kiali-operator + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://kiali.org/helm-charts + chart: kiali-operator + targetRevision: 2.9.0 + helm: + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/kiali-operator.yaml + destination: + server: https://kubernetes.default.svc + namespace: kiali-operator + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/kiali.yaml b/argo/infra/kiali.yaml new file mode 100644 index 0000000000..99f95ac88a --- /dev/null +++ b/argo/infra/kiali.yaml 
@@ -0,0 +1,40 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kiali-instance + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: '' + targetRevision: + path: argo/infra/kiali-instance + destination: + server: https://kubernetes.default.svc + namespace: istio-system + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/kustomization.yaml b/argo/infra/kustomization.yaml new file mode 100644 index 0000000000..5b42a4c940 --- /dev/null +++ b/argo/infra/kustomization.yaml 
@@ -0,0 +1,42 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - cert-manager.yaml + - istio.yaml + - gateway-api.yaml + - chartmuseum.yaml + - kiali-operator.yaml + - kiali.yaml + - k8ssandra-operator.yaml + - keycloak-db.yaml + - keycloak.yaml + - jaeger.yaml + - mariadb-operator.yaml + - mariadb-operator-crds.yaml + - mongodb-operator.yaml + - postgres-operator.yaml + - nfs-server-provisioner.yaml + - strimzi.yaml + - prometheus.yaml + - infra-ingress.yaml + - django-defectdojo.yaml + - trivy-dojo-report-operator.yaml + - compile-onap.yaml diff --git a/argo/infra/mariadb-operator-crds.yaml b/argo/infra/mariadb-operator-crds.yaml new file mode 100644 index 0000000000..8bbf32b6af --- /dev/null +++ b/argo/infra/mariadb-operator-crds.yaml 
@@ -0,0 +1,52 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: mariadb-operator-crds + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://helm.mariadb.com/mariadb-operator + chart: mariadb-operator-crds + targetRevision: 0.38.1 + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/mariadb-operator-crds.yaml + destination: + server: https://kubernetes.default.svc + namespace: mariadb-operator + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/mariadb-operator.yaml b/argo/infra/mariadb-operator.yaml new file mode 100644 index 0000000000..6790d1320e --- /dev/null +++ b/argo/infra/mariadb-operator.yaml 
@@ -0,0 +1,53 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: mariadb-operator + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://helm.mariadb.com/mariadb-operator + chart: mariadb-operator + targetRevision: 0.38.1 + helm: + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/mariadb-operator.yaml + destination: + server: https://kubernetes.default.svc + namespace: mariadb-operator + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/mongodb-operator.yaml b/argo/infra/mongodb-operator.yaml new file mode 100644 index 0000000000..543ed51245 --- /dev/null +++ b/argo/infra/mongodb-operator.yaml 
@@ -0,0 +1,54 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: mongodb-operator + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://percona.github.io/percona-helm-charts + chart: psmdb-operator + targetRevision: 1.19.1 + helm: + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/mongodb-operator.yaml + destination: + server: https://kubernetes.default.svc + namespace: mongodb-operator + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/nfs-server-provisioner.yaml b/argo/infra/nfs-server-provisioner.yaml new file mode 100644 index 0000000000..eae1b410af --- /dev/null +++ b/argo/infra/nfs-server-provisioner.yaml 
@@ -0,0 +1,49 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: nfs-server-provisioner + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://kvaps.github.io/charts + chart: nfs-server-provisioner + targetRevision: 1.8.0 + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/nfs-server-provisioner.yaml + destination: + server: https://kubernetes.default.svc + namespace: nfs-server + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/postgres-operator.yaml b/argo/infra/postgres-operator.yaml new file mode 100644 index 0000000000..4415fdf462 --- /dev/null +++ b/argo/infra/postgres-operator.yaml 
@@ -0,0 +1,43 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: postgres-operator + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: 'https://github.com/CrunchyData/postgres-operator-examples' + targetRevision: main + path: kustomize/install/default + destination: + server: https://kubernetes.default.svc + namespace: postgres-operator + syncPolicy: + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/prometheus.yaml b/argo/infra/prometheus.yaml new file mode 100644 index 0000000000..d9721efccf --- /dev/null +++ b/argo/infra/prometheus.yaml 
@@ -0,0 +1,49 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: prometheus + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://prometheus-community.github.io/helm-charts + chart: kube-prometheus-stack + # targetRevision: 67.4.0 + targetRevision: 71.1.1 + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/prometheus.yaml + destination: + server: https://kubernetes.default.svc + namespace: prometheus + syncPolicy: + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/strimzi.yaml b/argo/infra/strimzi.yaml new file mode 100644 index 0000000000..5c72bae868 --- /dev/null +++ b/argo/infra/strimzi.yaml 
@@ -0,0 +1,50 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: strimzi-kafka-operator + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://strimzi.io/charts/ + chart: strimzi-kafka-operator + targetRevision: 0.46.0 + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/strimzi.yaml + destination: + server: https://kubernetes.default.svc + namespace: strimzi-system + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/trivy-dojo-report-operator.yaml b/argo/infra/trivy-dojo-report-operator.yaml new file mode 100644 index 0000000000..27a13ca615 --- /dev/null +++ b/argo/infra/trivy-dojo-report-operator.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: trivy-dojo-report-operator + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://telekom-mms.github.io/trivy-dojo-report-operator + chart: trivy-dojo-report-operator + targetRevision: 0.8.8 + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/infra/values/trivy-dojo-report-operator.yaml + destination: + server: https://kubernetes.default.svc + namespace: trividojo + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: disabled + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argo/infra/values/cert-manager.yaml b/argo/infra/values/cert-manager.yaml new file mode 100644 index 0000000000..2445061095 --- /dev/null +++ b/argo/infra/values/cert-manager.yaml 
@@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +installCRDs: true + +prometheus: + servicemonitor: + enabled: false diff --git a/argo/infra/values/chartmuseum.yaml b/argo/infra/values/chartmuseum.yaml new file mode 100644 index 0000000000..7b7d6a8fb6 --- /dev/null +++ b/argo/infra/values/chartmuseum.yaml 
@@ -0,0 +1,42 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +replicaCount: 1 + +image: + repository: ghcr.io/helm/chartmuseum + tag: v0.16.2 + pullPolicy: IfNotPresent + +service: + type: ClusterIP + port: 8080 + +ingress: + enabled: false + +env: + open: + STORAGE: local + DISABLE_API: false + DEBUG: true + +persistence: + storageClass: + enabled: true + size: 8Gi diff --git a/argo/infra/values/compile-onap.yaml b/argo/infra/values/compile-onap.yaml new file mode 100644 index 0000000000..09c62079f6 --- /dev/null +++ b/argo/infra/values/compile-onap.yaml 
@@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +repository_url: "http://chartmuseum.chartmuseum:8080" +onap_repo: "https://gerrit.onap.org/r/oom" +onap_repo_branch: "master" +gerrit_review: "" +gerrit_patchset: "" diff --git a/argo/infra/values/django-defectdojo.yaml b/argo/infra/values/django-defectdojo.yaml new file mode 100644 index 0000000000..301e4f90d6 --- /dev/null +++ b/argo/infra/values/django-defectdojo.yaml 
@@ -0,0 +1,69 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +global: + defaultStorageClass: + +# Global settings +# create defectdojo specific secret +createSecret: true +# create redis secret in defectdojo chart, outside of redis chart +createRedisSecret: true +# create postgresql secret in defectdojo chart, outside of postgresql chart +createPostgresqlSecret: true +# create postgresql-ha secret in defectdojo chart, outside of postgresql-ha chart +createPostgresqlHaSecret: false +# create postgresql-ha-pgpool secret in defectdojo chart, outside of postgresql-ha chart +createPostgresqlHaPgpoolSecret: false +# Primary hostname of instance +host: defectdojo-django.defectdojo +alternativeHosts: + - defectdojo. 
+admin: + user: admin + password: gating +postgresql: + enabled: true + auth: + username: defectdojo + password: "defectdojo" + primary: + resources: + limits: + cpu: 500m + memory: 512Mi +redis: + auth: + password: "defectdojo" +django: + ingress: + enabled: false + uwsgi: + resources: + requests: + cpu: 300m + limits: + memory: 1Gi + appSettings: + maxFd: 102400 +extraEnv: + # Disable API token usage + #- name: DD_API_TOKENS_ENABLED + # value: "false" + #- name: DD_API_TOKEN_AUTH_ENDPOINT_ENABLED + # value: "false" \ No newline at end of file diff --git a/argo/infra/values/infra-ingress.yaml b/argo/infra/values/infra-ingress.yaml new file mode 100644 index 0000000000..ed43abd81e --- /dev/null +++ b/argo/infra/values/infra-ingress.yaml @@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +post_addr: "" +dns_zone: "" diff --git a/argo/infra/values/istiod.yaml b/argo/infra/values/istiod.yaml new file mode 100644 index 0000000000..2cc8e36805 --- /dev/null +++ b/argo/infra/values/istiod.yaml 
@@ -0,0 +1,65 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +global: + # configValidation enables the validation webhook for Istio configuration. + # TNAP: had to set it to False, as otherwise a setting is required: + # .Values.base.validationCABundle + configValidation: false + #hub: "/istio" + proxy: + holdApplicationUntilProxyStarts: true + +meshConfig: + enablePrometheusMerge: true + defaultConfig: + tracing: + zipkin: + address: jaeger-collector.istio-system:9411 + sampling: 100 + meshMTLS: + minProtocolVersion: TLSV1_3 + #tlsDefaults: + # Note: applicable only for non ISTIO_MUTUAL scenarios + # ecdhCurves: + # - P-256 + # - P-512 + rootNamespace: istio-config + extensionProviders: + - name: oauth2-proxy + envoyExtAuthzHttp: + service: oauth2-proxy.default.svc.cluster.local + port: 80 + timeout: 1.5s + includeHeadersInCheck: ["authorization", "cookie"] + headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"] + headersToDownstreamOnDeny: ["content-type", "set-cookie"] + +pilot: + env: + PILOT_ENABLE_ALPHA_GATEWAY_API: true + 
PILOT_HTTP10: true + ENABLE_NATIVE_SIDECARS: true + cni: + enabled: false + +istio_cni: + enabled: false + +base: + enableIstioConfigCRDs: false \ No newline at end of file diff --git a/argo/infra/values/jaeger.yaml b/argo/infra/values/jaeger.yaml new file mode 100644 index 0000000000..bdaca66a93 --- /dev/null +++ b/argo/infra/values/jaeger.yaml @@ -0,0 +1,35 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +fullnameOverride: jaeger + +collector: + service: + zipkin: + port: 9411 + otlp: + grpc: + name: otlp-grpc + port: 4317 + http: + name: otlp-http + port: 4318 + +query: + cmdlineParams: + query.max-clock-skew-adjustment: 300s diff --git a/argo/infra/values/k8ssandra-operator.yaml b/argo/infra/values/k8ssandra-operator.yaml new file mode 100644 index 0000000000..977ca8d569 --- /dev/null +++ b/argo/infra/values/k8ssandra-operator.yaml 
@@ -0,0 +1,42 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +global: + clusterScoped: true + +image: + registry: + registryOverride: + +cass-operator: + image: + registry: + registryOverride: + admissionWebhooks: + enabled: true + +cleaner: + image: + registry: + +client: + image: + registry: + +# -- Allows managing CRD upgrades externally and fully disable the CRD upgrader job hook +disableCrdUpgraderJob: true diff --git a/argo/infra/values/keycloak-db.yaml b/argo/infra/values/keycloak-db.yaml new file mode 100644 index 0000000000..aeb3cc5310 --- /dev/null +++ b/argo/infra/values/keycloak-db.yaml 
@@ -0,0 +1,28 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +global: + defaultStorageClass: + imageRegistry: + security: + allowInsecureImages: true + postgresql: + auth: + username: dbusername + password: dbpassword + database: keycloak \ No newline at end of file diff --git a/argo/infra/values/keycloak.yaml b/argo/infra/values/keycloak.yaml new file mode 100644 index 0000000000..46e58f245d --- /dev/null +++ b/argo/infra/values/keycloak.yaml 
@@ -0,0 +1,79 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +fullnameOverride: keycloak + +image: + tag: "26.0.6" + +command: + - "/opt/keycloak/bin/kc.sh" + - "--verbose" + - "start" + - "--http-port=8080" + - "--hostname-strict=false" + - "--spi-events-listener-jboss-logging-success-level=info" + - "--spi-events-listener-jboss-logging-error-level=warn" + +extraEnv: | + - name: KC_BOOTSTRAP_ADMIN_USERNAME + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-admin-creds + key: user + - name: KC_BOOTSTRAP_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-admin-creds + key: password + - name: JAVA_OPTS_APPEND + value: >- + -XX:+UseContainerSupport + -XX:MaxRAMPercentage=50.0 + -Djava.awt.headless=true + -Djgroups.dns.query={{ include "keycloak.fullname" . 
}}-headless + - name: PROXY_ADDRESS_FORWARDING + value: "true" + +dbchecker: + enabled: true + image: + repository: /busybox + +database: + vendor: postgres + hostname: keycloak-db-postgresql + port: 5432 + username: dbusername + password: dbpassword + database: keycloak + +proxy: + enabled: true + mode: xforwarded + http: + enabled: true + +secrets: + admin-creds: + stringData: + user: admin + password: secret + +http: + relativePath: "/" diff --git a/argo/infra/values/kiali-operator.yaml b/argo/infra/values/kiali-operator.yaml new file mode 100644 index 0000000000..abb2f67cb5 --- /dev/null +++ b/argo/infra/values/kiali-operator.yaml @@ -0,0 +1,42 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +global: + clusterScoped: true + +image: + registry: + registryOverride: + +cass-operator: + image: + registry: + registryOverride: + admissionWebhooks: + enabled: true + +cleaner: + image: + registry: + +client: + image: + registry: + +# -- Allows managing CRD upgrades externally and fully disable the CRD upgrader job hook +disableCrdUpgraderJob: true \ No newline at end of file 
diff --git a/argo/infra/values/mariadb-operator.yaml b/argo/infra/values/mariadb-operator.yaml new file mode 100644 index 0000000000..dd9a949510 --- /dev/null +++ b/argo/infra/values/mariadb-operator.yaml @@ -0,0 +1,29 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +ha: + enabled: true + +logLevel: "debug" + +metrics: + enabled: false + +webhook: + certificate: + certManager: true \ No newline at end of file diff --git a/argo/infra/values/mongodb-operator.yaml b/argo/infra/values/mongodb-operator.yaml new file mode 100644 index 0000000000..a38003081d --- /dev/null +++ b/argo/infra/values/mongodb-operator.yaml 
@@ -0,0 +1,46 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +watchAllNamespaces: true + +fullnameOverride: "percona-server-mongodb-operator" + +replicaCount: 1 + +resources: + requests: + cpu: 600m + memory: 700Mi + limits: + cpu: 1200m + memory: 1000Mi + +podSecurityContext: + runAsGroup: 65533 + runAsNonRoot: true + runAsUser: 100 + seccompProfile: + type: RuntimeDefault + +securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW diff --git a/argo/infra/values/prometheus.yaml b/argo/infra/values/prometheus.yaml new file mode 100644 index 0000000000..d985e0c9b3 --- /dev/null +++ b/argo/infra/values/prometheus.yaml 
@@ -0,0 +1,57 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +prometheus: + agentMode: false + prometheusSpec: + ## If true, a nil or {} value for prometheus.prometheusSpec.ruleSelector will cause the + ## prometheus resource to be created with selectors based on values in the helm deployment, + ## which will also match the PrometheusRule resources created + ## + ruleSelectorNilUsesHelmValues: false + ## If true, a nil or {} value for prometheus.prometheusSpec.serviceMonitorSelector will cause the + ## prometheus resource to be created with selectors based on values in the helm deployment, + ## which will also match the servicemonitors created + ## + serviceMonitorSelectorNilUsesHelmValues: false + ## If true, a nil or {} value for prometheus.prometheusSpec.podMonitorSelector will cause the + ## prometheus resource to be created with selectors based on values in the helm deployment, + ## which will also match the podmonitors created + ## + podMonitorSelectorNilUsesHelmValues: false + additionalScrapeConfigs: + - job_name: 'istiod' + kubernetes_sd_configs: + - role: endpoints + namespaces: + names: + - istio-system + relabel_configs: + - 
source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: istiod;http-monitoring + - job_name: 'envoy-stats' + metrics_path: /stats/prometheus + kubernetes_sd_configs: + - role: pod + scrape_interval: 5m + scrape_timeout: 1m + relabel_configs: + - source_labels: [__meta_kubernetes_pod_container_port_name] + action: keep + regex: '.*-envoy-prom' diff --git a/argo/infra/values/strimzi.yaml b/argo/infra/values/strimzi.yaml new file mode 100644 index 0000000000..9f20ee8721 --- /dev/null +++ b/argo/infra/values/strimzi.yaml @@ -0,0 +1,43 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +watchAnyNamespace: true + +podSecurityContext: + runAsGroup: 65533 + runAsNonRoot: true + runAsUser: 100 + seccompProfile: + type: RuntimeDefault + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsGroup: 65533 + runAsNonRoot: true + runAsUser: 100 + seccompProfile: + type: RuntimeDefault + +config: + kafkaVersion: 4.0.0 + kafkaMetadataVersion: 4.0.0-IV3 \ No newline at end of file 
diff --git a/argo/infra/values/trivy-dojo-report-operator.yaml b/argo/infra/values/trivy-dojo-report-operator.yaml new file mode 100644 index 0000000000..55cb7362d2 --- /dev/null +++ b/argo/infra/values/trivy-dojo-report-operator.yaml @@ -0,0 +1,29 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +defectDojoApiCredentials: + apiKey: "2e5af2a04069492ea63cbd593efccfd4b2758b77" + url: "http://defectdojo-django.defectdojo" + #url: "https://defectdojo." + +operator: + trivyDojoReportOperator: + env: + defectDojoActive: "true" + defectDojoCloseOldFindings: "false" + defectDojoMinimumSeverity: Critical diff --git a/argo/onap-test/app-onap-test.yaml b/argo/onap-test/app-onap-test.yaml new file mode 100644 index 0000000000..77fe56169d --- /dev/null +++ b/argo/onap-test/app-onap-test.yaml 
@@ -0,0 +1,34 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-test + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + labels: + name: onap-test +spec: + project: argo-management + source: + repoURL: '' + targetRevision: + path: ./argo/onap-test + destination: + server: https://kubernetes.default.svc + namespace: onap + syncPolicy: + automated: + prune: false + selfHeal: true + allowEmpty: false + syncOptions: + - Validate=true + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + revisionHistoryLimit: 10 diff --git a/argo/onap-test/ingress-routes/helm/Chart.yaml b/argo/onap-test/ingress-routes/helm/Chart.yaml new file mode 100644 index 0000000000..3b96e8298c --- /dev/null +++ b/argo/onap-test/ingress-routes/helm/Chart.yaml @@ -0,0 +1,21 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +apiVersion: v2 +version: 0.0.1 +description: Chart to create gateway and Ingress Routes +name: ingress 
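Review bot: defectDojoApiCredentials.apiKey in argo/infra/values/trivy-dojo-report-operator.yaml is a literal token committed to the repository. Treat that key as exposed and rotate it, then supply the replacement from a Kubernetes Secret or an external secret store instead of a values file kept in git. The "url" next to it uses plain http://, so it is worth stating in a comment whether the mesh is expected to protect that hop.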
diff --git a/argo/onap-test/ingress-routes/helm/templates/ingress-kafka-ui.yaml b/argo/onap-test/ingress-routes/helm/templates/ingress-kafka-ui.yaml new file mode 100644 index 0000000000..6552dc3b4d --- /dev/null +++ b/argo/onap-test/ingress-routes/helm/templates/ingress-kafka-ui.yaml @@ -0,0 +1,58 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: kafka-ui-route + namespace: onap +spec: + parentRefs: + - name: common-gateway + sectionName: https + namespace: istio-ingress + hostnames: + - kafka-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: kafka-ui + port: 80 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: kafka-ui-redirect-route + namespace: onap +spec: + parentRefs: + - name: common-gateway + sectionName: http + namespace: istio-ingress + hostnames: + - kafka-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 
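Review bot: both HTTPRoutes in ingress-kafka-ui.yaml build the hostname as "kafka-ui{{ .Values.post_addr }}.{{ .Values.dns_zone }}", and the chart's values.yaml defaults both values to empty strings, which renders "kafka-ui.". Wrapping dns_zone in "required" would fail the render instead of producing a route with an unusable hostname. The hunk also shows no authentication or authorization in front of the kafka-ui backend; if that is handled elsewhere, a comment pointing to it would help.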
diff --git a/argo/onap-test/ingress-routes/helm/values.yaml b/argo/onap-test/ingress-routes/helm/values.yaml new file mode 100644 index 0000000000..d282f5e9a3 --- /dev/null +++ b/argo/onap-test/ingress-routes/helm/values.yaml @@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +post_addr: "" +dns_zone: "" diff --git a/argo/onap-test/kafka-ui.yaml b/argo/onap-test/kafka-ui.yaml new file mode 100644 index 0000000000..db8cc2b508 --- /dev/null +++ b/argo/onap-test/kafka-ui.yaml 
@@ -0,0 +1,48 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kafka-ui + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://kafbat.github.io/helm-charts + chart: kafka-ui + targetRevision: 1.5.0 + helm: + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap-test/values/kafka-ui.yaml + destination: + server: https://kubernetes.default.svc + namespace: onap + syncPolicy: + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap-test/kustomization.yaml b/argo/onap-test/kustomization.yaml new file mode 100644 index 0000000000..7518ca39e8 --- /dev/null +++ b/argo/onap-test/kustomization.yaml 
@@ -0,0 +1,29 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +generatorOptions: + disableNameSuffixHash: true + +resources: + - testkube.yaml + - kafka-ui.yaml + - trivy-operator.yaml + - onap-test-ingress.yaml diff --git a/argo/onap-test/onap-test-ingress.yaml b/argo/onap-test/onap-test-ingress.yaml new file mode 100644 index 0000000000..fce16708c0 --- /dev/null +++ b/argo/onap-test/onap-test-ingress.yaml 
@@ -0,0 +1,60 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-test-ingress + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + labels: + name: onap-test-ingress +spec: + project: argo-management + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: + targetRevision: + path: ./argo/onap-test/ingress-routes/helm + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap-test/values/onap-test-ingress.yaml + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: false + selfHeal: true + allowEmpty: false + syncOptions: + - Validate=true + - CreateNamespace=true + #- PrunePropagationPolicy=foreground + #- PruneLast=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + revisionHistoryLimit: 10 diff --git a/argo/onap-test/testkube.yaml b/argo/onap-test/testkube.yaml new file mode 100644 index 0000000000..8243884ed1 --- /dev/null +++ b/argo/onap-test/testkube.yaml 
@@ -0,0 +1,54 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: testkube + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + labels: + name: testkube +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: + targetRevision: + path: ./argo/onap-test/testkube/helm + helm: + # Values file as block file. This takes precedence over values + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap-test/values/testkube.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap-test/testkube/helm/Chart.yaml b/argo/onap-test/testkube/helm/Chart.yaml new file mode 100644 index 0000000000..44c541c02a --- /dev/null +++ b/argo/onap-test/testkube/helm/Chart.yaml 
@@ -0,0 +1,26 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +apiVersion: v2 +name: onapTestkube +description: A Helm chart with tests for onap +type: application +version: 0.0.1 +dependencies: + - name: testkube + version: 1.16.63 + repository: 'https://kubeshop.github.io/helm-charts' diff --git a/argo/onap-test/testkube/helm/templates/cluster-role-binding.yaml b/argo/onap-test/testkube/helm/templates/cluster-role-binding.yaml new file mode 100644 index 0000000000..0bef9b5fe0 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/cluster-role-binding.yaml 
@@ -0,0 +1,31 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: rbac.authorization.k8s.io/v1 +# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace. +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Name }}-tests-cluster-role-binding +subjects: +- kind: ServiceAccount + name: {{ .Release.Name }}-tests-service-account + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Release.Name }}-tests-cluster-role + apiGroup: rbac.authorization.k8s.io diff --git a/argo/onap-test/testkube/helm/templates/cluster-role.yaml b/argo/onap-test/testkube/helm/templates/cluster-role.yaml new file mode 100644 index 0000000000..a8f5bceab9 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/cluster-role.yaml 
@@ -0,0 +1,129 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Release.Name }}-tests-cluster-role +rules: +- apiGroups: + - '' + - apps + - batch + - extensions + - networking.k8s.io + - gateway.networking.k8s.io + - tf.galleybytes.com + - aquasecurity.github.io + - onap.com + resources: + - pods + - deployments + - deployments/status + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + - secrets + - services + - events + - configmaps + - ingresses + - persistentvolumeclaims + - nodes + - terraforms + - httproutes + - namespaces + - serviceinstances + - vnfs + - vulnerabilityreports + verbs: + - get + - watch + - list +- apiGroups: + - '' + - apps + resources: + - statefulsets + - configmaps + verbs: + - patch +- apiGroups: + - '' + - apps + - tf.galleybytes.com + - onap.com + resources: + - deployments + - daemonsets + - statefulsets + - secrets + - services + - pods + - terraforms + - namespaces + - configmaps + - serviceinstances + - vnfs + verbs: + - create +- apiGroups: + - '' + - apps + - 
tf.galleybytes.com + - onap.com + resources: + - pods + - persistentvolumeclaims + - secrets + - deployments + - daemonsets + - statefulsets + - services + - terraforms + - configmaps + - serviceinstances + - vnfs + verbs: + - delete +- apiGroups: + - '' + - apps + resources: + - pods/exec + verbs: + - create +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete +{{- if .Values.tests.tests.basicKafka.enabled }} +- apiGroups: + - kafka.strimzi.io + resources: + - kafkatopics + verbs: + - create + - delete +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/control-panel-basic-executor.yaml b/argo/onap-test/testkube/helm/templates/control-panel-basic-executor.yaml new file mode 100644 index 0000000000..22a3a25aaf --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/control-panel-basic-executor.yaml 
@@ -0,0 +1,37 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: executor.testkube.io/v1 +kind: Executor +metadata: + name: {{ .Values.tests.smokeTests.executor.controlPanelSdk.name }} +spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 4 }} + {{- end }} + image: /onap/control-panel-ui-smoke-tests/controlpanel-smoke-tests:{{ .Values.tests.smokeTests.executor.controlPanelSdk.imageVersion }} + command: + - "/bin/bash" + - "-c" + - "./gradlew --offline -p controlpanel-smoke-tests test \"-Dcucumber.filter.tags=${CUCUMBER_FILTER_TAGS}\" " + executor_type: container + types: + - {{ .Values.tests.smokeTests.executor.controlPanelSdk.type }} + features: + - artifacts diff --git a/argo/onap-test/testkube/helm/templates/control-panel-smoke-test.yaml b/argo/onap-test/testkube/helm/templates/control-panel-smoke-test.yaml new file mode 100644 index 0000000000..42310c1c50 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/control-panel-smoke-test.yaml 
@@ -0,0 +1,43 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +{{- if .Values.tests.tests.controlPanelSmokeTest.enabled }} +apiVersion: tests.testkube.io/v3 +kind: Test +metadata: + name: {{ .Values.tests.tests.controlPanelSmokeTest.testName }} +spec: + type: {{ .Values.tests.smokeTests.executor.controlPanelSdk.type }} + executionRequest: + variables: + CUCUMBER_FILTER_TAGS: + name: CUCUMBER_FILTER_TAGS + type: basic + CONTROLPANEL_ENV: + name: CONTROLPANEL_ENV + value: {{ .Values.tests.testEnvName }} + type: basic + activeDeadlineSeconds: {{ .Values.tests.smokeTests.execution.activeDeadlineSeconds }} + artifactRequest: + storageClassName: {{ .Values.tests.smokeTests.artifacts.storageClassName }} + volumeMountPath: /app/test-artifacts +{{- include "job.template" . | indent 4 }} +{{- if .Values.global.serviceMesh.enabled }} +{{- include "scraper.template" . | indent 4 }} +{{- end }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/cypress-tests/cypress-test.tpl b/argo/onap-test/testkube/helm/templates/cypress-tests/cypress-test.tpl new file mode 100644 index 0000000000..ce96733a39 --- /dev/null 
+++ b/argo/onap-test/testkube/helm/templates/cypress-tests/cypress-test.tpl @@ -0,0 +1,69 @@ +{{/* https://docs.testkube.io/articles/crds/tests.testkube.io-v3 */}} +{{/* +Common test template for cypress tests + +@param .dot (Optional, default .) The root scope +@param .repo A map representing the repository configuration + The map must contain at least the following fields: + .repo.uri: the uri of the git repo that + contains the cypress project + .repo.branch the branch of the git repo that + contains the cypress project +@param .test A map representing a single test + The map must contain at least the following fields: + .test.name: The name of the test + The map may contain the following optional fields: + .test.env: environment variables for the container + +Example include: + {{ include "cypress.test" (dict "repo" .Values.tests.cypress "test" .Values.tests.cypress.tests.aai) }} +*/}} +{{- define "cypress.test" }} +apiVersion: tests.testkube.io/v3 +kind: Test +metadata: + name: {{ kebabcase .test.testName }} +spec: + type: cypress/project + content: + type: git + repository: + type: git + uri: {{ .repo.uri }} + branch: {{ .test.branch | default .repo.branch }} + tokenSecret: + key: git-token + name: testkube-git-creds + usernameSecret: + key: git-username + name: testkube-git-creds + executionRequest: + activeDeadlineSeconds: 1800 + jobTemplate: | + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + argocd.argoproj.io/compare-options: IgnoreExtraneous + argocd.argoproj.io/sync-options: Prune=false + spec: + template: + metadata: + labels: + sidecar.istio.io/inject: 'false' + spec: + containers: + - name: {{ kebabcase .test.testName }} + image: {{ .repo.image }} + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 300m + memory: 300Mi + {{- if .test.env }} + envs: + {{- range $key, $value := .test.env }} + {{ $key }}: {{ $value | quote }} + {{ end -}} + {{ end -}} +{{ end -}} 
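Review bot: in argo/onap-test/kafka-ui.yaml the chart source carries "helm:" on two consecutive lines before "ignoreMissingValueFiles". Whether that ends up as a nested or a repeated key, Argo CD expects ignoreMissingValueFiles and valueFiles directly under a single "helm:" key, so one of the two lines should go. The first source also leaves "repoURL" and "targetRevision" empty; say in a comment how they are meant to be filled in.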
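Review bot: the comment above "kind: ClusterRoleBinding" in cluster-role-binding.yaml says the binding lets anyone in the "manager" group read secrets in any namespace, but the only subject is the ServiceAccount "{{ .Release.Name }}-tests-service-account". Update the comment to name the actual subject and to describe what the bound ClusterRole grants, which goes well beyond reading secrets.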
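Review bot: cluster-role.yaml gives the test ServiceAccount cluster-wide get/watch/list, create and delete on "secrets" plus create on "pods/exec", so anything able to run a test can read every secret in the cluster and exec into any pod. If the tests only act on the release namespace, a namespaced Role and RoleBinding would fit, with a ClusterRole kept only for the cluster-scoped reads such as "nodes" and "namespaces". The first rule also crosses every listed apiGroup with every listed resource; splitting it per API group would make the grant reviewable. Only the kafka.strimzi.io rule is gated by a values flag.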
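Review bot: the header comment of cypress-test.tpl documents ".test.name", but the template reads ".test.testName"; it also consumes ".repo.image" and ".test.branch", which are not documented, and never uses the documented ".dot". Align the parameter list with the fields actually read. Test content is taken from a branch ("{{ .test.branch | default .repo.branch }}"), so a sentence on which branches are acceptable for runs inside the cluster would be useful too.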
diff --git a/argo/onap-test/testkube/helm/templates/cypress-tests/demo-test.yaml b/argo/onap-test/testkube/helm/templates/cypress-tests/demo-test.yaml new file mode 100644 index 0000000000..9fd7148106 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/cypress-tests/demo-test.yaml @@ -0,0 +1,44 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: tests.testkube.io/v3 +kind: Test +metadata: + name: cypress-test-3 +spec: + type: cypress/project + content: + type: git-dir + repository: + type: git + uri: https://github.com/kubeshop/testkube.git + branch: main + path: test/cypress/executor-tests/cypress-14 + executionRequest: + variables: + CYPRESS_CUSTOM_ENV: + name: CYPRESS_CUSTOM_ENV + value: "CYPRESS_CUSTOM_ENV_value" + type: basic + DEBUG: + name: DEBUG + value: "cypress:*" + type: basic + args: + - "--env" + - "NON_CYPRESS_ENV=NON_CYPRESS_ENV_value" diff --git a/argo/onap-test/testkube/helm/templates/cypress-tests/portalng-ui-test.yaml b/argo/onap-test/testkube/helm/templates/cypress-tests/portalng-ui-test.yaml new file mode 100644 index 0000000000..5c7d29cb1b --- /dev/null 
+++ b/argo/onap-test/testkube/helm/templates/cypress-tests/portalng-ui-test.yaml @@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.cypress.tests.portalng.someTest.enabled }} +{{ include "cypress.test" (dict "repo" .Values.tests.cypress "test" .Values.tests.cypress.tests.portalng.someTest) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/gradle-tests/aai-crud-test.yaml b/argo/onap-test/testkube/helm/templates/gradle-tests/aai-crud-test.yaml new file mode 100644 index 0000000000..316f772b3e --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/gradle-tests/aai-crud-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.gradle.tests.aai.aaiCrudTest.enabled }} +{{ include "gradle.test" (dict "repo" .Values.tests.gradle "test" .Values.tests.gradle.tests.aai.aaiCrudTest) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/gradle-tests/aai-kafka-test.yaml b/argo/onap-test/testkube/helm/templates/gradle-tests/aai-kafka-test.yaml new file mode 100644 index 0000000000..d96cf54375 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/gradle-tests/aai-kafka-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.gradle.tests.aai.kafkaTest.enabled }} +{{ include "gradle.test" (dict "repo" .Values.tests.gradle "test" .Values.tests.gradle.tests.aai.kafkaTest) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/gradle-tests/aai-traversal-test.yaml b/argo/onap-test/testkube/helm/templates/gradle-tests/aai-traversal-test.yaml new file mode 100644 index 0000000000..d5cf4ac7e4 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/gradle-tests/aai-traversal-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.gradle.tests.aai.aaiTraversalTest.enabled }} +{{ include "gradle.test" (dict "repo" .Values.tests.gradle "test" .Values.tests.gradle.tests.aai.aaiTraversalTest) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/gradle-tests/gradle-test.tpl b/argo/onap-test/testkube/helm/templates/gradle-tests/gradle-test.tpl new file mode 100644 index 0000000000..7bfd50f8bb --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/gradle-tests/gradle-test.tpl 
@@ -0,0 +1,75 @@ +{{/* https://docs.testkube.io/articles/crds/tests.testkube.io-v3 */}} +{{/* +Common test template for gradle tests + +@param .dot (Optional, default .) The root scope +@param .repo A map representing the repository configuration + The map must contain at least the following fields: + .repo.uri: the uri of the git repo that + contains the gradle project + .repo.branch the branch of the git repo that + contains the gradle project +@param .test A map representing a single test + The map must contain at least the following fields: + .test.name: The name of the test + The map may contain the following optional fields: + .test.env: environment variables for the container + +Example include: + {{ include "gradle.test" (dict "repo" .Values.tests.gradle "test" .Values.tests.gradle.tests.aai) }} +*/}} +{{- define "gradle.test" }} +apiVersion: tests.testkube.io/v3 +kind: Test +metadata: + name: {{ kebabcase .test.testName }} +spec: + type: gradle/test + content: + type: git + repository: + type: git + uri: {{ .repo.uri }} + branch: {{ .test.branch | default .repo.branch }} + tokenSecret: + key: git-token + name: testkube-git-creds + usernameSecret: + key: git-username + name: testkube-git-creds + executionRequest: + args: + - "--tests" + - {{ .test.testName | quote }} + {{- if .test.debugLogEnabled }} + - "--info" + {{- end }} + activeDeadlineSeconds: 1800 + jobTemplate: | + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + argocd.argoproj.io/compare-options: IgnoreExtraneous + argocd.argoproj.io/sync-options: Prune=false + spec: + template: + metadata: + labels: + sidecar.istio.io/inject: 'false' + spec: + containers: + - name: {{ kebabcase .test.testName }} + image: {{ .repo.image }} + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 300m + memory: 300Mi + {{- if .test.env }} + envs: + {{- range $key, $value := .test.env }} + {{ $key }}: {{ $value | quote }} + {{ end -}} + {{ end -}} +{{ end -}} 
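Review bot: the header comment of gradle-test.tpl documents `.test.name`, but the body reads `.test.testName` (in `metadata.name`, the `--tests` argument and the container name), and it also consumes `.repo.image`, `.test.branch` and `.test.debugLogEnabled`, none of which are listed, while the documented `.dot` parameter is never used. Please align the parameter list with what the template actually reads. The example include passes `.Values.tests.gradle.tests.aai`, which the callers in this patch treat as a group (`...aai.kafkaTest`, `...aai.aaiTraversalTest`) rather than a single test, so it should show one of those instead. Two smaller points: the git credentials secret is hard-coded as `testkube-git-creds`, whereas pythonsdk-smoke-test.tpl in this same patch takes `secretName` from values with a different default (`tnap-testkube-git-creds`), so consider one configurable name for both; and `uri`, `branch` and `image` are rendered unquoted while the `--tests` argument uses `| quote`.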
diff --git a/argo/onap-test/testkube/helm/templates/ingress.yaml b/argo/onap-test/testkube/helm/templates/ingress.yaml new file mode 100644 index 0000000000..0f40a3e236 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/ingress.yaml 
@@ -0,0 +1,91 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: testkube-route + namespace: onap +spec: + parentRefs: + - name: common-gateway + sectionName: https + namespace: istio-ingress + hostnames: + - testkube{{ .Values.global.ingress.post_addr }}.{{ .Values.global.ingress.dns_zone }} + rules: + - backendRefs: + - name: testkube-dashboard + port: 8080 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: testkube-redirect-route + namespace: onap +spec: + parentRefs: + - name: common-gateway + sectionName: http + namespace: istio-ingress + hostnames: + - testkube{{ .Values.global.ingress.post_addr }}.{{ .Values.global.ingress.dns_zone }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: testkube-api-route + namespace: onap +spec: + parentRefs: + - name: common-gateway + sectionName: https + namespace: istio-ingress + hostnames: + - testkube-api{{ 
.Values.global.ingress.post_addr }}.{{ .Values.global.ingress.dns_zone }} + rules: + - backendRefs: + - name: testkube-api-server + port: 8088 +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: testkube-api-redirect-route + namespace: onap +spec: + parentRefs: + - name: common-gateway + sectionName: http + namespace: istio-ingress + hostnames: + - testkube-api{{ .Values.global.ingress.post_addr }}.{{ .Values.global.ingress.dns_zone }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 diff --git a/argo/onap-test/testkube/helm/templates/job-template.tpl b/argo/onap-test/testkube/helm/templates/job-template.tpl new file mode 100644 index 0000000000..9693c551ff --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/job-template.tpl @@ -0,0 +1,18 @@ +{{- define "job.template" }} +{{/* Define job.template */}} +jobTemplate: | + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + argocd.argoproj.io/compare-options: IgnoreExtraneous + argocd.argoproj.io/sync-options: Prune=false + spec: + template: + spec: + serviceAccountName: {{ .Release.Name }}-tests-service-account + containers: + - name: {{ printf "\"{{ .Name }}\"" }} + image: {{ printf "{{ .Image }}" }} + imagePullPolicy: Always +{{ end -}} diff --git a/argo/onap-test/testkube/helm/templates/onap-smoke-tests-testsuite.yaml b/argo/onap-test/testkube/helm/templates/onap-smoke-tests-testsuite.yaml new file mode 100644 index 0000000000..0ab83b5069 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/onap-smoke-tests-testsuite.yaml 
@@ -0,0 +1,164 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: tests.testkube.io/v3 +kind: TestSuite +metadata: + name: {{ .Values.tests.smokeTests.testsuite.name }} +spec: + schedule: "{{ .Values.tests.smokeTests.testsuite.cron }}" + steps: + {{- /* Gradle tests */}} + - execute: + {{- range $usecase := .Values.tests.gradle.tests }} + {{- range $test := $usecase }} + {{- if $test.enabled }} + - test: {{ kebabcase $test.testName }} + {{- end }} + {{- end }} + {{- end }} + stopOnFailure: false + {{- /* Smoke tests */}} + {{- /* Basic tests group */}} + - stopOnFailure: false + execute: + {{- $test := .Values.tests.tests.basicCps }} + {{- if $test.enabled }} + - test: {{ $test.testName }} + {{- end }} + {{- $test := .Values.tests.tests.basicOnboard }} + {{- if $test.enabled }} + - test: {{ $test.testName }} + {{- end }} + {{- $test := .Values.tests.tests.basicNetwork }} + {{- if $test.enabled }} + - test: {{ $test.testName }} + {{- end }} + {{- $test := .Values.tests.tests.basicCds }} + {{- if $test.enabled }} + - test: {{ $test.testName }} + {{- end }} + {{- $test := .Values.tests.tests.basicSdnc }} + {{- if $test.enabled }} 
+ - test: {{ $test.testName }} + {{- end }} + {{- $test := .Values.tests.tests.basicCnfMacro }} + {{- if $test.enabled }} + - test: {{ $test.testName }} + {{- end }} + {{- $test := .Values.tests.tests.controlPanelSmokeTest }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.aaiInitialDataSetup }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.serviceWithoutResource }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.addDeletePnfInRunningService }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.pnfWithVesEvent }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.pnfWithoutVesEvent }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.pnfMacro }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.basicPrh }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.checkTimeSync }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.basicStatus }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.basicKafka }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.addDeleteCnfMacro }} + {{- if 
$test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.policyFramework }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- $test := .Values.tests.tests.vesPublish }} + {{- if $test.enabled }} + - execute: + - test: {{ $test.testName }} + stopOnFailure: false + {{- end }} + {{- if .Values.global.serviceMesh.enabled }} + executionRequest: + cronJobTemplate: | + apiVersion: batch/v1 + kind: CronJob + metadata: + annotations: + argocd.argoproj.io/compare-options: IgnoreExtraneous + argocd.argoproj.io/sync-options: Prune=false + spec: + jobTemplate: + spec: + activeDeadlineSeconds: {{ .Values.tests.smokeTests.testsuite.testsuiteJobActiveDeadlineSeconds }} + template: + spec: + serviceAccountName: {{ .Release.Name }}-tests-service-account + {{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-smoke-test.tpl b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-smoke-test.tpl new file mode 100644 index 0000000000..8876d3fc9a --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-smoke-test.tpl 
@@ -0,0 +1,81 @@ +{{- define "sidecarKiller" }} +{{/* +{{ include "sidecarKiller" (dict "containerName" "containerNameToCheck" "Values" .Values) }} +*/}} +- name: sidecar-killer + image: {{ .Values.serviceMesh.sidecarKiller.image }} + command: ["/bin/sh", "-c"] + args: ["echo \"waiting 10s for istio side cars to be up\"; sleep 10s; /app/ready.py --service-mesh-check {{ .containerName }} -t 45;"] + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace +{{ end -}} + +{{- define "smoke.test" }} +{{/* Define smoke test template */}} +{{- $dot := default . .dot -}} +{{- $configurationName := default .onapTestName .configurationName }} +{{- $executor := default $dot.Values.tests.smokeTests.executor.pythonsdk.type .executor }} +{{- $testEnv := default $dot.Values.tests.testEnvName .testEnvName }} +{{- $schedule := default "" .schedule }} +{{/* - if hasKey $dot.Values.tests.configuration $executor */}} +{{- $executorRepoConfig := get $dot.Values.tests.configuration $executor }} +{{- $uri := default "" $executorRepoConfig.uri }} +{{- $branch := default "master" $executorRepoConfig.branch }} +{{- $path := default "/" $executorRepoConfig.path }} +{{/* - else */}} +{{/* - fail "Executor has to have git configuration set in .Values.tests.configuration" -*/}} +{{/*- end */}} +apiVersion: tests.testkube.io/v3 +kind: Test +metadata: + name: {{ .testName }} +spec: + type: {{ $executor }} + executionRequest: + args: + - $(TESTNAME) + envs: + NAMESPACE: "{{ $dot.Values.namespace }}" + TESTNAME: {{ .onapTestName }} + PYTHONPATH: $PYTHONPATH:/data/repo{{ $path }}/basic_configuration_settings + ONAP_PYTHON_SDK_SETTINGS: "{{ $configurationName }}.{{ $configurationName }}_configuration" + TEST_ENV_NAME: "{{ $testEnv }}" + {{- if $dot.Values.tests.slackNotifications.enabled }} + SLACK_TOKEN: "{{ $dot.Values.tests.slackNotifications.slackConfig.token }}" + SLACK_URL: {{ $dot.Values.tests.slackNotifications.slackConfig.baseUrl }} + SLACK_CHANNEL: 
"{{ $dot.Values.tests.slackNotifications.slackConfig.channel }}" + {{- end }} + {{- if $dot.Values.global.serviceMesh.enabled }} + {{- range $key, $val := $dot.Values.serviceMesh.envVariable }} + {{ $key }}: {{ $val | quote }} + {{- end }} + {{- end }} + artifactRequest: + storageClassName: {{ $dot.Values.tests.smokeTests.artifacts.storageClassName }} + volumeMountPath: /tmp + activeDeadlineSeconds: {{ $dot.Values.tests.smokeTests.execution.activeDeadlineSeconds }} + {{- include "job.template" $dot | indent 4 }} + {{- if $dot.Values.global.serviceMesh.enabled }} + {{- include "scraper.template" $dot | indent 4 }} + {{- end }} + content: + type: git-file + repository: + type: git + uri: {{ $uri }} + branch: {{ $branch }} + path: {{ $path }} + tokenSecret: + key: git-token + name: {{ $executorRepoConfig.secretName | default "tnap-testkube-git-creds" }} + usernameSecret: + key: git-username + name: {{ $executorRepoConfig.secretName | default "tnap-testkube-git-creds" }} + {{- if $schedule }} + schedule: "{{ $schedule }}" + {{- end }} +{{ end -}} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-aai-initial-data-setup.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-aai-initial-data-setup.yaml new file mode 100644 index 0000000000..d6ff397955 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-aai-initial-data-setup.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.aaiInitialDataSetup.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.aaiInitialDataSetup.testName "onapTestName" "aai_initial_data_setup" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-add-delete-cnf-macro.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-add-delete-cnf-macro.yaml new file mode 100644 index 0000000000..52c541910d --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-add-delete-cnf-macro.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.addDeleteCnfMacro.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.addDeleteCnfMacro.testName "onapTestName" "add_delete_cnf_macro" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-add-delete-pnf-in-running-service.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-add-delete-pnf-in-running-service.yaml new file mode 100644 index 0000000000..82f0035be9 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-add-delete-pnf-in-running-service.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.addDeletePnfInRunningService.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.addDeletePnfInRunningService.testName "onapTestName" "add_pnf_in_running_service" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-cds-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-cds-test.yaml new file mode 100644 index 0000000000..0027e65299 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-cds-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.basicCds.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicCds.testName "onapTestName" "basic_cds" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-cnf-macro.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-cnf-macro.yaml new file mode 100644 index 0000000000..9c935857a4 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-cnf-macro.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.basicCnfMacro.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicCnfMacro.testName "onapTestName" "basic_cnf_macro" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-cps-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-cps-test.yaml new file mode 100644 index 0000000000..58e665af01 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-cps-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.basicCps.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicCps.testName "onapTestName" "basic_cps" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-executor.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-executor.yaml new file mode 100644 index 0000000000..62a89cd733 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-executor.yaml 
@@ -0,0 +1,37 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: executor.testkube.io/v1 +kind: Executor +metadata: + name: {{ .Values.tests.smokeTests.executor.pythonsdk.name }} +spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 4 }} + {{- end }} + image: {{ .Values.tests.smokeTests.executor.pythonsdk.image }} + command: + - /bin/sh + - -c + - run_tests -t ${TESTNAME} + executor_type: container + types: + - {{ .Values.tests.smokeTests.executor.pythonsdk.type }} + features: + - artifacts diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-kafka-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-kafka-test.yaml new file mode 100644 index 0000000000..3d3439177e --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-kafka-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.basicKafka.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicKafka.testName "onapTestName" "basic_kafka" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-network-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-network-test.yaml new file mode 100644 index 0000000000..8c8b48495a --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-network-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.basicNetwork.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicNetwork.testName "onapTestName" "basic_network" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-onboard-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-onboard-test.yaml new file mode 100644 index 0000000000..4c201c81c9 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-onboard-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.basicOnboard.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicOnboard.testName "onapTestName" "basic_onboard" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-prh-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-prh-test.yaml new file mode 100644 index 0000000000..8d506c9ea5 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-prh-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.basicPrh.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicPrh.testName "onapTestName" "basic_prh" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-sdnc-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-sdnc-test.yaml new file mode 100644 index 0000000000..1d74ce6e12 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-sdnc-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.basicSdnc.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicSdnc.testName "onapTestName" "basic_sdnc" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-status-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-status-test.yaml new file mode 100644 index 0000000000..7d9bc5e999 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-basic-status-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.basicStatus.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.basicStatus.testName "onapTestName" "status" "configurationName" "basic_status" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-check-time-sync.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-check-time-sync.yaml new file mode 100644 index 0000000000..08a38f909b --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-check-time-sync.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.checkTimeSync.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.checkTimeSync.testName "onapTestName" "check_time_sync" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-full-status-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-full-status-test.yaml new file mode 100644 index 0000000000..a4fa8c161d --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-full-status-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.fullStatus.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.fullStatus.testName "onapTestName" "status" "configurationName" "full_status" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-pnf-macro-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-pnf-macro-test.yaml new file mode 100644 index 0000000000..d5b8386da5 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-pnf-macro-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.pnfMacro.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.pnfMacro.testName "onapTestName" "pnf_macro" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-pnf-with-ves-event.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-pnf-with-ves-event.yaml new file mode 100644 index 0000000000..5775cbea0b --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-pnf-with-ves-event.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.pnfWithVesEvent.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.pnfWithVesEvent.testName "onapTestName" "pnf_with_ves_event" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-pnf-without-ves-event.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-pnf-without-ves-event.yaml new file mode 100644 index 0000000000..3cc89eb956 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-pnf-without-ves-event.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.pnfWithoutVesEvent.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.pnfWithoutVesEvent.testName "onapTestName" "instantiate_pnf_without_registration_event" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-policy-framework.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-policy-framework.yaml new file mode 100644 index 0000000000..76d35831c3 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-policy-framework.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.policyFramework.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.policyFramework.testName "onapTestName" "basic_policy" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-service-without-res.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-service-without-res.yaml new file mode 100644 index 0000000000..02e630235e --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-service-without-res.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.serviceWithoutResource.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.serviceWithoutResource.testName "onapTestName" "instantiate_service_without_resource" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-ves-test.yaml b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-ves-test.yaml new file mode 100644 index 0000000000..6c7f9c27e9 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/pythonsdk-tests/pythonsdk-tests-ves-test.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +{{- if .Values.tests.tests.vesPublish.enabled }} +{{ include "smoke.test" (dict "testName" .Values.tests.tests.vesPublish.testName "onapTestName" "ves_publish" "dot" .) }} +{{- end }} diff --git a/argo/onap-test/testkube/helm/templates/robot-tests/healthcheck.yaml b/argo/onap-test/testkube/helm/templates/robot-tests/healthcheck.yaml new file mode 100644 index 0000000000..328dbd0061 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/robot-tests/healthcheck.yaml 
@@ -0,0 +1,70 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +#--- +# apiVersion: testworkflows.testkube.io/v1 +# kind: TestWorkflow +# metadata: +# name: integration-onap +# namespace: onap +# spec: +# content: +# container: +# image: nexus3.onap.org:10001/onap/xtesting-healthcheck:latest +# imagePullPolicy: Always +# env: +# - name: INSTALLER_TYPE +# value: "{{ .Values.config.deployment_name }}" +# - name: DEPLOY_SCENARIO +# value: "{{ .Values.config.deploy_scenario }}" +# - name: NODE_NAME +# value: "{{ .Values.config.node_name }}" +# - name: TEST_DB_URL +# value: http://testresults.opnfv.org/onap/api/v1/results +# - name: BUILD_TAG +# value: "{{ .Values.config.build_tag }}" +# - name: TAG +# value: "{{ .Values.config.run_type }}" +# volumeMounts: +# - mountPath: /etc/localtime +# name: localtime +# - mountPath: /share/config +# name: robot-eteshare +# - mountPath: /var/lib/xtesting/results/ +# name: robot-save-results + +# volumes: +# - name: localtime +# hostPath: +# path: /etc/localtime +# - name: robot-eteshare +# configMap: +# name: onap-robot-eteshare-configmap +# - name: robot-save-results +# hostPath: +# path: "{{ 
.Values.config.res_local_path }}" + +# steps: +# - name: run-robot-tests +# shell: | +# robot --outputdir /var/lib/xtesting/results/ /path/to/your/tests/ + +# artifacts: +# paths: +# - /var/lib/xtesting/results/* +# storageClassName: standard +# volumeSize: 1Gi diff --git a/argo/onap-test/testkube/helm/templates/scraper-template.tpl b/argo/onap-test/testkube/helm/templates/scraper-template.tpl new file mode 100644 index 0000000000..bef7b2d6e4 --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/scraper-template.tpl @@ -0,0 +1,25 @@ +{{- define "scraper.template" }} +{{/* Define scraper.template */}} +scraperTemplate: | + apiVersion: batch/v1 + kind: Job + metadata: + annotations: + argocd.argoproj.io/compare-options: IgnoreExtraneous + argocd.argoproj.io/sync-options: Prune=false + spec: + template: + spec: + serviceAccountName: {{ .Release.Name }}-tests-service-account + containers: + - name: {{ printf "\"{{ .Name }}-scraper\"" }} + {{ printf "{{- if .Registry }}" }} + image: {{ printf "{{ .Registry }}/{{ .ScraperImage }}" }} + {{ printf "{{- else }}" }} + image: {{ printf "{{ .ScraperImage }}" }} + {{ printf "{{- end }}" }} + imagePullPolicy: Always + command: + - "/bin/runner" + - {{ printf "'{{ .Jsn }}'" }} +{{ end -}} diff --git a/argo/onap-test/testkube/helm/templates/service-account.yaml b/argo/onap-test/testkube/helm/templates/service-account.yaml new file mode 100644 index 0000000000..36a2869a6c --- /dev/null +++ b/argo/onap-test/testkube/helm/templates/service-account.yaml 
@@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-tests-service-account diff --git a/argo/onap-test/testkube/helm/values.yaml b/argo/onap-test/testkube/helm/values.yaml new file mode 100644 index 0000000000..af8c2573bf --- /dev/null +++ b/argo/onap-test/testkube/helm/values.yaml 
@@ -0,0 +1,427 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +# Default values for tnapTestkube. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. 
+ +global: + ingress: + enabled: false + post_addr: &postrAddr "" + dns_zone: &dnsZone "" + serviceMesh: + enabled: false + renderPullSecrets: True + defaultStorageClass: + storageClass: +ingress: + host: to-be-changed + +namespace: onap + +serviceMesh: + envVariable: + SERVICE_MESH_ENABLED: True + sidecarKiller: + image: /onap/oom/readiness:4.2.0 + +imagePullSecrets: + - name: onap-docker-registry-key + +tests: + testEnvName: "" + configuration: + pythonsdk-tests/smoke-test: + uri: + path: /argo/onap-test/testkube/pythonsdk-tests + branch: main + secretName: testkube-git-creds + gradle: + uri: https://git.onap.org/integration/java-tests + branch: main + image: /kubeshop/testkube-gradle-executor:1.16.39 + tests: + aai: + aaiTraversalTest: + enabled: true + testName: TraversalTest + env: + AAI_BASEURL: http://aai.onap/aai/v30 + aaiCrudTest: + enabled: true + testName: AAICrudTest + env: + AAI_BASEURL: http://aai.onap/aai/v30 + kafkaTest: + enabled: false + testName: KafkaTest + branch: kafka + env: + AAI_BASEURL: http://aai.onap/aai/v30 + cypress: + uri: https://git.onap.org/integration/cypress-tests + branch: main + image: /kubeshop/testkube-cypress-executor:1.16.39 + tests: + portalng: + someTest: + enabled: true + testName: foo + env: + CYPRESS_KEYCLOAK_URL: https://keycloak-ui. + CYPRESS_PORTAL_NG_URL: https://portal-ng-ui. 
+ CYPRESS_PORTAL_NG_USERNAME: onap-admin + CYPRESS_PORTAL_NG_PASSWORD: password + + tests: + basicCds: + enabled: true + testName: basic-cds + basicCnfMacro: + enabled: true + testName: basic-cnf-macro + basicCps: + enabled: true + testName: basic-cps + basicOnboard: + enabled: true + testName: basic-onboard + basicNetwork: + enabled: false + testName: basic-network + basicSdnc: + enabled: true + testName: basic-sdnc + basicStatus: + enabled: true + testName: basic-status + fullStatus: + enabled: true + testName: full-status + resultSummary: + enabled: true + testName: result-summary + vesPublish: + enabled: true + testName: ves-publish + pnfMacro: + enabled: true + testName: pnf-macro + controlPanelSmokeTest: + enabled: false + testName: control-panel-ui-smoke-test + aaiInitialDataSetup: + enabled: true + testName: aai-initial-data-setup + serviceWithoutResource: + enabled: true + testName: service-without-resource + pnfWithoutVesEvent: + enabled: true + testName: pnf-without-ves-event + pnfWithVesEvent: + enabled: true + testName: pnf-with-ves-event + addDeletePnfInRunningService: + enabled: true + testName: add-delete-pnf-in-running-service + basicPrh: + enabled: true + testName: basic-prh + checkTimeSync: + enabled: true + testName: check-time-sync + basicKafka: + enabled: true + testName: basic-kafka + addDeleteCnfMacro: + enabled: true + testName: add-delete-cnf-macro + policyFramework: + enabled: true + testName: policy-framework + smokeTests: + artifacts: + storageClassName: + execution: + activeDeadlineSeconds: 1800 + executor: + pythonsdk: + name: pythonsdk-tests-basic-executor + type: pythonsdk-tests/smoke-test + image: /onap/xtesting-smoke-usecases-pythonsdk:master + controlPanelSdk: + name: control-panel-basic-executor + type: controlpanel-sdk/smoke-test + imageVersion: 3.1 + testsuite: + name: onap-testsuite + cron: 0 6 * * * + # Testsuite job is going to be killed after 6 hours + # if it doesn't end by itself. 
That prevents an issue + # with blocked cronjobs executions + testsuiteJobActiveDeadlineSeconds: 21600 + slackNotifications: + enabled: false + slackConfig: + baseUrl: https://slack.com + token: example + channel: test + +testkube: + testkube-dashboard: + apiServerEndpoint: "https://testkube-api." + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: false + runAsGroup: 65533 + runAsNonRoot: true + runAsUser: 100 + seccompProfile: + type: RuntimeDefault + podSecurityContext: + fsGroup: 65533 + runAsGroup: 65533 + runAsNonRoot: true + runAsUser: 100 + seccompProfile: + type: RuntimeDefault + analyticsEnabled: false + preUpgradeHook: + enabled: false + serviceAccount: + create: false + preUpgradeHookNATS: + labels: + sidecar.istio.io/inject: "false" + testkube-api: + image: + registry: + analyticsEnabled: false + minio: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsGroup: 65533 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + podSecurityContext: + runAsGroup: 65533 + runAsNonRoot: true + runAsUser: 100 + seccompProfile: + type: RuntimeDefault + storageClassName: + image: + registry: + nats: + uri: nats://testkube-nats + storage: "30Gi" + storage: + expriation: + "7" + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsGroup: 65533 + runAsNonRoot: true + runAsUser: 100 + seccompProfile: + type: RuntimeDefault + podSecurityContext: + runAsGroup: 65533 + runAsNonRoot: true + runAsUser: 100 + seccompProfile: + type: RuntimeDefault + testkube-operator: + webhook: + patch: + enabled: true + labels: + sidecar.istio.io/inject: "false" + image: + registry: + migrate: + image: + registry: + preUpgrade: + image: + registry: + labels: + sidecar.istio.io/inject: "false" + proxy: + image: + registry: + 
resources: + limits: + cpu: 400m + memory: 500Mi + requests: + cpu: 10m + memory: 150Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + podSecurityContext: + runAsGroup: 65533 + runAsNonRoot: true + runAsUser: 100 + seccompProfile: + type: RuntimeDefault + mongodb: + storageClass: + image: + registry: + readinessProbe: + timeoutSeconds: 50 + livenessProbe: + timeoutSeconds: 50 + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: false + seccompProfile: + type: RuntimeDefault + podSecurityContext: + fsGroup: 1001 + seccompProfile: + type: RuntimeDefault + nats: + config: + jetstream: + fileStore: + pvc: + storageClassName: + resolver: + pvc: + storageClassName: + container: + image: + registry: + podTemplate: + merge: + spec: + securityContext: + seccompProfile: + type: RuntimeDefault + natsBox: + container: + image: + registry: + merge: + resources: + limits: + cpu: 400m + memory: 500Mi + requests: + cpu: 10m + memory: 150Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - FSETID + - KILL + - MKNOD + - NET_BIND_SERVICE + - SETFCAP + - SETGID + - SETPCAP + - SETUID + - SYS_CHROOT + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: false + runAsGroup: 65533 + runAsNonRoot: false + runAsUser: 0 + podTemplate: + merge: + spec: + securityContext: + runAsGroup: 65533 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + reloader: + image: + registry: + merge: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: false + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + container: + merge: + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + 
privileged: false + readOnlyRootFilesystem: false + runAsGroup: 0 + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + +# this is here only temporarily +config: + run_type: "core" + deployment_name: "oom" + deploy_scenario: "onap-nofeature-noha" + node_name: foo + build_tag: bar + res_local_path: "/var/lib/xtesting/results" diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns_attrib.dat b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/__init__.py similarity index 100% rename from kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns_attrib.dat rename to argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/__init__.py diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/aai_initial_data_setup/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/aai_initial_data_setup/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/aai_initial_data_setup/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/aai_initial_data_setup/aai_initial_data_setup_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/aai_initial_data_setup/aai_initial_data_setup_configuration.py new file mode 100644 index 0000000000..b23c7e3022 --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/aai_initial_data_setup/aai_initial_data_setup_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.aai_initial_data_setup_settings import * +from global_tests_settings import * diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_delete_cnf_macro/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_delete_cnf_macro/__init__.py new file mode 100644 index 0000000000..d3f5a12faa 
--- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_delete_cnf_macro/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_delete_cnf_macro/add_delete_cnf_macro_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_delete_cnf_macro/add_delete_cnf_macro_configuration.py new file mode 100644 index 0000000000..a2baa455ff --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_delete_cnf_macro/add_delete_cnf_macro_configuration.py @@ -0,0 +1,4 @@ +from onaptests.configuration.add_delete_cnf_macro_settings import * +from global_tests_settings import * + +SERVICE_INSTANCE_NAME = f"add_delete_cnf_macro_{str(uuid4())}" diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_pnf_in_running_service/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_pnf_in_running_service/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_pnf_in_running_service/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_pnf_in_running_service/add_pnf_in_running_service_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_pnf_in_running_service/add_pnf_in_running_service_configuration.py new file mode 100644 index 0000000000..5e5efac64a --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/add_pnf_in_running_service/add_pnf_in_running_service_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.instantiate_pnf_without_registration_event_settings import * +from global_tests_settings import * 
diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cds/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cds/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cds/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cds/basic_cds_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cds/basic_cds_configuration.py new file mode 100644 index 0000000000..e5dd80208b --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cds/basic_cds_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.cds_resource_resolution_settings import * +from global_tests_settings import * diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cnf_macro/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cnf_macro/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cnf_macro/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cnf_macro/basic_cnf_macro_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cnf_macro/basic_cnf_macro_configuration.py new file mode 100644 index 0000000000..ab895a167d --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cnf_macro/basic_cnf_macro_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.basic_cnf_macro_settings import * +from global_tests_settings import * 
diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cps/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cps/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cps/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cps/basic_cps_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cps/basic_cps_configuration.py new file mode 100644 index 0000000000..3802c94081 --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_cps/basic_cps_configuration.py @@ -0,0 +1,6 @@ +from onaptests.configuration.basic_cps_settings import * +from global_tests_settings import * + +CHECK_POSTGRESQL = True + +DB_PRIMARY_HOST = "tcp-pgset-primary" diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_kafka/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_kafka/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_kafka/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_kafka/basic_kafka_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_kafka/basic_kafka_configuration.py new file mode 100644 index 0000000000..085cbc668d --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_kafka/basic_kafka_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.basic_kafka_settings import * +from global_tests_settings import * 
diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_network/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_network/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_network/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_network/basic_network_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_network/basic_network_configuration.py new file mode 100644 index 0000000000..8ef891097a --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_network/basic_network_configuration.py @@ -0,0 +1,4 @@ +from onaptests.configuration.basic_network_nomulticloud_settings import * +from global_tests_settings import * + +SDC_CLEANUP = True diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_onboard/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_onboard/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_onboard/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_onboard/basic_onboard_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_onboard/basic_onboard_configuration.py new file mode 100644 index 0000000000..28fc1a01b7 --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_onboard/basic_onboard_configuration.py @@ -0,0 +1,4 @@ +from onaptests.configuration.basic_onboard_settings import * +from global_tests_settings import * + +SDC_CLEANUP = True 
diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_policy/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_policy/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_policy/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_policy/basic_policy_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_policy/basic_policy_configuration.py new file mode 100644 index 0000000000..6196ede989 --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_policy/basic_policy_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.basic_policy_settings import * +from global_tests_settings import * diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_prh/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_prh/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_prh/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_prh/basic_prh_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_prh/basic_prh_configuration.py new file mode 100644 index 0000000000..2ee04adbdd --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_prh/basic_prh_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.basic_prh_settings import * +from global_tests_settings import * 
diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_sdnc/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_sdnc/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_sdnc/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_sdnc/basic_sdnc_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_sdnc/basic_sdnc_configuration.py new file mode 100644 index 0000000000..67760550fa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_sdnc/basic_sdnc_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.basic_sdnc_settings import * +from global_tests_settings import * diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_status/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_status/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_status/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_status/basic_status_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_status/basic_status_configuration.py new file mode 100644 index 0000000000..874e08960b --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/basic_status/basic_status_configuration.py 
@@ -0,0 +1,13 @@ +from onaptests.configuration.status_settings import * +from global_tests_settings import * + +STORE_ARTIFACTS = False +CHECK_POD_VERSIONS = False +IGNORE_EMPTY_REPLICAS = True + +WAIVER_LIST = ['integration', 'jaeger', 'performance-test', 'medusa-purge', 'wiremock', 'sample-rapp', '-scraper', 'soak', 'repo1-full'] + +EXCLUDE_NAMESPACE_LIST = ['nonrtric-rapp', 'kyverno', 'cluster-observability'] + +CHECK_ALL_NAMESPACES = True +LOG_CONFIG["handlers"]["file"]["level"] = "INFO" diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/check_time_sync/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/check_time_sync/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/check_time_sync/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/check_time_sync/check_time_sync_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/check_time_sync/check_time_sync_configuration.py new file mode 100644 index 0000000000..52e504d4d7 --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/check_time_sync/check_time_sync_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.check_time_sync_settings import * +from global_tests_settings import * diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/connectivity.json b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/connectivity.json new file mode 100644 index 0000000000..d3fa0019f2 --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/connectivity.json @@ -0,0 +1,6 @@ +{ +"cloud-region":"k8sregion-cnf-macro", +"cloud-owner":"basiccnf-cloud-owner", +"other-connectivity-list": + {"connectivity-records":[]} +} 
diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/full_status/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/full_status/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/full_status/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/full_status/full_status_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/full_status/full_status_configuration.py new file mode 100644 index 0000000000..c65a67437f --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/full_status/full_status_configuration.py @@ -0,0 +1,4 @@ +from onaptests.configuration.status_settings import * +from global_tests_settings import * + +IGNORE_EMPTY_REPLICAS = True diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/global_tests_settings.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/global_tests_settings.py new file mode 100644 index 0000000000..71cd64ad15 --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/global_tests_settings.py 
@@ -0,0 +1,41 @@ +from os import getenv + +K8S_TESTS_NAMESPACE = getenv("NAMESPACE", "onap") + +CDS_URL = f"http://cds-blueprints-processor-http.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080" +SDC_BE_URL = f"http://sdc-be.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080" +SDC_FE_URL = f"http://sdc-fe.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8181" +SO_URL = f"http://so.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080" +K8SPLUGIN_URL = f"http://multicloud-k8s.{K8S_TESTS_NAMESPACE}.svc.cluster.local:9015" +AAI_URL = f"http://aai.{K8S_TESTS_NAMESPACE}.svc.cluster.local:80" +CPS_URL = f"http://cps-core.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080" +SDNC_URL = f"http://sdnc.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8282" +TESTKUBE_URL = f"http://testkube-api-server.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8088" +VES_URL = f"http://dcae-ves-collector.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080" +NBI_URL = f"http://nbi.{K8S_TESTS_NAMESPACE}.svc.cluster.local:8080" +POLICY_API_URL = f"http://policy-api.{K8S_TESTS_NAMESPACE}.svc.cluster.local:6969" +POLICY_PAP_URL = f"http://policy-pap.{K8S_TESTS_NAMESPACE}.svc.cluster.local:6969" +POLICY_PDP_URL = f"http://policy-xacml-pdp.{K8S_TESTS_NAMESPACE}.svc.cluster.local:6969" + +IN_CLUSTER = True +SERVICE_DISTRIBUTION_NUMBER_OF_TRIES = 15 +EXPOSE_SERVICES_NODE_PORTS = False +CPS_AUTH = ("cpsuser", "tj61KoH9") +SDC_CLEANUP = False +#SDNC_DB_PRIMARY_HOST = f"sdnc-db.{K8S_TESTS_NAMESPACE}.svc.cluster.local" +SDNC_DB_PRIMARY_HOST = f"mariadb-galera.{K8S_TESTS_NAMESPACE}.svc.cluster.local" + +AAI_API_VERSION = "v29" + +SDC_SERVICE_DISTRIBUTION_COMPONENTS = [ + "SO-sdc-controller", + "aai-model-loader", + "sdnc-sdc-listener", + "multicloud-k8s" +] + +SDC_SERVICE_DISTRIBUTION_DESIRED_STATE = { + "SO-sdc-controller": "DOWNLOAD_OK", + "aai-model-loader": "DOWNLOAD_OK", + "sdnc-sdc-listener": "DOWNLOAD_OK", +} 
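Review bot: `CPS_AUTH = ("cpsuser", "tj61KoH9")` in global_tests_settings.py commits a username and password in clear text. Read both from the environment, as `K8S_TESTS_NAMESPACE` already does with `getenv`, or from a mounted Kubernetes secret, and rotate the value since it is now in the history. Two smaller points in the same hunk: the commented-out `#SDNC_DB_PRIMARY_HOST` line should be dropped rather than kept beside its replacement, and `SDC_SERVICE_DISTRIBUTION_COMPONENTS` lists `multicloud-k8s` while `SDC_SERVICE_DISTRIBUTION_DESIRED_STATE` has no entry for it, so a comment saying whether that omission is intentional would help.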
diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/instantiate_pnf_without_registration_event/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/instantiate_pnf_without_registration_event/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/instantiate_pnf_without_registration_event/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/instantiate_service_without_resource/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/instantiate_service_without_resource/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/instantiate_service_without_resource/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/instantiate_service_without_resource/instantiate_service_without_resource_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/instantiate_service_without_resource/instantiate_service_without_resource_configuration.py new file mode 100644 index 0000000000..13e348694a --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/instantiate_service_without_resource/instantiate_service_without_resource_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.instantiate_service_without_resource_settings import * +from global_tests_settings import * diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_macro/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_macro/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_macro/__init__.py 
@@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_macro/pnf_macro_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_macro/pnf_macro_configuration.py new file mode 100644 index 0000000000..c67553d2a2 --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_macro/pnf_macro_configuration.py @@ -0,0 +1,6 @@ +from onaptests.configuration.pnf_macro_settings import * +from global_tests_settings import * + +USE_SIMULATOR = True +PNF_SIMULATOR_URL = "pnf-macro-test-simulator.onap-tests" +PNF_SIMULATOR_PORT = "5000" diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_with_ves_event/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_with_ves_event/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_with_ves_event/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_with_ves_event/pnf_with_ves_event_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_with_ves_event/pnf_with_ves_event_configuration.py new file mode 100644 index 0000000000..e0e3fe93ec --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/pnf_with_ves_event/pnf_with_ves_event_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.pnf_with_ves_event_settings import * +from global_tests_settings import * diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/test-config.yaml b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/test-config.yaml new file mode 100644 index 0000000000..4b9354dd00 --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/test-config.yaml 
@@ -0,0 +1,36 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: v1 +kind: Config +current-context: default +contexts: +- name: default + context: + cluster: cluster + user: cluster-admin + namespace: default +clusters: +- name: cluster + cluster: + insecure-skip-tls-verify: true + server: https://kubernetes.default.svc.cluster.local +users: +- name: cluster-admin + user: + token: 
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFwR0gwMGl4Q2hpRkU1OHAwSHQydDBMMjZkWk9nLVBmQ1Nfb2NWYjVXVFUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJvbmFwIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tejJzcXQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImJjZGVjZTNmLTY2OTQtNDk2Yi05ZjVkLWNmMDA2OTY1NWQ5ZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpvbmFwOmRlZmF1bHQifQ.DCDab0Ccsj4kTynjKGRNGJrvkB-ZwBKWrJS72596S8ytLx-Ixe-lBxn_zAY3RCuamXASG93MaJQBbv1c_3KK5qf_zgqYoj21xI1A-WeBc_d0uoGtDq6LpgjJ-kmmZ8RE1p6kYIRp5xx-m9rE7jWcMBpxkTKeuZghX4zWwXXKpYzJ9JRW9dZqfRGyEzd32Rx8PlVU9B1G2-I4FInRsNjjD1h-ChR0Ur8mXj0WVJsM8EankmvI7hyDEnbj_DUnw09MhJLGxWyo-HBvj67grQGLpCnQpPZ3_fvWDCnqrv13EXLI_yBRt4rODIe-jFyeTKXV4Krvv8sR01UY1aSoWWh5ZQ diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/ves_publish/__init__.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/ves_publish/__init__.py new file mode 100644 index 0000000000..d3f5a12faa --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/ves_publish/__init__.py @@ -0,0 +1 @@ + diff --git a/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/ves_publish/ves_publish_configuration.py b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/ves_publish/ves_publish_configuration.py new file mode 100644 index 0000000000..9d810f93a8 --- /dev/null +++ b/argo/onap-test/testkube/pythonsdk-tests/basic_configuration_settings/ves_publish/ves_publish_configuration.py @@ -0,0 +1,2 @@ +from onaptests.configuration.ves_publish_settings import * +from global_tests_settings import * diff --git a/argo/onap-test/trivy-operator.yaml b/argo/onap-test/trivy-operator.yaml new file mode 100644 index 0000000000..d36a332368 --- /dev/null +++ b/argo/onap-test/trivy-operator.yaml 
@@ -0,0 +1,52 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: trivy-operator + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: https://aquasecurity.github.io/helm-charts + chart: trivy-operator + targetRevision: 0.27.0 + helm: + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap-test/values/trivy-operator.yaml + destination: + server: https://kubernetes.default.svc + namespace: trivy-system + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: disabled + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap-test/values/kafka-ui.yaml b/argo/onap-test/values/kafka-ui.yaml new file mode 100644 index 0000000000..c64876c639 --- /dev/null +++ b/argo/onap-test/values/kafka-ui.yaml 
@@ -0,0 +1,35 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +existingSecret: "strimzi-kafka-admin" + +yamlApplicationConfig: + kafka: + clusters: + - name: yaml + bootstrapServers: onap-strimzi-kafka-bootstrap:9092 + properties: + security.protocol: SASL_PLAINTEXT + sasl.mechanism: SCRAM-SHA-512 + sasl.jaas.config: "${sasl.jaas.config}" + auth: + type: disabled + management: + health: + ldap: + enabled: false diff --git a/argo/onap-test/values/onap-test-ingress.yaml b/argo/onap-test/values/onap-test-ingress.yaml new file mode 100644 index 0000000000..ed43abd81e --- /dev/null +++ b/argo/onap-test/values/onap-test-ingress.yaml 
@@ -0,0 +1,20 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +post_addr: "" +dns_zone: "" diff --git a/argo/onap-test/values/testkube.yaml b/argo/onap-test/values/testkube.yaml new file mode 100644 index 0000000000..ce85d2e7a2 --- /dev/null +++ b/argo/onap-test/values/testkube.yaml 
@@ -0,0 +1,98 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +global: + imageRegistry: + imagePullSecrets: + - artifactory-docker-secret + defaultStorageClass: + storageClass: + serviceMesh: + enabled: true + ingress: + post_addr: "" + dns_zone: "" + +serviceMesh: + envVariable: + SERVICE_MESH_ENABLED: true + +imagePullSecrets: + - name: artifactory-docker-secret + +tests: + testEnvName: "" + smokeTests: + artifacts: + storageClassName: + testsuite: + name: onap-testsuite + cron: 0 6 * * * + # Testsuite job is going to be killed after 6 hours + # if it doesn't end by itself. That prevents an issue + # with blocked cronjobs executions + testsuiteJobActiveDeadlineSeconds: 21600 + # Tests listed below will be included into testsuite + # Important: test here is no a test name but a key from `tests.tests` value dictionary + # We are going to range through list below, get object from `tests.tests` dictionary, + # verify if it's enabled and then add it into testsuite. So user at the end has to + # remember only on one place to enable/disable test. 
But thanks to that we are able + # to modify order, presence of tests on testsuite but also to include some tests + # which are not a part of given helm package (so for example if that helm is a dependency + # of other package) + tests: + - basicCps + - basicOnboard + - basicNetwork + - basicCds + - basicSdnc + - basicCnfMacro + - controlPanelSmokeTest + - aaiInitialDataSetup + - serviceWithoutResource + - addDeletePnfInRunningService + - pnfWithVesEvent + - pnfWithoutVesEvent + - pnfMacro + - basicPrh + - checkTimeSync + - basicStatus + - basicKafka + - addDeleteCnfMacro + - policyFramework + - vesPublish + +testkube: + testkube-dashboard: + apiServerEndpoint: "https://testkube-api." + testkube-api: + minio: + storageClassName: + image: + registry: + mongodb: + storageClass: + nats: + config: + jetstream: + fileStore: + pvc: + storageClassName: + resolver: + pvc: + storageClassName: diff --git a/argo/onap-test/values/trivy-operator.yaml b/argo/onap-test/values/trivy-operator.yaml new file mode 100644 index 0000000000..f92f8709ff --- /dev/null +++ b/argo/onap-test/values/trivy-operator.yaml 
@@ -0,0 +1,71 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +# -- targetNamespace defines where you want trivy-operator to operate. By +# default, it's a blank string to select all namespaces, but you can specify +# another namespace, or a comma separated list of namespaces. +#targetNamespaces: "onap" +targetNamespaces: "onap" +operator: + # -- the flag to enable vulnerability scanner + vulnerabilityScannerEnabled: true + # -- the flag to enable sbom generation, required for enabling ClusterVulnerabilityReports + sbomGenerationEnabled: false + # -- the flag to enable cluster sbom cache generation + clusterSbomCacheEnabled: false + # -- scannerReportTTL the flag to set how long a report should exist. "" means that the ScannerReportTTL feature is disabled + scannerReportTTL: "24h" + # -- cacheReportTTL the flag to set how long a cluster sbom report should exist. 
"" means that the cacheReportTTL feature is disabled + cacheReportTTL: "120h" + # -- configAuditScannerEnabled the flag to enable configuration audit scanner + configAuditScannerEnabled: false + # -- rbacAssessmentScannerEnabled the flag to enable rbac assessment scanner + rbacAssessmentScannerEnabled: false + # -- infraAssessmentScannerEnabled the flag to enable infra assessment scanner + infraAssessmentScannerEnabled: true + # -- clusterComplianceEnabled the flag to enable cluster compliance scanner + clusterComplianceEnabled: true + # -- batchDeleteLimit the maximum number of config audit reports deleted by the operator when the plugin's config has changed. + batchDeleteLimit: 10 + # -- vulnerabilityScannerScanOnlyCurrentRevisions the flag to only create vulnerability scans on the current revision of a deployment. + vulnerabilityScannerScanOnlyCurrentRevisions: true + # -- configAuditScannerScanOnlyCurrentRevisions the flag to only create config audit scans on the current revision of a deployment. + configAuditScannerScanOnlyCurrentRevisions: true + # -- batchDeleteDelay the duration to wait before deleting another batch of config audit reports. + batchDeleteDelay: 10s + # -- accessGlobalSecretsAndServiceAccount The flag to enable access to global secrets/service accounts to allow `vulnerability scan job` to pull images from private registries + accessGlobalSecretsAndServiceAccount: true + # -- builtInTrivyServer The flag enables the usage of built-in trivy server in cluster. It also overrides the following trivy params with built-in values + # trivy.mode = ClientServer and serverURL = http://.:4975 + builtInTrivyServer: false + # -- builtInServerRegistryInsecure is the flag to enable insecure connection from the built-in Trivy server to the registry. 
+ builtInServerRegistryInsecure: false + +image: + registry: +trivyOperator: + skipResourceByLabels: "test-name" +trivy: + resources: + requests: + cpu: 100m + memory: 100M + # ephemeralStorage: "2Gi" + limits: + cpu: 1 + memory: 2000M diff --git a/argo/onap/a1policymanagement.yaml b/argo/onap/a1policymanagement.yaml new file mode 100644 index 0000000000..327a8b92b2 --- /dev/null +++ b/argo/onap/a1policymanagement.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-a1policymanagement + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: a1policymanagement + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/a1policymanagement.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/aai.yaml b/argo/onap/aai.yaml new file mode 100644 index 0000000000..913df22206 --- /dev/null +++ b/argo/onap/aai.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-aai + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: aai + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/aai.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/app-onap.yaml b/argo/onap/app-onap.yaml new file mode 100644 index 0000000000..5f4a882ae7 --- /dev/null +++ b/argo/onap/app-onap.yaml 
@@ -0,0 +1,34 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + labels: + name: onap +spec: + project: argo-management + source: + repoURL: '' + targetRevision: + path: ./argo/onap + destination: + server: https://kubernetes.default.svc + namespace: onap + syncPolicy: + automated: + prune: false + selfHeal: true + allowEmpty: false + syncOptions: + - Validate=true + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + revisionHistoryLimit: 10 diff --git a/argo/onap/authentication.yaml b/argo/onap/authentication.yaml new file mode 100644 index 0000000000..96ee57b0f1 --- /dev/null +++ b/argo/onap/authentication.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-authentication + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: authentication + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/authentication.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/cds.yaml b/argo/onap/cds.yaml new file mode 100644 index 0000000000..04698bd2cd --- /dev/null +++ b/argo/onap/cds.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-cds + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: cds + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/cds.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/common/cassandra.yaml b/argo/onap/common/cassandra.yaml new file mode 100644 index 0000000000..93860ac37f --- /dev/null +++ b/argo/onap/common/cassandra.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-cassandra + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: cassandra + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/cassandra.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/common/mariadb-galera.yaml b/argo/onap/common/mariadb-galera.yaml new file mode 100644 index 0000000000..ae34fc95fd --- /dev/null +++ b/argo/onap/common/mariadb-galera.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-mariadb-galera + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: mariadb-galera + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/mariadb-galera.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/common/postgres.yaml b/argo/onap/common/postgres.yaml new file mode 100644 index 0000000000..dd12246105 --- /dev/null +++ b/argo/onap/common/postgres.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-postgres + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: postgres + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/postgres.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/common/repository-wrapper.yaml b/argo/onap/common/repository-wrapper.yaml new file mode 100644 index 0000000000..07712fcf17 --- /dev/null +++ b/argo/onap/common/repository-wrapper.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-repository-wrapper + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: repository-wrapper + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/repository-wrapper.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/common/roles-wrapper.yaml b/argo/onap/common/roles-wrapper.yaml new file mode 100644 index 0000000000..007151d653 --- /dev/null +++ b/argo/onap/common/roles-wrapper.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-roles-wrapper + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: roles-wrapper + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/roles-wrapper.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/cps.yaml b/argo/onap/cps.yaml new file mode 100644 index 0000000000..aa1f46d38c --- /dev/null +++ b/argo/onap/cps.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-cps + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: cps + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/cps.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/dcaegen2-services.yaml b/argo/onap/dcaegen2-services.yaml new file mode 100644 index 0000000000..64e5594dba --- /dev/null +++ b/argo/onap/dcaegen2-services.yaml 
@@ -0,0 +1,52 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-dcaegen2-services + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: dcaegen2-services + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/dcaegen2-services.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/kustomization.yaml b/argo/onap/kustomization.yaml new file mode 100644 index 0000000000..4953d57e3d --- /dev/null +++ b/argo/onap/kustomization.yaml 
@@ -0,0 +1,41 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - a1policymanagement.yaml + - aai.yaml + - authentication.yaml + - cds.yaml + - cps.yaml + - dcaegen2-services.yaml + - multicloud.yaml + - platform.yaml + - policy.yaml + - portal-ng.yaml + - sdc.yaml + - sdnc.yaml + - so.yaml + - uui.yaml + - strimzi.yaml + - common/cassandra.yaml + - common/mariadb-galera.yaml + - common/postgres.yaml + - common/repository-wrapper.yaml + - common/roles-wrapper.yaml diff --git a/argo/onap/multicloud.yaml b/argo/onap/multicloud.yaml new file mode 100644 index 0000000000..8fdd1bf1a5 --- /dev/null +++ b/argo/onap/multicloud.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-multicloud + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: multicloud + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/multicloud.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/platform.yaml b/argo/onap/platform.yaml new file mode 100644 index 0000000000..1aef4f2d82 --- /dev/null +++ b/argo/onap/platform.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-platform + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: platform + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/platform.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/policy.yaml b/argo/onap/policy.yaml new file mode 100644 index 0000000000..5a3f26491f --- /dev/null +++ b/argo/onap/policy.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-policy + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: policy + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/policy.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/portal-ng.yaml b/argo/onap/portal-ng.yaml new file mode 100644 index 0000000000..3cadc5ca3c --- /dev/null +++ b/argo/onap/portal-ng.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-portal-ng + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: portal-ng + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/portal-ng.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/sdc.yaml b/argo/onap/sdc.yaml new file mode 100644 index 0000000000..1f825f65e4 --- /dev/null +++ b/argo/onap/sdc.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-sdc + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: sdc + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/sdc.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/sdnc.yaml b/argo/onap/sdnc.yaml new file mode 100644 index 0000000000..75122a0d5f --- /dev/null +++ b/argo/onap/sdnc.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-sdnc + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: sdnc + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/sdnc.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/so.yaml b/argo/onap/so.yaml new file mode 100644 index 0000000000..a144b8b431 --- /dev/null +++ b/argo/onap/so.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-so + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: so + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/so.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/strimzi.yaml b/argo/onap/strimzi.yaml new file mode 100644 index 0000000000..a56fa32562 --- /dev/null +++ b/argo/onap/strimzi.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-strimzi + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: strimzi + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/strimzi.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/uui.yaml b/argo/onap/uui.yaml new file mode 100644 index 0000000000..db98a9214c --- /dev/null +++ b/argo/onap/uui.yaml 
@@ -0,0 +1,51 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: onap-uui + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: onap + server: https://kubernetes.default.svc + project: default + sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: uui + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/uui.yaml + syncPolicy: + managedNamespaceMetadata: + labels: + istio-injection: enabled + syncOptions: + - CreateNamespace=true + automated: + prune: true + selfHeal: true diff --git a/argo/onap/values/aai.yaml b/argo/onap/values/aai.yaml new file mode 100644 index 0000000000..2b824ea6c7 --- /dev/null +++ b/argo/onap/values/aai.yaml 
@@ -0,0 +1,50 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +aai-traversal: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + podAnnotations: + proxy.istio.io/config: | + tracing: + sampling: 0 + +aai-resources: + podAnnotations: + proxy.istio.io/config: | + tracing: + sampling: 0 + +aai-modelloader: + podAnnotations: + proxy.istio.io/config: | + tracing: + sampling: 0 + +aai-babel: + podAnnotations: + proxy.istio.io/config: | + tracing: + sampling: 0 + +aai-schema-service: + podAnnotations: + proxy.istio.io/config: | + tracing: + sampling: 0 diff --git a/argo/onap/values/authentication.yaml b/argo/onap/values/authentication.yaml new file mode 100644 index 0000000000..cb4a8f1d40 --- /dev/null +++ b/argo/onap/values/authentication.yaml 
@@ -0,0 +1,21 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +global: + # storageClass for oauth2-proxy setting for Redis DB + defaultStorageClass: diff --git a/argo/onap/values/cassandra.yaml b/argo/onap/values/cassandra.yaml new file mode 100644 index 0000000000..2a3c686dd2 --- /dev/null +++ b/argo/onap/values/cassandra.yaml 
@@ -0,0 +1,21 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +k8ssandraOperator: + persistence: + storageClassName: diff --git a/argo/onap/values/cds.yaml b/argo/onap/values/cds.yaml new file mode 100644 index 0000000000..0992d5378c --- /dev/null +++ b/argo/onap/values/cds.yaml 
@@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +mariadb-galera: + mariadbOperator: + persistence: + storageClassName: diff --git a/argo/onap/values/cps.yaml b/argo/onap/values/cps.yaml new file mode 100644 index 0000000000..009fc19a88 --- /dev/null +++ b/argo/onap/values/cps.yaml 
@@ -0,0 +1,23 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +cps-core: + postgres-init: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation diff --git a/argo/onap/values/mariadb-galera.yaml b/argo/onap/values/mariadb-galera.yaml new file mode 100644 index 0000000000..39634aedfc --- /dev/null +++ b/argo/onap/values/mariadb-galera.yaml 
@@ -0,0 +1,21 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +mariadbOperator: + persistence: + storageClassName: diff --git a/argo/onap/values/multicloud.yaml b/argo/onap/values/multicloud.yaml new file mode 100644 index 0000000000..72621163d9 --- /dev/null +++ b/argo/onap/values/multicloud.yaml 
@@ -0,0 +1,21 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +global: + # setting for mongodb + storageClass: diff --git a/argo/onap/values/platform.yaml b/argo/onap/values/platform.yaml new file mode 100644 index 0000000000..a3ef1da6da --- /dev/null +++ b/argo/onap/values/platform.yaml 
@@ -0,0 +1,22 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +cmpv2-cert-provider: + enabled: false +oom-cert-service: + enabled: false diff --git a/argo/onap/values/policy.yaml b/argo/onap/values/policy.yaml new file mode 100644 index 0000000000..63bd36c94e --- /dev/null +++ b/argo/onap/values/policy.yaml 
@@ -0,0 +1,25 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +global: + mariadbGalera: + localCluster: false + +jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation diff --git a/argo/onap/values/portal-ng.yaml b/argo/onap/values/portal-ng.yaml new file mode 100644 index 0000000000..72621163d9 --- /dev/null +++ b/argo/onap/values/portal-ng.yaml 
@@ -0,0 +1,21 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +global: + # setting for mongodb + storageClass: diff --git a/argo/onap/values/sdc.yaml b/argo/onap/values/sdc.yaml new file mode 100644 index 0000000000..877dff51f9 --- /dev/null +++ b/argo/onap/values/sdc.yaml 
@@ -0,0 +1,37 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +sdc-cs: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + +sdc-be: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + +sdc-onboarding-be: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + +sdc-wfd-be: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation diff --git a/argo/onap/values/sdnc.yaml b/argo/onap/values/sdnc.yaml new file mode 100644 index 0000000000..2ccaa71f91 --- /dev/null +++ b/argo/onap/values/sdnc.yaml 
@@ -0,0 +1,27 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + +network-name-gen: + mariadb-init: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation diff --git a/argo/onap/values/so.yaml b/argo/onap/values/so.yaml new file mode 100644 index 0000000000..1f1261e981 --- /dev/null +++ b/argo/onap/values/so.yaml 
@@ -0,0 +1,52 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +so-mariadb: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + +so-bpmn-infra: + podAnnotations: + proxy.istio.io/config: | + tracing: + sampling: 0 + +so-catalog-db-adapter: + podAnnotations: + proxy.istio.io/config: | + tracing: + sampling: 0 + +so-openstack-adapter: + podAnnotations: + proxy.istio.io/config: | + tracing: + sampling: 0 + +so-request-db-adapter: + podAnnotations: + proxy.istio.io/config: | + tracing: + sampling: 0 + +so-sdc-controller: + podAnnotations: + proxy.istio.io/config: | + tracing: + sampling: 0 diff --git a/argo/onap/values/uui.yaml b/argo/onap/values/uui.yaml new file mode 100644 index 0000000000..2729557680 --- /dev/null +++ b/argo/onap/values/uui.yaml 
@@ -0,0 +1,32 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +uui-server: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + +uui-intent-analysis: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + +uui-llm-adaptation: + jobAnnotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation diff --git a/argo/onap/values/values-global.yaml b/argo/onap/values/values-global.yaml new file mode 100644 index 0000000000..23adee3dc6 --- /dev/null +++ b/argo/onap/values/values-global.yaml 
@@ -0,0 +1,196 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2025 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################ +# General configuration of ONAP +# ORIGINAL FILE: +# https://git.onap.org/oom/tree/kubernetes/onap/values.yaml +# +# Using value files in argo: +# https://github.com/argoproj/argo-cd/issues/2789#issuecomment-879043660 +################################ +global: + + # override default resource limit flavor for all charts + flavor: small + + nodePortPrefix: 302 + nodePortPrefixExt: 304 + masterPassword: gatingPassword + addTestingComponents: &testing false + repository: + dockerHubRepository: &dockerHubRepository + elasticRepository: &elasticRepository + quayRepository: + googleK8sRepository: + githubContainerRegistry: + loggingRepository: *elasticRepository + busyboxRepository: *dockerHubRepository + repositoryCred: + user: docker + password: docker + busyboxImage: busybox:1.34.1 + curlImage: curlimages/curl:7.80.0 + envsubstImage: dibi/envsubst:latest + htpasswdImage: xmartlabs/htpasswd:latest + kubectlImage: bitnami/kubectl:1.22.4 + loggingImage: beats/filebeat:5.5.0 + mongodbImage: percona/percona-server-mongodb:7.0.16-10 + mariadbImage: 
mariadb:11.7.2 + nginxImage: bitnami/nginx:1.21.4 + postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 + readinessImage: onap/oom/readiness:6.2.0 + # Default definition of the secret containing the docker image repository + # credentials. In the default ONAP deployment the secret is created by the + # repository-wrapper component, which uses the secrets defined above. + # If this is not wanted or other secrets are created, alternative secret + # names can be used + # Overrides for specific images can be done, if the "image" entry is used as + # a map and the "pullSecrets" is used, e.g. + # image: + # ... + # pullSecrets: + # - myRegistryKeySecretName + # + imagePullSecrets: + - name: '{{ include "common.namespace" . }}-docker-registry-key' + + pullPolicy: Always + jreImage: onap/integration-java11:10.0.0 + clusterName: cluster.local + + # enable this if you have deployed Jaeger alongside ONAP + tracing: + enabled: true + collector: + baseUrl: http://jaeger-collector.istio-system:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + + persistence: + mountPath: /dockerdata-nfs + enableDefaultStorageclass: false + parameters: {} + storageclassProvisioner: + volumeReclaimPolicy: Retain + storageClass: "" + debugEnabled: false + passwordStrength: long + + ingress: + enabled: true + # enable all component's Ingress interfaces + enable_all: true + + # Provider: ingress, istio, gw-api + provider: gw-api + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) + commonGateway: + name: common-gateway + httpListener: http + httpsListener: https + + # default Ingress base URL and preAddr- and postAddr settings + # Ingress URLs result: + # . 
+ virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + baseurl: "" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # POSTADDR for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + config: + # All http (port 80) requests via ingress will be redirected + # to port 443 on Ingress controller + # only valid for Istio Gateway (ServiceMesh enabled) + ssl: "redirect" + tls: + secret: 'ingress-tls-secret' + # optional: Namespace of the Istio IngressGateway + # only valid for Istio Gateway (ServiceMesh enabled) + namespace: istio-ingress + serviceMesh: + enabled: true + tls: true + engine: "istio" + nativeSidecars: true + # Global Istio Authorization Policy configuration + authorizationPolicies: + enabled: false + metrics: + enabled: true + custom_resources: false + aafEnabled: false + aafAgentImage: onap/aaf/aaf_agent:2.1.20 + msbEnabled: false + certificate: + default: + renewBefore: 720h0m0s # 30 days + duration: 8760h0m0s # 365 days + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + issuer: + group: certmanager.onap.org + kind: CMPv2Issuer + name: cmpv2-issuer-onap + cmpv2Enabled: false + platform: + certificates: + clientSecretName: oom-cert-service-client-tls-secret + keystoreKeyRef: keystore.jks + truststoreKeyRef: truststore.jks + keystorePasswordSecretName: oom-cert-service-certificates-password + keystorePasswordSecretKey: password + truststorePasswordSecretName: oom-cert-service-certificates-password + truststorePasswordSecretKey: password + offlineDeploymentBuild: false + centralizedLoggingEnabled: ¢ralizedLogging false + tlsEnabled: false + + # Global flag to enable the creation of default roles instead of using + # common roles-wrapper + createDefaultRoles: true + + # temporarily useOperator is set 
to false for migration to "Montreal" + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + + # not used in TNAP, as cassandra cluster is not created via ONAP chart + cassandra: + # flag to enable the DB creation via k8ssandra-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false diff --git a/argo/updateVariables.sh b/argo/updateVariables.sh new file mode 100755 index 0000000000..cb972e3112 --- /dev/null +++ b/argo/updateVariables.sh 
@@ -0,0 +1,47 @@ +#!/bin/bash + +# directories to patch +DIRS=("argocd" "infra" "onap" "onap-test") + +# Variables and Replacements (Key=Variable, Value=Replacement) +# Beispiel: VAR1="Wert1", VAR2="Wert2" +declare -A VARS +VARS["ONAP_ARGO_REPO_URL"]="https://git.onap.org/oom" +VARS["ONAP_ARGO_BRANCH"]="master" +VARS["STORAGECLASS"]="cinder-os" +VARS["BASEURL"]="simpledemo.onap.org" +VARS["POSTADDR"]="-test" +VARS["DOCKER_REPO"]="docker.io" +VARS["ONAP_REPO"]="nexus3.onap.org:10001" +VARS["ELASTIC_REPO"]="docker.elastic.co" +VARS["QUAY_REPO"]="quay.io" +VARS["GOOGLE_REPO"]="gcr.io" +VARS["K8S_REPO"]="registry.k8s.io" +VARS["GITHUB_REPO"]="ghcr.io" + +# Funktion to replace in one file +replace_in_file() { + local file="$1" + local tmpfile="${file}.tmp" + + cp "$file" "$tmpfile" + + for var in "${!VARS[@]}"; do + # Replace with value + # -i: inplace, but done with tmpfile, if Backup is required + sed -i "s|<${var}>|${VARS[$var]}|g" "$tmpfile" + done + + mv "$tmpfile" "$file" +} + +# Main Loop: Run through all files in the given directories +for dir in "${DIRS[@]}"; do + # Find all files recursively + find "$dir" -type f | while read -r file; do + replace_in_file "$file" + echo "Done: $file" + done +done + +echo "Done." \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000000..091cbca86c --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,13 @@ +version: '3' +services: + chartmuseum: + image: ghcr.io/helm/chartmuseum:v0.16.0 + ports: + - 6464:8080 + volumes: + - ./charts:/charts + environment: + PORT: 8080 + DEBUG: 1 + STORAGE: local + STORAGE_LOCAL_ROOTDIR: /charts \ No newline at end of file diff --git a/docs/_static/logo_onap_2024.png b/docs/_static/logo_onap_2024.png new file mode 100644 index 0000000000..55d307fc34 Binary files /dev/null and b/docs/_static/logo_onap_2024.png differ 
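Review bot: In the new Argo CD Applications (argo/onap/so.yaml, argo/onap/strimzi.yaml, argo/onap/uui.yaml) the chart source uses `targetRevision: "*"` together with `automated:` sync, `prune: true` and `selfHeal: true`. Whatever chart version is newest in `http://chartmuseum.chartmuseum:8080` is therefore rolled out to the `onap` namespace with no review step, and it is fetched over plain HTTP. Pin `targetRevision` to the released chart version, or at least a bounded range, so that a deployment change is always a commit in this repository. Also consider a dedicated AppProject instead of `project: default`, so that the permitted source repositories and destinations are restricted for these applications.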
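Review bot: argo/onap/values/values-global.yaml commits credentials in clear text under `global:` (`masterPassword: gatingPassword`, and `repositoryCred` with `user: docker` and `password: docker`), and with the automated sync in the Application manifests these values are what gets deployed unless someone overrides them. Leave them as placeholders filled at install time or reference an existing Secret, and document that they must be changed. In the same hunk, `envsubstImage: dibi/envsubst:latest` and `htpasswdImage: xmartlabs/htpasswd:latest` combined with `pullPolicy: Always` mean the running image can change without any change in Git; pin a version tag or digest as is done for the other images. The comment "temporarily useOperator is set to false" sits above `useOperator: true` and should be corrected or dropped.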
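Review bot: argo/updateVariables.sh has no error handling around an in-place rewrite: `replace_in_file` runs `mv "$tmpfile" "$file"` even if one of the `sed` calls failed, and the script never checks that the entries of `DIRS` exist relative to the caller's working directory. Add `set -euo pipefail`, resolve the directories relative to the script's own location, and only move the temp file into place when all substitutions succeeded. `find "$dir" -type f` also rewrites every file type, so restricting it to the YAML files that actually carry the placeholders would be safer. The values are interpolated unescaped into `s|<${var}>|${VARS[$var]}|g`, so a replacement containing `|` or `&` will break or alter the output; escape them before substitution. Minor: the file lacks the license header the other new files in this change carry, the comments mix German and English ("Beispiel", "Funktion"), and there is no newline at end of file.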
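Review bot: docker-compose.yml publishes ChartMuseum with `- 6464:8080`, which binds the port on all host interfaces, while `environment:` sets `DEBUG: 1` and nothing that enables authentication. If this is only meant for local chart builds, bind it to loopback (`127.0.0.1:6464:8080`) and drop the debug flag; if it is meant to be reachable by others, configure authentication for the chart API, because the Argo CD Applications in this change deploy whatever the chart repository serves. Please also add the missing newline at end of file and say in a comment or in the docs what this compose file is for.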
diff --git a/docs/archived/certs/hardcoded_certificates.csv b/docs/archived/certs/hardcoded_certificates.csv index fbc7db3e11..83c761e582 100644 --- a/docs/archived/certs/hardcoded_certificates.csv +++ b/docs/archived/certs/hardcoded_certificates.csv @@ -6,8 +6,6 @@ AAI/SEARCH-DATA,Yes,No,No,aai/oom/components/aai-search-data/resources/config/au AAI/SPARKY-BE,Yes,No,No,aai/oom/components/aai-spary-be/resources/config/auth/org.onap.aai.p12 AAI/BABEL,No,Yes,No,aai/oom/components/aai-babel/resources/config/auth/tomcat_keystore AAI/MODEL-LOADER,Yes,Yes,No,aai/oom/components/aai-model-loaderresources/config/auth/tomcat_keystore -APPC,Yes,No,No,kubernetes/appc/resources/config/certs/org.onap.appc.keyfile -APPC,Yes,No,No,kubernetes/appc/resources/config/certs/org.onap.appc.p12 certInitializer,Yes,No,No,kubernetes/common/certInitializer/resources DMaaP/MR,Yes,No,No,Hardcoded in container HOLMES,No,Yes,No,Hardcoded in container diff --git a/docs/archived/oom_developer_guide.rst b/docs/archived/oom_developer_guide.rst index f6513bdf83..59286375d6 100644 --- a/docs/archived/oom_developer_guide.rst +++ b/docs/archived/oom_developer_guide.rst 
@@ -994,156 +994,3 @@ persistent volume should be used to store all data that needs to be persisted over the re-creation of a container. Persistent volumes have been created for the database components of each of the projects and the same technique can be used for all persistent state information. - - - -Environment Files -~~~~~~~~~~~~~~~~~ - -MSB Integration -=============== - -The \ `Microservices Bus -Project `__ provides -facilities to integrate micro-services into ONAP and therefore needs to -integrate into OOM - primarily through Consul which is the backend of -MSB service discovery. The following is a brief description of how this -integration will be done: - -A registrator to push the service endpoint info to MSB service -discovery. - -- The needed service endpoint info is put into the kubernetes yaml file - as annotation, including service name, Protocol,version, visual - range,LB method, IP, Port,etc. - -- OOM deploy/start/restart/scale in/scale out/upgrade ONAP components - -- Registrator watch the kubernetes event - -- When an ONAP component instance has been started/destroyed by OOM, - Registrator get the notification from kubernetes - -- Registrator parse the service endpoint info from annotation and - register/update/unregister it to MSB service discovery - -- MSB API Gateway uses the service endpoint info for service routing - and load balancing. - -Details of the registration service API can be found at \ `Microservice -Bus API -Documentation `__. - -ONAP Component Registration to MSB ----------------------------------- -The charts of all ONAP components intending to register against MSB must have -an annotation in their service(s) template. A `sdc` example follows: - -.. 
code-block:: yaml - - apiVersion: v1 - kind: Service - metadata: - labels: - app: sdc-be - name: sdc-be - namespace: "{{ .Values.nsPrefix }}" - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "sdc", - "version": "v1", - "url": "/sdc/v1", - "protocol": "REST", - "port": "8080", - "visualRange":"1" - }, - { - "serviceName": "sdc-deprecated", - "version": "v1", - "url": "/sdc/v1", - "protocol": "REST", - "port": "8080", - "visualRange":"1", - "path":"/sdc/v1" - } - ]' - ... - - -MSB Integration with OOM ------------------------- -A preliminary view of the OOM-MSB integration is as follows: - -.. figure:: ../../resources/images/msb/MSB-OOM-Diagram.png - -A message sequence chart of the registration process: - -.. uml:: - - participant "OOM" as oom - participant "ONAP Component" as onap - participant "Service Discovery" as sd - participant "External API Gateway" as eagw - participant "Router (Internal API Gateway)" as iagw - - box "MSB" #LightBlue - participant sd - participant eagw - participant iagw - end box - - == Deploy Servcie == - - oom -> onap: Deploy - oom -> sd: Register service endpoints - sd -> eagw: Services exposed to external system - sd -> iagw: Services for internal use - - == Component Life-cycle Management == - - oom -> onap: Start/Stop/Scale/Migrate/Upgrade - oom -> sd: Update service info - sd -> eagw: Update service info - sd -> iagw: Update service info - - == Service Health Check == - - sd -> onap: Check the health of service - sd -> eagw: Update service status - sd -> iagw: Update service status - - -MSB Deployment Instructions ---------------------------- -MSB is helm installable ONAP component which is often automatically deployed. -To install it individually enter:: - - > helm install /msb - -.. note:: - TBD: Vaidate if the following procedure is still required. 
- -Please note that Kubernetes authentication token must be set at -*kubernetes/kube2msb/values.yaml* so the kube2msb registrator can get the -access to watch the kubernetes events and get service annotation by -Kubernetes APIs. The token can be found in the kubectl configuration file -*~/.kube/config* - -More details can be found here `MSB installation `_. - -.. MISC -.. ==== -.. Note that although OOM uses Kubernetes facilities to minimize the effort -.. required of the ONAP component owners to implement a successful rolling -.. upgrade strategy there are other considerations that must be taken into -.. consideration. -.. For example, external APIs - both internal and external to ONAP - should be -.. designed to gracefully accept transactions from a peer at a different -.. software version to avoid deadlock situations. Embedded version codes in -.. messages may facilitate such capabilities. -.. -.. Within each of the projects a new configuration repository contains all of -.. the project specific configuration artifacts. As changes are made within -.. the project, it's the responsibility of the project team to make appropriate -.. changes to the configuration data. diff --git a/docs/archived/oom_quickstart_guide.rst b/docs/archived/oom_quickstart_guide.rst index 4727a3e13d..99c7a5e7df 100644 --- a/docs/archived/oom_quickstart_guide.rst +++ b/docs/archived/oom_quickstart_guide.rst @@ -282,4 +282,4 @@ for use:: > helm undeploy dev More examples of using the deploy and undeploy plugins can be found here: -https://wiki.onap.org/display/DW/OOM+Helm+%28un%29Deploy+plugins +https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16315791/OOM+Helm+un+Deploy+plugins diff --git a/docs/archived/oom_setup_kubernetes_rancher.rst b/docs/archived/oom_setup_kubernetes_rancher.rst deleted file mode 100644 index 767b93925e..0000000000 --- a/docs/archived/oom_setup_kubernetes_rancher.rst +++ /dev/null 
@@ -1,531 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2018-2020 Amdocs, Bell Canada, Orange, Samsung - -.. Links -.. _HELM Best Practices Guide: https://docs.helm.sh/chart_best_practices/#requirements -.. _kubectl Cheat Sheet: https://kubernetes.io/docs/reference/kubectl/cheatsheet/ -.. _Kubernetes documentation for emptyDir: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir -.. _Docker DevOps: https://wiki.onap.org/display/DW/Docker+DevOps#DockerDevOps-DockerBuild -.. _http://cd.onap.info:30223/mso/logging/debug: http://cd.onap.info:30223/mso/logging/debug -.. _Onboarding and Distributing a Vendor Software Product: https://wiki.onap.org/pages/viewpage.action?pageId=1018474 -.. _README.md: https://gerrit.onap.org/r/gitweb?p=oom.git;a=blob;f=kubernetes/README.md - -.. figure:: images/oom_logo/oomLogoV2-medium.png - :align: right - -.. _onap-on-kubernetes-with-rancher: - -ONAP on HA Kubernetes Cluster -############################# - -This guide provides instructions on how to setup a Highly-Available Kubernetes -Cluster. For this, we are hosting our cluster on OpenStack VMs and using the -Rancher Kubernetes Engine (RKE) to deploy and manage our Kubernetes Cluster. - -.. contents:: - :depth: 1 - :local: -.. - -The result at the end of this tutorial will be: - -#. Creation of a Key Pair to use with Open Stack and RKE - -#. Creation of OpenStack VMs to host Kubernetes Control Plane - -#. Creation of OpenStack VMs to host Kubernetes Workers - -#. Installation and configuration of RKE to setup an HA Kubernetes - -#. Installation and configuration of kubectl - -#. Installation and configuration of Helm - -#. Creation of an NFS Server to be used by ONAP as shared persistance - -There are many ways one can execute the above steps. Including automation -through the use of HEAT to setup the OpenStack VMs. 
To better illustrate the -steps involved, we have captured the manual creation of such an environment -using the ONAP Wind River Open Lab. - -Create Key Pair -=============== -A Key Pair is required to access the created OpenStack VMs and will be used by -RKE to configure the VMs for Kubernetes. - -Use an existing key pair, import one or create a new one to assign. - -.. image:: images/keys/key_pair_1.png - -.. Note:: - If you're creating a new Key Pair, ensure to create a local copy of the - Private Key through the use of "Copy Private Key to Clipboard". - -For the purpose of this guide, we will assume a new local key called "onap-key" -has been downloaded and is copied into **~/.ssh/**, from which it can be -referenced. - -Example:: - - > mv onap-key ~/.ssh - - > chmod 600 ~/.ssh/onap-key - - -Create Network -============== - -An internal network is required in order to deploy our VMs that will host -Kubernetes. - -.. image:: images/network/network_1.png - -.. image:: images/network/network_2.png - -.. image:: images/network/network_3.png - -.. Note:: - It's better to have one network per deployment and obviously the name of this - network should be unique. - -Now we need to create a router to attach this network to outside: - -.. image:: images/network/network_4.png - -Create Security Group -===================== - -A specific security group is also required - -.. image:: images/sg/sg_1.png - -then click on `manage rules` of the newly created security group. -And finally click on `Add Rule` and create the following one: - -.. image:: images/sg/sg_2.png - -.. Note:: - the security is clearly not good here and the right SG will be proposed in a - future version - -Create Kubernetes Control Plane VMs -=================================== - -The following instructions describe how to create 3 OpenStack VMs to host the -Highly-Available Kubernetes Control Plane. -ONAP workloads will not be scheduled on these Control Plane nodes. 
- -Launch new VM instances ------------------------ - -.. image:: images/cp_vms/control_plane_1.png - -Select Ubuntu 18.04 as base image ---------------------------------- -Select "No" for "Create New Volume" - -.. image:: images/cp_vms/control_plane_2.png - -Select Flavor -------------- -The recommended flavor is at least 4 vCPU and 8GB ram. - -.. image:: images/cp_vms/control_plane_3.png - -Networking ----------- - -Use the created network: - -.. image:: images/cp_vms/control_plane_4.png - -Security Groups ---------------- - -Use the created security group: - -.. image:: images/cp_vms/control_plane_5.png - -Key Pair --------- -Assign the key pair that was created/selected previously (e.g. onap_key). - -.. image:: images/cp_vms/control_plane_6.png - -Apply customization script for Control Plane VMs ------------------------------------------------- - -Click :download:`openstack-k8s-controlnode.sh ` -to download the script. - -.. literalinclude:: shell/openstack-k8s-controlnode.sh - :language: bash - -This customization script will: - -* update ubuntu -* install docker - -.. image:: images/cp_vms/control_plane_7.png - -Launch Instance ---------------- - -.. image:: images/cp_vms/control_plane_8.png - - - -Create Kubernetes Worker VMs -============================ -The following instructions describe how to create OpenStack VMs to host the -Highly-Available Kubernetes Workers. ONAP workloads will only be scheduled on -these nodes. - -Launch new VM instances ------------------------ - -The number and size of Worker VMs is dependent on the size of the ONAP -deployment. By default, all ONAP applications are deployed. It's possible to -customize the deployment and enable a subset of the ONAP applications. For the -purpose of this guide, however, we will deploy 12 Kubernetes Workers that have -been sized to handle the entire ONAP application workload. - -.. 
image:: images/wk_vms/worker_1.png - -Select Ubuntu 18.04 as base image ---------------------------------- -Select "No" on "Create New Volume" - -.. image:: images/wk_vms/worker_2.png - -Select Flavor -------------- -The size of Kubernetes hosts depend on the size of the ONAP deployment -being installed. - -If a small subset of ONAP applications are being deployed -(i.e. for testing purposes), then 16GB or 32GB may be sufficient. - -.. image:: images/wk_vms/worker_3.png - -Networking ------------ - -.. image:: images/wk_vms/worker_4.png - -Security Group ---------------- - -.. image:: images/wk_vms/worker_5.png - -Key Pair --------- -Assign the key pair that was created/selected previously (e.g. onap_key). - -.. image:: images/wk_vms/worker_6.png - -Apply customization script for Kubernetes VM(s) ------------------------------------------------ - -Click :download:`openstack-k8s-workernode.sh ` to -download the script. - -.. literalinclude:: shell/openstack-k8s-workernode.sh - :language: bash - -This customization script will: - -* update ubuntu -* install docker -* install nfs common - - -Launch Instance ---------------- - -.. image:: images/wk_vms/worker_7.png - - - - -Assign Floating IP addresses ----------------------------- -Assign Floating IPs to all Control Plane and Worker VMs. -These addresses provide external access to the VMs and will be used by RKE -to configure kubernetes on to the VMs. - -Repeat the following for each VM previously created: - -.. image:: images/floating_ips/floating_1.png - -Resulting floating IP assignments in this example. - -.. image:: images/floating_ips/floating_2.png - - - - -Configure Rancher Kubernetes Engine (RKE) -========================================= - -Install RKE ------------ -Download and install RKE on a VM, desktop or laptop. -Binaries can be found here for Linux and Mac: https://github.com/rancher/rke/releases/tag/v1.0.6 - -.. note:: - There are several ways to install RKE. 
Further parts of this documentation - assumes that you have rke command available. - If you don't know how to install RKE you may follow the below steps: - - * chmod +x ./rke_linux-amd64 - * sudo mv ./rke_linux-amd64 /user/local/bin/rke - -RKE requires a *cluster.yml* as input. An example file is show below that -describes a Kubernetes cluster that will be mapped onto the OpenStack VMs -created earlier in this guide. - -Click :download:`cluster.yml ` to download the -configuration file. - -.. literalinclude:: yaml/cluster.yml - :language: yaml - -Prepare cluster.yml -------------------- -Before this configuration file can be used the external **address** -and the **internal_address** must be mapped for each control and worker node -in this file. - -Run RKE -------- -From within the same directory as the cluster.yml file, simply execute:: - - > rke up - -The output will look something like:: - - INFO[0000] Initiating Kubernetes cluster - INFO[0000] [certificates] Generating admin certificates and kubeconfig - INFO[0000] Successfully Deployed state file at [./cluster.rkestate] - INFO[0000] Building Kubernetes cluster - INFO[0000] [dialer] Setup tunnel for host [10.12.6.82] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.249] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.74] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.85] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.238] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.89] - INFO[0000] [dialer] Setup tunnel for host [10.12.5.11] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.90] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.244] - INFO[0000] [dialer] Setup tunnel for host [10.12.5.165] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.126] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.111] - INFO[0000] [dialer] Setup tunnel for host [10.12.5.160] - INFO[0000] [dialer] Setup tunnel for host [10.12.5.191] - INFO[0000] [dialer] Setup tunnel for host [10.12.6.195] - 
INFO[0002] [network] Deploying port listener containers - INFO[0002] [network] Pulling image [nexus3.onap.org:10001/rancher/rke-tools:v0.1.27] on host [10.12.6.85] - INFO[0002] [network] Pulling image [nexus3.onap.org:10001/rancher/rke-tools:v0.1.27] on host [10.12.6.89] - INFO[0002] [network] Pulling image [nexus3.onap.org:10001/rancher/rke-tools:v0.1.27] on host [10.12.6.90] - INFO[0011] [network] Successfully pulled image [nexus3.onap.org:10001/rancher/rke-tools:v0.1.27] on host [10.12.6.89] - . . . . - INFO[0309] [addons] Setting up Metrics Server - INFO[0309] [addons] Saving ConfigMap for addon rke-metrics-addon to Kubernetes - INFO[0309] [addons] Successfully saved ConfigMap for addon rke-metrics-addon to Kubernetes - INFO[0309] [addons] Executing deploy job rke-metrics-addon - INFO[0315] [addons] Metrics Server deployed successfully - INFO[0315] [ingress] Setting up nginx ingress controller - INFO[0315] [addons] Saving ConfigMap for addon rke-ingress-controller to Kubernetes - INFO[0316] [addons] Successfully saved ConfigMap for addon rke-ingress-controller to Kubernetes - INFO[0316] [addons] Executing deploy job rke-ingress-controller - INFO[0322] [ingress] ingress controller nginx deployed successfully - INFO[0322] [addons] Setting up user addons - INFO[0322] [addons] no user addons defined - INFO[0322] Finished building Kubernetes cluster successfully - -Install Kubectl -=============== - -Download and install kubectl. Binaries can be found here for Linux and Mac: - -https://storage.googleapis.com/kubernetes-release/release/v1.15.11/bin/linux/amd64/kubectl -https://storage.googleapis.com/kubernetes-release/release/v1.15.11/bin/darwin/amd64/kubectl - -You only need to install kubectl where you'll launch Kubernetes command. This -can be any machines of the Kubernetes cluster or a machine that has IP access -to the APIs. -Usually, we use the first controller as it has also access to internal -Kubernetes services, which can be convenient. 
- -Validate deployment -------------------- - -:: - - > mkdir -p ~/.kube - - > cp kube_config_cluster.yml ~/.kube/config.onap - - > export KUBECONFIG=~/.kube/config.onap - - > kubectl config use-context onap - - > kubectl get nodes -o=wide - -:: - - NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME - onap-control-1 Ready controlplane,etcd 3h53m v1.15.2 10.0.0.8 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-control-2 Ready controlplane,etcd 3h53m v1.15.2 10.0.0.11 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-control-3 Ready controlplane,etcd 3h53m v1.15.2 10.0.0.12 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-1 Ready worker 3h53m v1.15.2 10.0.0.14 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-10 Ready worker 3h53m v1.15.2 10.0.0.16 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-11 Ready worker 3h53m v1.15.2 10.0.0.18 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-12 Ready worker 3h53m v1.15.2 10.0.0.7 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-2 Ready worker 3h53m v1.15.2 10.0.0.26 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-3 Ready worker 3h53m v1.15.2 10.0.0.5 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-4 Ready worker 3h53m v1.15.2 10.0.0.6 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-5 Ready worker 3h53m v1.15.2 10.0.0.9 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-6 Ready worker 3h53m v1.15.2 10.0.0.17 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-7 Ready worker 3h53m v1.15.2 10.0.0.20 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-8 Ready worker 3h53m v1.15.2 10.0.0.10 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - onap-k8s-9 Ready worker 3h53m v1.15.2 10.0.0.4 Ubuntu 18.04 LTS 4.15.0-22-generic docker://18.9.5 - - -Install Helm -============ - -Example Helm client install on Linux:: - - > wget 
https://get.helm.sh/helm-v2.16.6-linux-amd64.tar.gz - - > tar -zxvf helm-v2.16.6-linux-amd64.tar.gz - - > sudo mv linux-amd64/helm /usr/local/bin/helm - -Initialize Kubernetes Cluster for use by Helm ---------------------------------------------- - -:: - - > kubectl -n kube-system create serviceaccount tiller - - > kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller - - > helm init --service-account tiller - - > kubectl -n kube-system  rollout status deploy/tiller-deploy - - - -Setting up an NFS share for Multinode Kubernetes Clusters -========================================================= -Deploying applications to a Kubernetes cluster requires Kubernetes nodes to -share a common, distributed filesystem. In this tutorial, we will setup an -NFS Master, and configure all Worker nodes a Kubernetes cluster to play -the role of NFS slaves. - -It is recommended that a separate VM, outside of the kubernetes -cluster, be used. This is to ensure that the NFS Master does not compete for -resources with Kubernetes Control Plane or Worker Nodes. - - -Launch new NFS Server VM instance ---------------------------------- -.. image:: images/nfs_server/nfs_server_1.png - -Select Ubuntu 18.04 as base image ---------------------------------- -Select "No" on "Create New Volume" - -.. image:: images/nfs_server/nfs_server_2.png - -Select Flavor -------------- - -.. image:: images/nfs_server/nfs_server_3.png - -Networking ------------ - -.. image:: images/nfs_server/nfs_server_4.png - -Security Group ---------------- - -.. image:: images/nfs_server/nfs_server_5.png - -Key Pair --------- -Assign the key pair that was created/selected previously (e.g. onap_key). - -.. image:: images/nfs_server/nfs_server_6.png - -Apply customization script for NFS Server VM --------------------------------------------- - -Click :download:`openstack-nfs-server.sh ` to download -the script. - -.. 
literalinclude:: shell/openstack-nfs-server.sh - :language: bash - -This customization script will: - -* update ubuntu -* install nfs server - - -Launch Instance ---------------- - -.. image:: images/nfs_server/nfs_server_7.png - - - -Assign Floating IP addresses ----------------------------- - -.. image:: images/nfs_server/nfs_server_8.png - -Resulting floating IP assignments in this example. - -.. image:: images/nfs_server/nfs_server_9.png - - -To properly set up an NFS share on Master and Slave nodes, the user can run the -scripts below. - -Click :download:`master_nfs_node.sh ` to download the -script. - -.. literalinclude:: shell/master_nfs_node.sh - :language: bash - -Click :download:`slave_nfs_node.sh ` to download the script. - -.. literalinclude:: shell/slave_nfs_node.sh - :language: bash - -The master_nfs_node.sh script runs in the NFS Master node and needs the list of -NFS Slave nodes as input, e.g.:: - - > sudo ./master_nfs_node.sh node1_ip node2_ip ... nodeN_ip - -The slave_nfs_node.sh script runs in each NFS Slave node and needs the IP of -the NFS Master node as input, e.g.:: - - > sudo ./slave_nfs_node.sh master_node_ip - - -ONAP Deployment via OOM -======================= -Now that Kubernetes and Helm are installed and configured you can prepare to -deploy ONAP. Follow the instructions in the README.md_ or look at the official -documentation to get started: - -- :ref:`quick-start-label` - deploy ONAP on an existing cloud -- :ref:`user-guide-label` - a guide for operators of an ONAP instance diff --git a/docs/archived/oom_user_guide.rst b/docs/archived/oom_user_guide.rst index 2ff74b5898..b4d1891864 100644 --- a/docs/archived/oom_user_guide.rst +++ b/docs/archived/oom_user_guide.rst 
@@ -55,8 +55,8 @@ ONAP with a few simple commands. Pre-requisites -------------- -Your environment must have the Kubernetes `kubectl` with Strimzi Apache Kafka, Cert-Manager -and Helm setup as a one time activity. +Your environment must have the Kubernetes `kubectl` with Strimzi Apache Kafka, +Cert-Manager and Helm setup as a one time activity. Install Kubectl ~~~~~~~~~~~~~~~ @@ -275,7 +275,7 @@ precedence of all. The top level onap/values.yaml file contains the values required to be set before deploying ONAP. Here is the contents of this file: -.. include:: ../kubernetes/onap/values.yaml +.. include:: ../../kubernetes/onap/values.yaml :code: yaml One may wish to create a value file that is specific to a given deployment such diff --git a/docs/archived/yaml/environments_onap_demo.yaml b/docs/archived/yaml/environments_onap_demo.yaml new file mode 100644 index 0000000000..1298fa5a6d --- /dev/null +++ b/docs/archived/yaml/environments_onap_demo.yaml 
@@ -0,0 +1,87 @@ +################################################################# +# Global configuration overrides. +# +# These overrides will affect all helm charts (ie. applications) +# that are listed below and are 'enabled'. +################################################################# +global: + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + + # image repositories + repository: nexus3.onap.org:10001 + repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ== + # readiness check + readinessImage: onap/oom/readiness:6.1.1 + # logging agent + loggingRepository: docker.elastic.co + + # image pull policy + pullPolicy: IfNotPresent + + # override default mount path root directory + # referenced by persistent volumes and log files + persistence: + mountPath: /dockerdata + + # flag to enable debugging - application support required + debugEnabled: true + +################################################################# +# Enable/disable and configure helm charts (ie. applications) +# to customize the ONAP deployment. 
+################################################################# +aai: + enabled: false +cli: + enabled: false +cps: + enabled: false +dcaegen2: + enabled: false +message-router: + enabled: false +msb: + enabled: false +multicloud: + enabled: false +policy: + enabled: false +robot: # Robot Health Check + enabled: true +sdc: + enabled: false +sdnc: + enabled: false +so: # Service Orchestrator + enabled: true + + replicaCount: 1 + + liveness: + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + + # so server configuration + config: + # message router configuration + dmaapTopic: "AUTO" + # openstack configuration + openStackUserName: "vnf_user" + openStackRegion: "RegionOne" + openStackKeyStoneUrl: "http://1.2.3.4:5000" + openStackServiceTenantName: "service" + openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" + + # configure embedded mariadb + mariadb: + config: + mariadbRootPassword: password +uui: + enabled: false +vfc: + enabled: false +vnfsdk: + enabled: false diff --git a/docs/archived/yaml/example-integration-override-v3.yaml b/docs/archived/yaml/example-integration-override-v3.yaml index a55b1c08fc..2c2742cc70 100644 --- a/docs/archived/yaml/example-integration-override-v3.yaml +++ b/docs/archived/yaml/example-integration-override-v3.yaml @@ -4,8 +4,6 @@ robot: enabled: true flavor: large - appcUsername: "appc@appc.onap.org" - appcPassword: "demo123456!" # KEYSTONE Version 3 Required for Rocky and beyond openStackKeystoneAPIVersion: "v3" # OS_AUTH_URL without the /v3 from the openstack .RC file 
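Review bot: the new docs/archived/yaml/environments_onap_demo.yaml commits credential material in a file that readers will copy. `repositorySecret` carries a base64 registry auth blob (base64 is an encoding, not protection), `mariadbRootPassword: password` is a guessable root password, and `openStackEncryptedPasswordHere` holds a concrete value. Replace these with obvious placeholders in the style of the `..._PASSWORD_HERE` strings used in example-integration-override-v3.yaml, or reference a Kubernetes Secret instead. The comment above `liveness:` says the probe has to be disabled when debugging, yet the file sets `enabled: true` alongside `debugEnabled: true`, so state which value is intended for the demo. `openStackKeyStoneUrl` is also plain `http://`.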
@@ -54,16 +52,3 @@ so: openStackKeyStoneUrl: "http://10.12.25.2:5000/v3" # use the SO Java utility to encrypt the OS_PASSWORD for the OS_USERNAME openStackEncryptedPasswordHere: "YYYYYYYYYYYYYYYYYYYYYYYY_OPENSTACK_JAVA_PASSWORD_HERE_YYYYYYYYYYYYYYYY" -appc: - enabled: true - replicaCount: 3 - config: - enableClustering: true - openStackType: "OpenStackProvider" - openStackName: "OpenStack" - # OS_AUTH_URL from the openstack .RC file - openStackKeyStoneUrl: "http://10.12.25.2:5000/v3" - openStackServiceTenantName: "OPENSTACK_PROJECT_NAME_HERE" - openStackDomain: "OPEN_STACK_DOMAIN_NAME_HERE" - openStackUserName: "OS_USER_NAME_HERE" - openStackEncryptedPassword: "OPENSTACK_CLEAR_TEXT_PASSWORD_HERE" diff --git a/docs/archived/yaml/example-integration-override.yaml b/docs/archived/yaml/example-integration-override.yaml index 5eeee5e2f5..46e18fce8f 100644 --- a/docs/archived/yaml/example-integration-override.yaml +++ b/docs/archived/yaml/example-integration-override.yaml @@ -1,21 +1,7 @@ ################################################################# # This override file configures openstack parameters for ONAP ################################################################# -appc: - config: - enableClustering: false - openStackType: "OpenStackProvider" - openStackName: "OpenStack" - # OS_AUTH_URL from the openstack .RC file - openStackKeyStoneUrl: "http://10.12.25.2:5000/v2.0" - openStackServiceTenantName: "OPENSTACK_TENANTNAME_HERE" - # OS_USER_DOMAIN_NAME from the openstack .RC file - openStackDomain: "Default" - openStackUserName: "OPENSTACK_USERNAME_HERE" - openStackEncryptedPassword: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_PASSWORD_HERE_XXXXXXXXXXXXXXXX" robot: - appcUsername: "appc@appc.onap.org" - appcPassword: "demo123456!" # OS_AUTH_URL without the /v2.0 from the openstack .RC file openStackKeyStoneUrl: "http://10.12.25.2:5000" # From openstack network list output diff --git a/docs/conf.py b/docs/conf.py index 29c57e6da0..3a63e0fab3 100644 --- a/docs/conf.py 
+++ b/docs/conf.py @@ -1,6 +1,6 @@ project = "onap" -release = "kohn" -version = "kohn" +release = "master" +version = "master" author = "Open Network Automation Platform" # yamllint disable-line rule:line-length @@ -11,7 +11,7 @@ html_theme = "sphinx_rtd_theme" html_theme_options = { "style_nav_header_background": "white", "sticky_navigation": "False" } -html_logo = "_static/logo_onap_2017.png" +html_logo = "_static/logo_onap_2024.png" html_favicon = "_static/favicon.ico" html_static_path = ["_static"] html_show_sphinx = False @@ -32,7 +32,7 @@ exclude_patterns = ['archived/*.rst', '.tox'] # Change to {releasename} after you have created the new 'doc' branch. # -branch = 'kohn' +branch = 'master' intersphinx_mapping = {} doc_url = 'https://docs.onap.org/projects' @@ -55,5 +55,7 @@ def setup(app): linkcheck_ignore = [ "https://istio-release.storage.googleapis.com/charts", + "https://charts.bitnami.com/bitnami", + "https://codecentric.github.io/helm-charts", r'http://localhost:\d+/' ] diff --git a/docs/conf.yaml b/docs/conf.yaml deleted file mode 100644 index 11eaff6045..0000000000 --- a/docs/conf.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -project_cfg: onap -project: onap - -# Change this to ReleaseBranchName to modify the header -default-version: kohn -# diff --git a/docs/index.rst b/docs/index.rst index 7a1d52b2ff..e889e0664c 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -13,7 +13,7 @@ OOM Documentation Repository sections/oom_project_description.rst sections/guides/development_guides/oom_development.rst - sections/guides/infra_guides/oom_infra_setup.rst + sections/guides/infra_guides/oom_infra.rst sections/guides/deployment_guides/oom_deployment.rst sections/guides/user_guides/oom_user_guide.rst sections/guides/access_guides/oom_access_info.rst diff --git a/docs/requirements-docs.txt b/docs/requirements-docs.txt index 9c104de61c..ba04a8dce9 100644 --- a/docs/requirements-docs.txt +++ b/docs/requirements-docs.txt 
@@ -6,3 +6,4 @@ sphinxcontrib-swaggerdoc sphinxcontrib-spelling sphinxcontrib-plantuml sphinx_toolbox>=3.2.0 +six diff --git a/docs/sections/guides/access_guides/oom_access_info.rst b/docs/sections/guides/access_guides/oom_access_info.rst index 4e9866725e..44491cce17 100644 --- a/docs/sections/guides/access_guides/oom_access_info.rst +++ b/docs/sections/guides/access_guides/oom_access_info.rst 
@@ -15,15 +15,49 @@ OOM Access Info .. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png :align: right -Access via NodePort/Loadbalancer -******************************** +Access via Ingress (production) +******************************* -The ONAP deployment created by OOM operates in a private IP network that isn't +Using Ingress as access method requires the installation of an Ingress +controller and the configuration of the ONAP deployment to use it. + +For "ONAP on ServiceMesh" you can find the instructions in: + +- :ref:`oom_base_optional_addons` +- :ref:`oom_customize_overrides` + +In the ServiceMesh deployment the Istio IngressGateway is the only access point +for ONAP component interfaces. +Usually the Ingress is accessed via a LoadBalancer IP (), +which is used as central address. +All APIs/UIs are provided via separate URLs which are routed to the component +service. +To use these URLs they need to be resolvable via DNS or via /etc/hosts. + +The domain name is usually defined in the `global` section of the ONAP +helm-charts, `virtualhost.baseurl` (here "simpledemo.onap.org") whereas the +hostname of the service (e.g. "sdc-fe-ui") is defined in the component's chart. + +.. code-block:: bash + + kiali.simpledemo.onap.org + cds-ui.simpledemo.onap.org + sdc-fe-ui.simpledemo.onap.org + ... + +To access e.g. the SDC UI now the new ssl-encrypted URL: + +``https://sdc-fe-ui.simpledemo.onap.org/sdc1`` + +Access via NodePort/Loadbalancer (development) +********************************************** + +In the development setop OOM operates in a private IP network that isn't publicly accessible (i.e. OpenStack VMs with private internal network) which blocks access to the ONAP User Interfaces. -To enable direct access to a service from a user's own environment (a laptop etc.) -the application's internal port is exposed through a `Kubernetes NodePort`_ or -`Kubernetes LoadBalancer`_ object. 
+To enable direct access to a service from a user's own environment (a laptop +etc.) the application's internal port is exposed through a +`Kubernetes NodePort`_ or `Kubernetes LoadBalancer`_ object. Typically, to be able to access the Kubernetes nodes publicly a public address is assigned. In OpenStack this is a floating IP address. 
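Review bot: in docs/sections/guides/access_guides/oom_access_info.rst, the hostname list under "Access via Ingress (production)" is now tagged `.. code-block:: bash`, but `kiali.simpledemo.onap.org` and the lines after it are not shell; the section this text was moved from used `none`, which avoids misleading highlighting. In the same hunk, "In the development setop OOM operates" has a typo (setup), and "To access e.g. the SDC UI now the new ssl-encrypted URL:" is missing its verb. Since the headings now label Ingress as production and NodePort/Loadbalancer as development, one sentence saying that NodePort exposure is not intended for production would make the split explicit.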
@@ -31,59 +65,35 @@ is assigned. In OpenStack this is a floating IP address. Most ONAP applications use the `NodePort` as predefined `service:type`, which opens allows access to the service through the the IP address of each Kubernetes node. -When using the `Loadbalancer` as `service:type` `Kubernetes LoadBalancer`_ object -which gets a separate IP address. +When using the `Loadbalancer` as `service:type` `Kubernetes LoadBalancer`_ +object which gets a separate IP address. -.. note:: - The following example uses the `ONAP Portal`, which is not actively maintained - in Kohn and will be replaced in the future - -When e.g. the `portal-app` chart is deployed a Kubernetes service is created that +When e.g. the `sdc-fe` chart is deployed a Kubernetes service is created that instantiates a load balancer. The LB chooses the private interface of one of -the nodes as in the example below (10.0.0.4 is private to the K8s cluster only). +the nodes as in the example below (10.0.0.4 is private to the K8s cluster +only). Then to be able to access the portal on port 8989 from outside the K8s & -OpenStack environment, the user needs to assign/get the floating IP address that -corresponds to the private IP as follows:: - - > kubectl -n onap get services|grep "portal-app" - portal-app LoadBalancer 10.43.142.201 10.0.0.4 8989:30215/TCP,8006:30213/TCP,8010:30214/TCP 1d app=portal-app,release=dev +OpenStack environment, the user needs to assign/get the floating IP address +that corresponds to the private IP as follows:: + > kubectl -n onap get services|grep "sdc-fe" + sdc-fe LoadBalancer 10.43.142.201 10.0.0.4 8181:30207/TCP -In this example, use the 11.0.0.4 private address as a key find the +In this example, use the 10.0.0.4 private address as a key find the corresponding public address which in this example is 10.12.6.155. If you're using OpenStack you'll do the lookup with the horizon GUI or the OpenStack CLI -for your tenant (openstack server list). 
That IP is then used in your +for your tenant (openstack server list). That IP is then used in your `/etc/hosts` to map the fixed DNS aliases required by the ONAP Portal as shown below:: - 10.12.6.155 portal.api.simpledemo.onap.org - 10.12.6.155 vid.api.simpledemo.onap.org - 10.12.6.155 sdc.api.fe.simpledemo.onap.org - 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org - 10.12.6.155 sdc.dcae.plugin.simpledemo.onap.org - 10.12.6.155 portal-sdk.simpledemo.onap.org - 10.12.6.155 policy.api.simpledemo.onap.org - 10.12.6.155 aai.api.sparky.simpledemo.onap.org - 10.12.6.155 cli.api.simpledemo.onap.org - 10.12.6.155 msb.api.discovery.simpledemo.onap.org - 10.12.6.155 msb.api.simpledemo.onap.org - 10.12.6.155 clamp.api.simpledemo.onap.org - 10.12.6.155 so.api.simpledemo.onap.org - 10.12.6.155 sdc.workflow.plugin.simpledemo.onap.org + 10.43.142.201 sdc.fe.simpledemo.onap.org Ensure you've disabled any proxy settings the browser you are using to access the portal and then simply access now the new ssl-encrypted URL: -``https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm`` +``http://sdc.fe.simpledemo.onap.org:30207sdc1/portal`` .. note:: - Using the HTTPS based Portal URL the Browser needs to be configured to accept - unsecure credentials. - Additionally when opening an Application inside the Portal, the Browser - might block the content, which requires to disable the blocking and reloading - of the page - -.. note:: - Besides the ONAP Portal the Components can deliver additional user interfaces, + Besides the ONAP SDC the Components can deliver additional user interfaces, please check the Component specific documentation. .. note:: 
@@ -91,8 +101,8 @@ the portal and then simply access now the new ssl-encrypted URL: | Alternatives Considered: - Kubernetes port forwarding was considered but discarded as it would - require the end user to run a script that opens up port forwarding tunnels - to each of the pods that provides a portal application widget. + require the end user to run a script that opens up port forwarding + tunnels to each of the pods that provides a portal application widget. - Reverting to a VNC server similar to what was deployed in the Amsterdam release was also considered but there were many issues with resolution, @@ -102,9 +112,9 @@ the portal and then simply access now the new ssl-encrypted URL: Observations: - If you are not using floating IPs in your Kubernetes deployment and - directly attaching a public IP address (i.e. by using your public provider - network) to your K8S Node VMs' network interface, then the output of - 'kubectl -n onap get services | grep "portal-app"' + directly attaching a public IP address (i.e. by using your public + provider network) to your K8S Node VMs' network interface, then the + output of 'kubectl -n onap get services | grep "portal-app"' will show your public IP instead of the private network's IP. Therefore, you can grab this public IP directly (as compared to trying to find the floating IP first) and map this IP in /etc/hosts. 
@@ -133,44 +143,9 @@ The following table lists all the NodePorts used by ONAP. :widths: 20,20,20,20,20 :header-rows: 1 - This table retrieves information from the ONAP deployment using the following Kubernetes command: .. code-block:: bash kubectl get svc -n onap -o go-template='{{range .items}}{{range.spec.ports}}{{if .nodePort}}{{.nodePort}}{{.}}{{"\n"}}{{end}}{{end}}{{end}}' - - -(Optional) Access via Ingress -***************************** - -Using Ingress as access method requires the installation of an Ingress -controller and the configuration of the ONAP deployment to use it. - -For "ONAP on ServiceMesh" you can find the instructions in: - -- :ref:`oom_base_optional_addons` -- :ref:`oom_customize_overrides` - -In the ServiceMesh deployment the Istio IngressGateway is the only access point -for ONAP component interfaces. -Usually the Ingress is accessed via a LoadBalancer IP (), -which is used as central address. -All APIs/UIs are provided via separate URLs which are routed to the component service. -To use these URLs they need to be resolvable via DNS or via /etc/hosts. - -The domain name is usually defined in the `global` section of the ONAP helm-charts, -`virtualhost.baseurl` (here "simpledemo.onap.org") whereas the hostname of -the service (e.g. "sdc-fe-ui") is defined in the component's chart. - -.. code-block:: none - - kiali.simpledemo.onap.org - cds-ui.simpledemo.onap.org - sdc-fe-ui.simpledemo.onap.org - ... - -To access e.g. the SDC UI now the new ssl-encrypted URL: - -``https://sdc-fe-ui.simpledemo.onap.org/sdc1`` diff --git a/docs/sections/guides/deployment_guides/oom_argo_release_deploy.rst b/docs/sections/guides/deployment_guides/oom_argo_release_deploy.rst new file mode 100644 index 0000000000..399d96d845 --- /dev/null +++ b/docs/sections/guides/deployment_guides/oom_argo_release_deploy.rst 
@@ -0,0 +1,451 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2025 Deutsche Telekom + +.. Links +.. _ONAP helm release repository: https://nexus3.onap.org/service/rest/repository/browse/onap-helm-release/ +.. _ONAP Release Long Term Roadmap: https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16220234/Long+Term+Release+Roadmap +.. _GitOps Deployment: https://www.cncf.io/blog/2025/06/09/gitops-in-2025-from-old-school-updates-to-the-modern-way/ +.. _Trivy Scan: https://trivy.dev/latest/ +.. _ArgoCD: https://argo-cd.readthedocs.io/en/stable/ +.. _App of Apps: https://argo-cd.readthedocs.io/en/latest/operator-manual/cluster-bootstrapping/ + +.. _oom_argo_release_deploy: + +OOM Deployment using ArgoCD +=========================== + +Besides the deployment of ONAP using helm as described in :ref:`oom_helm_release_repo_deploy`, you +can use GitOps based deployment of ONAP components using ArgoCD or Flux (see `GitOps deployment`_). +This document shows an example for an ArgoCD (see `ArgoCD`_) based installation. + +General principles of GitOps and ArgoCD +--------------------------------------- + +GitOps is a modern approach to continuous delivery and infrastructure management +that uses Git as the source of truth for both application and infrastructure configurations. + +In GitOps, all changes to the system, such as updates or rollbacks, are made through pull +requests in Git repositories, which then trigger automated deployment pipelines. + +This ensures that the environment is always aligned with the desired state defined in the Git +repository, making the system more predictable and auditable. + +ArgoCD is a Kubernetes-native continuous delivery tool that implements GitOps principles. 
+It monitors Git repositories for changes in configuration files +(such as YAML or Helm charts) and automatically syncs the state of the Kubernetes +clusters to match the desired configuration. +With ArgoCD, users can track application deployments and changes visually through +a web UI or CLI, providing transparency and easy rollback options. +It also supports multi-cluster deployments and offers strong access control mechanisms +to manage who can trigger changes. +The system is highly automated and allows for fast, secure delivery and operational +consistency across environments. + +OOM support for ArgoCD deployment +--------------------------------- + +In the OOM repository a subtree is provided, which contains ArgoCD +Application definitions and other files supporting the installation +using ArgoCD: + +An example structure of the OOM common helm charts is shown below: + +.. code-block:: bash + + argo + ├── argocd + │   ├── app-argocd.yaml + │   ├── kustomization.yaml + │   ├── argo-project.yaml + │   ├── argo-secret.yaml + │   ├── argocd.yaml + │   ├── values + │   │   └── argocd.yaml + ├── infra + │   ├── app-infra.yaml + │   ├── kustomization.yaml + │   ├── certmanager.yaml + │   ├── chartmuseum.yaml + │   ├── compile-onap.yaml + │   ├── ... + │   ├── values + │   │   ├── certmanager.yaml + │   │   ├── chartmuseum.yaml + │   │   ├── compile-onap.yaml + │   │   ├── ... + │   │   └── xxx.yaml + │   ├── compile-onap + │   │   └── helm + │   │      ├── Chart.yaml + │   │      ├── values.yaml + │   │      └── templates + │   │         └── onap-helm-render-job.yaml + │   ├── ... + ├── onap + │   ├── app-onap.yaml + │   ├── kustomization.yaml + │   ├── a1policymanagement.yaml + │   ├── aai.yaml + │   ├── authentication.yaml + │   ├── cds.yaml + │   ├── ... + │   ├── values + │   │   ├── a1policymanagement.yaml + │   │   ├── aai.yaml + │   │   ├── authentication.yaml + │   │   ├── ... 
+ │   │   └── xxx.yaml + ├── onap-test + │   ├── app-onap-test.yaml + │   ├── kustomization.yaml + │   ├── kafka-ui.yaml + │   ├── onap-test-ingress.yaml + │   ├── testkube.yaml + │   ├── trivy-operator.yaml + │   ├── values + │   │   ├── kafka-ui.yaml + │   │   ├── onap-test-ingress.yaml + │   │   ├── testkube.yaml + │   │   └── trivy-operator.yaml + │   ├── ingress-routes + │   │   └── helm + │   │      ├── Chart.yaml + │   │      ├── values.yaml + │   │      └── templates + │   │         └── ingress-kafka-ui.yaml + │   ├── ... + └── update-variables.sh + +The main folders are: + +* argocd + + * Application definition for the ArgoCD deployment + +* infra + + * Application definitions for required infrastructure components + (e.g. Istio, CertManager, DB Operators, ...) + * Required Helm Charts for IngressRoutes, Kiali, ONAP Chart compilation + +* onap + + * Application definitions for ONAP components (e.g. AAI, CDS, SO, ...) + +* onap-test + + * Application definitions for ONAP Test components and tools + (e.g. Trivy Scan, Testkube, Kafka-UI) + +General hints and preparation +----------------------------- + +Prerequisites +^^^^^^^^^^^^^ + +As prerequisite you would need a Kubernetes cluster with the required +capacity to deploy the components into. + +The Infrastructure (e.g. Bare Metal servers, Virtual Hosts) and the +way of deployment (e.g. ClusterAPI, Kubespray) is not restricted. + +In the tests of the OOM team it is done: + +* On a vanilla Openstack cluster +* Using Terraform to create the tenant, VMs and networking +* Using Kubespray to create the K8S cluster +* Use a GitLab-CI pipeline to orchestrate the creation + +At the end of the deployment you need to install ArgoCD in this cluster +for the further process of installation. 
+ +As a input parameters for the ONAP deployment you would need to provide: + +* A local Git(lab) project to store the "argo" Application definitions (or the oom project) +* Storage Class the cluster provides for PVs +* (Optional) A local helm registry to store the ONAP helmcharts, + if you don't use the installed ChartMuseum + +Preparation +^^^^^^^^^^^ + +* Clone the OOM repository into a new Git(Lab) project +* Replace the following variables with the script 'updateVariables.sh' (in argo subdir): + + * with the URL of the new git repo + * with the default K8S storage class + * with the base DNS zone (e.g. "simpledemo.onap.org") + * with the postfix for the hosts (optional) (e.g. "-onap-00") + * URL of the docker repository ('docker.io') + * URL of the ONAP docker repository ('nexus3.onap.org:10001') + * URL of the Elastic docker repository ('docker.elastic.co') + * URL of the Quay.io docker repository ('quay.io') + * URL of the K8S docker repository ('gcr.io') + * URL of the GoogleK8S docker repository ('registry.k8s.io') + * URL of the Github docker repository ('ghcr.io') +* after setting the variables start the script in the argo dir: + './updateVariables.sh' +* check-in the git project + +To allow ArgoCD to access the + +- Git Repository, which contains the application definitions, +- (optional) Helm Repository, which contains the compiled charts + +you need to create secrets to define the repository and the access credentials. +E.g.: + +.. collapse:: argo-secret.yaml + + .. include:: ../../../../argo/argocd/argo-secret.yaml + :code: yaml + +The secrets will be created during the ArgoCD "self-managed" deployment described in the later section. + +General info about the installation of applications +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +In this example we use the "App of Apps" Pattern (see `App of Apps`_) to install bundles of applications. +E.g. we create an "onap" application containing multiple ONAP component applications (e.g. so, aai). 
+ +As definition of the "onap" application an "Application" resource is defined, which points to +the directory 'argo/onap' in the examples. + +.. collapse:: app-onap.yaml + + .. include:: ../../../../argo/onap/app-onap.yaml + :code: yaml + +The directory contains a kustomization.yaml file, which contains a resource definition pointing to +the ONAP component application files in its subdirectories. + +.. collapse:: kustomization.yaml + + .. include:: ../../../../argo/onap/kustomization.yaml + :code: yaml + +To add the ONAP application to ArgoCD for management, you can add it via kubectl command:: + + > kubectl apply -f argo/onap/app-onap.yaml + +If you don't want to use the "App of Apps" Pattern, you can also install the single applications, e.g.:: + + > kubectl apply -f argo/onap/so.yaml + +User Guide for ArgoCD example +----------------------------- + +After preparation of the environment and git repository the following steps are executed: + +* Installation of "self-managed" ArgoCD +* Installation of the Infrastructure Applications and compilation and storage of the ONAP charts +* Installation of the ONAP Applications +* Installation of the ONAP Test Applications + +The separation of the deployment steps is done to ease the installation procedure and avoid +dependency problems. But generally it should also be possible to install all applications at once +and let ArgoCD deal with the deployment. + +Installation of "self-managed" ArgoCD +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +After ArgoCD has been installed, you can add an "argocd" application to force ArgoCD to manage itself. 
+ +The definition files can be found in the directory 'argo/argocd': + +* app-argocd.yaml - (AppOfApps-)Application definition file points to the same directory and uses kustomization.yaml +* kustomization.yaml - Kustomize file with resources collection (argocd.yaml, argo-project.yaml, argo-secrets.yaml) +* argocd.yaml - Application definition for ArgoCD +* app-secrets.yaml - Secrets for needed Git/Helm-repositories and credentials +* app-project.yaml - ArgoCD Project definition +* values/argocd.yaml - values definition used by argocd.yaml + +To deploy the ArgoCD "self-managed" (AppOfApps-)application, you can add it via kubectl command:: + + > kubectl apply -f argo/argocd/app-argocd.yaml + +You can now try to access the ArgoCD UI via Port Forwarding of the "argo-service". +The access credentials are "admin/gating" + +Installation of the Infrastructure Applications +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +As ONAP requires a number of platform/infrastructure components, the installation of those are bundled in +this "App of Apps" Application. 
+ +The definition files can be found in the directory 'argo/infra': + +* app-infra.yaml - (AppOfApps-)Application definition file points to the same directory and uses kustomization.yaml +* kustomization.yaml - Kustomize file with resources collection for the "App of Apps" Application +* cert-manager.yaml - Application definition for Certificate Manager +* chartmuseum.yaml - Application definition for ChartMuseum (required for compile-onap) +* compile-onap.yaml - Application definition a local helm chart used for local ONAP chart compilation +* compile-onap/helm/* - Helm chart used for local ONAP chart compilation +* django-defectdojo.yaml - Application definition for Defect-Dojo (used as Trivy Report UI) +* gateway-api.yaml - Application definition for Gateway-API CRDs +* gateway-api/* - CRD definitions of Gateway-API +* infra-ingress.yaml - Application definition for a local helm chart for Ingress routes (ingress-routes) +* ingress-routes/helm - Helm chart with ingress definition for Infra Applications and Ingress Gateway +* istio.yaml - Application definition for Istio ServiceMesh +* jaeger.yaml - Application definition for Jaeger +* k8ssandra-operator.yaml - Application definition for K8ssandra-Operator +* keycloak-db.yaml - Application definition for the Database instance for Keycloak +* keycloak.yaml - Application definition for Keycloak +* kiali-operator.yaml - Application definition for the Kiali-Operator +* kiali.yaml - Application definition for the Kiali Instance +* kiali-instance/* - Definition of the Kiali Instance +* mariadb-operator-crds.yaml - Application definition for the MariaDB-Operator CRDs +* mariadb-operator.yaml - Application definition for the MariaDB-Operator +* mongodb-operator.yaml - Application definition for the MongoDB-Operator +* nfs-server-provisioner.yaml - Application definition for the NFS Server Provisioner +* postgres-operator.yaml - Application definition for the Postgres-Operator +* prometheus.yaml - Application definition 
for the Prometheus +* strimzi.yaml - Application definition for the Strimzi-Kafka-Operator +* trivy-dojo-report-operator.yaml - Application definition for the Trivy-DefectDojo Connector +* values/* - values definition for all infra applications + +To deploy the Infrastructure (AppOfApps-)application, you can add it via kubectl command:: + + > kubectl apply -f argo/infra/app-infra.yaml + +After the successful installation of the Ingress setup you should be able to start the ArgoCD UI via the URL: + +``https://argocd.`` + +Access credentials are "admin/gating" + +.. figure:: ../../resources/images/argocd/login.jpg + :align: right + +You should see in the UI the Application trees of "argo-management" and "infra-components" + +.. figure:: ../../resources/images/argocd/argocd.jpg + :align: right + +.. figure:: ../../resources/images/argocd/infra.jpg + :align: right + +Within the Infrastructure components the "compile-onap" App creates a job, which downloads the "OOM" +git repository, compiles the ONAP charts and stores them into the "ChartMuseum" App. + +The ChartMuseum is used as Helm Repository for the ONAP Applications. +Within the ONAP Application definitions (e.g. in 'argo/onap/aai.yaml') you see as source definition +the internal Chart Museum Service URL ('repoURL'). + +If you want to use another repository, you need to change the value. +The Chart version ('targetRevision') is set as "*", so it uses the latest version it finds. + +If you want, you can specify here a fixed release version (e.g. '16.0.0'). + +.. code-block:: yaml + + apiVersion: argoproj.io/v1alpha1 + kind: Application + metadata: + name: onap-aai + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + spec: + ... 
+ sources: + - repoURL: '' + targetRevision: + ref: defaultValues + - repoURL: http://chartmuseum.chartmuseum:8080 + chart: aai + targetRevision: "*" + helm: + ignoreMissingValueFiles: true + valueFiles: + - $defaultValues/argo/onap/values/values-global.yaml + - $defaultValues/argo/onap/values/aai.yaml + ... + +Installation of the ONAP Applications +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The deployment of ONAP components is shown here as "App of Apps" application. + +The selection of the ONAP component can be done via the kustomization.yaml file. + +If the "App of Apps" pattern is not wanted, the components an also be deployed individually. + +The definition files can be found in the directory 'argo/onap': + +* app-onap.yaml - (AppOfApps-)Application definition file points to the same directory and uses kustomization.yaml +* kustomization.yaml - Kustomize file with resources collection for the "App of Apps" Application +* a1policymanagement.yaml - Application definition for A1 Policy Management +* aai.yaml - Application definition for AAI component +* authentication.yaml - Application definition for Authentication component +* cds.yaml - Application definition for CDS component +* common/cassandra.yaml - Application definition for the common CASSANDRA DB instance +* common/mariadb-galera.yaml - Application definition for the common MariaDB instance +* common/postgres.yaml - Application definition for the common Postgres DB instance +* common/repository-wrapper.yaml - Application definition for the common Repository Wrapper +* common/roles-wrapper.yaml - Application definition for the common Roles Wrapper (optional) +* cps.yaml - Application definition for CPS component +* dcaegen2-services.yaml - Application definition for DCAEGEN2-SERVICES component +* multicloud.yaml - Application definition for MULTICLOUD component +* platform.yaml - Application definition for PLATFORM component +* policy.yaml - Application definition for POLICY component +* portal-ng.yaml - 
Application definition for PORTAL-NG component +* sdc.yaml - Application definition for SDC component +* sdnc.yaml - Application definition for SDNC component +* so.yaml - Application definition for SO component +* strimzi.yaml - Application definition for STRIMZI component +* uui.yaml - Application definition for UUI component +* values/* - values definition for all ONAP applications + common values-global.yaml + +To deploy the ONAP (AppOfApps-)application, you can add it via kubectl command:: + + > kubectl apply -f argo/onap/app-onap.yaml + +You should see in the UI the Application trees of "onap" + +.. figure:: ../../resources/images/argocd/onap.jpg + :align: right + +Installation of the ONAP Test Applications +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +As we use the ArgoCD deployment also for testing the ONAP components, +we decided to add an application set to deploy testing components. + +The definition files can be found in the directory 'argo/onap-test': + +* app-onap-test.yaml - (AppOfApps-)Application definition file points to the same directory and uses kustomization.yaml +* kustomization.yaml - Kustomize file with resources collection for the "App of Apps" Application +* kafka-ui.yaml - Application definition for Kafka UI +* onap-test-ingress.yaml - Application definition for a local helm chart for Ingress routes (ingress-routes) +* ingress-routes/helm - Helm chart with ingress definition for KAfka UI Application and Ingress Gateway +* testkube.yaml - Application definition for the TESTKUBE Chart deployent for running ONAP tests +* testkube/helm/* - Helm chart for the TESTKUBE application +* testkube/pythonsdk-tests/* - TESTKUBE test definitions based on ONAP PythonSDK +* values/* - values definition for all ONAP Test applications + +To deploy the ONAP-Test (AppOfApps-)application, you can add it via kubectl command:: + + > kubectl apply -f argo/onap-test/app-onap-test.yaml + +URLs of Applications +^^^^^^^^^^^^^^^^^^^^ + +Besides the ONAP 
applications the following applications are exposed via Ingress: + +* ArgoCD: ``https://argocd.`` (admin/gating) +* Kafka-UI: ``https://kafka-ui.`` +* Cassandra-Reaper: ``https://reaper-dc1.`` (see secret "cassandra-reaper-ui") +* Testkube: ``https://testkube.`` +* DefectDojo: ``https://defectdojo.`` (admin/gating) +* Grafana: ``https://grafana.`` (admin/prom-operator) +* Kiali: ``https://kiali.`` +* Jaeger: ``https://jaeger.`` +* Keycloak: ``https://keycloak-ui.`` (admin/secret) + +ONAP applications follow the same schema, e.g. portal-ng: + +* PortalNG: ``https://portal-ng-ui.`` +* ... diff --git a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst index a49543cc0c..52fb7e5d5b 100644 --- a/docs/sections/guides/deployment_guides/oom_customize_overrides.rst +++ b/docs/sections/guides/deployment_guides/oom_customize_overrides.rst 
@@ -11,19 +11,22 @@ OOM Custom Overrides #################### -The OOM `helm deploy`_ plugin requires deployment configuration as input, usually in the form of override yaml files. -These input files determine what ONAP components get deployed, and the configuration of the OOM deployment. +The OOM `helm deploy`_ plugin requires deployment configuration as input, +usually in the form of override yaml files. +These input files determine what ONAP components get deployed, and the +configuration of the OOM deployment. Other helm config options like `--set log.enabled=true|false` are available. -See the `helm deploy`_ plugin usage section for more detail, or it the plugin has already been installed, execute the following:: +See the `helm deploy`_ plugin usage section for more detail, or it the plugin +has already been installed, execute the following:: > helm deploy --help Users can customize the override files to suit their required deployment. .. note:: - Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-istio.yaml`) + Standard and example override files (e.g. `onap-all.yaml`, `onap-all-ingress-gatewayapi.yaml`) can be found in the `oom/kubernetes/onap/resources/overrides/` directory. * Users can selectively enable or disable ONAP components by changing the ``enabled: true/false`` flags. @@ -32,7 +35,8 @@ Users can customize the override files to suit their required deployment. Enabling/Disabling Components -***************************** +============================= + Here is an example of the nominal entries that need to be provided. Different values files are available for different contexts. 
@@ -43,26 +47,58 @@ Different values files are available for different contexts. | -(Optional) "ONAP on Service Mesh" -********************************* +ONAP "Production" Setup +======================= + +The production setup deploys ONAP components exposing its external services +via Ingress with TLS termination. +Internal traffic encryption will be ensured by using Istio ServiceMesh. + +For external access we start to establish Authentication via Oauth2-proxy +and Keycloak, which will be completed in the coming release. + +To enable both "ServiceMesh" and "Ingress" configuration entries need +to be set before deployment. -To enable "ONAP on Service Mesh" both "ServiceMesh" and "Ingress" -configuration entries need to be configured before deployment. +Service Mesh and Ingress configuration +-------------------------------------- -Global settings relevant for ServiceMesh: +Global settings relevant for ServiceMesh and Ingress: .. code-block:: yaml global: ingress: # generally enable ingress for ONAP components - enabled: false + enabled: true # enable all component's Ingress interfaces enable_all: false + + # Provider: ingress, istio, gw-api + provider: gw-api + # Ingress class (only for provider "ingress"): e.g. 
nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + # default Ingress base URL - # can be overwritten in component by setting ingress.baseurlOverride + # All http requests via ingress will be redirected virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" # All http requests via ingress will be redirected on Ingress controller # only valid for Istio Gateway (ServiceMesh enabled) config: @@ -80,6 +116,7 @@ Global settings relevant for ServiceMesh: tls: true # be aware that linkerd is not well tested engine: "istio" # valid value: istio or linkerd + ... aafEnabled: false cmpv2Enabled: false tlsEnabled: false 
@@ -87,24 +124,66 @@ Global settings relevant for ServiceMesh: ServiceMesh settings: -- enabled: true → enables ServiceMesh functionality in the ONAP Namespace (Istio: enables Sidecar deployment) +- enabled: true → enables ServiceMesh functionality in the ONAP Namespace + (Istio: enables Sidecar deployment) - tls: true → enables mTLS encryption in Sidecar communication - engine: istio → sets the SM engine (currently only Istio is supported) - aafEnabled: false → disables AAF usage for TLS interfaces - tlsEnabled: false → disables creation of TLS in component services - cmpv2Enabled: false → disable cmpv2 feature -- msbEnabled: false → MSB is not used in Istio setup (Open, if all components are MSB independend) +- msbEnabled: false → MSB is not used in Istio setup (Open, if all components + are MSB independend) Ingress settings: -- enabled: true → enables Ingress using: Nginx (when SM disabled), Istio IngressGateway (when SM enabled) +- enabled: true → enables Ingress using: Nginx (when SM disabled), Istio + IngressGateway (when SM enabled) - enable_all: true → enables Ingress configuration in each component -- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all Interfaces set by the components, - resulting in e.g. "aai-api.simpledemo.onap.org", can be overwritten in the component via: ingress.baseurlOverride -- config.ssl: redirect → sets in the Ingress globally the redirection of all Interfaces from http (port 80) to https (port 443) -- config.tls.secret: "..." → (optional) overrides the default selfsigned SSL certificate with a certificate stored in the specified secret -- namespace: istio-ingress → (optional) overrides the namespace of the ingress gateway which is used for the created SSL certificate +- provider: "..." → sets the Ingress provider (ingress, istio, gw-api) +- ingressClass: "" → Ingress class (only for provider "ingress"): e.g. 
nginx, + traefik +- ingressSelector: "" → Selector (only for provider "istio") to match with the + ingress pod label "istio=ingress" +- commonGateway: "" → optional: common used Gateway (for Istio, GW-API) and + http(s) listener names +- virtualhost.baseurl: "simpledemo.onap.org" → sets globally the URL for all + Interfaces set by the components, resulting in e.g. + "aai-api.simpledemo.onap.org", can be overwritten in the component via: + ingress.baseurlOverride +- virtualhost.preaddr: "pre-" → sets globally a prefix for the Application name + for all Interfaces set by the components, resulting in e.g. + "pre-aai-api.simpledemo.onap.org", can be overwritten in the component via: + ingress.preaddrOverride +- virtualhost.postaddr: "-post" → sets globally a postfix for the Application + name for all Interfaces set by the components, resulting in e.g. + "aai-api-post.simpledemo.onap.org", can be overwritten in the component via: + ingress.postaddrOverride +- config.ssl: redirect → sets in the Ingress globally the redirection of all + Interfaces from http (port 80) to https (port 443) +- config.tls.secret: "..." → (optional) overrides the default selfsigned SSL + certificate with a certificate stored in the specified secret +- namespace: istio-ingress → (optional) overrides the namespace of the ingress + gateway which is used for the created SSL certificate .. note:: - For "ONAP on Istio" an example override file (`onap-all-ingress-istio.yaml`) + For the Ingress setup example override files (`onap-all-ingress-istio.yaml`, `onap-all-ingress-gatewayapi.yaml`) can be found in the `oom/kubernetes/onap/resources/overrides/` directory. + +External Authentication configuration +------------------------------------- + +For enabling of external authentication via Oauth2-Proxy and Keycloak +the following settings have to be done in the ONAP values override. 
+It will enable the deployment of the ONAP Realm to Keycloak and +installation and integration of the Oauth2-Proxy as external Auth-Provider. + +.. code-block:: yaml + + platform: + enabled: true + cmpv2-cert-service: + enabled: false + keycloak-init: + enabled: true + oauth2-proxy: + enabled: true \ No newline at end of file diff --git a/docs/sections/guides/deployment_guides/oom_deployment.rst b/docs/sections/guides/deployment_guides/oom_deployment.rst index 110736939e..093a5fec54 100644 --- a/docs/sections/guides/deployment_guides/oom_deployment.rst +++ b/docs/sections/guides/deployment_guides/oom_deployment.rst @@ -4,7 +4,7 @@ .. Copyright (C) 2022 Nordix Foundation .. Links -.. _ONAP Release Long Term Roadmap: https://wiki.onap.org/display/DW/Long+Term+Roadmap +.. _ONAP Release Long Term Roadmap: https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16220234/Long+Term+Release+Roadmap .. _oom_deploy_guide: @@ -14,11 +14,13 @@ OOM Deployment Guide .. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png :align: right -ONAP OOM supports several options for the deployment of ONAP using it's helm charts. +ONAP OOM supports several options for the deployment of ONAP using it's helm +charts. * :ref:`oom_helm_release_repo_deploy` * :ref:`oom_helm_testing_repo_deploy` * :ref:`oom_dev_testing_local_deploy` + * :ref:`oom_argo_release_deploy` .. warning:: | **Pre-requisites** @@ -27,16 +29,18 @@ ONAP OOM supports several options for the deployment of ONAP using it's helm cha | :ref:`Set up your base platform` -Each deployment method can be customized to deploy a subset of ONAP component applications. +Each deployment method can be customized to deploy a subset of ONAP component +applications. See the :ref:`oom_customize_overrides` section for more details. .. toctree:: - :hidden: + :maxdepth: 1 oom_customize_overrides.rst oom_helm_release_repo_deploy.rst oom_helm_testing_repo_deploy.rst oom_dev_testing_local_deploy.rst + oom_argo_release_deploy.rst 
diff --git a/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst b/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst index 50701dd597..debca31918 100644 --- a/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst +++ b/docs/sections/guides/deployment_guides/oom_dev_testing_local_deploy.rst @@ -10,8 +10,8 @@ OOM Developer Testing Deployment ================================ -Developing and testing changes to the existing OOM project can be done locally by setting up some additional -tools to host the updated helm charts. +Developing and testing changes to the existing OOM project can be done locally +by setting up some additional tools to host the updated helm charts. **Step 1.** Clone the OOM repository from ONAP gerrit:: @@ -31,13 +31,10 @@ tools to host the updated helm charts. **Step 3.** Install Chartmuseum -Chart museum is required to host the helm charts locally when deploying in a development environment:: +Chart museum is required to host the helm charts locally when deploying in a +development environment:: - > curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum - - > chmod +x ./chartmuseum - - > mv ./chartmuseum /usr/local/bin + > curl https://raw.githubusercontent.com/helm/chartmuseum/main/scripts/get-chartmuseum | bash **Step 4.** To setup a local Helm server to store the ONAP charts:: @@ -45,7 +42,8 @@ Chart museum is required to host the helm charts locally when deploying in a dev > chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 & -Note the port number that is listed and use it in the Helm repo add as follows:: +Note the port number that is listed and use it in the Helm repo add as +follows:: > helm repo add local http://127.0.0.1:8879 
diff --git a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst index f932360e44..5e3115da6b 100644 --- a/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst +++ b/docs/sections/guides/deployment_guides/oom_helm_release_repo_deploy.rst @@ -5,7 +5,7 @@ .. Links .. _ONAP helm release repository: https://nexus3.onap.org/service/rest/repository/browse/onap-helm-release/ -.. _ONAP Release Long Term Roadmap: https://wiki.onap.org/display/DW/Long+Term+Roadmap +.. _ONAP Release Long Term Roadmap: https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16220234/Long+Term+Release+Roadmap .. _oom_helm_release_repo_deploy: @@ -32,7 +32,8 @@ Add the repository: To customize what applications are deployed, see the :ref:`oom_customize_overrides` section for more details, to provide your own custom overrides yaml file. -- To deploy a release, execute the following, substituting the tag with your preferred release (ie. 11.0.0):: +- To deploy a release, execute the following, substituting the tag with + your preferred release (ie. 13.0.0):: > helm deploy dev onap-release/onap --namespace onap --create-namespace --set global.masterPassword=myAwesomePasswordThatINeedToChange --version -f oom/kubernetes/onap/resources/overrides/onap-all.yaml diff --git a/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst b/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst index a0dafcef9b..92c0e68dff 100644 --- a/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst +++ b/docs/sections/guides/deployment_guides/oom_helm_testing_repo_deploy.rst 
@@ -12,12 +12,14 @@ OOM Helm Testing Deployment =========================== -ONAP hosts the OOM `testing` helm charts in it's `ONAP helm testing repository`_. +ONAP hosts the OOM `testing` helm charts in it's +`ONAP helm testing repository`_. This is helm repo contains: * The `latest` charts built from the head of the `OOM`_ project's master - branch, tagged with the version number of the current development cycle (ie. 11.0.0). + branch, tagged with the version number of the current development cycle + (ie. 15.0.0). Add the OOM testing repo & Deploy diff --git a/docs/sections/guides/development_guides/oom_dev_config_management.rst b/docs/sections/guides/development_guides/oom_dev_config_management.rst index 36a02dc85d..c6f1c4735d 100644 --- a/docs/sections/guides/development_guides/oom_dev_config_management.rst +++ b/docs/sections/guides/development_guides/oom_dev_config_management.rst @@ -441,4 +441,4 @@ SO deployment specification excerpt: - --container-name - so-mariadb env: - ... \ No newline at end of file + ... diff --git a/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst b/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst index b137bff8b6..ecbaabd7be 100644 --- a/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst +++ b/docs/sections/guides/development_guides/oom_dev_container_orchestration.rst @@ -363,4 +363,4 @@ containers and any state information within it. To avoid a loss of state, a persistent volume should be used to store all data that needs to be persisted over the re-creation of a container. Persistent volumes have been created for the database components of each of the projects and the same technique can be -used for all persistent state information. \ No newline at end of file +used for all persistent state information. 
diff --git a/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst b/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst index 533f60e29b..0299c9579f 100644 --- a/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst +++ b/docs/sections/guides/development_guides/oom_dev_helm_chart_info.rst @@ -22,9 +22,9 @@ in a hierarchy as found in the `aai`_ ONAP component. Charts are created as files laid out in a particular directory tree, then they can be packaged into versioned archives to be deployed. There is a public -archive of `Helm Charts`_ on ArtifactHUB that includes many technologies applicable -to ONAP. Some of these charts have been used in ONAP and all of the ONAP charts -have been created following the guidelines provided. +archive of `Helm Charts`_ on ArtifactHUB that includes many technologies +applicable to ONAP. Some of these charts have been used in ONAP and all of the +ONAP charts have been created following the guidelines provided. An example structure of the OOM common helm charts is shown below: diff --git a/docs/sections/guides/infra_guides/oom_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_base_config_setup.rst deleted file mode 100644 index d228f5df56..0000000000 --- a/docs/sections/guides/infra_guides/oom_base_config_setup.rst +++ /dev/null 
@@ -1,187 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright (C) 2022 Nordix Foundation - -.. Links -.. _HELM Best Practices Guide: https://docs.helm.sh/chart_best_practices/#requirements -.. _helm installation guide: https://helm.sh/docs/intro/install/ -.. _kubectl installation guide: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ -.. _Curated applications for Kubernetes: https://github.com/kubernetes/charts -.. _Cert-Manager Installation documentation: https://cert-manager.io/docs/installation/kubernetes/ -.. _Cert-Manager kubectl plugin documentation: https://cert-manager.io/docs/usage/kubectl-plugin/ -.. _Strimzi Apache Kafka Operator helm Installation documentation: https://strimzi.io/docs/operators/in-development/deploying.html#deploying-cluster-operator-helm-chart-str - -.. _oom_base_setup_guide: - -OOM Base Platform -################# - -As part of the initial base setup of the host Kubernetes cluster, -the following mandatory installation and configuration steps must be completed. - -.. contents:: - :backlinks: top - :depth: 1 - :local: -.. - -For additional platform add-ons, see the :ref:`oom_base_optional_addons` section. - -Install & configure kubectl -*************************** -The Kubernetes command line interface used to manage a Kubernetes cluster needs to be installed -and configured to run as non root. 
- -For additional information regarding kubectl installation and configuration see the `kubectl installation guide`_ - -To install kubectl, execute the following, replacing the with the version defined -in the :ref:`versions_table` table:: - - > curl -LO https://dl.k8s.io/release/v/bin/linux/amd64/kubectl - - > chmod +x ./kubectl - - > sudo mv ./kubectl /usr/local/bin/kubectl - - > mkdir ~/.kube - - > cp kube_config_cluster.yml ~/.kube/config.onap - - > export KUBECONFIG=~/.kube/config.onap - - > kubectl config use-context onap - -Validate the installation:: - - > kubectl get nodes - -:: - - NAME STATUS ROLES AGE VERSION - onap-control-1 Ready controlplane,etcd 3h53m v1.23.8 - onap-control-2 Ready controlplane,etcd 3h53m v1.23.8 - onap-k8s-1 Ready worker 3h53m v1.23.8 - onap-k8s-2 Ready worker 3h53m v1.23.8 - onap-k8s-3 Ready worker 3h53m v1.23.8 - onap-k8s-4 Ready worker 3h53m v1.23.8 - onap-k8s-5 Ready worker 3h53m v1.23.8 - onap-k8s-6 Ready worker 3h53m v1.23.8 - - -Install & configure helm -************************ -Helm is used for package and configuration management of the relevant helm charts. 
-For additional information, see the `helm installation guide`_ - -To install helm, execute the following, replacing the with the version defined -in the :ref:`versions_table` table:: - - > wget https://get.helm.sh/helm-v-linux-amd64.tar.gz - - > tar -zxvf helm-v-linux-amd64.tar.gz - - > sudo mv linux-amd64/helm /usr/local/bin/helm - -Verify the helm version with:: - - > helm version - -Helm's default CNCF provided `Curated applications for Kubernetes`_ repository called -*stable* can be removed to avoid confusion:: - - > helm repo remove stable - -Install the additional OOM plugins required to un/deploy the OOM helm charts:: - - > git clone http://gerrit.onap.org/r/oom - - > cp -R ~/oom/kubernetes/helm/plugins/ /usr/local/bin/helm/plugins - -Verify the plugins are installed:: - - > helm plugin ls - -:: - - NAME VERSION DESCRIPTION - deploy 1.0.0 install (upgrade if release exists) parent charty and all subcharts as separate but related releases - undeploy 1.0.0 delete parent chart and subcharts that were deployed as separate releases - - -Install the strimzi kafka operator -********************************** -Strimzi Apache Kafka provides a way to run an Apache Kafka cluster on Kubernetes -in various deployment configurations by using kubernetes operators. -Operators are a method of packaging, deploying, and managing Kubernetes applications. - -Strimzi Operators extend the Kubernetes functionality, automating common -and complex tasks related to a Kafka deployment. By implementing -knowledge of Kafka operations in code, the Kafka administration -tasks are simplified and require less manual intervention. - -The Strimzi cluster operator is deployed using helm to install the parent chart -containing all of the required custom resource definitions. This should be done -by a kubernetes administrator to allow for deployment of custom resources in to -any kubernetes namespace within the cluster. 
- -Full installation instructions can be found in the -`Strimzi Apache Kafka Operator helm Installation documentation`_. - -To add the required helm repository, execute the following:: - - > helm repo add strimzi https://strimzi.io/charts/ - -To install the strimzi kafka operator, execute the following, replacing the with the version defined -in the :ref:`versions_table` table:: - - > helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version --set watchAnyNamespace=true --create-namespace - -Verify the installation:: - - > kubectl get po -n strimzi-system - -:: - - NAME READY STATUS RESTARTS AGE - strimzi-cluster-operator-7f7d6b46cf-mnpjr 1/1 Running 0 2m - - -Install Cert-Manager -******************** - -Cert-Manager is a native Kubernetes certificate management controller. -It can help with issuing certificates from a variety of sources, such as -Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, self -signed or external issuers. It ensures certificates are valid and up to -date, and attempt to renew certificates at a configured time before expiry. - -Cert-Manager is deployed using regular YAML manifests which include all -the needed resources (the CustomResourceDefinitions, cert-manager, -namespace, and the webhook component). - -Full installation instructions, including details on how to configure extra -functionality in Cert-Manager can be found in the -`Cert-Manager Installation documentation`_. - -There is also a kubectl plugin (kubectl cert-manager) that can help you -to manage cert-manager resources inside your cluster. For installation -steps, please refer to `Cert-Manager kubectl plugin documentation`_. 
- - -To install cert-manager, execute the following, replacing the with the version defined -in the :ref:`versions_table` table:: - - > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v/cert-manager.yaml - -Verify the installation:: - - > kubectl get po -n cert-manager - -:: - - NAME READY STATUS RESTARTS AGE - cert-manager-776c4cfcb6-vgnpw 1/1 Running 0 2m - cert-manager-cainjector-7d9668978d-hdxf7 1/1 Running 0 2m - cert-manager-webhook-66c8f6c75-dxmtz 1/1 Running 0 2m - diff --git a/docs/sections/guides/infra_guides/oom_base_optional_addons.rst b/docs/sections/guides/infra_guides/oom_base_optional_addons.rst deleted file mode 100644 index 5f81a363e9..0000000000 --- a/docs/sections/guides/infra_guides/oom_base_optional_addons.rst +++ /dev/null 
@@ -1,182 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright (C) 2022 Nordix Foundation - -.. Links -.. _Prometheus stack README: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#readme -.. _ONAP Next Generation Security & Logging Structure: https://wiki.onap.org/pages/viewpage.action?pageId=103417456 -.. _Istio best practices: https://docs.solo.io/gloo-mesh-enterprise/latest/setup/prod/namespaces/ -.. _Istio setup guide: https://istio.io/latest/docs/setup/install/helm/ -.. _Kiali setup guide: https://kiali.io/docs/installation/installation-guide/example-install/ - -.. _oom_base_optional_addons: - -OOM Optional Addons -################### - -The following optional applications can be added to your kubernetes environment. - -Install Prometheus Stack -************************ - -Prometheus is an open-source systems monitoring and alerting toolkit with -an active ecosystem. - -Kube Prometheus Stack is a collection of Kubernetes manifests, Grafana -dashboards, and Prometheus rules combined with documentation and scripts to -provide easy to operate end-to-end Kubernetes cluster monitoring with -Prometheus using the Prometheus Operator. As it includes both Prometheus -Operator and Grafana dashboards, there is no need to set up them separately. -See the `Prometheus stack README`_ for more information. 
- -To install the prometheus stack, execute the following: - -- Add the prometheus-community Helm repository:: - - > helm repo add prometheus-community https://prometheus-community.github.io/helm-charts - -- Update your local Helm chart repository cache:: - - > helm repo update - -- To install prometheus, execute the following, replacing the with the version defined in the :ref:`versions_table` table:: - - > helm install prometheus prometheus-community/kube-prometheus-stack --namespace=prometheus --create-namespace --version= - -ONAP on Service Mesh -******************** - -.. warning:: - "ONAP on Service Mesh" is not fully supported in "Kohn". Full support is - planned for London release to support the - `ONAP Next Generation Security & Logging Structure`_ - -.. figure:: ../../resources/images/servicemesh/ServiceMesh.png - :align: center - -ONAP is currenty planned to support Istio as default ServiceMesh platform. -Therefor the following instructions describe the setup of Istio and required tools. 
-Used `Istio best practices`_ and `Istio setup guide`_ - -Istio Platform Installation -=========================== - -Install Istio Basic Platform ----------------------------- - -- Configure the Helm repository:: - - > helm repo add istio https://istio-release.storage.googleapis.com/charts - - > helm repo update - -- Create a namespace for "mesh-level" configurations:: - - > kubectl create namespace istio-config - -- Create a namespace istio-system for Istio components:: - - > kubectl create namespace istio-system - -- Install the Istio Base chart which contains cluster-wide resources used by the - Istio control plane, replacing the with the version - defined in the :ref:`versions_table` table:: - - > helm upgrade -i istio-base istio/base -n istio-system --version - -- Install the Istio Base Istio Discovery chart which deploys the istiod service, replacing the - with the version defined in the :ref:`versions_table` table - (enable the variable to enforce the (sidecar) proxy startup before the container start):: - - > helm upgrade -i istiod istio/istiod -n istio-system --version - --wait --set global.proxy.holdApplicationUntilProxyStarts=true --set meshConfig.rootNamespace=istio-config - -Add an EnvoyFilter for HTTP header case ---------------------------------------- - -When handling HTTP/1.1, Envoy will normalize the header keys to be all lowercase. -While this is compliant with the HTTP/1.1 spec, in practice this can result in issues -when migrating existing systems that might rely on specific header casing. -In our case a problem was detected in the SDC client implementation, which relies on -uppercase header values. To solve this problem in general we add a EnvoyFilter to keep -the uppercase header in the istio-config namespace to apply for all namespaces, but -set the context to SIDECAR_INBOUND to avoid problems in the connection between Istio-Gateway and Services - -- Create a EnvoyFilter file (e.g. envoyfilter-case.yaml) - - .. 
collapse:: envoyfilter-case.yaml - - .. include:: ../../resources/yaml/envoyfilter-case.yaml - :code: yaml - -- Apply the change to Istio:: - - > kubectl apply -f envoyfilter-case.yaml - -Install Istio Gateway ---------------------- - -- Create a namespace istio-ingress for the Istio Ingress gateway - and enable istio-injection:: - - > kubectl create namespace istio-ingress - - > kubectl label namespace istio-ingress istio-injection=enabled - -- Install the Istio Gateway chart,replacing the - with the version defined in - the :ref:`versions_table` table:: - - > helm upgrade -i istio-ingressgateway istio/gateway -n istio-ingress - --version --wait - -Kiali Installation -================== - -Kiali is used to visualize the Network traffic in a ServiceMesh enabled cluster -For setup the kiali operator is used, see `Kiali setup guide`_ - -- Install kiali-operator namespace:: - - > kubectl create namespace kiali-operator - - > kubectl label namespace kiali-operator istio-injection=enabled - -- Install the kiali-operator:: - - > helm repo add kiali https://kiali.org/helm-charts - - > helm repo update kiali - - > helm install --namespace kiali-operator kiali/kiali-operator - -- Create Kiali CR file (e.g. kiali.yaml) - - .. collapse:: kiali.yaml - - .. include:: ../../resources/yaml/kiali.yaml - :code: yaml - -- Install kiali:: - - > kubectl apply -f kiali.yaml - -- Create Ingress gateway entry for the kiali web interface - using the configured Ingress (here "simpledemo.onap.org") - as described in :ref:`oom_customize_overrides` - - .. collapse:: kiali-ingress.yaml - - .. include:: ../../resources/yaml/kiali-ingress.yaml - :code: yaml - -- Add the Ingress entry for Kiali:: - - > kubectl -n istio-system apply -f kiali-ingress.yaml - - -Jaeger Installation -=================== - -To be done... \ No newline at end of file 
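Review bot: deleting oom_base_optional_addons.rst removes the `.. _oom_base_optional_addons:` target, yet the new oom_infra_base_config_setup.rst still points at it with :ref:`oom_base_optional_addons` in its introduction. Make sure the replacement oom_infra_optional_addons.rst listed in the new oom_infra.rst toctree defines that label, or update the reference, otherwise the Sphinx build reports an undefined label. The Kiali and Prometheus steps removed here should likewise be checked as moved rather than dropped.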
diff --git a/docs/sections/guides/infra_guides/oom_infra.rst b/docs/sections/guides/infra_guides/oom_infra.rst new file mode 100644 index 0000000000..5c1d1f1434 --- /dev/null +++ b/docs/sections/guides/infra_guides/oom_infra.rst @@ -0,0 +1,33 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Kubernetes: https://kubernetes.io/ + + +.. _oom_infra_guide: + +OOM Infrastructure Guide +======================== + +.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png + :align: right + +OOM deploys and manages ONAP on a pre-established Kubernetes_ cluster - the +creation of this cluster is outside of the scope of the OOM project as there +are many options including public clouds with pre-established environments. +If creation of a Kubernetes cluster is required, the life-cycle of this +cluster is independent of the life-cycle of the ONAP components themselves. + +For more information about functionality and processes please refer to the +following documents: + +.. toctree:: + :maxdepth: 1 + + oom_infra_deployment_options.rst + oom_infra_deployment_requirements.rst + oom_infra_base_config_setup.rst + oom_infra_optional_addons.rst diff --git a/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst new file mode 100644 index 0000000000..6638eb71b6 --- /dev/null +++ b/docs/sections/guides/infra_guides/oom_infra_base_config_setup.rst 
@@ -0,0 +1,428 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _HELM Best Practices Guide: https://docs.helm.sh/chart_best_practices/#requirements +.. _helm installation guide: https://helm.sh/docs/intro/install/ +.. _kubectl installation guide: https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/ +.. _Curated applications for Kubernetes: https://github.com/kubernetes/charts +.. _Cert-Manager Installation documentation: https://cert-manager.io/docs/installation/kubernetes/ +.. _Cert-Manager kubectl plugin documentation: https://cert-manager.io/docs/usage/kubectl-plugin/ +.. _Strimzi Apache Kafka Operator helm Installation documentation: https://strimzi.io/docs/operators/in-development/deploying.html#deploying-cluster-operator-helm-chart-str +.. _ONAP Next Generation Security & Logging Architecture: https://lf-onap.atlassian.net/wiki/x/bVn7 +.. _Istio setup guide: https://istio.io/latest/docs/setup/install/helm/ +.. _Gateway-API: https://gateway-api.sigs.k8s.io/ +.. _Istio-Gateway: https://istio.io/latest/docs/reference/config/networking/gateway/ +.. _DefaultStorageClass: https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/ + +.. _oom_base_setup_guide: + +OOM Base Platform +================= + +As part of the initial base setup of the host Kubernetes cluster, +the following mandatory installation and configuration steps must be completed. + +.. contents:: + :backlinks: top + :depth: 1 + :local: +.. + +For additional platform add-ons, see the :ref:`oom_base_optional_addons` +section. + +Install & configure kubectl +--------------------------- + +The Kubernetes command line interface used to manage a Kubernetes cluster needs +to be installed and configured to run as non root. 
+ +For additional information regarding kubectl installation and configuration see +the `kubectl installation guide`_ + +To install kubectl, execute the following, replacing the + with the version defined in the +:ref:`versions_table` table:: + + > curl -LO https://dl.k8s.io/release/v/bin/linux/amd64/kubectl + + > chmod +x ./kubectl + + > sudo mv ./kubectl /usr/local/bin/kubectl + + > mkdir ~/.kube + + > cp kube_config_cluster.yml ~/.kube/config.onap + + > export KUBECONFIG=~/.kube/config.onap + + > kubectl config use-context onap + +Validate the installation:: + + > kubectl get nodes + +:: + + NAME STATUS ROLES AGE VERSION + onap-control-1 Ready controlplane,etcd 3h53m v1.28.6 + onap-control-2 Ready controlplane,etcd 3h53m v1.28.6 + onap-k8s-1 Ready worker 3h53m v1.28.6 + onap-k8s-2 Ready worker 3h53m v1.28.6 + onap-k8s-3 Ready worker 3h53m v1.28.6 + onap-k8s-4 Ready worker 3h53m v1.28.6 + onap-k8s-5 Ready worker 3h53m v1.28.6 + onap-k8s-6 Ready worker 3h53m v1.28.6 + + +Install & configure helm +------------------------ + +Helm is used for package and configuration management of the relevant helm +charts. 
For additional information, see the `helm installation guide`_ + +To install helm, execute the following, replacing the + with the version defined in the +:ref:`versions_table` table:: + + > wget https://get.helm.sh/helm-v-linux-amd64.tar.gz + + > tar -zxvf helm-v-linux-amd64.tar.gz + + > sudo mv linux-amd64/helm /usr/local/bin/helm + +Verify the helm version with:: + + > helm version + +Helm's default CNCF provided `Curated applications for Kubernetes`_ repository +called *stable* can be removed to avoid confusion:: + + > helm repo remove stable + +Install the additional OOM plugins required to un/deploy the OOM helm charts:: + + > git clone http://gerrit.onap.org/r/oom + + > helm plugin install ~/oom/kubernetes/helm/plugins/deploy + + > helm plugin install ~/oom/kubernetes/helm/plugins/undeploy + +Verify the plugins are installed:: + + > helm plugin ls + +:: + + NAME VERSION DESCRIPTION + deploy 1.0.0 install (upgrade if release exists) parent chart and all subcharts as separate but related releases + undeploy 1.0.0 delete parent chart and subcharts that were deployed as separate releases + +Set the default StorageClass +---------------------------- + +In some ONAP components it is important to have a default storageClass defined +(e.g. cassandra), if you don't want to explicitly set it during the deployment +via helm overrides. + +Therefor you should set the default storageClass (if not done during the K8S +cluster setup) via the command:: + + > kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + +see `DefaultStorageClass`_ + +Install the Strimzi Kafka Operator +---------------------------------- + +Strimzi Apache Kafka provides a way to run an Apache Kafka cluster on +Kubernetes in various deployment configurations by using kubernetes operators. +Operators are a method of packaging, deploying, and managing Kubernetes +applications. 
+ +Strimzi Operators extend the Kubernetes functionality, automating common +and complex tasks related to a Kafka deployment. By implementing +knowledge of Kafka operations in code, the Kafka administration +tasks are simplified and require less manual intervention. + +The Strimzi cluster operator is deployed using helm to install the parent chart +containing all of the required custom resource definitions. This should be done +by a kubernetes administrator to allow for deployment of custom resources in to +any kubernetes namespace within the cluster. + +Full installation instructions can be found in the +`Strimzi Apache Kafka Operator helm Installation documentation`_. + +To add the required helm repository, execute the following:: + + > helm repo add strimzi https://strimzi.io/charts/ + +To install the strimzi kafka operator, execute the following, replacing the + with the version defined in the +:ref:`versions_table` table:: + + > helm install strimzi-kafka-operator strimzi/strimzi-kafka-operator --namespace strimzi-system --version --set watchAnyNamespace=true --create-namespace + +Verify the installation:: + + > kubectl get po -n strimzi-system + +:: + + NAME READY STATUS RESTARTS AGE + strimzi-cluster-operator-7f7d6b46cf-mnpjr 1/1 Running 0 2m + + +.. _oom_base_setup_cert_manager: + +Install Cert-Manager +-------------------- + +Cert-Manager is a native Kubernetes certificate management controller. +It can help with issuing certificates from a variety of sources, such as +Let’s Encrypt, HashiCorp Vault, Venafi, a simple signing key pair, self +signed or external issuers. It ensures certificates are valid and up to +date, and attempt to renew certificates at a configured time before expiry. + +Cert-Manager is deployed using regular YAML manifests which include all +the needed resources (the CustomResourceDefinitions, cert-manager, +namespace, and the webhook component). 
+ +Full installation instructions, including details on how to configure extra +functionality in Cert-Manager can be found in the +`Cert-Manager Installation documentation`_. + +There is also a kubectl plugin (kubectl cert-manager) that can help you +to manage cert-manager resources inside your cluster. For installation +steps, please refer to `Cert-Manager kubectl plugin documentation`_. + + +To install cert-manager, execute the following, replacing the + with the version defined in the +:ref:`versions_table` table:: + + > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v/cert-manager.yaml + +Verify the installation:: + + > kubectl get po -n cert-manager + +:: + + NAME READY STATUS RESTARTS AGE + cert-manager-776c4cfcb6-vgnpw 1/1 Running 0 2m + cert-manager-cainjector-7d9668978d-hdxf7 1/1 Running 0 2m + cert-manager-webhook-66c8f6c75-dxmtz 1/1 Running 0 2m + +Istio Service Mesh +------------------ + +.. note:: + The ONAP deployment supports the + `ONAP Next Generation Security & Logging Architecture`_ + +ONAP is currenty supporting Istio as default ServiceMesh platform. +Therefor the following instructions describe the setup of Istio and required +tools. Used `Istio setup guide`_ + +.. 
_oom_base_optional_addons_istio_installation: + +Istio Platform Installation +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Install Istio Basic Platform +"""""""""""""""""""""""""""" + +- Configure the Helm repository:: + + > helm repo add istio https://istio-release.storage.googleapis.com/charts + + > helm repo update + +- Create a namespace for "mesh-level" configurations:: + + > kubectl create namespace istio-config + +- Create a namespace istio-system for Istio components:: + + > kubectl create namespace istio-system + +- Install the Istio Base chart which contains cluster-wide resources used by the + Istio control plane, replacing the with the version + defined in the :ref:`versions_table` table:: + + > helm upgrade -i istio-base istio/base -n istio-system --version + +- Create an override for istiod (e.g. istiod.yaml) to add the oauth2-proxy as + external authentication provider and apply some specific config settings + Be aware, that from Istio version 1.21.0 the format of the values.yaml + changes. Additionally a new feature (Native Sidecars) can be enabled, if it + is enabled in Kubernetes (version > 1.28) + + .. collapse:: istiod.yaml (version => 1.21) + + .. include:: ../../resources/yaml/istiod-1_21.yaml + :code: yaml + + .. collapse:: istiod.yaml (version < 1.21) + + .. include:: ../../resources/yaml/istiod.yaml + :code: yaml + +- Install the Istio Base Istio Discovery chart which deploys the istiod + service, replacing the with the version + defined in the :ref:`versions_table` table:: + + > helm upgrade -i istiod istio/istiod -n istio-system --version + --wait -f ./istiod.yaml + +Add an EnvoyFilter for HTTP header case +""""""""""""""""""""""""""""""""""""""" + +When handling HTTP/1.1, Envoy will normalize the header keys to be all +lowercase. While this is compliant with the HTTP/1.1 spec, in practice this +can result in issues when migrating existing systems that might rely on +specific header casing. 
In our case a problem was detected in the SDC client +implementation, which relies on uppercase header values. To solve this problem +in general we add a EnvoyFilter to keep the uppercase header in the +istio-config namespace to apply for all namespaces, but set the context to +SIDECAR_INBOUND to avoid problems in the connection between Istio-Gateway and +Services + +- Create a EnvoyFilter file (e.g. envoyfilter-case.yaml) + + .. collapse:: envoyfilter-case.yaml + + .. include:: ../../resources/yaml/envoyfilter-case.yaml + :code: yaml + +- Apply the change to Istio:: + + > kubectl apply -f envoyfilter-case.yaml + + +Ingress Controller Installation +------------------------------- + +In the production setup 2 different Ingress setups are supported. + +- Gateway API `Gateway-API`_ (recommended) +- Istio Gateway `Istio-Gateway`_ (alternative, but in the future deprecated) + +Depending on the solution, the ONAP helm values.yaml has to be configured. +See the :ref:`OOM customized deployment` section for +more details. + +Gateway-API (recommended) +^^^^^^^^^^^^^^^^^^^^^^^^^ + +- Install the Gateway-API CRDs replacing the + with the version defined in + the :ref:`versions_table` table:: + + > kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download//experimental-install.yaml + +- Create a common Gateway instance named "common-gateway" + The following example uses provides listeners for HTTP(s), UDP and TCP + + .. collapse:: common-gateway.yaml + + .. include:: ../../resources/yaml/common-gateway.yaml + :code: yaml + +- Apply the change:: + + > kubectl apply -f common-gateway.yaml + +Istio Gateway (alternative) +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +- Create a namespace istio-ingress for the Istio Ingress gateway + and enable istio-injection:: + + > kubectl create namespace istio-ingress + + > kubectl label namespace istio-ingress istio-injection=enabled + +- To expose additional ports besides HTTP/S (e.g. 
for external Kafka access, + SDNC-callhome) create an override file (e.g. istio-ingress.yaml) + + .. collapse:: istio-ingress.yaml + + .. include:: ../../resources/yaml/istio-ingress.yaml + :code: yaml + +- Install the Istio Gateway chart using the override file, replacing the + with the version defined in + the :ref:`versions_table` table:: + + > helm upgrade -i istio-ingress istio/gateway -n istio-ingress + --version -f ingress-istio.yaml --wait + + +Keycloak Installation +--------------------- + +- Add helm repositories:: + + > helm repo add bitnami https://charts.bitnami.com/bitnami + + > helm repo add codecentric https://codecentric.github.io/helm-charts + + > helm repo update + +- create keycloak namespace:: + + > kubectl create namespace keycloak + > kubectl label namespace keycloak istio-injection=disabled + +Install Keycloak-Database +^^^^^^^^^^^^^^^^^^^^^^^^^ + +- To configure the Postgres DB + create an override file (e.g. keycloak-db-values.yaml) + + .. collapse:: keycloak-db-values.yaml + + .. include:: ../../resources/yaml/keycloak-db-values.yaml + :code: yaml + +- Install the Postgres DB:: + + > helm -n keycloak upgrade -i keycloak-db bitnami/postgresql --values ./keycloak-db-values.yaml + +Configure Keycloak +^^^^^^^^^^^^^^^^^^ + +- To configure the Keycloak instance + create an override file (e.g. keycloak-server-values.yaml) and use + the "image.tag" of the keycloak version (here 26.0.6) + + .. collapse:: keycloak-server-values.yaml + + .. include:: ../../resources/yaml/keycloak-server-values.yaml + :code: yaml + +- Install keycloak:: + + > helm -n keycloak upgrade -i keycloak codecentric/keycloakx --values ./keycloak-server-values.yaml + +The required Ingress entry and REALM will be provided by the ONAP "Platform" +component. + +- Create Ingress gateway entry for the keycloak web interface + using the configured Ingress (here "simpledemo.onap.org") + as described in :ref:`oom_customize_overrides` + + .. collapse:: keycloak-ingress.yaml + + .. 
include:: ../../resources/yaml/keycloak-ingress.yaml + :code: yaml + +- Add the Ingress entry for Keycloak:: + + > kubectl -n keycloak apply -f keycloak-ingress.yaml + diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst new file mode 100644 index 0000000000..3b198cf1d6 --- /dev/null +++ b/docs/sections/guides/infra_guides/oom_infra_deployment_options.rst @@ -0,0 +1,40 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Kubernetes: https://kubernetes.io/ +.. _Kubernetes best practices: https://kubernetes.io/docs/setup/best-practices/cluster-large/ +.. _kubelet config guide: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ + + + +ONAP Deployment Options +======================= + +OOM supports 2 different deployment options of ONAP. + +- Development Setup +- Production Setup + +In the following sections describe the different setups. + +Development setup +----------------- + +The development setup deploys ONAP components exposing its external services +via NodePorts and without TLS termination and internal traffic encryption. + +Production setup +---------------- + +The production setup deploys ONAP components exposing its external services +via Ingress with TLS termination. +Internal traffic encryption will be ensured by using Istio ServiceMesh. + +.. figure:: ../../resources/images/servicemesh/ServiceMesh.png + :align: center + +For external access we propose to establish Authentication via Oauth2-proxy +and Keycloak which is described in this document. diff --git a/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst new file mode 100644 index 0000000000..208c21d453 --- /dev/null 
+++ b/docs/sections/guides/infra_guides/oom_infra_deployment_requirements.rst 
@@ -0,0 +1,76 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Kubernetes: https://kubernetes.io/ +.. _Kubernetes best practices: https://kubernetes.io/docs/setup/best-practices/cluster-large/ +.. _kubelet config guide: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ + + + +ONAP Deployment Requirements +============================ + +.. rubric:: Minimum Hardware Configuration + +Some recommended hardware requirements are provided below. Note that this is +for a full ONAP deployment (all components). + +.. table:: OOM Hardware Requirements + + ===== ===== ====== ==================== + RAM HD vCores Ports + ===== ===== ====== ==================== + 224GB 160GB 112 0.0.0.0/0 (all open) + ===== ===== ====== ==================== + +Customizing ONAP to deploy only components that are needed will drastically +reduce these requirements. +See the :ref:`OOM customized deployment` section for +more details. + +.. note:: + | Kubernetes supports a maximum of 110 pods per node - this can be overcome by modifying your kubelet config. + | See the `kubelet config guide`_ for more information. + + | The use of many small nodes is preferred over a few larger nodes (for example 14 x 16GB - 8 vCores each). + + | OOM can be deployed on a private set of physical hosts or VMs (or even a combination of the two). + +.. rubric:: Software Requirements + +The versions of software that are supported and tested by OOM are as follows: + +.. _versions_table: + +.. 
table:: OOM Software Requirements (base) + + ============== =========== ======= ======== ======== ============= ======== + Release Kubernetes Helm kubectl Docker Cert-Manager Strimzi + ============== =========== ======= ======== ======== ============= ======== + New Delhi 1.28.6 3.13.1 1.28.x 20.10.x 1.14.4 0.41.0 + Oslo 1.28.6 3.13.1 1.30.x 23.0.x 1.16.2 0.44.0 + Paris 1.32.5 3.16.4 1.32.x 23.0.x 1.17.2 0.46.0 + ============== =========== ======= ======== ======== ============= ======== + +.. table:: OOM Software Requirements (production) + + ============== ====== ============ ============== + Release Istio Gateway-API Keycloak + ============== ====== ============ ============== + New Delhi 1.21.0 v1.0.0 22.0.4 + Oslo 1.24.1 v1.2.1 26.0.6 + Paris 1.25.2 v1.2.1 26.0.6 + ============== ====== ============ ============== + +.. table:: OOM Software Requirements (optional) + + ============== =========== ========== =========== ============ =========== + Release Prometheus K8ssandra MariaDB-Op Postgres-Op MongoDB-Op + ============== =========== ========== =========== ============ =========== + New Delhi 45.x 1.16.0 0.28.1 - - + Oslo 45.x 1.20.2 0.36.0 5.7.2 1.18.0 + Paris 71.x 1.21.2 0.38.1 5.7.2 1.19.1 + ============== =========== ========== =========== ============ =========== diff --git a/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst b/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst new file mode 100644 index 0000000000..ce623f3d14 --- /dev/null +++ b/docs/sections/guides/infra_guides/oom_infra_optional_addons.rst 
@@ -0,0 +1,232 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 +.. International License. +.. http://creativecommons.org/licenses/by/4.0 +.. Copyright (C) 2022 Nordix Foundation + +.. Links +.. _Prometheus stack README: https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/README.md +.. _ONAP Next Generation Security & Logging Architecture: https://lf-onap.atlassian.net/wiki/x/bVn7 +.. _Istio setup guide: https://istio.io/latest/docs/setup/install/helm/ +.. _Kiali setup guide: https://kiali.io/docs/installation/installation-guide/example-install/ +.. _Kserve setup guide: https://kserve.github.io/website/0.10/admin/kubernetes_deployment/ +.. _K8ssandra setup guide: https://docs.k8ssandra.io/install/ +.. _Mariadb-Operator setup guide: https://github.com/mariadb-operator/mariadb-operator +.. _Postgres-Operator setup guide: https://github.com/CrunchyData/postgres-operator +.. _MongoDB-Operator setup guide: https://docs.percona.com/percona-operator-for-mongodb/helm.html + +.. _oom_base_optional_addons: + +OOM Optional Addons +=================== + +The following optional applications can be added to your kubernetes +environment. + +Install Prometheus Stack +------------------------ + +Prometheus is an open-source systems monitoring and alerting toolkit with +an active ecosystem. + +Kube Prometheus Stack is a collection of Kubernetes manifests, Grafana +dashboards, and Prometheus rules combined with documentation and scripts to +provide easy to operate end-to-end Kubernetes cluster monitoring with +Prometheus using the Prometheus Operator. As it includes both Prometheus +Operator and Grafana dashboards, there is no need to set up them separately. +See the `Prometheus stack README`_ for more information. 
+ +To install the prometheus stack, execute the following: + +- Add the prometheus-community Helm repository:: + + > helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + +- Update your local Helm chart repository cache:: + + > helm repo update + +- To install prometheus, execute the following, replacing the + with the version defined in the + :ref:`versions_table` table:: + + > helm install prometheus prometheus-community/kube-prometheus-stack --namespace=prometheus --create-namespace --version= + + +Kiali Installation +------------------ + +Kiali is used to visualize the Network traffic in a ServiceMesh enabled cluster +For setup the kiali operator is used, see `Kiali setup guide`_ + +- Install kiali-operator namespace:: + + > kubectl create namespace kiali-operator + + > kubectl label namespace kiali-operator istio-injection=enabled + +- Install the kiali-operator:: + + > helm repo add kiali https://kiali.org/helm-charts + + > helm repo update kiali + + > helm install --namespace kiali-operator kiali/kiali-operator + +- Create Kiali CR file (e.g. kiali.yaml) + + .. collapse:: kiali.yaml + + .. include:: ../../resources/yaml/kiali.yaml + :code: yaml + +- Install kiali:: + + > kubectl apply -f kiali.yaml + +- Create Ingress gateway entry for the kiali web interface + using the configured Ingress (here "simpledemo.onap.org") + as described in :ref:`oom_customize_overrides` + + .. collapse:: kiali-ingress.yaml + + .. include:: ../../resources/yaml/kiali-ingress.yaml + :code: yaml + +- Add the Ingress entry for Kiali:: + + > kubectl -n istio-system apply -f kiali-ingress.yaml + +Jaeger Installation +------------------- + +To be done... 
+ +K8ssandra-Operator Installation +------------------------------- + +K8ssandra-Operator is used to ease the installation and lifecycle management +Cassandra clusters, including monitoring and backup + +For setup the K8ssandra operator is used, see `K8ssandra setup guide`_ + +- Install k8ssandra-operator namespace:: + + > kubectl create namespace k8ssandra-operator + + > kubectl label namespace k8ssandra-operator istio-injection=enabled + +- Install the k8ssandra-operator replacing the with the + version defined in the :ref:`versions_table` table:: + + > helm repo add k8ssandra https://helm.k8ssandra.io/stable + + > helm repo update k8ssandra + + > helm install k8ssandra-operator --namespace k8ssandra-operator + k8ssandra/k8ssandra-operator --set global.clusterScoped=true + --version= + +Mariadb-Operator Installation +----------------------------- + +Mariadb-Operator is used to ease the installation and lifecycle management of +MariaDB Galera and Replication clusters, including monitoring and backup + +For setup the Mariadb-Operator is used, see `Mariadb-Operator setup guide`_ + +- Install mariadb-operator namespace:: + + > kubectl create namespace mariadb-operator + + > kubectl label namespace mariadb-operator istio-injection=enabled + +- Install the mariadb-operator replacing the with the + version defined in the :ref:`versions_table` table:::: + + > helm repo add mariadb-operator https://helm.mariadb.com/mariadb-operator + + > helm repo update mariadb-operator + + > helm install mariadb-operator-crds --namespace mariadb-operator --version= + + > helm install mariadb-operator --namespace mariadb-operator + mariadb-operator/mariadb-operator --set ha.enabled=true + --set metrics.enabled=true --set webhook.certificate.certManager=true + --version= + +Postgres-Operator Installation +------------------------------ + +Postgres-Operator is used to ease the installation and lifecycle management of +Postgres DB clusters, including monitoring and backup + +For setup the 
Postgres-Operator is used, see `Postgres-Operator setup guide`_ + +MongoDB-Operator Installation +------------------------------ + +MongoDB-Operator is used to ease the installation and lifecycle management of +MongoDB DB instances, including monitoring and backup + +For setup the MongoDB-Operator is used, see `MongoDB-Operator setup guide`_ + +- Install mongodb-operator namespace:: + + > kubectl create namespace mongodb-operator + + > kubectl label namespace mongodb-operator istio-injection=enabled + +- Install the mongodb-operator replacing the with the + version defined in the :ref:`versions_table` table:: + + > helm repo add percona https://percona.github.io/percona-helm-charts + + > helm repo update percona + + > helm install mongodb-operator --namespace mongodb-operator + percona/psmdb-operator --version= + +Kserve Installation +------------------- + +KServe is a standard Model Inference Platform on Kubernetes. It supports +RawDeployment mode to enable InferenceService deployment with Kubernetes +resources. Comparing to serverless deployment it unlocks Knative limitations +such as mounting multiple volumes, on the other hand Scale down and from Zero +is not supported in RawDeployment mode. + +This installation is necessary for the ML models to be deployed as inference +service. Once deployed, the inference services can be queried for the +prediction. + +**Kserve participant component in Policy ACM requires this installation.** +**Kserve participant deploy/undeploy inference services in Kserve.** + +Dependent component version compatibility details and installation instructions +can be found at `Kserve setup guide`_ + +Kserve installation requires the following components: + +- Istio. Its installation instructions can be found at + :ref:`oom_base_optional_addons_istio_installation` + +- Cert-Manager. 
Its installation instructions can be found at + :ref:`oom_base_setup_cert_manager` + +Installation instructions as follows, + +- Create kserve namespace:: + + > kubectl create namespace kserve + +- Install Kserve:: + + > kubectl apply -f https://github.com/kserve/kserve/releases/download/v/kserve.yaml + +- Install Kserve default serving runtimes:: + + > kubectl apply -f https://github.com/kserve/kserve/releases/download/v/kserve-runtimes.yaml + +- Patch ConfigMap inferenceservice-config as follows:: + + > kubectl patch configmap/inferenceservice-config -n kserve --type=strategic -p '{"data": {"deploy": "{\"defaultDeploymentMode\": \"RawDeployment\"}"}}' diff --git a/docs/sections/guides/infra_guides/oom_infra_setup.rst b/docs/sections/guides/infra_guides/oom_infra_setup.rst deleted file mode 100644 index ed7b05a103..0000000000 --- a/docs/sections/guides/infra_guides/oom_infra_setup.rst +++ /dev/null 
@@ -1,81 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright (C) 2022 Nordix Foundation - -.. Links -.. _Kubernetes: https://kubernetes.io/ -.. _Kubernetes best practices: https://kubernetes.io/docs/setup/best-practices/cluster-large/ -.. _kubelet confg guide: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ - -.. _oom_infra_setup_guide: - -OOM Infrastructure Guide -######################## - -.. figure:: ../../resources/images/oom_logo/oomLogoV2-medium.png - :align: right - -OOM deploys and manages ONAP on a pre-established Kubernetes_ cluster - the -creation of this cluster is outside of the scope of the OOM project as there -are many options including public clouds with pre-established environments. -If creation of a Kubernetes cluster is required, the life-cycle of this -cluster is independent of the life-cycle of the ONAP components themselves. - -.. rubric:: Minimum Hardware Configuration - -Some recommended hardware requirements are provided below. Note that this is for a -full ONAP deployment (all components). - -.. table:: OOM Hardware Requirements - - ===== ===== ====== ==================== - RAM HD vCores Ports - ===== ===== ====== ==================== - 224GB 160GB 112 0.0.0.0/0 (all open) - ===== ===== ====== ==================== - -Customizing ONAP to deploy only components that are needed will drastically reduce these requirements. -See the :ref:`OOM customized deployment` section for more details. - -.. note:: - | Kubernetes supports a maximum of 110 pods per node - this can be overcome by modifying your kubelet config. - | See the `kubelet confg guide`_ for more information. - - | The use of many small nodes is preferred over a few larger nodes (for example 14 x 16GB - 8 vCores each). - - | OOM can be deployed on a private set of physical hosts or VMs (or even a combination of the two). - -.. 
rubric:: Software Requirements - -The versions of software that are supported by OOM are as follows: - -.. _versions_table: - -.. table:: OOM Software Requirements (base) - - ============== =========== ======= ======== ======== ============ ======= - Release Kubernetes Helm kubectl Docker Cert-Manager Strimzi - ============== =========== ======= ======== ======== ============ ======= - Jakarta 1.22.4 3.6.3 1.22.4 20.10.x 1.8.0 0.28.0 - Kohn 1.23.8 3.8.2 1.23.8 20.10.x 1.8.0 0.32.0 - ============== =========== ======= ======== ======== ============ ======= - -.. table:: OOM Software Requirements (optional) - - ============== ================= ====== - Release Prometheus Stack Istio - ============== ================= ====== - Jakarta 35.x --- - Kohn 35.x 1.15.1 - ============== ================= ====== - - -.. toctree:: - :hidden: - - oom_base_config_setup.rst - oom_base_optional_addons.rst - oom_setup_ingress_controller.rst - - diff --git a/docs/sections/guides/infra_guides/oom_setup_ingress_controller.rst b/docs/sections/guides/infra_guides/oom_setup_ingress_controller.rst deleted file mode 100644 index 8c261fdfd7..0000000000 --- a/docs/sections/guides/infra_guides/oom_setup_ingress_controller.rst +++ /dev/null 
@@ -1,176 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 -.. International License. -.. http://creativecommons.org/licenses/by/4.0 -.. Copyright 2020, Samsung Electronics -.. Modification copyright (C) 2022 Nordix Foundation - -.. Links -.. _metallb Metal Load Balancer installation: https://metallb.universe.tf/installation/ - -.. _oom_setup_ingress_controller: - -OOM Ingress controller setup -############################ - -.. warning:: - This guide should prob go in the Optional addons section - -This optional guide provides instruction how to setup experimental ingress controller -feature. For this, we are hosting our cluster on OpenStack VMs and using the -Rancher Kubernetes Engine (RKE) to deploy and manage our Kubernetes Cluster and -ingress controller - -.. contents:: - :backlinks: top - :depth: 1 - :local: -.. - -The result at the end of this tutorial will be: - -#. Customization of the cluster.yaml file for ingress controller support - -#. Installation and configuration test DNS server for ingress host resolution - on testing machines - -#. Installation and configuration MLB (Metal Load Balancer) required for - exposing ingress service - -#. Installation and configuration NGINX ingress controller - -#. Additional info how to deploy ONAP with services exposed via Ingress - controller - -Customize cluster.yml file -************************** -Before setup cluster for ingress purposes DNS cluster IP and ingress provider -should be configured and following: - -.. code-block:: yaml - - --- - <...> - restore: - restore: false - snapshot_name: "" - ingress: - provider: none - dns: - provider: coredns - upstreamnameservers: - - :31555 - -Where the should be set to the same IP as the CONTROLPANE -node. - -For external load balancer purposes, minimum one of the worker node should be -configured with external IP address accessible outside the cluster. It can be -done using the following example node configuration: - -.. 
code-block:: yaml - - --- - <...> - - address: - internal_address: - port: "22" - role: - - worker - hostname_override: "onap-worker-0" - user: ubuntu - ssh_key_path: "~/.ssh/id_rsa" - <...> - -Where the is external worker node IP address, and -is internal node IP address if it is required. - - -DNS server configuration and installation -***************************************** -DNS server deployed on the Kubernetes cluster makes it easy to use services -exposed through ingress controller because it resolves all subdomain related to -the ONAP cluster to the load balancer IP. Testing ONAP cluster requires a lot -of entries on the target machines in the /etc/hosts. Adding many entries into -the configuration files on testing machines is quite problematic and error -prone. The better wait is to create central DNS server with entries for all -virtual host pointed to simpledemo.onap.org and add custom DNS server as a -target DNS server for testing machines and/or as external DNS for Kubernetes -cluster. - -DNS server has automatic installation and configuration script, so installation -is quite easy:: - - > cd kubernetes/contrib/dns-server-for-vhost-ingress-testing - - > ./deploy\_dns.sh - -After DNS deploy you need to setup DNS entry on the target testing machine. -Because DNS listen on non standard port configuration require iptables rules -on the target machine. Please follow the configuration proposed by the deploy -scripts. -Example output depends on the IP address and example output looks like bellow:: - - DNS server already deployed: - 1. You can add the DNS server to the target machine using following commands: - sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555 - sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination 10.10.13.14:31555 - sudo sysctl -w net.ipv4.conf.all.route_localnet=1 - sudo sysctl -w net.ipv4.ip_forward=1 - 2. 
Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine - - -MetalLB Load Balancer installation and configuration -**************************************************** - -By default pure Kubernetes cluster requires external load balancer if we want -to expose external port using LoadBalancer settings. For this purpose MetalLB -can be used. Before installing the MetalLB you need to ensure that at least one -worker has assigned IP accessible outside the cluster. - -MetalLB Load balancer can be easily installed using automatic install script:: - - > cd kubernetes/contrib/metallb-loadbalancer-inst - - > ./install-metallb-on-cluster.sh - - -Configuration of the Nginx ingress controller -********************************************* - -After installation of the DNS server and ingress controller, we can install and -configure ingress controller. -It can be done using the following commands:: - - > cd kubernetes/contrib/ingress-nginx-post-inst - - > kubectl apply -f nginx_ingress_cluster_config.yaml - - > kubectl apply -f nginx_ingress_enable_optional_load_balacer_service.yaml - -After deploying the NGINX ingress controller, you can ensure that the ingress port is -exposed as load balancer service with an external IP address:: - - > kubectl get svc -n ingress-nginx - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE - default-http-backend ClusterIP 10.10.10.10 80/TCP 25h - ingress-nginx LoadBalancer 10.10.10.11 10.12.13.14 80:31308/TCP,443:30314/TCP 24h - - -ONAP with ingress exposed services -********************************** -If you want to deploy onap with services exposed through ingress controller you -can use full onap deploy yaml:: - - > onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml - -Ingress also can be enabled on any onap setup override using following code: - -.. code-block:: yaml - - --- - <...> - global: - <...> - ingress: - enabled: true - 
diff --git a/docs/sections/guides/user_guides/oom_user_guide.rst b/docs/sections/guides/user_guides/oom_user_guide.rst index 449d5de3fa..85e4eefc9f 100644 --- a/docs/sections/guides/user_guides/oom_user_guide.rst +++ b/docs/sections/guides/user_guides/oom_user_guide.rst @@ -23,7 +23,7 @@ OOM User Guide .. warning:: - **THIS PAGE NEEDS TO BE EITHER REWRITTEN OR SOMETING AS SOME INFO IS NO LONGER RELEVANT** + **THIS PAGE NEEDS TO BE EITHER REWRITTEN OR SOMETHING AS SOME INFO IS NO LONGER RELEVANT** The ONAP Operations Manager (OOM) provide the ability to manage the entire life-cycle of an ONAP installation, from the initial deployment to final @@ -44,7 +44,8 @@ The following sections describe the life-cycle operations: - Monitor_ - real-time health monitoring feeding to a Consul UI and Kubernetes - Heal_- failed ONAP containers are recreated automatically - Scale_ - cluster ONAP services to enable seamless scaling -- Upgrade_ - change-out containers or configuration with little or no service impact +- Upgrade_ - change-out containers or configuration with little or no service + impact - Delete_ - cleanup individual containers or entire deployments .. figure:: ../../resources/images/oom_logo/oomLogoV2-Deploy.png @@ -59,7 +60,8 @@ describe the composition of each of the ONAP components and the relationship within and between components. Using this model Helm is able to deploy all of ONAP with a few simple commands. -Please refer to the :ref:`oom_deploy_guide` for deployment pre-requisites and options +Please refer to the :ref:`oom_deploy_guide` for deployment pre-requisites and +options .. note:: Refer to the :ref:`oom_customize_overrides` section on how to update overrides.yaml and values.yaml @@ -186,7 +188,7 @@ Here is an excerpt of this file: dependencies: <...> - name: so - version: ~11.0.0 + version: ~12.0.0 repository: '@local' condition: so.enabled <...> 
@@ -334,10 +336,10 @@ Below is the example for the same:: > helm list NAME REVISION UPDATED STATUS CHART APP VERSION NAMESPACE - dev 1 Wed Oct 14 13:49:52 2020 DEPLOYED onap-11.0.0 Kohn onap - dev-cassandra 5 Thu Oct 15 14:45:34 2020 DEPLOYED cassandra-11.0.0 onap - dev-contrib 1 Wed Oct 14 13:52:53 2020 DEPLOYED contrib-11.0.0 onap - dev-mariadb-galera 1 Wed Oct 14 13:55:56 2020 DEPLOYED mariadb-galera-11.0.0 onap + dev 1 Wed Oct 14 13:49:52 2020 DEPLOYED onap-12.0.0 london onap + dev-cassandra 5 Thu Oct 15 14:45:34 2020 DEPLOYED cassandra-12.0.0 onap + dev-contrib 1 Wed Oct 14 13:52:53 2020 DEPLOYED contrib-12.0.0 onap + dev-mariadb-galera 1 Wed Oct 14 13:55:56 2020 DEPLOYED mariadb-galera-12.0.0 onap Here the Name column shows the RELEASE NAME, In our case we want to try the scale operation on cassandra, thus the RELEASE NAME would be dev-cassandra. @@ -351,10 +353,10 @@ Below is the example for the same:: > helm search cassandra NAME CHART VERSION APP VERSION DESCRIPTION - local/cassandra 11.0.0 ONAP cassandra - local/portal-cassandra 11.0.0 Portal cassandra - local/aaf-cass 11.0.0 ONAP AAF cassandra - local/sdc-cs 11.0.0 ONAP Service Design and Creation Cassandra + local/cassandra 12.0.0 ONAP cassandra + local/portal-cassandra 12.0.0 Portal cassandra + local/aaf-cass 12.0.0 ONAP AAF cassandra + local/sdc-cs 12.0.0 ONAP Service Design and Creation Cassandra Here the Name column shows the chart name. As we want to try the scale operation for cassandra, thus the corresponding chart name is local/cassandra @@ -416,7 +418,7 @@ Prior to doing an upgrade, determine of the status of the deployed charts:: > helm list NAME REVISION UPDATED STATUS CHART NAMESPACE - so 1 Mon Feb 5 10:05:22 2020 DEPLOYED so-11.0.0 onap + so 1 Mon Feb 5 10:05:22 2020 DEPLOYED so-12.0.0 onap When upgrading a cluster a parameter controls the minimum size of the cluster during the upgrade while another parameter controls the maximum number of nodes 
@@ -439,21 +441,21 @@ sequence of events described in the previous paragraph would be initiated. For example, to upgrade a container by changing configuration, specifically an environment value:: - > helm upgrade so onap/so --version 11.0.1 --set enableDebug=true + > helm upgrade so onap/so --version 12.0.1 --set enableDebug=true Issuing this command will result in the appropriate container being stopped by Kubernetes and replaced with a new container with the new environment value. To upgrade a component to a new version with a new configuration file enter:: - > helm upgrade so onap/so --version 11.0.1 -f environments/demo.yaml + > helm upgrade so onap/so --version 12.0.1 -f environments/demo.yaml To fetch release history enter:: > helm history so REVISION UPDATED STATUS CHART DESCRIPTION - 1 Mon Jul 5 10:05:22 2022 SUPERSEDED so-11.0.0 Install complete - 2 Mon Jul 5 10:10:55 2022 DEPLOYED so-11.0.1 Upgrade complete + 1 Mon Jul 5 10:05:22 2022 SUPERSEDED so-12.0.0 Install complete + 2 Mon Jul 5 10:10:55 2022 DEPLOYED so-12.0.1 Upgrade complete Unfortunately, not all upgrades are successful. In recognition of this the lineup of pods within an ONAP deployment is tagged such that an administrator @@ -475,9 +477,9 @@ For example, to roll-back back to previous system revision enter:: > helm history so REVISION UPDATED STATUS CHART DESCRIPTION - 1 Mon Jul 5 10:05:22 2022 SUPERSEDED so-11.0.0 Install complete - 2 Mon Jul 5 10:10:55 2022 SUPERSEDED so-11.0.1 Upgrade complete - 3 Mon Jul 5 10:14:32 2022 DEPLOYED so-11.0.0 Rollback to 1 + 1 Mon Jul 5 10:05:22 2022 SUPERSEDED so-12.0.0 Install complete + 2 Mon Jul 5 10:10:55 2022 SUPERSEDED so-12.0.1 Upgrade complete + 3 Mon Jul 5 10:14:32 2022 DEPLOYED so-12.0.0 Rollback to 1 .. note:: diff --git a/docs/sections/oom_project_description.rst b/docs/sections/oom_project_description.rst index 404a410931..402c64aa31 100644 --- a/docs/sections/oom_project_description.rst +++ b/docs/sections/oom_project_description.rst 
@@ -11,7 +11,7 @@ ONAP Operations Manager Project .. warning:: - THIS PAGE PROB NEEDS A REWRITE ALSO + THIS PAGE PROB NEEDS A REWRITE AS IT IS OUTDATED The ONAP Operations Manager (OOM) is responsible for life-cycle management of the ONAP platform itself; components such as SO, SDNC, etc. It is not @@ -38,20 +38,21 @@ In summary OOM provides the following capabilities: service impact - **Delete** - cleanup individual containers or entire deployments -OOM supports a wide variety of Kubernetes private clouds - built with Rancher, -Kubeadm or Cloudify - and public cloud infrastructures such as: Microsoft +OOM supports a wide variety of Kubernetes private clouds - built with +ClusterAPI, Kubespray - and public cloud infrastructures such as: Microsoft Azure, Amazon AWS, Google GCD, VMware VIO, and OpenStack. The OOM documentation is broken into four different areas each targeted at a different user: - :ref:`oom_dev_guide` - a guide for developers of OOM -- :ref:`oom_infra_setup_guide` - a guide for those setting up the environments that OOM will use -- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud - :ref:`oom_user_guide` - a guide for operators of an OOM instance -- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications - - +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications The :ref:`release_notes` for OOM describe the incremental features per release. diff --git a/docs/sections/release_notes/release-notes-amsterdam.rst b/docs/sections/release_notes/release-notes-amsterdam.rst index 6fc229696c..262291fc17 100644 --- a/docs/sections/release_notes/release-notes-amsterdam.rst +++ b/docs/sections/release_notes/release-notes-amsterdam.rst 
@@ -33,7 +33,7 @@ The main goal of the Amsterdam release was to: **Bug Fixes** The full list of implemented user stories and epics is available on - `JIRA `_ + `JIRA `_ This is the first release of OOM, the defects fixed in this release were raised during the course of the release. Anything not closed is captured below under Known Issues. If you want to @@ -41,14 +41,14 @@ The main goal of the Amsterdam release was to: above. **Known Issues** - - `OOM-6 `_ Automated platform deployment on Docker/Kubernetes + - `OOM-6 `_ Automated platform deployment on Docker/Kubernetes VFC, AAF, MSB minor issues. Workaround: Manual configuration changes - however the reference vFirewall use case does not currently require these components. - - `OOM-10 `_ Platform configuration management. + - `OOM-10 `_ Platform configuration management. OOM ONAP Configuration Management - Handling of Secrets. diff --git a/docs/sections/release_notes/release-notes-beijing.rst b/docs/sections/release_notes/release-notes-beijing.rst index 84f86c100d..f07af9b143 100644 --- a/docs/sections/release_notes/release-notes-beijing.rst +++ b/docs/sections/release_notes/release-notes-beijing.rst 
@@ -23,394 +23,394 @@ Previous Release Notes Epic **** -* [`OOM-6 `_] - Automated platform deployment on Docker/Kubernetes -* [`OOM-7 `_] - Platform monitoring and auto-healing -* [`OOM-8 `_] - Automated platform scalability -* [`OOM-9 `_] - Platform upgradability & rollbacks -* [`OOM-10 `_] - Platform configuration management -* [`OOM-46 `_] - Platform infrastructure deployment with TOSCA -* [`OOM-109 `_] - Platform Centralized Logging -* [`OOM-138 `_] - Using Optimization framework -* [`OOM-346 `_] - Platform Resiliency (including Recoverability, High-Availability, Backup/Restore, Geo-Redundancy) -* [`OOM-376 `_] - ONAP deployment options standardization -* [`OOM-486 `_] - HELM upgrade from 2.3 to 2.8.0 -* [`OOM-535 `_] - Upgrade Kubernetes from 1.8.6 to 1.9.2 -* [`OOM-590 `_] - OOM Wiki documentation of deployment options +* [`OOM-6 `_] - Automated platform deployment on Docker/Kubernetes +* [`OOM-7 `_] - Platform monitoring and auto-healing +* [`OOM-8 `_] - Automated platform scalability +* [`OOM-9 `_] - Platform upgradability & rollbacks +* [`OOM-10 `_] - Platform configuration management +* [`OOM-46 `_] - Platform infrastructure deployment with TOSCA +* [`OOM-109 `_] - Platform Centralized Logging +* [`OOM-138 `_] - Using Optimization framework +* [`OOM-346 `_] - Platform Resiliency (including Recoverability, High-Availability, Backup/Restore, Geo-Redundancy) +* [`OOM-376 `_] - ONAP deployment options standardization +* [`OOM-486 `_] - HELM upgrade from 2.3 to 2.8.0 +* [`OOM-535 `_] - Upgrade Kubernetes from 1.8.6 to 1.9.2 +* [`OOM-590 `_] - OOM Wiki documentation of deployment options Story ***** -* [`OOM-11 `_] - Add AAF containers to ONAP Kubernetes -* [`OOM-13 `_] - Add CLI containers to ONAP Kubernetes -* [`OOM-15 `_] - Add DMAAP containers to ONAP Kubernetes -* [`OOM-20 `_] - State Monitoring: MSO/mso -* [`OOM-21 `_] - State Monitoring: A&AI/aai-service -* [`OOM-22 `_] - State Monitoring: SDNC/sdc-be -* [`OOM-24 `_] - State Monitoring: message-router -* 
[`OOM-25 `_] - State Monitoring: MSB -* [`OOM-29 `_] - State Monitoring: VID -* [`OOM-31 `_] - State Monitoring: APPC/dbhost -* [`OOM-32 `_] - State Monitoring: VFC -* [`OOM-33 `_] - State Monitoring: Multi-VIM -* [`OOM-34 `_] - Auto-Restart on failure: ... -* [`OOM-35 `_] - State Monitoring: A&AI/hbase -* [`OOM-36 `_] - State Monitoring: A&AI/model-loader-service -* [`OOM-37 `_] - State Monitoring: APPC/dgbuilder -* [`OOM-38 `_] - State Monitoring: APPC/sdnctldb01 -* [`OOM-39 `_] - State Monitoring: APPC/sdnctldb02 -* [`OOM-40 `_] - State Monitoring: APPC/sdnhost -* [`OOM-41 `_] - State Monitoring: MSO/mariadb -* [`OOM-42 `_] - State Monitoring: SDNC/dbhost -* [`OOM-43 `_] - State Monitoring: SDNC/sdnc-dgbuilder -* [`OOM-44 `_] - State Monitoring: SDNC/sdnc-portal -* [`OOM-45 `_] - State Monitoring: SDNC/sdnctldb01 -* [`OOM-51 `_] - OOM ONAP Configuration Management - Externalize hardwired values -* [`OOM-52 `_] - OOM ONAP Configuration Management - Parameterization of docker images -* [`OOM-53 `_] - OOM ONAP Configuration Management - Parameterization for Sizing -* [`OOM-63 `_] - Kubernetes cluster created by TOSCA description -* [`OOM-85 `_] - Test the code in the "Lab" project environment -* [`OOM-86 `_] - Monitoring the health status of ONAP components -* [`OOM-87 `_] - Configure TOSCA description via dashboard -* [`OOM-88 `_] - Deploy Holmes on K8S cluster by TOSCA description -* [`OOM-89 `_] - Deploy CLAMP on K8S cluster by TOSCA description -* [`OOM-91 `_] - Deploy MSB on K8S cluster by TOSCA description -* [`OOM-92 `_] - Deploy AAF on K8S cluster by TOSCA description -* [`OOM-93 `_] - Deploy VF-C on K8S cluster by TOSCA description -* [`OOM-94 `_] - Deploy Multi-VIM on K8S cluster by TOSCA description -* [`OOM-95 `_] - Deploy DCAEGen2 on K8S cluster by TOSCA description -* [`OOM-96 `_] - Deploy AAI on K8S cluster by TOSCA description -* [`OOM-97 `_] - Deploy APPC on K8S cluster by TOSCA description -* [`OOM-98 `_] - Deploy MSO on K8S cluster by TOSCA 
description -* [`OOM-99 `_] - Deploy Policy on K8S cluster by TOSCA description -* [`OOM-100 `_] - Deploy SDC on K8S cluster by TOSCA description -* [`OOM-102 `_] - Deploy VID on K8S cluster by TOSCA description -* [`OOM-110 `_] - OOM ONAP Logging - Elastic Stack components deployment -* [`OOM-111 `_] - OOM ONAP Logging - FileBeat deployment aside ONAP components -* [`OOM-112 `_] - OOM ONAP Logging - Configuration of all ONAP components to emit canonical logs -* [`OOM-116 `_] - ignore intellj files -* [`OOM-145 `_] - update directory path from dockerdata-nfs to configured directory name (make it configurable) -* [`OOM-235 `_] - Service endpoint annotation for Usecase UI -* [`OOM-242 `_] - Modify DCAE seed for Helm -* [`OOM-262 `_] - Remove "oneclick" kubectl scripts. -* [`OOM-265 `_] - Top level helm chart for ONAP -* [`OOM-268 `_] - Persist and externalize database directories via persistent volumes -* [`OOM-271 `_] - Copy app config files from source -* [`OOM-272 `_] - Set application environment variables from source -* [`OOM-277 `_] - add automatic ONAP config parameter substitution -* [`OOM-280 `_] - MSB automatically re-synch service data on restart. -* [`OOM-292 `_] - Expose LOG Volume via /dockerdata-nfs -* [`OOM-293 `_] - OOM ONAP Configuration Management - Handling of Secrets -* [`OOM-298 `_] - Provide script to cleanup configuration data created by createConfig.sh -* [`OOM-322 `_] - Clean-up config files that are generated at system startup -* [`OOM-341 `_] - Provide an example of a partial deployment of ONAP components (e.g. no VFC) -* [`OOM-342 `_] - Add pointer to Wiki page on the readme file. 
-* [`OOM-344 `_] - Break the configuration tarball per appplication -* [`OOM-345 `_] - Re-validate # of containers and configuration for DCAEgen2 -* [`OOM-356 `_] - Add 'Usecase UI' containers to ONAP Kubernetes -* [`OOM-359 `_] - SDC logback chef failure -* [`OOM-375 `_] - F2F: ONAP/OOM for Developers -* [`OOM-382 `_] - Robot Version 1.1 OpenO tests -* [`OOM-406 `_] - In Kubernetes 1.8, the annotations are no longer supported and must be converted to the PodSpec field. -* [`OOM-457 `_] - In Kubernetes 1.8, init-container annotations to be converted to PodSpec field for aaf, clamp and vfc -* [`OOM-460 `_] - Segregating configuration of ONAP components -* [`OOM-476 `_] - Parameterize values.yaml docker image repos into global config variables -* [`OOM-528 `_] - Confirm k8s context with a prompt for deleteAll.bash -* [`OOM-534 `_] - Need to provide support for creating different sized OOM deployments -* [`OOM-546 `_] - Provide option to collect ONAP env details for issue investigations -* [`OOM-569 `_] - Investigate containerizing Cloudify Manager -* [`OOM-579 `_] - Document a Cloudify deployment of OOM Beijing -* [`OOM-633 `_] - Provide direct access to ONAP Portal without the need to use VNC -* [`OOM-677 `_] - Update all source code files with the Apache 2 License header -* [`OOM-678 `_] - Enforce MSB dockers dependencies using init-container -* [`OOM-681 `_] - updating docker images/components to latest code -* [`OOM-682 `_] - deployment of sdc workflow designer -* [`OOM-695 `_] - Improve Readiness-check prob -* [`OOM-722 `_] - OOM - Run all ONAP components in one namespace -* [`OOM-725 `_] - Use Blueprint to install Helm and k8s dashboard while creating k8s cluster -* [`OOM-727 `_] - Add Standardized Configuration to SO -* [`OOM-728 `_] - Add Standardized Configuration to ROBOT -* [`OOM-729 `_] - Add Standardized Configuration to VID -* [`OOM-730 `_] - Add Standardized Configuration to Consul -* [`OOM-731 `_] - Add Standardized Configuration to DMaaP Message 
Router -* [`OOM-732 `_] - Add Standardized Configuration to AAF -* [`OOM-733 `_] - Add Standardized Configuration to APPC -* [`OOM-734 `_] - Add Standardized Configuration to AAI -* [`OOM-735 `_] - Add Standardized Configuration to CLAMP -* [`OOM-736 `_] - Add Standardized Configuration to CLI -* [`OOM-737 `_] - Add Standardized Configuration to DCAEGEN2 -* [`OOM-738 `_] - Add Standardized Configuration to ESR -* [`OOM-739 `_] - Add Standardized Configuration to KUBE2MSB -* [`OOM-740 `_] - Add Standardized Configuration to LOG -* [`OOM-742 `_] - Add Standardized Configuration to MSB -* [`OOM-743 `_] - Replace deprecated MSO Helm Chart with Standardized SO Helm Chart -* [`OOM-744 `_] - Add Standardized Configuration to MULTICLOUD -* [`OOM-746 `_] - Add Standardized Configuration to PORTAL -* [`OOM-747 `_] - Add Standardized Configuration to SDC -* [`OOM-748 `_] - Add Standardized Configuration to SDNC -* [`OOM-749 `_] - Add Standardized Configuration to UUI -* [`OOM-750 `_] - Add Standardized Configuration to VFC -* [`OOM-751 `_] - Add Standardized Configuration to VNFSDK -* [`OOM-758 `_] - Common Mariadb Galera Helm Chart to be reused by many applications -* [`OOM-771 `_] - OOM - update master with new policy db deployment -* [`OOM-777 `_] - Add Standardized Configuration Helm Starter Chart -* [`OOM-779 `_] - OOM APPC ODL (MDSAL) persistent storage -* [`OOM-780 `_] - Update MSO to latest working version. 
-* [`OOM-786 `_] - Re-add support for multiple instances of ONAP -* [`OOM-788 `_] - Abstract docker secrets -* [`OOM-789 `_] - Abstract cluster role binding -* [`OOM-811 `_] - Make kube2msb use secret instead of passing token as environment variable -* [`OOM-822 `_] - Update Documentation for the Beijing Release -* [`OOM-823 `_] - Add CDT image to APPC chart -* [`OOM-827 `_] - Add quick start documentation README -* [`OOM-828 `_] - Remove oneclick scripts -* [`OOM-857 `_] - kube2msb fails to start -* [`OOM-914 `_] - Add LOG component robot healthcheck -* [`OOM-960 `_] - OOM Healthcheck lockdown - currently 32/39 : 20180421 -* [`OOM-979 `_] - Enhance OOM TOSCA solution to support standardized Helm Chart -* [`OOM-1006 `_] - VNFSDK healthcheck fails -* [`OOM-1073 `_] - Change the Repository location in the image oomk8s/config-init:2.0.0-SNAPSHOT -* [`OOM-1078 `_] - Update Kubectl, docker, helm version +* [`OOM-11 `_] - Add AAF containers to ONAP Kubernetes +* [`OOM-13 `_] - Add CLI containers to ONAP Kubernetes +* [`OOM-15 `_] - Add DMAAP containers to ONAP Kubernetes +* [`OOM-20 `_] - State Monitoring: MSO/mso +* [`OOM-21 `_] - State Monitoring: A&AI/aai-service +* [`OOM-22 `_] - State Monitoring: SDNC/sdc-be +* [`OOM-24 `_] - State Monitoring: message-router +* [`OOM-25 `_] - State Monitoring: MSB +* [`OOM-29 `_] - State Monitoring: VID +* [`OOM-31 `_] - State Monitoring: APPC/dbhost +* [`OOM-32 `_] - State Monitoring: VFC +* [`OOM-33 `_] - State Monitoring: Multi-VIM +* [`OOM-34 `_] - Auto-Restart on failure: ... 
+* [`OOM-35 `_] - State Monitoring: A&AI/hbase +* [`OOM-36 `_] - State Monitoring: A&AI/model-loader-service +* [`OOM-37 `_] - State Monitoring: APPC/dgbuilder +* [`OOM-38 `_] - State Monitoring: APPC/sdnctldb01 +* [`OOM-39 `_] - State Monitoring: APPC/sdnctldb02 +* [`OOM-40 `_] - State Monitoring: APPC/sdnhost +* [`OOM-41 `_] - State Monitoring: MSO/mariadb +* [`OOM-42 `_] - State Monitoring: SDNC/dbhost +* [`OOM-43 `_] - State Monitoring: SDNC/sdnc-dgbuilder +* [`OOM-44 `_] - State Monitoring: SDNC/sdnc-portal +* [`OOM-45 `_] - State Monitoring: SDNC/sdnctldb01 +* [`OOM-51 `_] - OOM ONAP Configuration Management - Externalize hardwired values +* [`OOM-52 `_] - OOM ONAP Configuration Management - Parameterization of docker images +* [`OOM-53 `_] - OOM ONAP Configuration Management - Parameterization for Sizing +* [`OOM-63 `_] - Kubernetes cluster created by TOSCA description +* [`OOM-85 `_] - Test the code in the "Lab" project environment +* [`OOM-86 `_] - Monitoring the health status of ONAP components +* [`OOM-87 `_] - Configure TOSCA description via dashboard +* [`OOM-88 `_] - Deploy Holmes on K8S cluster by TOSCA description +* [`OOM-89 `_] - Deploy CLAMP on K8S cluster by TOSCA description +* [`OOM-91 `_] - Deploy MSB on K8S cluster by TOSCA description +* [`OOM-92 `_] - Deploy AAF on K8S cluster by TOSCA description +* [`OOM-93 `_] - Deploy VF-C on K8S cluster by TOSCA description +* [`OOM-94 `_] - Deploy Multi-VIM on K8S cluster by TOSCA description +* [`OOM-95 `_] - Deploy DCAEGen2 on K8S cluster by TOSCA description +* [`OOM-96 `_] - Deploy AAI on K8S cluster by TOSCA description +* [`OOM-97 `_] - Deploy APPC on K8S cluster by TOSCA description +* [`OOM-98 `_] - Deploy MSO on K8S cluster by TOSCA description +* [`OOM-99 `_] - Deploy Policy on K8S cluster by TOSCA description +* [`OOM-100 `_] - Deploy SDC on K8S cluster by TOSCA description +* [`OOM-102 `_] - Deploy VID on K8S cluster by TOSCA description +* [`OOM-110 `_] - OOM ONAP Logging - Elastic Stack 
components deployment +* [`OOM-111 `_] - OOM ONAP Logging - FileBeat deployment aside ONAP components +* [`OOM-112 `_] - OOM ONAP Logging - Configuration of all ONAP components to emit canonical logs +* [`OOM-116 `_] - ignore intellj files +* [`OOM-145 `_] - update directory path from dockerdata-nfs to configured directory name (make it configurable) +* [`OOM-235 `_] - Service endpoint annotation for Usecase UI +* [`OOM-242 `_] - Modify DCAE seed for Helm +* [`OOM-262 `_] - Remove "oneclick" kubectl scripts. +* [`OOM-265 `_] - Top level helm chart for ONAP +* [`OOM-268 `_] - Persist and externalize database directories via persistent volumes +* [`OOM-271 `_] - Copy app config files from source +* [`OOM-272 `_] - Set application environment variables from source +* [`OOM-277 `_] - add automatic ONAP config parameter substitution +* [`OOM-280 `_] - MSB automatically re-synch service data on restart. +* [`OOM-292 `_] - Expose LOG Volume via /dockerdata-nfs +* [`OOM-293 `_] - OOM ONAP Configuration Management - Handling of Secrets +* [`OOM-298 `_] - Provide script to cleanup configuration data created by createConfig.sh +* [`OOM-322 `_] - Clean-up config files that are generated at system startup +* [`OOM-341 `_] - Provide an example of a partial deployment of ONAP components (e.g. no VFC) +* [`OOM-342 `_] - Add pointer to Wiki page on the readme file. +* [`OOM-344 `_] - Break the configuration tarball per appplication +* [`OOM-345 `_] - Re-validate # of containers and configuration for DCAEgen2 +* [`OOM-356 `_] - Add 'Usecase UI' containers to ONAP Kubernetes +* [`OOM-359 `_] - SDC logback chef failure +* [`OOM-375 `_] - F2F: ONAP/OOM for Developers +* [`OOM-382 `_] - Robot Version 1.1 OpenO tests +* [`OOM-406 `_] - In Kubernetes 1.8, the annotations are no longer supported and must be converted to the PodSpec field. 
+* [`OOM-457 `_] - In Kubernetes 1.8, init-container annotations to be converted to PodSpec field for aaf, clamp and vfc +* [`OOM-460 `_] - Segregating configuration of ONAP components +* [`OOM-476 `_] - Parameterize values.yaml docker image repos into global config variables +* [`OOM-528 `_] - Confirm k8s context with a prompt for deleteAll.bash +* [`OOM-534 `_] - Need to provide support for creating different sized OOM deployments +* [`OOM-546 `_] - Provide option to collect ONAP env details for issue investigations +* [`OOM-569 `_] - Investigate containerizing Cloudify Manager +* [`OOM-579 `_] - Document a Cloudify deployment of OOM Beijing +* [`OOM-633 `_] - Provide direct access to ONAP Portal without the need to use VNC +* [`OOM-677 `_] - Update all source code files with the Apache 2 License header +* [`OOM-678 `_] - Enforce MSB dockers dependencies using init-container +* [`OOM-681 `_] - updating docker images/components to latest code +* [`OOM-682 `_] - deployment of sdc workflow designer +* [`OOM-695 `_] - Improve Readiness-check prob +* [`OOM-722 `_] - OOM - Run all ONAP components in one namespace +* [`OOM-725 `_] - Use Blueprint to install Helm and k8s dashboard while creating k8s cluster +* [`OOM-727 `_] - Add Standardized Configuration to SO +* [`OOM-728 `_] - Add Standardized Configuration to ROBOT +* [`OOM-729 `_] - Add Standardized Configuration to VID +* [`OOM-730 `_] - Add Standardized Configuration to Consul +* [`OOM-731 `_] - Add Standardized Configuration to DMaaP Message Router +* [`OOM-732 `_] - Add Standardized Configuration to AAF +* [`OOM-733 `_] - Add Standardized Configuration to APPC +* [`OOM-734 `_] - Add Standardized Configuration to AAI +* [`OOM-735 `_] - Add Standardized Configuration to CLAMP +* [`OOM-736 `_] - Add Standardized Configuration to CLI +* [`OOM-737 `_] - Add Standardized Configuration to DCAEGEN2 +* [`OOM-738 `_] - Add Standardized Configuration to ESR +* [`OOM-739 `_] - Add Standardized Configuration to KUBE2MSB +* 
[`OOM-740 `_] - Add Standardized Configuration to LOG +* [`OOM-742 `_] - Add Standardized Configuration to MSB +* [`OOM-743 `_] - Replace deprecated MSO Helm Chart with Standardized SO Helm Chart +* [`OOM-744 `_] - Add Standardized Configuration to MULTICLOUD +* [`OOM-746 `_] - Add Standardized Configuration to PORTAL +* [`OOM-747 `_] - Add Standardized Configuration to SDC +* [`OOM-748 `_] - Add Standardized Configuration to SDNC +* [`OOM-749 `_] - Add Standardized Configuration to UUI +* [`OOM-750 `_] - Add Standardized Configuration to VFC +* [`OOM-751 `_] - Add Standardized Configuration to VNFSDK +* [`OOM-758 `_] - Common Mariadb Galera Helm Chart to be reused by many applications +* [`OOM-771 `_] - OOM - update master with new policy db deployment +* [`OOM-777 `_] - Add Standardized Configuration Helm Starter Chart +* [`OOM-779 `_] - OOM APPC ODL (MDSAL) persistent storage +* [`OOM-780 `_] - Update MSO to latest working version. +* [`OOM-786 `_] - Re-add support for multiple instances of ONAP +* [`OOM-788 `_] - Abstract docker secrets +* [`OOM-789 `_] - Abstract cluster role binding +* [`OOM-811 `_] - Make kube2msb use secret instead of passing token as environment variable +* [`OOM-822 `_] - Update Documentation for the Beijing Release +* [`OOM-823 `_] - Add CDT image to APPC chart +* [`OOM-827 `_] - Add quick start documentation README +* [`OOM-828 `_] - Remove oneclick scripts +* [`OOM-857 `_] - kube2msb fails to start +* [`OOM-914 `_] - Add LOG component robot healthcheck +* [`OOM-960 `_] - OOM Healthcheck lockdown - currently 32/39 : 20180421 +* [`OOM-979 `_] - Enhance OOM TOSCA solution to support standardized Helm Chart +* [`OOM-1006 `_] - VNFSDK healthcheck fails +* [`OOM-1073 `_] - Change the Repository location in the image oomk8s/config-init:2.0.0-SNAPSHOT +* [`OOM-1078 `_] - Update Kubectl, docker, helm version Task **** -* [`OOM-57 `_] - Agree on configuration contract/YAML with each of the project teams -* [`OOM-105 `_] - TOSCA based 
orchestration demo -* [`OOM-257 `_] - DevOps: OOM config reset procedure for new /dockerdata-nfs content -* [`OOM-305 `_] - Rename MSO to SO in OOM -* [`OOM-332 `_] - Add AAI filebeat container - blocked by LOG-67 -* [`OOM-428 `_] - Add log container healthcheck to mark failed creations - see OOM-427 -* [`OOM-429 `_] - DOC: Document HELM server version 2.7.2 required for tpl usage -* [`OOM-489 `_] - Update values.yaml files for tag name changes for docker images and versions. -* [`OOM-543 `_] - SDNC adjust docker pullPolicy to IfNotPresent to speed up initial deployment slowdown introduced by SDNC-163 -* [`OOM-604 `_] - Update OOM and HEAT AAI sparky master from v1.1.0 to v1.1.1 - match INT-288 -* [`OOM-614 `_] - SDC, SDNC, AAI Healthcheck failures last 12 hours 20180124:1100EST -* [`OOM-624 `_] - CII security badging: cleartext password for keystone and docker repo creds -* [`OOM-726 `_] - Mirror AAI docker version changes into OOM from AAI-791 -* [`OOM-772 `_] - Remove old DCAE from Release -* [`OOM-801 `_] - Policy docker images rename - key off new name in POLICY-674 -* [`OOM-810 `_] - Improve emsdriver code -* [`OOM-819 `_] - expose log/logstash 5044 as nodeport for external log producers outside of the kubernetes cluster -* [`OOM-820 `_] - Bypass vnc-portal for ONAP portal access -* [`OOM-943 `_] - Upgrade prepull_docker.sh to work with new helm based master refactor - post OOM-328 -* [`OOM-947 `_] - Update AAI to latest images -* [`OOM-975 `_] - Notes are missing in multicloud -* [`OOM-1031 `_] - Config Changes for consul to make vid, so, log health checks pass -* [`OOM-1032 `_] - Making consul Stateful -* [`OOM-1122 `_] - Update APPC OOM chart to use Beijing release artifacts +* [`OOM-57 `_] - Agree on configuration contract/YAML with each of the project teams +* [`OOM-105 `_] - TOSCA based orchestration demo +* [`OOM-257 `_] - DevOps: OOM config reset procedure for new /dockerdata-nfs content +* [`OOM-305 `_] - Rename MSO to SO in OOM +* [`OOM-332 `_] - 
Add AAI filebeat container - blocked by LOG-67 +* [`OOM-428 `_] - Add log container healthcheck to mark failed creations - see OOM-427 +* [`OOM-429 `_] - DOC: Document HELM server version 2.7.2 required for tpl usage +* [`OOM-489 `_] - Update values.yaml files for tag name changes for docker images and versions. +* [`OOM-543 `_] - SDNC adjust docker pullPolicy to IfNotPresent to speed up initial deployment slowdown introduced by SDNC-163 +* [`OOM-604 `_] - Update OOM and HEAT AAI sparky master from v1.1.0 to v1.1.1 - match INT-288 +* [`OOM-614 `_] - SDC, SDNC, AAI Healthcheck failures last 12 hours 20180124:1100EST +* [`OOM-624 `_] - CII security badging: cleartext password for keystone and docker repo creds +* [`OOM-726 `_] - Mirror AAI docker version changes into OOM from AAI-791 +* [`OOM-772 `_] - Remove old DCAE from Release +* [`OOM-801 `_] - Policy docker images rename - key off new name in POLICY-674 +* [`OOM-810 `_] - Improve emsdriver code +* [`OOM-819 `_] - expose log/logstash 5044 as nodeport for external log producers outside of the kubernetes cluster +* [`OOM-820 `_] - Bypass vnc-portal for ONAP portal access +* [`OOM-943 `_] - Upgrade prepull_docker.sh to work with new helm based master refactor - post OOM-328 +* [`OOM-947 `_] - Update AAI to latest images +* [`OOM-975 `_] - Notes are missing in multicloud +* [`OOM-1031 `_] - Config Changes for consul to make vid, so, log health checks pass +* [`OOM-1032 `_] - Making consul Stateful +* [`OOM-1122 `_] - Update APPC OOM chart to use Beijing release artifacts Bug *** -* [`OOM-4 `_] - deleteAll.bash fails to properly delete services and ports -* [`OOM-153 `_] - test - Sample Bug -* [`OOM-212 `_] - deleteAll script does not have an option to delete the services -* [`OOM-215 `_] - configure_app for helm apps is not correct -* [`OOM-218 `_] - createConfig.sh needs a chmod 755 in release-1.0.0 only -* [`OOM-239 `_] - mso.tar created in dockerdatanfs -* [`OOM-258 `_] - AAI logs are not being written outside 
the pods -* [`OOM-282 `_] - vnc-portal requires /etc/hosts url fix for SDC sdc.ui should be sdc.api -* [`OOM-283 `_] - No longer able to deploy instances in specified namespace -* [`OOM-290 `_] - config_init pod fails when /dockerdata-nfs is nfs-mounted -* [`OOM-300 `_] - cat: /config-init/onap/mso/mso/encryption.key: No such file or directory -* [`OOM-333 `_] - vfc-workflow fails [VFC BUG] - fixed - 20180117 vfc-ztevnfmdriver has docker pull issue -* [`OOM-334 `_] - Change kubernetes startup user -* [`OOM-351 `_] - Apply standard convention across the "template deployment YML" file -* [`OOM-352 `_] - failed to start VFC containers -* [`OOM-363 `_] - DCAE tests NOK with Robot E2E tests -* [`OOM-366 `_] - certificates in consul agent config are not in the right directory -* [`OOM-389 `_] - sdc-be and sdc-fe do not initialize correctly on latest master -* [`OOM-409 `_] - Update Vid yaml file to point to the ONAPPORTAL URL -* [`OOM-413 `_] - In portal VNC pod refresh /etc/hosts entries -* [`OOM-414 `_] - MSB Healtcheck failure on $*_ENDPOINT variables -* [`OOM-424 `_] - DCAE installation is not possible today -* [`OOM-430 `_] - Portal healthcheck passing on vnc-portal down -* [`OOM-467 `_] - Optimize config-init process -* [`OOM-493 `_] - Kubernetes infrastructure for ESR -* [`OOM-496 `_] - Readiness check is marking full availability of some components like SDC and SDNC before they would pass healthcheck -* [`OOM-514 `_] - Readiness prob fails sometimes even though the relevant pods are running -* [`OOM-539 `_] - Kube2MSB registrator doesn't support https REST service registration -* [`OOM-570 `_] - Wrong value is assigned to kube2msb AUTH_TOKEN environment variable -* [`OOM-574 `_] - OOM configuration for robot does not copy heat templatese in dockerdata-nfs -* [`OOM-577 `_] - Incorrect evaluation of bash command in yaml template file (portal-vnc-dep.yaml) -* [`OOM-578 `_] - Hard coded token in oom/kubernetes/kube2msb/values.yaml file -* [`OOM-589 `_] - Can not 
acces CLI in vnc-portal -* [`OOM-598 `_] - createAll.bash base64: invalid option -- d -* [`OOM-600 `_] - Unable to open CLI by clicking CLI application icon -* [`OOM-630 `_] - Red herring config pod deletion error on deleteAll - after we started deleting onap-config automatically -* [`OOM-645 `_] - Kube2MSB RBAC security issues -* [`OOM-653 `_] - sdnc-dbhost-0 deletion failure -* [`OOM-657 `_] - Look into DCAEGEN2 failure on duplicate servicePort -* [`OOM-672 `_] - hardcoded clusterIP for aai breaks auto installation -* [`OOM-680 `_] - ONAP Failure install with kubernetes 1.8+ -* [`OOM-687 `_] - Typo in README_HELM -* [`OOM-724 `_] - License Update in TOSCA -* [`OOM-767 `_] - data-router-logs and elasticsearch-data mapped to same folder -* [`OOM-768 `_] - Hardcoded onap in config files -* [`OOM-769 `_] - sdc-es data mapping in sdc-be and sdc-fe redundant -* [`OOM-783 `_] - UUI health check is failing -* [`OOM-784 `_] - make new so chart one namespace compatible -* [`OOM-791 `_] - After OOM-722 merge - docker pulls are timing out - switch to pullPolicy IfNotPresent -* [`OOM-794 `_] - demo-k8s.sh name not modified in the usage string -* [`OOM-795 `_] - HEAT templates for robot instantiateVFW missing -* [`OOM-796 `_] - robot asdc/sdngc interface in synch for Master -* [`OOM-797 `_] - GLOBAL_INJECTED_SCRIPT_VERSION missing from vm_properties.py -* [`OOM-804 `_] - VFC vfc-ztevnfmdriver container failure -* [`OOM-815 `_] - OOM Robot container helm failure after OOM-728 35909 merge -* [`OOM-829 `_] - Can not make multicloud helm chart -* [`OOM-830 `_] - Fix OOM build dependencies -* [`OOM-835 `_] - CLAMP mariadb pv is pointing to a wrong location -* [`OOM-836 `_] - champ and gizmo yaml validation issue -* [`OOM-845 `_] - Global repository should not be set by default -* [`OOM-846 `_] - Add liveness enabled fix to helm starter -* [`OOM-847 `_] - log-elasticsearch external ports are not externally accessible -* [`OOM-848 `_] - log-logstash logstash pipeline fails to start 
after oom standard config changes -* [`OOM-851 `_] - sdc chart validation error -* [`OOM-856 `_] - appc mysql fails deployment -* [`OOM-858 `_] - Fail to deploy onap chart due to config map size -* [`OOM-870 `_] - Missing CLAMP configuration -* [`OOM-871 `_] - log kibana container fails to start after oom standard config changes -* [`OOM-872 `_] - APPC-helm Still need config pod -* [`OOM-873 `_] - OOM doc typo -* [`OOM-874 `_] - Inconsistent repository references in ONAP charts -* [`OOM-875 `_] - Cannot retrieve robot logs -* [`OOM-876 `_] - Some containers ignore the repository setting -* [`OOM-878 `_] - MySQL slave nodes don't deploy when mysql.replicaCount > 1 -* [`OOM-881 `_] - SDN-C Portal pod fails to come up -* [`OOM-882 `_] - Some SDNC service names should be prefixed with the helm release name -* [`OOM-884 `_] - VID-VID mariadb pv is pointing to a wrong location -* [`OOM-885 `_] - Beijing oom component log messages missing in Elasticsearch -* [`OOM-886 `_] - kube2msb not starting up -* [`OOM-887 `_] - SDN-C db schema and sdnctl db user not reliably being created -* [`OOM-888 `_] - aaf-cs mapping wrong -* [`OOM-889 `_] - restore pv&pvc for mysql when NFS provisioner is disabled -* [`OOM-898 `_] - Multicloud-framework config file is not volume-mounted -* [`OOM-899 `_] - SDNC main pod does not come up -* [`OOM-900 `_] - portal-cassandra missing pv and pvc -* [`OOM-904 `_] - OOM problems bringing up components and passing healthchecks -* [`OOM-905 `_] - Charts use nsPrefix instead of release namespace -* [`OOM-906 `_] - Make all services independent of helm Release.Name -* [`OOM-907 `_] - Make all persistent volume to be mapped to a location defined by helm Release.Name -* [`OOM-908 `_] - Job portal-db-config fails due to missing image config -* [`OOM-909 `_] - SO Health Check fails -* [`OOM-910 `_] - VID Health Check fails -* [`OOM-911 `_] - VFC Health Check fails for 9 components -* [`OOM-912 `_] - Multicloud Health Check fails for 1 of its components -* 
[`OOM-913 `_] - Consul agent pod is failing -* [`OOM-916 `_] - Used to fix testing issues related to usability -* [`OOM-918 `_] - Policy - incorrect configmap mount causes base.conf to disappear -* [`OOM-920 `_] - Issue with CLAMP configuration -* [`OOM-921 `_] - align onap/values.yaml and onap/resources/environments/dev.yaml - different /dockerdata-nfs -* [`OOM-926 `_] - Disable clustering for APP-C out-of-the-box -* [`OOM-927 `_] - Need a production grade configuration override file of ONAP deployment -* [`OOM-928 `_] - Some charts use /dockerdata-nfs by default -* [`OOM-929 `_] - DMaaP message router docker image fails to pull -* [`OOM-930 `_] - New AAF Helm Charts required -* [`OOM-931 `_] - Reintroduce VNC pod into OOM -* [`OOM-932 `_] - Unblock integration testing -* [`OOM-935 `_] - sdc-cassandra pod fails to delete using helm delete - forced kubectl delete -* [`OOM-936 `_] - Readiness-check prob version is inconsistent across components -* [`OOM-937 `_] - Portal Cassandra config map points to wrong directory -* [`OOM-938 `_] - Can't install aai alone using helm -* [`OOM-945 `_] - SDNC some bundles failing to start cleanly -* [`OOM-948 `_] - make vfc got an error -* [`OOM-951 `_] - Update APPC charts based on on changes for ccsdk and Nitrogen ODL -* [`OOM-953 `_] - switch aai haproxy/hbase repo from hub.docker.com to nexus3 -* [`OOM-958 `_] - SDC-be deployment missing environment parameter -* [`OOM-964 `_] - SDC Healthcheck failure on sdc-be and sdc-kb containers down -* [`OOM-968 `_] - warning on default deployment values.yaml -* [`OOM-969 `_] - oomk8s images have no Dockerfile's -* [`OOM-971 `_] - Common service name template should allow for chart name override -* [`OOM-974 `_] - Cassandra bootstrap is done incorrectly -* [`OOM-977 `_] - The esr-gui annotations should include a "path" param when register to MSB -* [`OOM-985 `_] - DMAAP Redis fails to start -* [`OOM-986 `_] - SDC BE and FE logs are missing -* [`OOM-989 `_] - Sync ete-k8.sh and ete.sh for 
new log file numbering -* [`OOM-990 `_] - AUTO.json in SDC has unreachable addresses -* [`OOM-993 `_] - AAI model-loader.properties not in sync with project file -* [`OOM-994 `_] - DCAE cloudify controller docker image 1.1.0 N/A - use 1.2.0/1.3.0 -* [`OOM-1003 `_] - dcae-cloudify-manager chart references obsolete image version -* [`OOM-1004 `_] - aai-resources constantly fails due to cassandra hostname -* [`OOM-1005 `_] - AAI Widgets not loading due to duplicate volumes -* [`OOM-1007 `_] - Update dcae robot health check config -* [`OOM-1008 `_] - Set default consul server replica count to 1 -* [`OOM-1010 `_] - Fix broken property names in DCAE input files -* [`OOM-1011 `_] - Policy config correction after Service Name changes because of OOM-906 -* [`OOM-1013 `_] - Update DCAE container versions -* [`OOM-1014 `_] - Portal login not working due to inconsistent zookeeper naming -* [`OOM-1015 `_] - Champ fails to start -* [`OOM-1016 `_] - DOC-OPS Review: Helm install command is wrong on oom_user_guide - missing namespace -* [`OOM-1017 `_] - DOC-OPS review: Docker/Kubernetes versions wrong for master in oom_cloud_setup_guide -* [`OOM-1018 `_] - DOC-OPS review: global repo override does not match git in oom quick start guide -* [`OOM-1019 `_] - DOC-OPS review: Add Ubuntu 16.04 reference to oom_user_guide to avoid 14/16 confusion -* [`OOM-1021 `_] - Update APPC resources for Nitrogen ODL -* [`OOM-1022 `_] - Fix SDC startup dependencies -* [`OOM-1023 `_] - "spring.datasource.cldsdb.url" in clamp has wrong clampdb name -* [`OOM-1024 `_] - Cassandra data not persisted -* [`OOM-1033 `_] - helm error during deployment 20180501:1900 - all builds under 2.7.2 -* [`OOM-1034 `_] - VID Ports incorrect in deployment.yaml -* [`OOM-1037 `_] - Enable CLI health check -* [`OOM-1039 `_] - Service distribution to SO fails -* [`OOM-1041 `_] - aai-service was renamed, but old references remain -* [`OOM-1042 `_] - portalapps service was renamed, but old references remain -* [`OOM-1045 `_] - 
top level values.yaml missing entry for dmaap chart -* [`OOM-1049 `_] - SDNC_UEB_LISTENER db -* [`OOM-1050 `_] - Impossible to deploy consul using cache docker registry -* [`OOM-1051 `_] - Fix aaf deployment -* [`OOM-1052 `_] - SO cloud config file points to Rackspace cloud -* [`OOM-1054 `_] - Portal LoadBalancer Ingress IP is on the wrong network -* [`OOM-1060 `_] - Incorrect MR Kafka references prevent aai champ from starting -* [`OOM-1061 `_] - ConfigMap size limit exceeded -* [`OOM-1064 `_] - Improve docker registry secret management -* [`OOM-1066 `_] - Updating TOSCA blueprint to sync up with helm configuration changes (add dmaap and oof/delete message-router) -* [`OOM-1068 `_] - Update SO with new AAI cert -* [`OOM-1076 `_] - some charts still using readiness check image from amsterdam 1.x -* [`OOM-1077 `_] - AAI resources and traversal deployment failure on non-rancher envs -* [`OOM-1079 `_] - Robot charts do not allow over ride of pub_key, dcae_collector_ip and dcae_collector_port -* [`OOM-1081 `_] - Remove component 'mock' from TOSCA deployment -* [`OOM-1082 `_] - Wrong pv location of dcae postgres -* [`OOM-1085 `_] - appc hostname is incorrect in url -* [`OOM-1086 `_] - clamp deployment changes /dockerdata-nfs/ReleaseName dir permissions -* [`OOM-1088 `_] - APPC returns error for vCPE restart message from Policy -* [`OOM-1089 `_] - DCAE pods are not getting purged -* [`OOM-1093 `_] - Line wrapping issue in redis-cluster-config.sh script -* [`OOM-1094 `_] - Fix postgres startup -* [`OOM-1095 `_] - common makefile builds out of order -* [`OOM-1096 `_] - node port conflict SDNC (Geo enabled) & other charts -* [`OOM-1097 `_] - Nbi needs dep-nbi - crash on make all -* [`OOM-1099 `_] - Add External Interface NBI project into OOM TOSCA -* [`OOM-1102 `_] - Incorrect AAI services -* [`OOM-1103 `_] - Cannot disable NBI -* [`OOM-1104 `_] - Policy DROOLS configuration across container restarts -* [`OOM-1110 `_] - Clamp issue when connecting Policy -* [`OOM-1111 `_] - 
Please revert to using VNFSDK Postgres container -* [`OOM-1114 `_] - APPC is broken in latest helm chart -* [`OOM-1115 `_] - SDNC DGBuilder cant operate on DGs in database - need NodePort -* [`OOM-1116 `_] - Correct values needed by NBI chart -* [`OOM-1124 `_] - Update OOM APPC chart to enhance AAF support -* [`OOM-1126 `_] - Incorrect Port mapping between CDT Application and APPC main application -* [`OOM-1127 `_] - SO fails healthcheck -* [`OOM-1128 `_] - AAF CS fails to start in OpenLab +* [`OOM-4 `_] - deleteAll.bash fails to properly delete services and ports +* [`OOM-153 `_] - test - Sample Bug +* [`OOM-212 `_] - deleteAll script does not have an option to delete the services +* [`OOM-215 `_] - configure_app for helm apps is not correct +* [`OOM-218 `_] - createConfig.sh needs a chmod 755 in release-1.0.0 only +* [`OOM-239 `_] - mso.tar created in dockerdatanfs +* [`OOM-258 `_] - AAI logs are not being written outside the pods +* [`OOM-282 `_] - vnc-portal requires /etc/hosts url fix for SDC sdc.ui should be sdc.api +* [`OOM-283 `_] - No longer able to deploy instances in specified namespace +* [`OOM-290 `_] - config_init pod fails when /dockerdata-nfs is nfs-mounted +* [`OOM-300 `_] - cat: /config-init/onap/mso/mso/encryption.key: No such file or directory +* [`OOM-333 `_] - vfc-workflow fails [VFC BUG] - fixed - 20180117 vfc-ztevnfmdriver has docker pull issue +* [`OOM-334 `_] - Change kubernetes startup user +* [`OOM-351 `_] - Apply standard convention across the "template deployment YML" file +* [`OOM-352 `_] - failed to start VFC containers +* [`OOM-363 `_] - DCAE tests NOK with Robot E2E tests +* [`OOM-366 `_] - certificates in consul agent config are not in the right directory +* [`OOM-389 `_] - sdc-be and sdc-fe do not initialize correctly on latest master +* [`OOM-409 `_] - Update Vid yaml file to point to the ONAPPORTAL URL +* [`OOM-413 `_] - In portal VNC pod refresh /etc/hosts entries +* [`OOM-414 `_] - MSB Healtcheck failure on $*_ENDPOINT 
variables +* [`OOM-424 `_] - DCAE installation is not possible today +* [`OOM-430 `_] - Portal healthcheck passing on vnc-portal down +* [`OOM-467 `_] - Optimize config-init process +* [`OOM-493 `_] - Kubernetes infrastructure for ESR +* [`OOM-496 `_] - Readiness check is marking full availability of some components like SDC and SDNC before they would pass healthcheck +* [`OOM-514 `_] - Readiness prob fails sometimes even though the relevant pods are running +* [`OOM-539 `_] - Kube2MSB registrator doesn't support https REST service registration +* [`OOM-570 `_] - Wrong value is assigned to kube2msb AUTH_TOKEN environment variable +* [`OOM-574 `_] - OOM configuration for robot does not copy heat templatese in dockerdata-nfs +* [`OOM-577 `_] - Incorrect evaluation of bash command in yaml template file (portal-vnc-dep.yaml) +* [`OOM-578 `_] - Hard coded token in oom/kubernetes/kube2msb/values.yaml file +* [`OOM-589 `_] - Can not acces CLI in vnc-portal +* [`OOM-598 `_] - createAll.bash base64: invalid option -- d +* [`OOM-600 `_] - Unable to open CLI by clicking CLI application icon +* [`OOM-630 `_] - Red herring config pod deletion error on deleteAll - after we started deleting onap-config automatically +* [`OOM-645 `_] - Kube2MSB RBAC security issues +* [`OOM-653 `_] - sdnc-dbhost-0 deletion failure +* [`OOM-657 `_] - Look into DCAEGEN2 failure on duplicate servicePort +* [`OOM-672 `_] - hardcoded clusterIP for aai breaks auto installation +* [`OOM-680 `_] - ONAP Failure install with kubernetes 1.8+ +* [`OOM-687 `_] - Typo in README_HELM +* [`OOM-724 `_] - License Update in TOSCA +* [`OOM-767 `_] - data-router-logs and elasticsearch-data mapped to same folder +* [`OOM-768 `_] - Hardcoded onap in config files +* [`OOM-769 `_] - sdc-es data mapping in sdc-be and sdc-fe redundant +* [`OOM-783 `_] - UUI health check is failing +* [`OOM-784 `_] - make new so chart one namespace compatible +* [`OOM-791 `_] - After OOM-722 merge - docker pulls are timing out - switch to 
pullPolicy IfNotPresent +* [`OOM-794 `_] - demo-k8s.sh name not modified in the usage string +* [`OOM-795 `_] - HEAT templates for robot instantiateVFW missing +* [`OOM-796 `_] - robot asdc/sdngc interface in synch for Master +* [`OOM-797 `_] - GLOBAL_INJECTED_SCRIPT_VERSION missing from vm_properties.py +* [`OOM-804 `_] - VFC vfc-ztevnfmdriver container failure +* [`OOM-815 `_] - OOM Robot container helm failure after OOM-728 35909 merge +* [`OOM-829 `_] - Can not make multicloud helm chart +* [`OOM-830 `_] - Fix OOM build dependencies +* [`OOM-835 `_] - CLAMP mariadb pv is pointing to a wrong location +* [`OOM-836 `_] - champ and gizmo yaml validation issue +* [`OOM-845 `_] - Global repository should not be set by default +* [`OOM-846 `_] - Add liveness enabled fix to helm starter +* [`OOM-847 `_] - log-elasticsearch external ports are not externally accessible +* [`OOM-848 `_] - log-logstash logstash pipeline fails to start after oom standard config changes +* [`OOM-851 `_] - sdc chart validation error +* [`OOM-856 `_] - appc mysql fails deployment +* [`OOM-858 `_] - Fail to deploy onap chart due to config map size +* [`OOM-870 `_] - Missing CLAMP configuration +* [`OOM-871 `_] - log kibana container fails to start after oom standard config changes +* [`OOM-872 `_] - APPC-helm Still need config pod +* [`OOM-873 `_] - OOM doc typo +* [`OOM-874 `_] - Inconsistent repository references in ONAP charts +* [`OOM-875 `_] - Cannot retrieve robot logs +* [`OOM-876 `_] - Some containers ignore the repository setting +* [`OOM-878 `_] - MySQL slave nodes don't deploy when mysql.replicaCount > 1 +* [`OOM-881 `_] - SDN-C Portal pod fails to come up +* [`OOM-882 `_] - Some SDNC service names should be prefixed with the helm release name +* [`OOM-884 `_] - VID-VID mariadb pv is pointing to a wrong location +* [`OOM-885 `_] - Beijing oom component log messages missing in Elasticsearch +* [`OOM-886 `_] - kube2msb not starting up +* [`OOM-887 `_] - SDN-C db schema and sdnctl db 
user not reliably being created +* [`OOM-888 `_] - aaf-cs mapping wrong +* [`OOM-889 `_] - restore pv&pvc for mysql when NFS provisioner is disabled +* [`OOM-898 `_] - Multicloud-framework config file is not volume-mounted +* [`OOM-899 `_] - SDNC main pod does not come up +* [`OOM-900 `_] - portal-cassandra missing pv and pvc +* [`OOM-904 `_] - OOM problems bringing up components and passing healthchecks +* [`OOM-905 `_] - Charts use nsPrefix instead of release namespace +* [`OOM-906 `_] - Make all services independent of helm Release.Name +* [`OOM-907 `_] - Make all persistent volume to be mapped to a location defined by helm Release.Name +* [`OOM-908 `_] - Job portal-db-config fails due to missing image config +* [`OOM-909 `_] - SO Health Check fails +* [`OOM-910 `_] - VID Health Check fails +* [`OOM-911 `_] - VFC Health Check fails for 9 components +* [`OOM-912 `_] - Multicloud Health Check fails for 1 of its components +* [`OOM-913 `_] - Consul agent pod is failing +* [`OOM-916 `_] - Used to fix testing issues related to usability +* [`OOM-918 `_] - Policy - incorrect configmap mount causes base.conf to disappear +* [`OOM-920 `_] - Issue with CLAMP configuration +* [`OOM-921 `_] - align onap/values.yaml and onap/resources/environments/dev.yaml - different /dockerdata-nfs +* [`OOM-926 `_] - Disable clustering for APP-C out-of-the-box +* [`OOM-927 `_] - Need a production grade configuration override file of ONAP deployment +* [`OOM-928 `_] - Some charts use /dockerdata-nfs by default +* [`OOM-929 `_] - DMaaP message router docker image fails to pull +* [`OOM-930 `_] - New AAF Helm Charts required +* [`OOM-931 `_] - Reintroduce VNC pod into OOM +* [`OOM-932 `_] - Unblock integration testing +* [`OOM-935 `_] - sdc-cassandra pod fails to delete using helm delete - forced kubectl delete +* [`OOM-936 `_] - Readiness-check prob version is inconsistent across components +* [`OOM-937 `_] - Portal Cassandra config map points to wrong directory +* [`OOM-938 `_] - Can't 
install aai alone using helm +* [`OOM-945 `_] - SDNC some bundles failing to start cleanly +* [`OOM-948 `_] - make vfc got an error +* [`OOM-951 `_] - Update APPC charts based on on changes for ccsdk and Nitrogen ODL +* [`OOM-953 `_] - switch aai haproxy/hbase repo from hub.docker.com to nexus3 +* [`OOM-958 `_] - SDC-be deployment missing environment parameter +* [`OOM-964 `_] - SDC Healthcheck failure on sdc-be and sdc-kb containers down +* [`OOM-968 `_] - warning on default deployment values.yaml +* [`OOM-969 `_] - oomk8s images have no Dockerfile's +* [`OOM-971 `_] - Common service name template should allow for chart name override +* [`OOM-974 `_] - Cassandra bootstrap is done incorrectly +* [`OOM-977 `_] - The esr-gui annotations should include a "path" param when register to MSB +* [`OOM-985 `_] - DMAAP Redis fails to start +* [`OOM-986 `_] - SDC BE and FE logs are missing +* [`OOM-989 `_] - Sync ete-k8.sh and ete.sh for new log file numbering +* [`OOM-990 `_] - AUTO.json in SDC has unreachable addresses +* [`OOM-993 `_] - AAI model-loader.properties not in sync with project file +* [`OOM-994 `_] - DCAE cloudify controller docker image 1.1.0 N/A - use 1.2.0/1.3.0 +* [`OOM-1003 `_] - dcae-cloudify-manager chart references obsolete image version +* [`OOM-1004 `_] - aai-resources constantly fails due to cassandra hostname +* [`OOM-1005 `_] - AAI Widgets not loading due to duplicate volumes +* [`OOM-1007 `_] - Update dcae robot health check config +* [`OOM-1008 `_] - Set default consul server replica count to 1 +* [`OOM-1010 `_] - Fix broken property names in DCAE input files +* [`OOM-1011 `_] - Policy config correction after Service Name changes because of OOM-906 +* [`OOM-1013 `_] - Update DCAE container versions +* [`OOM-1014 `_] - Portal login not working due to inconsistent zookeeper naming +* [`OOM-1015 `_] - Champ fails to start +* [`OOM-1016 `_] - DOC-OPS Review: Helm install command is wrong on oom_user_guide - missing namespace +* [`OOM-1017 `_] - 
DOC-OPS review: Docker/Kubernetes versions wrong for master in oom_cloud_setup_guide +* [`OOM-1018 `_] - DOC-OPS review: global repo override does not match git in oom quick start guide +* [`OOM-1019 `_] - DOC-OPS review: Add Ubuntu 16.04 reference to oom_user_guide to avoid 14/16 confusion +* [`OOM-1021 `_] - Update APPC resources for Nitrogen ODL +* [`OOM-1022 `_] - Fix SDC startup dependencies +* [`OOM-1023 `_] - "spring.datasource.cldsdb.url" in clamp has wrong clampdb name +* [`OOM-1024 `_] - Cassandra data not persisted +* [`OOM-1033 `_] - helm error during deployment 20180501:1900 - all builds under 2.7.2 +* [`OOM-1034 `_] - VID Ports incorrect in deployment.yaml +* [`OOM-1037 `_] - Enable CLI health check +* [`OOM-1039 `_] - Service distribution to SO fails +* [`OOM-1041 `_] - aai-service was renamed, but old references remain +* [`OOM-1042 `_] - portalapps service was renamed, but old references remain +* [`OOM-1045 `_] - top level values.yaml missing entry for dmaap chart +* [`OOM-1049 `_] - SDNC_UEB_LISTENER db +* [`OOM-1050 `_] - Impossible to deploy consul using cache docker registry +* [`OOM-1051 `_] - Fix aaf deployment +* [`OOM-1052 `_] - SO cloud config file points to Rackspace cloud +* [`OOM-1054 `_] - Portal LoadBalancer Ingress IP is on the wrong network +* [`OOM-1060 `_] - Incorrect MR Kafka references prevent aai champ from starting +* [`OOM-1061 `_] - ConfigMap size limit exceeded +* [`OOM-1064 `_] - Improve docker registry secret management +* [`OOM-1066 `_] - Updating TOSCA blueprint to sync up with helm configuration changes (add dmaap and oof/delete message-router) +* [`OOM-1068 `_] - Update SO with new AAI cert +* [`OOM-1076 `_] - some charts still using readiness check image from amsterdam 1.x +* [`OOM-1077 `_] - AAI resources and traversal deployment failure on non-rancher envs +* [`OOM-1079 `_] - Robot charts do not allow over ride of pub_key, dcae_collector_ip and dcae_collector_port +* [`OOM-1081 `_] - Remove component 'mock' from 
TOSCA deployment +* [`OOM-1082 `_] - Wrong pv location of dcae postgres +* [`OOM-1085 `_] - appc hostname is incorrect in url +* [`OOM-1086 `_] - clamp deployment changes /dockerdata-nfs/ReleaseName dir permissions +* [`OOM-1088 `_] - APPC returns error for vCPE restart message from Policy +* [`OOM-1089 `_] - DCAE pods are not getting purged +* [`OOM-1093 `_] - Line wrapping issue in redis-cluster-config.sh script +* [`OOM-1094 `_] - Fix postgres startup +* [`OOM-1095 `_] - common makefile builds out of order +* [`OOM-1096 `_] - node port conflict SDNC (Geo enabled) & other charts +* [`OOM-1097 `_] - Nbi needs dep-nbi - crash on make all +* [`OOM-1099 `_] - Add External Interface NBI project into OOM TOSCA +* [`OOM-1102 `_] - Incorrect AAI services +* [`OOM-1103 `_] - Cannot disable NBI +* [`OOM-1104 `_] - Policy DROOLS configuration across container restarts +* [`OOM-1110 `_] - Clamp issue when connecting Policy +* [`OOM-1111 `_] - Please revert to using VNFSDK Postgres container +* [`OOM-1114 `_] - APPC is broken in latest helm chart +* [`OOM-1115 `_] - SDNC DGBuilder cant operate on DGs in database - need NodePort +* [`OOM-1116 `_] - Correct values needed by NBI chart +* [`OOM-1124 `_] - Update OOM APPC chart to enhance AAF support +* [`OOM-1126 `_] - Incorrect Port mapping between CDT Application and APPC main application +* [`OOM-1127 `_] - SO fails healthcheck +* [`OOM-1128 `_] - AAF CS fails to start in OpenLab Sub-task ******** -* [`OOM-304 `_] - Service endpoint annotation for Data Router -* [`OOM-306 `_] - Handle mariadb secrets -* [`OOM-510 `_] - Increase vm.max_map_count to 262144 when running Rancher 1.6.11+ via helm 2.6+ - for elasticsearch log mem failure -* [`OOM-512 `_] - Push the reviewed and merged ReadMe content to RTD -* [`OOM-641 `_] - Segregating of configuration for SDNC-UEB component -* [`OOM-655 `_] - Create alternate prepull script which provides more user feedback and logging -* [`OOM-753 `_] - Create Helm Sub-Chart for SO's embedded 
mariadb -* [`OOM-754 `_] - Create Helm Chart for SO -* [`OOM-774 `_] - Create Helm Sub-Chart for APPC's embedded mySQL database -* [`OOM-775 `_] - Create Helm Chart for APPC -* [`OOM-778 `_] - Replace NFS Provisioner with configurable PV storage solution -* [`OOM-825 `_] - Apache 2 License updation for All sqls and .js file -* [`OOM-849 `_] - Policy Nexus component needs persistent volume for /sonatype-work -* [`OOM-991 `_] - Adjust SDC-BE init job timing from 10 to 30s to avoid restarts on single node systems -* [`OOM-1036 `_] - update helm from 2.7.2 to 2.8.2 wiki/rtd -* [`OOM-1063 `_] - Document Portal LoadBalancer Ingress IP Settings +* [`OOM-304 `_] - Service endpoint annotation for Data Router +* [`OOM-306 `_] - Handle mariadb secrets +* [`OOM-510 `_] - Increase vm.max_map_count to 262144 when running Rancher 1.6.11+ via helm 2.6+ - for elasticsearch log mem failure +* [`OOM-512 `_] - Push the reviewed and merged ReadMe content to RTD +* [`OOM-641 `_] - Segregating of configuration for SDNC-UEB component +* [`OOM-655 `_] - Create alternate prepull script which provides more user feedback and logging +* [`OOM-753 `_] - Create Helm Sub-Chart for SO's embedded mariadb +* [`OOM-754 `_] - Create Helm Chart for SO +* [`OOM-774 `_] - Create Helm Sub-Chart for APPC's embedded mySQL database +* [`OOM-775 `_] - Create Helm Chart for APPC +* [`OOM-778 `_] - Replace NFS Provisioner with configurable PV storage solution +* [`OOM-825 `_] - Apache 2 License updation for All sqls and .js file +* [`OOM-849 `_] - Policy Nexus component needs persistent volume for /sonatype-work +* [`OOM-991 `_] - Adjust SDC-BE init job timing from 10 to 30s to avoid restarts on single node systems +* [`OOM-1036 `_] - update helm from 2.7.2 to 2.8.2 wiki/rtd +* [`OOM-1063 `_] - Document Portal LoadBalancer Ingress IP Settings **Security Notes** 
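Review bot: The re-added Beijing bug list still carries the entry `OOM-153 - test - Sample Bug`, which reads as a placeholder ticket rather than a fix delivered in the release. Since every entry in this list is being rewritten for the link change anyway, drop that line in the same pass. In the portion of the hunk shown here, the removed and added entries otherwise have identical visible text, so it is worth confirming that no entry was lost or reordered during the bulk rewrite.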
@@ -418,7 +418,7 @@ OOM code has been formally scanned during build time using NexusIQ and no Critical vulnerability was found. Quick Links: - - `OOM project page `_ + - `OOM project page `_ - `Passing Badge information for OOM `_ diff --git a/docs/sections/release_notes/release-notes-casablanca.rst b/docs/sections/release_notes/release-notes-casablanca.rst index 6b857309aa..7585e119c2 100644 --- a/docs/sections/release_notes/release-notes-casablanca.rst +++ b/docs/sections/release_notes/release-notes-casablanca.rst @@ -55,7 +55,7 @@ Critical vulnerability was found. Quick Links: - - `OOM project page `_ + - `OOM project page `_ - `Passing Badge information for OOM `_ @@ -71,8 +71,8 @@ Quick Links: Kubernetes version (1.12) - `K8S Bug Report `_ - - `OOM-1532 `_ - - `OOM-1516 `_ - - `OOM-1520 `_ + - `OOM-1532 `_ + - `OOM-1516 `_ + - `OOM-1520 `_ End of Release Notes diff --git a/docs/sections/release_notes/release-notes-dublin.rst b/docs/sections/release_notes/release-notes-dublin.rst index 7a32297210..243f32cf1a 100644 --- a/docs/sections/release_notes/release-notes-dublin.rst +++ b/docs/sections/release_notes/release-notes-dublin.rst @@ -62,9 +62,9 @@ Summary *Known Security Issues* -* In default deployment OOM (consul-server-ui) exposes HTTP port 30270 outside of cluster. [`OJSI-134 `_] -* Hard coded password used for all oom deployments [`OJSI-188 `_] -* CVE-2019-12127 - OOM exposes unprotected API/UI on port 30270 [`OJSI-202 `_] +* In default deployment OOM (consul-server-ui) exposes HTTP port 30270 outside of cluster. [`OJSI-134 `_] +* Hard coded password used for all oom deployments [`OJSI-188 `_] +* CVE-2019-12127 - OOM exposes unprotected API/UI on port 30270 [`OJSI-202 `_] *Known Vulnerabilities in Used Modules* @@ -73,7 +73,7 @@ Critical vulnerability was found. Quick Links: - - `OOM project page `_ + - `OOM project page `_ - `Passing Badge information for OOM `_ 
diff --git a/docs/sections/release_notes/release-notes-elalto.rst b/docs/sections/release_notes/release-notes-elalto.rst index b4059028e5..71d19bb6b4 100644 --- a/docs/sections/release_notes/release-notes-elalto.rst +++ b/docs/sections/release_notes/release-notes-elalto.rst @@ -28,7 +28,7 @@ Summary The focus of this release was on maintenance and as such no new features were delivered. -A list of issues resolved in this release can be found here: https://jira.onap.org/projects/OOM/versions/10726 +A list of issues resolved in this release can be found here: https://lf-onap.atlassian.net/projects/OOM/versions/10726 **New Features** 
@@ -40,14 +40,14 @@ A list of issues resolved in this release can be found here: https://jira.onap.o The following known issues will be addressed in a future release: -* [`OOM-1480 `_] - postgres chart does not set root password when installing on an existing database instances -* [`OOM-1966 `_] - ONAP on HA Kubernetes Cluster - Documentation update -* [`OOM-1995 `_] - Mariadb Galera cluster pods keep failing -* [`OOM-2061 `_] - Details Missing for installing the kubectl section -* [`OOM-2075 `_] - Invalid MTU for Canal CNI interfaces -* [`OOM-2080 `_] - Need for "ReadWriteMany" access on storage when deploying on Kubernetes? -* [`OOM-2091 `_] - incorrect release deployed -* [`OOM-2132 `_] - Common Galera server.cnf does not contain Camunda required settings +* [`OOM-1480 `_] - postgres chart does not set root password when installing on an existing database instances +* [`OOM-1966 `_] - ONAP on HA Kubernetes Cluster - Documentation update +* [`OOM-1995 `_] - Mariadb Galera cluster pods keep failing +* [`OOM-2061 `_] - Details Missing for installing the kubectl section +* [`OOM-2075 `_] - Invalid MTU for Canal CNI interfaces +* [`OOM-2080 `_] - Need for "ReadWriteMany" access on storage when deploying on Kubernetes? +* [`OOM-2091 `_] - incorrect release deployed +* [`OOM-2132 `_] - Common Galera server.cnf does not contain Camunda required settings **Security Notes** 
@@ -55,9 +55,9 @@ The following known issues will be addressed in a future release: *Known Security Issues* -* In default deployment OOM (consul-server-ui) exposes HTTP port 30270 outside of cluster. [`OJSI-134 `_] -* Hard coded password used for all oom deployments [`OJSI-188 `_] -* CVE-2019-12127 - OOM exposes unprotected API/UI on port 30270 [`OJSI-202 `_] +* In default deployment OOM (consul-server-ui) exposes HTTP port 30270 outside of cluster. [`OJSI-134 `_] +* Hard coded password used for all oom deployments [`OJSI-188 `_] +* CVE-2019-12127 - OOM exposes unprotected API/UI on port 30270 [`OJSI-202 `_] *Known Vulnerabilities in Used Modules* @@ -66,7 +66,7 @@ Critical vulnerability was found. Quick Links: - - `OOM project page `_ + - `OOM project page `_ - `Passing Badge information for OOM `_ diff --git a/docs/sections/release_notes/release-notes-frankfurt.rst b/docs/sections/release_notes/release-notes-frankfurt.rst index c0374a6dd8..db515dc480 100644 --- a/docs/sections/release_notes/release-notes-frankfurt.rst +++ b/docs/sections/release_notes/release-notes-frankfurt.rst 
@@ -55,36 +55,36 @@ New features **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/10826 +https://lf-onap.atlassian.net/projects/OOM/versions/10826 **Known Issues** -- `OOM-1237 `_ Source Helm Charts from +- `OOM-1237 `_ Source Helm Charts from ONAP Repo. Having helm charts repo is not possible for Frankfurt release. -- `OOM-1720 `_ galera container is +- `OOM-1720 `_ galera container is outdated. containers used for mariadb are outdated and not supported anymore. -- `OOM-1817 `_ Use of global.repository +- `OOM-1817 `_ Use of global.repository inconsistent across Helm Charts. it's then may be hard to retrieve some containers when deploying in constrained environment. -- `OOM-2075 `_ Invalid MTU for Canal CNI +- `OOM-2075 `_ Invalid MTU for Canal CNI interfaces -- `OOM-2227 `_ Cassandra Backup Mechanism +- `OOM-2227 `_ Cassandra Backup Mechanism works only on "static PV" mode. -- `OOM-2230 `_ Missing requests/limits +- `OOM-2230 `_ Missing requests/limits for some PODS. This can lead to "memory bombing" so cautious monitoring of Kubernetes resources usage must be set up. -- `OOM-2279 `_ OOM El Alto and master +- `OOM-2279 `_ OOM El Alto and master clamp mariadb resources doesn't match chart. -- `OOM-2285 `_ deploy.sh does not work +- `OOM-2285 `_ deploy.sh does not work for mariadb-galera. deploy script doesn't behave well with "-" in the component name. -- `OOM-2369 `_ DMAAP Helm install takes +- `OOM-2369 `_ DMAAP Helm install takes too long and often fails. -- `OOM-2418 `_ Readiness-check 2.0.2 not +- `OOM-2418 `_ Readiness-check 2.0.2 not working properly for stateful set. -- `OOM-2421 `_ OOM NBI chart deployment +- `OOM-2421 `_ OOM NBI chart deployment error. In some case, NBI deployment fails. -- `OOM-2422 `_ Portal App is unreachable +- `OOM-2422 `_ Portal App is unreachable when deploying without HTTPs 
@@ -107,21 +107,21 @@ Known Vulnerabilities Workarounds ----------- -- `OOM-1237 `_ Workaround is to generate +- `OOM-1237 `_ Workaround is to generate them as explained in documentation. -- `OOM-1817 `_ Workaround is to use +- `OOM-1817 `_ Workaround is to use offline installer if needed. -- `OOM-2227 `_ Workaround is to stick to +- `OOM-2227 `_ Workaround is to stick to "static PV" (so, not using storage class) if backup is needed. -- `OOM-2285 `_ Workaround is to use +- `OOM-2285 `_ Workaround is to use directly helm upgrade if needed. -- `OOM-2369 `_ Workaround is to play +- `OOM-2369 `_ Workaround is to play postinstall jobs by hand. -- `OOM-2418 `_ Workaround is to use +- `OOM-2418 `_ Workaround is to use version 2.2.2 in global part of override file if the new check is needed. -- `OOM-2421 `_ Workaround is to +- `OOM-2421 `_ Workaround is to undeploy/redeploy NBI. -- `OOM-2422 `_ Workaround is to create +- `OOM-2422 `_ Workaround is to create first portal app service with service type Cluster IP then changing it to NodePort or LoadBalancer so all the port are available. @@ -131,9 +131,9 @@ Security Notes **Fixed Security Issues** - In default deployment OOM (consul-server-ui) exposes HTTP port 30270 outside - of cluster. [`OJSI-134 `_] + of cluster. [`OJSI-134 `_] - CVE-2019-12127 - OOM exposes unprotected API/UI on port 30270 - [`OJSI-202 `_] + [`OJSI-202 `_] References ========== @@ -147,6 +147,6 @@ For more information on the ONAP Frankfurt release, please see: .. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki .. _`ONAP Documentation`: https://docs.onap.org .. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-guilin.rst b/docs/sections/release_notes/release-notes-guilin.rst index e8fda544c2..d6e00d0100 100644 --- a/docs/sections/release_notes/release-notes-guilin.rst 
+++ b/docs/sections/release_notes/release-notes-guilin.rst @@ -57,30 +57,30 @@ New features **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/10826 +https://lf-onap.atlassian.net/projects/OOM/versions/10826 **Known Issues** -- `OOM-1237 `_ Source Helm Charts from +- `OOM-1237 `_ Source Helm Charts from ONAP Repo. Having helm charts repo is not possible for Frankfurt release. -- `OOM-1720 `_ galera container is +- `OOM-1720 `_ galera container is outdated. containers used for mariadb are outdated and not supported anymore. -- `OOM-1817 `_ Use of global.repository +- `OOM-1817 `_ Use of global.repository inconsistent across Helm Charts. it's then may be hard to retrieve some containers when deploying in constrained environment. -- `OOM-2227 `_ Cassandra Backup Mechanism +- `OOM-2227 `_ Cassandra Backup Mechanism works only on "static PV" mode. -- `OOM-2285 `_ deploy.sh does not work +- `OOM-2285 `_ deploy.sh does not work for mariadb-galera. deploy script doesn't behave well with "-" in the component name. -- `OOM-2421 `_ OOM nbi chart deployment +- `OOM-2421 `_ OOM nbi chart deployment error -- `OOM-2534 `_ Cert-Service leverages +- `OOM-2534 `_ Cert-Service leverages runtime external dependency -- `OOM-2554 `_ Common pods have java 8 -- `OOM-2588 `_ Various subcharts not +- `OOM-2554 `_ Common pods have java 8 +- `OOM-2588 `_ Various subcharts not installing due to helm size issues -- `OOM-2629 `_ NetBox demo entry setup +- `OOM-2629 `_ NetBox demo entry setup not complete 
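Review bot: The updated "issues resolved" link in release-notes-guilin.rst keeps `versions/10826`, the same version id that the Frankfurt notes use earlier in this patch, so one of the two is presumably a copy-paste leftover. While the host is being changed, confirm Guilin's own version id and use it here. The unchanged OOM-1237 entry in this hunk also still reads "not possible for Frankfurt release", which suggests the Known Issues text was copied from the Frankfurt notes without being adapted.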
@@ -104,20 +104,20 @@ Known Vulnerabilities --------------------- - Hard coded password used for all OOM deployments - [`OJSI-188 `_] + [`OJSI-188 `_] Workarounds ----------- -- `OOM-1237 `_ Workaround is to generate +- `OOM-1237 `_ Workaround is to generate them as explained in documentation. -- `OOM-1817 `_ Workaround is to use +- `OOM-1817 `_ Workaround is to use offline installer if needed. -- `OOM-2227 `_ Workaround is to stick to +- `OOM-2227 `_ Workaround is to stick to "static PV" (so, not using storage class) if backup is needed. -- `OOM-2285 `_ Workaround is to use +- `OOM-2285 `_ Workaround is to use directly helm upgrade if needed. -- `OOM-2534 `_ Workaround is to download +- `OOM-2534 `_ Workaround is to download in advance docker.io/openjdk:11-jre-slim where you will generate the charts Security Notes @@ -137,6 +137,6 @@ For more information on the ONAP Frankfurt release, please see: .. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki .. _`ONAP Documentation`: https://docs.onap.org .. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-honolulu.rst b/docs/sections/release_notes/release-notes-honolulu.rst index 3a7891a1ba..1d72d767e4 100644 --- a/docs/sections/release_notes/release-notes-honolulu.rst +++ b/docs/sections/release_notes/release-notes-honolulu.rst @@ -67,7 +67,7 @@ New features **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11073 +https://lf-onap.atlassian.net/projects/OOM/versions/11073 major issues solved: 
@@ -77,29 +77,29 @@ major issues solved: **Known Issues** -- `OOM-2554 `_ Common pods have java 8 -- `OOM-2435 `_ SDNC karaf shell: +- `OOM-2554 `_ Common pods have java 8 +- `OOM-2435 `_ SDNC karaf shell: log:list: Error executing command: Unrecognized configuration -- `OOM-2629 `_ NetBox demo entry setup +- `OOM-2629 `_ NetBox demo entry setup not complete -- `OOM-2706 `_ CDS Blueprint Processor +- `OOM-2706 `_ CDS Blueprint Processor does not work with local DB -- `OOM-2713 `_ Problem on onboarding +- `OOM-2713 `_ Problem on onboarding custom cert to SDNC ONAP during deployment -- `OOM-2698 `_ SO helm override fails in +- `OOM-2698 `_ SO helm override fails in for value with multi-level replacement -- `OOM-2697 `_ SO with local MariaDB +- `OOM-2697 `_ SO with local MariaDB deployment fails -- `OOM-2538 `_ strange error with +- `OOM-2538 `_ strange error with CertInitializer template -- `OOM-2547 `_ Health Check failures +- `OOM-2547 `_ Health Check failures seen after bringing down/up control plane & worker node VM instances on which ONAP hosted -- `OOM-2699 `_ SO so-mariadb +- `OOM-2699 `_ SO so-mariadb readinessCheck fails for local MariaDB instance -- `OOM-2705 `_ SDNC DB installation fails +- `OOM-2705 `_ SDNC DB installation fails on local MariaDB instance -- `OOM-2603 `_ [SDNC] allign password for +- `OOM-2603 `_ [SDNC] allign password for scaleoutUser/restconfUser/odlUser Deliverables @@ -122,13 +122,13 @@ Known Vulnerabilities --------------------- - Hard coded password used for all OOM deployments - [`OJSI-188 `_] + [`OJSI-188 `_] - `Hard coded certificates <../oom_hardcoded_certificates>` in Helm packages Workarounds ----------- -- ``_ +- ``_ Workaround is to generate a password with "short" strength or pregenerate passwords without single quote in it. Default deployment is using "short" password generation for mariadb. 
@@ -150,6 +150,6 @@ For more information on the ONAP Frankfurt release, please see: .. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki .. _`ONAP Documentation`: https://docs.onap.org .. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-istanbul.rst b/docs/sections/release_notes/release-notes-istanbul.rst index a29b1e2f2d..05f08b5198 100644 --- a/docs/sections/release_notes/release-notes-istanbul.rst +++ b/docs/sections/release_notes/release-notes-istanbul.rst @@ -56,7 +56,7 @@ New features **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11074 +https://lf-onap.atlassian.net/projects/OOM/versions/11074 **Known Issues** @@ -84,7 +84,7 @@ Known Vulnerabilities Workarounds ----------- -- `OOM-2754 `_ +- `OOM-2754 `_ Because of *updateEndpoint* property added to *cmpv2issuer* CRD it is impossible to upgrade platform component from Honolulu to Istanbul release without manual steps. Actions that should be performed: @@ -119,6 +119,6 @@ For more information on the ONAP Istanbul release, please see: .. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki .. _`ONAP Documentation`: https://docs.onap.org .. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-jakarta.rst b/docs/sections/release_notes/release-notes-jakarta.rst index cfc57888a6..335c6ba968 100644 --- a/docs/sections/release_notes/release-notes-jakarta.rst +++ b/docs/sections/release_notes/release-notes-jakarta.rst @@ -57,7 +57,7 @@ New features **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11498 +https://lf-onap.atlassian.net/projects/OOM/versions/11498 **Known Issues** 
@@ -84,7 +84,7 @@ Known Vulnerabilities Workarounds ----------- -- `OOM-2754 `_ +- `OOM-2754 `_ Because of *updateEndpoint* property added to *cmpv2issuer* CRD it is impossible to upgrade platform component from Istanbul to Jakarta release without manual steps. Actions that should be performed: @@ -119,6 +119,6 @@ For more information on the ONAP Istanbul release, please see: .. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki .. _`ONAP Documentation`: https://docs.onap.org .. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-kohn.rst b/docs/sections/release_notes/release-notes-kohn.rst new file mode 100644 index 0000000000..cdd1889440 --- /dev/null +++ b/docs/sections/release_notes/release-notes-kohn.rst 
@@ -0,0 +1,133 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_kohn: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Jakarta ` +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Kohn release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Kohn | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2022/12/05 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Kubernetes support for version up to 1.23.8 +* Helm support for version up to Helm: 3.8.2 +* Kubespray version used for automated deployment 2.19 (used for automated + deployment) +* Initial Setup for "ONAP on ServiceMesh" deployment + + * using Istio 1.14.1 as SM platform + * including Istio Ingress Gateway for external access + * modify 90% of ONAP component charts to support SeviceMesh + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://lf-onap.atlassian.net/projects/OOM/versions/11499 + + +**Known Issues** + + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm 
charts `_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description ` - a guide for developers + of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +* Cassandra version needs to be updated to support new Python version + see `OOM-2900 `_ + +Workarounds +----------- + + +Security Notes +-------------- + +**Fixed Security Issues** + +* Fixed vulnerabilities for oom-platform-cert-service + see `Fixes `_ + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-london.rst b/docs/sections/release_notes/release-notes-london.rst new file mode 100644 index 0000000000..6ccbac0a27 --- /dev/null +++ b/docs/sections/release_notes/release-notes-london.rst 
@@ -0,0 +1,151 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_london: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Kohn ` +- :ref:`Jakarta ` +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the London release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | London | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2023/06/xx | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Introduction of "Production" ONAP setup, including: + + * Istio Service Mesh based deployment + * Ingress (Istio-Gateway) deployment and usage as standard external access + method + * Internal Security provided by ServiceMesh and Component2Component + AuthorizationPolicies + * External Security by introducing AuthN/Z using Keycloak and OAuth2Proxy for + Ingress Access + +* Removal of unsupported components (AAF, Portal, Contrib,...) +* Update of Helmcharts to use common templates and practices +* Optional support for Cassandra 4.x using k8ssandra-operator + +* `REQ-1349 `_ Removal of AAF. 
+ Internal communication encryption and authorization is offered by ServiceMesh + +* `REQ-1350 `_ All component must be + able to run without MSB. Component helm charts modified to use MSB optionally + and test the components during Daily and Gating with and without MSB + +* `REQ-1351 `_ External secure + communication only via Ingress. + Ingress resources created by templates and Ingress installation is described + in the OOM documents + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://lf-onap.atlassian.net/projects/OOM/versions/11500 + +**Known Issues** + +* Components not working under ServiceMesh + + * CDS UI + * SO Monitor UI + * CLI + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description ` - a guide for developers + of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +* Cassandra version needs to be updated to support new Python version + see `OOM-2900 `_ + In London supported as option (using k8ssandra-operator), see :ref:`oom_base_optional_addons` + +Workarounds +----------- + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. 
_`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/sections/release_notes/release-notes-montreal.rst b/docs/sections/release_notes/release-notes-montreal.rst new file mode 100644 index 0000000000..ab12d1e4f6 --- /dev/null +++ b/docs/sections/release_notes/release-notes-montreal.rst 
@@ -0,0 +1,135 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_montreal: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`London ` +- :ref:`Kohn ` +- :ref:`Jakarta ` +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Montreal release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Montreal | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2023/12/14 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Introduction of "Production" ONAP setup, including: + + * Besides the Istio Ingress APIs now the support for `Gateway-API`_ + is added to the templates, which includes: + + * TCP Routes + * UDP Routes + +* Update of Helmcharts to use common templates and practices +* Default support for Cassandra 4.x using k8ssandra-operator +* Default support for MariaDB 11.x using mariadb-operator + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://lf-onap.atlassian.net/projects/OOM/versions/11501 + +**Known Issues** + +* Components not working under ServiceMesh + + * SO Monitor UI + 
* Policy UI + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description ` - a guide for developers + of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + + +Workarounds +----------- + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org +.. _`Gateway-API`: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/ diff --git a/docs/sections/release_notes/release-notes-newdelhi.rst b/docs/sections/release_notes/release-notes-newdelhi.rst new file mode 100644 index 0000000000..cf7cee510b --- /dev/null +++ b/docs/sections/release_notes/release-notes-newdelhi.rst 
@@ -0,0 +1,138 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_newdelhi: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Montreal ` +- :ref:`London ` +- :ref:`Kohn ` +- :ref:`Jakarta ` +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the New Delhi release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | New Delhi | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2024/06/13 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* authentication (14.0.0) - add configurable Keycloak Realm and enable Ingress + Interface Authentication and Authorization +* Update the helm common templates (13.2.0) to: + + * Support the latest Database Operators: + + * MariaDB-Operator (0.28.1) + * K8ssandra-Operator (v0.16.0) + * Postgres-Operator (CrunchyData) (5.5.0) + +* cassandra (13.1.0) - support for new K8ssandra-Operator +* mariadb-galera (13.1.0) - support for new MariaDB-Operator +* mongodb (14.12.3) - update to latest bitnami chart version +* postgres (13.1.0) - support for new Postgres-Operator +* postgres-init (13.0.1) 
- support for new Postgres-Operator +* readinessCheck (13.1.0) - added check for "Service" readiness +* serviceAccount (13.0.1) - add default role creation + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://lf-onap.atlassian.net/projects/OOM/versions/11502 + +**Known Issues** + + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description ` - a guide for developers + of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + + +Workarounds +----------- + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org +.. _`Gateway-API`: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/ diff --git a/docs/sections/release_notes/release-notes-oslo.rst b/docs/sections/release_notes/release-notes-oslo.rst new file mode 100644 index 0000000000..e64f10fb2a --- /dev/null +++ b/docs/sections/release_notes/release-notes-oslo.rst 
@@ -0,0 +1,175 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_oslo: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`New Delhi ` +- :ref:`Montreal ` +- :ref:`London ` +- :ref:`Kohn ` +- :ref:`Jakarta ` +- :ref:`Istanbul ` +- :ref:`Honolulu ` +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Oslo release. + +Summary +======= + + + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Oslo | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2025/01/09 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Support the latest Database Operators: + + * MariaDB-Operator (0.36.0) + * K8ssandra-Operator (v0.20.2) + * Postgres-Operator (CrunchyData) (5.7.2) + * MongoDB-Operator (Percona) (1.18.0) + +* authentication (15.0.0) + + * support for REALM Client AuthorizationSettings + * update oauth2-proxy and keycloak-config-cli versions + * add support for latest keycloak version 26.x + +* Update the helm common templates (13.2.10) to: + + * add SecurityContext settings for Production readiness + +* cassandra (13.1.1) + + * support for new cassandra version (4.1.6) + * add SecurityContext 
settings for Production readiness + +* mariadb-galera (13.2.3) + + * add SecurityContext settings for Production readiness + +* mariadb-init (13.0.2) + + * add SecurityContext settings for Production readiness + +* mongodb (14.12.4) + + * add SecurityContext settings for Production readiness + +* mongodb-init (13.0.2) + + * new chart to support external mongodb initialization + +* postgres (13.1.0) + + * add SecurityContext settings for Production readiness + +* postgres-init (13.0.3) + + * add SecurityContext settings for Production readiness + +* readinessCheck (13.1.1) + + * add SecurityContext settings for Production readiness + +* serviceAccount (13.0.2) + + * adjust default role mapping + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://lf-onap.atlassian.net/projects/OOM/versions/10783 + +**Known Issues** + + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ + +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :ref:`Project Description ` - a guide for developers + of OOM +- :ref:`oom_dev_guide` - a guide for developers of OOM +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud +- :ref:`oom_user_guide` - a guide for operators of an OOM instance +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + + +Workarounds +----------- + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Istanbul release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. 
_`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org +.. _`Gateway-API`: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/ diff --git a/docs/sections/release_notes/release-notes.rst b/docs/sections/release_notes/release-notes.rst index 4b1552dd40..2ba12a87dd 100644 --- a/docs/sections/release_notes/release-notes.rst +++ b/docs/sections/release_notes/release-notes.rst @@ -11,6 +11,11 @@ ONAP Operations Manager Release Notes Previous Release Notes ====================== +- :ref:`Oslo ` +- :ref:`New Delhi ` +- :ref:`Montreal ` +- :ref:`London ` +- :ref:`Kohn ` - :ref:`Jakarta ` - :ref:`Istanbul ` - :ref:`Honolulu ` @@ -25,13 +30,11 @@ Previous Release Notes Abstract ======== -This document provides the release notes for the Kohn release. +This document provides the release notes for the Paris release. Summary ======= - - Release Data ============ 
@@ -42,30 +45,82 @@ Release Data | **Docker images** | N/A | | | | +--------------------------------------+--------------------------------------+ -| **Release designation** | Kohn | +| **Release designation** | Paris | | | | +--------------------------------------+--------------------------------------+ -| **Release date** | | +| **Release date** | 2025/06/26 | | | | +--------------------------------------+--------------------------------------+ New features ------------ -* Kubernetes support for version up to 1.23.8 -* Helm support for version up to Helm: 3.8.2 -* Kubespray version used for automated deployment 2.19 (used for automated deployment) -* Initial Setup for "ONAP on ServiceMesh" deployment +* Tested on the latest K8S Infrastructure + + * Kubernetes (v1.32.5) + * CertManager (1.17.2) + * Istio (v1.26.1) + * Keycloak (26.0.6) + +* Support the latest Database Operators: + + * MariaDB-Operator (0.38.1) + * K8ssandra-Operator (v1.23.2) + * Postgres-Operator (CrunchyData) (5.8.1) + * MongoDB-Operator (Percona) (1.19.1) + * Strimzi Kafka Operator (0.46.0) + +* Update the helm common templates (13.2.19) to: + + * Make Jobs GitOps ready + * Fix security vulnerabilities + +* cassandra (16.0.0) + + * Support for new cassandra version (4.1.8) + * Fix security vulnerabilities + +* mariadb-galera (16.0.0) + + * Support for new mariadb version (11.7.2) + * Fix security vulnerabilities + +* mariadb-init (16.0.0) + + * Use ‘mariadb’ client instead of ‘mysql’ + * Add Job Annotations + +* mongodb (16.5.7) - * using Istio 1.14.1 as SM platform - * including Istio Ingress Gateway for external access - * modify 90% of ONAP component charts to support SeviceMesh + * Use the latest Bitnami charts + +* mongodb-init (13.0.6) + + * Add Job Annotations + * Harmonize resource labeling + +* nginx (18.3.5) + + * New (Bitnami) Chart used for UUI + +* postgres-init (13.0.6) + + * Add Job Annotations + * Harmonize resource labeling + +* readinessCheck (13.1.4) + + * Update to the 
latest image + * Harmonize resource labeling + +* timescaleDB (13.0.2) + + * Harmonize resource labeling **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11499 - +https://lf-onap.atlassian.net/projects/OOM/versions/10791 **Known Issues** @@ -81,12 +136,16 @@ OOM provides `Helm charts ` - a guide for developers of OOM +- :ref:`Project Description ` - a guide for developers + of OOM - :ref:`oom_dev_guide` - a guide for developers of OOM -- :ref:`oom_infra_setup_guide` - a guide for those setting up the environments that OOM will use -- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing cloud +- :ref:`oom_infra_guide` - a guide for those setting up the environments that + OOM will use +- :ref:`oom_deploy_guide` - a guide for those deploying OOM on an existing + cloud - :ref:`oom_user_guide` - a guide for operators of an OOM instance -- :ref:`oom_access_info_guide` - a guide for operators who require access to OOM applications +- :ref:`oom_access_info_guide` - a guide for operators who require access to + OOM applications Known Limitations, Issues and Workarounds ========================================= @@ -94,21 +153,15 @@ Known Limitations, Issues and Workarounds Known Vulnerabilities --------------------- -* Cassandra version needs to be updated to support new Python version - see `OOM-2900 `_ Workarounds ----------- - Security Notes -------------- **Fixed Security Issues** -* Fixed vulnerabilities for oom-platform-cert-service - see `Fixes `_ - References ========== 
@@ -121,6 +174,7 @@ For more information on the ONAP Istanbul release, please see: .. _`ONAP Home Page`: https://www.onap.org -.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Wiki Page`: https://lf-onap.atlassian.net/wiki .. _`ONAP Documentation`: https://docs.onap.org .. _`ONAP Release Downloads`: https://git.onap.org +.. _`Gateway-API`: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/ diff --git a/docs/sections/resources/csv/nodeports.csv b/docs/sections/resources/csv/nodeports.csv index b1c6fb5333..096e25eada 100644 --- a/docs/sections/resources/csv/nodeports.csv +++ b/docs/sections/resources/csv/nodeports.csv @@ -1,35 +1,21 @@ NodePort,Component,Service name,targetPort,Port -30200,VID,vid,8443,8443 30201,SDNC,sdnc-portal,8443,8443 30203,SDNC,sdnc-dgbuilder,3100,3000 30204,SDC,sdc-be-external,8443,8443 30207,SDC,sdc-fe,9443,9443 30209,ROBOT,robot,443,443 30210,AAI,aai-modelloader,8080,8080 -30211,APPC,appc,9191,9090 -30212,PORTAL,portal-sdk,8443,8443 30218,POLICY,pap,9091,9091 30219,POLICY,pap,8443,8443 30220,AAI,aai-sparky-be,8000,8000 -30222,DCAE,xdcae-hv-ves-collector,6061,6061 -30225,PORTAL,portal-app,8443,8443 +30222,DCAE,dcae-hv-ves-collector,6061,6061 30226,DMAAP,message-router-external,3905,3905 -30228,APPC,appc-dgbuilder,3100,3000 30229,AAI,aai-modelloader,8443,8443 -30230,APPC,appc,8443,8443 -30231,APPC,appc,1830,1830 30233,AAI,aai,8443,8443 -30234,POMBA*),pomba-kibana,5601,5601 30242,DMAAP,dmaap-bc,8443,8443 30248,OOF,oof-osdf,8699,8698 -30249,POMBA*),pomba-data-router,9502,9502 -30251,AAF,aaf-gui,8200,8200 -30253,LOG*),log-kibana,5601,5601 -30254,LOG*),log-es,9200,9200 -30255,LOG*),log-ls,5044,5044 30256,SDC,sdc-wfd-fe,8443,8443 30257,SDC,sdc-wfd-be,8443,8443 -30258,CLAMP,clamp-external,2443,2443 30260,CLI,cli,443,443 30264,DCAE,sdc-dcae-fe,9444,9444 30266,DCAE,sdc-dcae-dt,9446,9446 
@@ -42,19 +28,13 @@ NodePort,Component,Service name,targetPort,Port 30279,AAI,aai-babel,9516,9516 30283,MSB,msb-iag,443,443 30284,MSB,msb-eag,443,443 -30288,SNIRO*),sniro-emulator,9999,80 -30289,APPC,appc-cdt,18080,18080 -30290,CLAMP,cdash-kibana,5601,5601 30297,VNFSDK,refrepo,8703,8703 -30299,POMBA*),pomba-networkdiscovery,8443,9531 30398,UUI,uui,8443,8443 30399,UUI,uui-server,8082,8082 30406,SO,so-vnfm-adapter,9092,9092 30407,MUSIC,music,8443,8443 30417,DCAE,xdcae-ves-collector,8443,8443 30418,DCAE,dashboard,8443,8443 -30420,NETBOX,netbox-nginx,8080,8080 -30478,AWX,awx-web,8080,80 30490,DMAAP,message-router-kafka-0,9091,9091 30491,DMAAP,message-router-kafka-1,9091,9091 30492,DMAAP,message-router-kafka-2,9091,9091 diff --git a/docs/sections/resources/helm/helm-search.txt b/docs/sections/resources/helm/helm-search.txt index 75c274957b..b854c7adce 100644 --- a/docs/sections/resources/helm/helm-search.txt +++ b/docs/sections/resources/helm/helm-search.txt 
@@ -1,42 +1,24 @@ NAME CHART VERSION APP VERSION DESCRIPTION -local/onap 11.0.0 Kohn Open Network Automation Platform (ONAP) -local/aaf 11.0.0 ONAP Application Authorization Framework -local/aai 11.0.0 ONAP Active and Available Inventory -local/appc 11.0.0 Application Controller -local/cassandra 11.0.0 ONAP cassandra -local/cds 11.0.0 ONAP Controller Design Studio (CDS) -local/clamp 11.0.0 ONAP Clamp -local/cli 11.0.0 ONAP Command Line Interface -local/common 11.0.0 Common templates for inclusion in other charts -local/consul 11.0.0 ONAP Consul Agent -local/contrib 11.0.0 ONAP optional tools -local/cps 11.0.0 ONAP Configuration Persistene Service (CPS) -local/dcaegen2 11.0.0 ONAP DCAE Gen2 -local/dgbuilder 11.0.0 D.G. Builder application -local/dmaap 11.0.0 ONAP DMaaP components -local/log 11.0.0 ONAP Logging ElasticStack -local/mariadb-galera 11.0.0 Chart for MariaDB Galera cluster -local/mongo 11.0.0 MongoDB Server -local/msb 11.0.0 ONAP MicroServices Bus -local/multicloud 11.0.0 ONAP multicloud broker -local/music 11.0.0 MUSIC - Multi-site State Coordination Service -local/mysql 11.0.0 MySQL Server -local/nbi 11.0.0 ONAP Northbound Interface -local/network-name-gen 11.0.0 Name Generation Micro Service -local/nfs-provisioner 11.0.0 NFS provisioner -local/oof 11.0.0 ONAP Optimization Framework -local/policy 11.0.0 ONAP Policy Administration Point -local/pomba 11.0.0 ONAP Post Orchestration Model Based Audit -local/portal 11.0.0 ONAP Web Portal -local/postgres 11.0.0 ONAP Postgres Server -local/robot 11.0.0 A helm Chart for kubernetes-ONAP Robot -local/sdc 11.0.0 Service Design and Creation Umbrella Helm charts -local/sdnc 11.0.0 SDN Controller -local/sdnc-prom 11.0.0 ONAP SDNC Policy Driven Ownership Management -local/sniro-emulator 11.0.0 ONAP Mock Sniro Emulator -local/so 11.0.0 ONAP Service Orchestrator -local/strimzi 11.0.0 ONAP Strimzi Apache Kafka -local/uui 11.0.0 ONAP uui -local/vfc 11.0.0 ONAP Virtual Function Controller (VF-C) -local/vid 11.0.0 ONAP 
Virtual Infrastructure Deployment -local/vnfsdk 11.0.0 ONAP VNF SDK +local/onap 15.0.0 Oslo Open Network Automation Platform (ONAP) +local/a1policymanagement 13.0.0 ONAP A1 Policy Management +local/aai 15.0.1 ONAP Active and Available Inventory +local/authentication 15.0.0 ONAP Realm creation, Oauth2Proxy installation and configuration +local/cassandra 13.1.1 ONAP cassandra +local/cds 13.0.2 ONAP Controller Design Studio (CDS) +local/common 13.2.10 Common templates for inclusion in other charts +local/cps 13.0.1 ONAP Configuration Persistene Service (CPS) +local/dcaegen2 15.0.1 ONAP DCAE Gen2 +local/mariadb-galera 13.2.3 Chart for MariaDB Galera cluster +local/multicloud 15.0.2 ONAP multicloud broker +local/platform 13.0.1 ONAP platform components +local/policy 15.0.1 ONAP Policy Administration Point +local/portal-ng 13.0.1 ONAP Next Generation Portal +local/postgres 13.1.0 ONAP Postgres Server +local/repository-wrapper 13.0.0 Wrapper chart to allow docker secret to be shared all instances +local/robot 13.0.0 A helm Chart for kubernetes-ONAP Robot +local/roles-wrapper 13.0.0 Wrapper chart to allow default roles to be shared among onap instances +local/sdc 13.0.1 Service Design and Creation Umbrella Helm charts +local/sdnc 15.1.0 SDN Controller +local/so 13.0.1 ONAP Service Orchestrator +local/strimzi 13.0.2 ONAP Strimzi Apache Kafka +local/uui 13.1.0 ONAP uui diff --git a/docs/sections/resources/images/argocd/argocd.jpg b/docs/sections/resources/images/argocd/argocd.jpg new file mode 100644 index 0000000000..f1fa2df25a Binary files /dev/null and b/docs/sections/resources/images/argocd/argocd.jpg differ diff --git a/docs/sections/resources/images/argocd/infra.jpg b/docs/sections/resources/images/argocd/infra.jpg new file mode 100644 index 0000000000..db456350e3 Binary files /dev/null and b/docs/sections/resources/images/argocd/infra.jpg differ 
diff --git a/docs/sections/resources/images/argocd/login.jpg b/docs/sections/resources/images/argocd/login.jpg new file mode 100644 index 0000000000..f41022a32c Binary files /dev/null and b/docs/sections/resources/images/argocd/login.jpg differ diff --git a/docs/sections/resources/images/argocd/onap-test.jpg b/docs/sections/resources/images/argocd/onap-test.jpg new file mode 100644 index 0000000000..514bf7647c Binary files /dev/null and b/docs/sections/resources/images/argocd/onap-test.jpg differ diff --git a/docs/sections/resources/images/argocd/onap.jpg b/docs/sections/resources/images/argocd/onap.jpg new file mode 100644 index 0000000000..57531a3820 Binary files /dev/null and b/docs/sections/resources/images/argocd/onap.jpg differ diff --git a/docs/sections/resources/yaml/common-gateway.yaml b/docs/sections/resources/yaml/common-gateway.yaml new file mode 100644 index 0000000000..cc6ed61a6d --- /dev/null +++ b/docs/sections/resources/yaml/common-gateway.yaml 
@@ -0,0 +1,96 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: common-gateway + namespace: istio-ingress +spec: + gatewayClassName: istio + listeners: + - name: http-80 + hostname: "*.{{ onap_baseurl }}" + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: All + - name: https-443 + hostname: "*.{{ onap_baseurl }}" + port: 443 + protocol: HTTPS + allowedRoutes: + namespaces: + from: All + tls: + mode: Terminate + certificateRefs: + - kind: Secret + group: "" + name: ingress-tls-secret + - name: udp-162 + protocol: UDP + port: 162 + allowedRoutes: + kinds: + - kind: UDPRoute + namespaces: + from: All + - name: tcp-4334 + protocol: TCP + port: 4334 + allowedRoutes: + kinds: + - kind: TCPRoute + namespaces: + from: All + - name: tcp-9000 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9000 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9001 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9001 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9002 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9002 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate + - name: tcp-9010 + allowedRoutes: + namespaces: + from: All + hostname: "kafka-bootstrap-api{{ onap_postaddr }}.{{ onap_baseurl }}" + port: 9010 + protocol: TLS + tls: + certificateRefs: + - group: "" + kind: Secret + name: ingress-tls-secret + mode: Terminate diff --git a/docs/sections/resources/yaml/environments_onap_demo.yaml b/docs/sections/resources/yaml/environments_onap_demo.yaml index 8b697cbda2..f49325a361 100644 
--- a/docs/sections/resources/yaml/environments_onap_demo.yaml +++ b/docs/sections/resources/yaml/environments_onap_demo.yaml @@ -11,9 +11,9 @@ global: # image repositories repository: nexus3.onap.org:10001 - repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ== + repositorySecret: # readiness check - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.1.1 # logging agent loggingRepository: docker.elastic.co @@ -32,36 +32,22 @@ global: # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: false aai: enabled: false -appc: - enabled: false -clamp: - enabled: true cli: enabled: false -consul: # Consul Health Check Monitoring - enabled: false cps: enabled: false dcaegen2: enabled: false -log: - enabled: false message-router: enabled: false -mock: - enabled: false msb: enabled: false multicloud: enabled: false policy: enabled: false -portal: - enabled: false robot: # Robot Health Check enabled: true sdc: @@ -97,7 +83,5 @@ uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false diff --git a/docs/sections/resources/yaml/envoyfilter-case.yaml b/docs/sections/resources/yaml/envoyfilter-case.yaml index c919319ecc..31e80374e2 100644 --- a/docs/sections/resources/yaml/envoyfilter-case.yaml +++ b/docs/sections/resources/yaml/envoyfilter-case.yaml 
@@ -21,6 +21,49 @@ spec: name: preserve_case typed_config: '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig + - applyTo: NETWORK_FILTER + match: + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + patch: + operation: MERGE + value: + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: header-casing-outbound + namespace: istio-config + #annotations: + # argocd.argoproj.io/hook: PostSync +spec: + configPatches: + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + patch: + operation: MERGE + value: + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + use_downstream_protocol_config: + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig - applyTo: NETWORK_FILTER match: listener: diff --git a/docs/sections/resources/yaml/istio-ingress.yaml b/docs/sections/resources/yaml/istio-ingress.yaml new file mode 100644 index 0000000000..ae215c118a --- /dev/null +++ b/docs/sections/resources/yaml/istio-ingress.yaml 
@@ -0,0 +1,36 @@ +service: + # Type of service. Set to "None" to disable the service entirely + type: LoadBalancer + ports: + - name: status-port + port: 15021 + protocol: TCP + targetPort: 15021 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + - name: kafka-bootstrap + port: 9010 + targetPort: 9010 + protocol: TCP + - name: kafka-0 + port: 9000 + targetPort: 9000 + protocol: TCP + - name: kafka-1 + port: 9001 + targetPort: 9001 + protocol: TCP + - name: kafka-2 + port: 9002 + targetPort: 9002 + protocol: TCP + - name: sdnc-callhome + port: 4334 + targetPort: 4334 + protocol: TCP \ No newline at end of file diff --git a/docs/sections/resources/yaml/istiod-1_21.yaml b/docs/sections/resources/yaml/istiod-1_21.yaml new file mode 100644 index 0000000000..d85ec1137f --- /dev/null +++ b/docs/sections/resources/yaml/istiod-1_21.yaml @@ -0,0 +1,21 @@ +defaults: + #global: + #logging: + # level: "default:debug" + meshConfig: + rootNamespace: istio-config + # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + holdApplicationUntilProxyStarts: true + extensionProviders: + - name: oauth2-proxy + envoyExtAuthzHttp: + service: oauth2-proxy.default.svc.cluster.local + port: 80 + timeout: 1.5s + includeHeadersInCheck: ["authorization", "cookie"] + headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"] + headersToDownstreamOnDeny: ["content-type", "set-cookie"] + pilot: + env: + PILOT_HTTP10: true + ENABLE_NATIVE_SIDECARS: true \ No newline at end of file diff --git a/docs/sections/resources/yaml/istiod.yaml b/docs/sections/resources/yaml/istiod.yaml new file mode 100644 index 0000000000..792f686cc6 --- /dev/null +++ b/docs/sections/resources/yaml/istiod.yaml 
@@ -0,0 +1,20 @@ +global: + proxy: + # Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready + holdApplicationUntilProxyStarts: true + #logging: + # level: "default:debug" +meshConfig: + rootNamespace: istio-config + extensionProviders: + - name: oauth2-proxy + envoyExtAuthzHttp: + service: oauth2-proxy.default.svc.cluster.local + port: 80 + timeout: 1.5s + includeHeadersInCheck: ["authorization", "cookie"] + headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"] + headersToDownstreamOnDeny: ["content-type", "set-cookie"] +pilot: + env: + PILOT_HTTP10: true \ No newline at end of file diff --git a/docs/sections/resources/yaml/keycloak-db-values.yaml b/docs/sections/resources/yaml/keycloak-db-values.yaml new file mode 100644 index 0000000000..ae1459bea7 --- /dev/null +++ b/docs/sections/resources/yaml/keycloak-db-values.yaml @@ -0,0 +1,7 @@ +# See https://github.com/bitnami/charts/tree/master/bitnami/postgresql +global: + postgresql: + auth: + username: dbusername + password: dbpassword + database: keycloak \ No newline at end of file diff --git a/docs/sections/resources/yaml/keycloak-ingress.yaml b/docs/sections/resources/yaml/keycloak-ingress.yaml new file mode 100644 index 0000000000..9318b374e2 --- /dev/null +++ b/docs/sections/resources/yaml/keycloak-ingress.yaml 
@@ -0,0 +1,55 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + labels: + app.kubernetes.io/managed-by: Helm + name: keycloak-ui-http-route + namespace: keycloak +spec: + hostnames: + - keycloak-ui.simpledemo.onap.org + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: common-gateway + namespace: istio-ingress + sectionName: https-80 + rules: + Filters: + Request Redirect: + Port: 443 + Scheme: https + Status Code: 301 + Type: RequestRedirect + Matches: + Path: + Type: PathPrefix + Value: / +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + labels: + app.kubernetes.io/managed-by: Helm + name: keycloak-ui-http-route + namespace: keycloak +spec: + hostnames: + - keycloak-ui.simpledemo.onap.org + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: common-gateway + namespace: istio-ingress + sectionName: https-443 + rules: + - backendRefs: + - group: "" + kind: Service + name: keycloak-http + port: 80 + weight: 1 + matches: + - path: + type: PathPrefix + value: / diff --git a/docs/sections/resources/yaml/keycloak-server-values.yaml b/docs/sections/resources/yaml/keycloak-server-values.yaml new file mode 100644 index 0000000000..8f13e1fac6 --- /dev/null +++ b/docs/sections/resources/yaml/keycloak-server-values.yaml 
@@ -0,0 +1,57 @@ +--- +fullnameOverride: keycloak + +image: + tag: "26.0.6" + +command: + - "/opt/keycloak/bin/kc.sh" + - "--verbose" + - "start" + - "--proxy-headers=forwarded" + - "--http-enabled=true" + - "--http-port=8080" + - "--hostname-strict=false" + - "--spi-events-listener-jboss-logging-success-level=info" + - "--spi-events-listener-jboss-logging-error-level=warn" + +extraEnv: | + - name: KEYCLOAK_ADMIN + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-admin-creds + key: user + - name: KEYCLOAK_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "keycloak.fullname" . }}-admin-creds + key: password + - name: JAVA_OPTS_APPEND + value: >- + -XX:+UseContainerSupport + -XX:MaxRAMPercentage=50.0 + -Djava.awt.headless=true + -Djgroups.dns.query={{ include "keycloak.fullname" . }}-headless + - name: PROXY_ADDRESS_FORWARDING + value: "true" + +dbchecker: + enabled: true + +database: + vendor: postgres + hostname: keycloak-db-postgresql + port: 5432 + username: dbusername + password: dbpassword + database: keycloak + +secrets: + admin-creds: + stringData: + user: admin + password: secret + +http: + # For backwards compatibility reasons we set this to the value used by previous Keycloak versions. + relativePath: "" # "/auth" diff --git a/kubernetes/log/components/log-kibana/resources/config/kibana-onboarding.json b/docs/spelling_wordlist.txt similarity index 100% rename from kubernetes/log/components/log-kibana/resources/config/kibana-onboarding.json rename to docs/spelling_wordlist.txt diff --git a/docs/tox.ini b/docs/tox.ini index 8bec1b5ba0..b0a7bbafa3 100644 --- a/docs/tox.ini +++ b/docs/tox.ini 
@@ -7,26 +7,32 @@ skipsdist = true basepython = python3.8 deps = -r{toxinidir}/requirements-docs.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master +allowlist_externals = sudo commands = + sudo apt install graphviz sphinx-build -W -q -b html -n -d {envtmpdir}/doctrees {toxinidir} {toxinidir}/_build/html [testenv:docs-linkcheck] basepython = python3.8 deps = -r{toxinidir}/requirements-docs.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master +allowlist_externals = sudo commands = + sudo apt install graphviz sphinx-build -W -q -b linkcheck -d {envtmpdir}/doctrees {toxinidir} {toxinidir}/_build/linkcheck [testenv:docs-spellcheck] basepython = python3.8 deps = -r{toxinidir}/requirements-docs.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master +allowlist_externals = sudo commands = + sudo apt install graphviz sphinx-build -b spelling -d {envtmpdir}/doctrees {toxinidir} {toxinidir}/_build/spellcheck diff --git a/kubernetes/README.md b/kubernetes/README.md index 696ede70c0..46636b9385 100644 --- a/kubernetes/README.md +++ b/kubernetes/README.md @@ -54,7 +54,6 @@ Step 5. Display the charts that are available to be deployed: ``` > helm search -l NAME VERSION DESCRIPTION -local/appc 2.0.0 Application Controller local/clamp 2.0.0 ONAP Clamp local/onap 2.0.0 Open Network Automation Platform (ONAP) local/robot 2.0.0 A helm Chart for kubernetes-ONAP Robot 
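Review bot: In docs/sections/resources/yaml/common-gateway.yaml every listener sets `allowedRoutes.namespaces.from: All`, so a route created in any namespace can attach to the wildcard `*.{{ onap_baseurl }}` hostnames and to the Kafka and SDNC call-home ports. For a shared gateway, consider `from: Selector` with a label carried only by the namespaces that are meant to publish routes. Separately, the `udp-162` listener has no matching entry in the `service.ports` list added in istio-ingress.yaml (that list is TCP only), so it is worth stating how that traffic is expected to reach the gateway.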
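Review bot: In docs/sections/resources/yaml/keycloak-ingress.yaml the first HTTPRoute will not work as written. Its `sectionName: https-80` matches no listener in common-gateway.yaml from this same change (the port 80 listener is named `http-80`), and its `rules` block uses describe-style keys (`Filters:`, `Request Redirect:`, `Status Code: 301`) rather than the Gateway API fields (`filters`, `requestRedirect`, `statusCode`, written as list items as in the second route). Both documents also share `name: keycloak-ui-http-route` in namespace `keycloak`, so applying the file leaves only one of them; give the redirect route its own name so the HTTP to HTTPS redirect actually exists.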
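Review bot: keycloak-server-values.yaml and keycloak-db-values.yaml ship literal credentials that readers will copy verbatim: `user: admin` / `password: secret` under `secrets.admin-creds`, and `username: dbusername` / `password: dbpassword` for the database. Mark these as placeholders that must be replaced before deployment, and add a comment next to `--http-enabled=true` and `--hostname-strict=false` saying that the example assumes TLS is terminated at the gateway's `https-443` listener, since the route forwards to `keycloak-http` on port 80.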
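Review bot: In docs/tox.ini the added `sudo apt install graphviz` line (all three `commands` sections) has no `-y`, so it waits for confirmation in a non-interactive run, and it makes every docs environment depend on passwordless sudo and a Debian-based host. Since .readthedocs.yaml in this change already installs graphviz through `apt_packages`, consider documenting graphviz as a local prerequisite instead of installing it from tox; if the line stays, add `-y`.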
diff --git a/kubernetes/a1policymanagement/Chart.yaml b/kubernetes/a1policymanagement/Chart.yaml index 1fa512a50d..5bd25f0280 100644 --- a/kubernetes/a1policymanagement/Chart.yaml +++ b/kubernetes/a1policymanagement/Chart.yaml @@ -20,18 +20,15 @@ apiVersion: v2 appVersion: "1.0.0" description: A Helm chart for A1 Policy Management Service name: a1policymanagement -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/a1policymanagement/resources/config/application.yaml b/kubernetes/a1policymanagement/resources/config/application.yaml index 05fddb2628..789f3eb673 100644 --- a/kubernetes/a1policymanagement/resources/config/application.yaml +++ b/kubernetes/a1policymanagement/resources/config/application.yaml 
@@ -39,36 +39,33 @@ management: logging: # Configuration of logging level: - ROOT: DEBUG - org.springframework: DEBUG - org.springframework.data: DEBUG - org.springframework.web.reactive.function.client.ExchangeFunctions: DEBUG - org.onap.ccsdk.oran.a1policymanagementservice: DEBUG + ROOT: ERROR + org.springframework: ERROR + org.springframework.data: ERROR + org.springframework.web.reactive.function.client.ExchangeFunctions: ERROR + org.onap.ccsdk.oran.a1policymanagementservice: INFO file: name: /var/log/policy-agent/application.log server: # Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework. # See springboot documentation. - port: 8433 + #port: 8081 http-port: 8081 ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false key-store-type: PKCS12 - key-store-password: ${KEYSTORE_PASSWORD} - key-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 - key-password: ${KEYSTORE_PASSWORD} - key-alias: {{ .Values.certInitializer.fqi }} + key-store-password: "" + key-store: "" + key-password: "" + key-alias: "" app: # Location of the component configuration file. The file will only be used if the Consul database is not used; # configuration from the Consul will override the file. filepath: /opt/app/policy-agent/data/application_configuration.json webclient: - # Configuration of the trust store used for the HTTP client (outgoing requests) - # The file location and the password for the truststore is only relevant if trust-store-used == true - # Note that the same keystore as for the server is used. trust-store-used: false - trust-store-password: ${TRUSTSORE_PASSWORD} - trust-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks + trust-store-password: "" + trust-store: "" # Configuration of usage of HTTP Proxy for the southbound accesses. 
# The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s http.proxy-host: diff --git a/kubernetes/a1policymanagement/resources/config/application_configuration.json b/kubernetes/a1policymanagement/resources/config/application_configuration.json index 757ee04f35..837ce0c5b8 100644 --- a/kubernetes/a1policymanagement/resources/config/application_configuration.json +++ b/kubernetes/a1policymanagement/resources/config/application_configuration.json @@ -3,27 +3,11 @@ "controller": [ { "name": "controller1", - "baseUrl": "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.sdncLink .Values.sdncLinkHttp }}", + "baseUrl": "{{ .Values.sdncLink }}", "userName": "${A1CONTROLLER_USER}", "password": "${A1CONTROLLER_PASSWORD}" } ], - "ric": {{ include "a1p.generateRics" . | indent 6 | trim }}, - "streams_publishes": { - "dmaap_publisher": { - "type": "message_router", - "dmaap_info": { - "topic_url": "{{ .Values.streamPublish }}" - } - } - }, - "streams_subscribes": { - "dmaap_subscriber": { - "type": "message_router", - "dmaap_info": { - "topic_url": "{{ .Values.streamSubscribe }}" - } - } - } + "ric": {{ include "a1p.generateRics" . | indent 6 | trim}} } } diff --git a/kubernetes/a1policymanagement/templates/configmap.yaml b/kubernetes/a1policymanagement/templates/configmap.yaml index e84beac2ab..13dd4dbd05 100644 --- a/kubernetes/a1policymanagement/templates/configmap.yaml +++ b/kubernetes/a1policymanagement/templates/configmap.yaml @@ -18,7 +18,6 @@ apiVersion: v1 kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} - name: {{ include "common.fullname" . }}-policy-conf +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "policy-conf" ) | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} 
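Review bot: With `ssl.enabled: false` now hard-coded in resources/config/application.yaml and `baseUrl` in application_configuration.json rendered from `.Values.sdncLink` alone, the `${A1CONTROLLER_USER}` / `${A1CONTROLLER_PASSWORD}` pair is sent over whatever scheme that value carries, and values.yaml in this change sets `sdncLink: http://sdnc.onap:8282`. If transport protection is now expected to come from the service mesh, say so in a comment next to `ssl:` and `sdncLink`, so that a deployment without the mesh does not silently send controller credentials in clear text. The emptied `key-store*` and `trust-store*` keys and the leftover `#port: 8081` could also be dropped rather than kept as empty strings.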
diff --git a/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml b/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml index 99449638f4..f12d60127f 100644 --- a/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml +++ b/kubernetes/a1policymanagement/templates/envsubst-configmap.yaml @@ -17,7 +17,6 @@ */}} apiVersion: v1 kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} - name: {{ include "common.fullname" . }}-envsubst-scripts +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "envsubst-scripts" ) | nindent 2 }} data: {{ tpl (.Files.Glob "resources/envsubst/*").AsConfig . | indent 2 }} diff --git a/kubernetes/a1policymanagement/templates/ingress.yaml b/kubernetes/a1policymanagement/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/a1policymanagement/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/a1policymanagement/templates/statefulset.yaml b/kubernetes/a1policymanagement/templates/statefulset.yaml index 89d131e26c..4458744a55 100644 --- a/kubernetes/a1policymanagement/templates/statefulset.yaml +++ b/kubernetes/a1policymanagement/templates/statefulset.yaml 
@@ -28,9 +28,8 @@ spec: metadata: labels: {{- include "common.labels" . | nindent 8 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + initContainers: - name: {{ include "common.name" . }}-bootstrap-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -39,10 +38,6 @@ spec: args: - -c - | - {{- if (include "common.needTLS" .) }} - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop\ - | xargs -0) - {{- end }} cd /config-input for PFILE in `ls -1` do @@ -55,7 +50,7 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }} - name: A1CONTROLLER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - mountPath: /config-input name: {{ include "common.fullname" . }}-policy-conf-input - mountPath: /config @@ -97,10 +92,10 @@ spec: httpGet: path: /status port: {{ .Values.liveness.port }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - name: config mountPath: /opt/app/policy-agent/data/application_configuration.json subPath: application_configuration.json 
@@ -111,7 +106,7 @@ spec: mountPath: "/var/policy-management-service/database" resources: {{ include "common.resources" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} + volumes: - name: {{ include "common.fullname" . }}-policy-conf-input configMap: name: {{ include "common.fullname" . }}-policy-conf diff --git a/kubernetes/a1policymanagement/values.yaml b/kubernetes/a1policymanagement/values.yaml index 71d8852b53..9ae6b60626 100644 --- a/kubernetes/a1policymanagement/values.yaml +++ b/kubernetes/a1policymanagement/values.yaml 
@@ -30,40 +30,7 @@ secrets: password: '{{ .Values.a1controller.password }}' passwordPolicy: required -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: a1p-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: a1p - fqi: a1p@a1p.onap.org - public_fqdn: a1p.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.a1p - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 . - -image: onap/ccsdk-oran-a1policymanagementservice:1.3.2 +image: onap/ccsdk-oran-a1policymanagementservice:1.5.0 userID: 1000 #Should match with image-defined user ID groupID: 999 #Should match with image-defined group ID pullPolicy: IfNotPresent 
@@ -72,21 +39,25 @@ replicaCount: 1 service: type: NodePort name: a1policymanagement - both_tls_and_plain: true ports: - name: api - port: 8433 - plain_port: 8081 + port: 8081 port_protocol: http nodePort: '94' +ingress: + enabled: false + service: + - baseaddr: 'a1policymanagement-api' + name: 'a1policymanagement' + port: 8081 + # SDNC Credentials are used here a1controller: user: admin password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U -sdncLink: https://sdnc.onap:8443 -sdncLinkHttp: http://sdnc.onap:8282 +sdncLink: http://sdnc.onap:8282 # The information about A1-Mediator/RICs can be added here. # The A1 policy management service supports both STD & OSC versions. # Alternatively, the A1 simulator from ORAN-SC can also be used. It provides STD & OSC versions for A1 termination. @@ -105,8 +76,6 @@ sdncLinkHttp: http://sdnc.onap:8282 # - kista3 # - kista4 rics: -streamPublish: http://message-router:3904/events/A1-POLICY-AGENT-WRITE -streamSubscribe: http://message-router:3904/events/A1-POLICY-AGENT-READ/users/policy-agent?timeout=15000&limit=100 liveness: port: api @@ -123,18 +92,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 300Mi + cpu: "2" + memory: "600Mi" requests: - cpu: 1 - memory: 150Mi + cpu: "1" + memory: "300Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} ## Persist data to a persistent volume diff --git a/kubernetes/aaf/.gitignore b/kubernetes/aaf/.gitignore deleted file mode 100644 index 71fbb5cbb9..0000000000 --- a/kubernetes/aaf/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -/sms/ -components/dist diff --git a/kubernetes/aaf/Chart.yaml b/kubernetes/aaf/Chart.yaml deleted file mode 100644 index ef46ad605e..0000000000 --- a/kubernetes/aaf/Chart.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -# Copyright © 2018 ZTE -# Modifications Copyright © 2018 AT&T, Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Application Authorization Framework -name: aaf -version: 12.0.0 - -dependencies: - - name: aaf-cass - version: ~12.x-0 - repository: 'file://components/aaf-cass' - condition: aaf-authz.enabled - - name: aaf-cm - version: ~12.x-0 - repository: 'file://components/aaf-cm' - condition: aaf-authz.enabled - - name: aaf-fs - version: ~12.x-0 - repository: 'file://components/aaf-fs' - condition: aaf-authz.enabled - - name: aaf-gui - version: ~12.x-0 - repository: 'file://components/aaf-gui' - condition: aaf-authz.enabled - - name: aaf-locate - version: ~12.x-0 - repository: 'file://components/aaf-locate' - condition: aaf-authz.enabled - - name: aaf-oauth - version: ~12.x-0 - repository: 'file://components/aaf-oauth' - condition: aaf-authz.enabled - - name: aaf-service - version: ~12.x-0 - repository: 'file://components/aaf-service' - condition: aaf-authz.enabled - - name: aaf-sms - version: ~12.x-0 - repository: 'file://components/aaf-sms' - condition: aaf-sms.enabled - - name: aaf-sshsm - version: ~12.x-0 - repository: 'file://components/aaf-sshsm' - condition: aaf-sshsm.enabled diff --git a/kubernetes/aaf/Makefile b/kubernetes/aaf/Makefile deleted file mode 100644 index 75247b44b7..0000000000 
--- a/kubernetes/aaf/Makefile +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/Makefile b/kubernetes/aaf/components/Makefile deleted file mode 100644 index e1b6f31886..0000000000 --- a/kubernetes/aaf/components/Makefile +++ /dev/null 
@@ -1,65 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -PROCESSED_FIRST := aaf-templates -TO_FILTER := $(PROCESSED_FIRST) $(EXCLUDES) - -HELM_CHARTS := $(filter-out $(TO_FILTER), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(PROCESSED_FIRST): - @echo "\n[$@]" - @make package-$@ - -$(HELM_CHARTS): $(PROCESSED_FIRST) - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
diff --git a/kubernetes/aaf/components/aaf-cass/.helmignore b/kubernetes/aaf/components/aaf-cass/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/aaf/components/aaf-cass/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/aaf/components/aaf-cass/Chart.yaml b/kubernetes/aaf/components/aaf-cass/Chart.yaml deleted file mode 100644 index 86dba6c827..0000000000 --- a/kubernetes/aaf/components/aaf-cass/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF cassandra -name: aaf-cass -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat deleted file mode 100644 index 8a923b2bff..0000000000 
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat +++ /dev/null 
@@ -1,74 +0,0 @@ -a1p@a1p.onap.org|a1p|local|/opt/app/osaaf/local||mailto:|org.onap.a1p|root|30|{'a1policymanagement.onap', 'a1policymanagement', 'a1policymanagement.api.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'pkcs12'} -aaf@aaf.osaaf.org|aaf-hello|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|{'aaf-hello', 'aaf-hello.api.simpledemo.onap.org', 'aaf-hello.onap', 'aaf.osaaf.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -aaf@aaf.osaaf.org|aaf|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|{'aaf', 'aaf.api.simpledemo.onap.org', 'aaf.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -aaf-sms@aaf-sms.onap.org|aaf-sms|local|/opt/app/osaaf/local||mailto:|org.onap.aaf-sms|root|30|{'aaf-sms-db.onap', 'aaf-sms.api.simpledemo.onap.org', 'aaf-sms.onap', 'aaf-sms.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12', 'file'} -aai@aai.onap.org|aai1|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'} -aai@aai.onap.org|aai2|aaf|/Users/jf2512||mailto:|org.onap.aai|jf2512|60|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.onap aai-sparky-be.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org aai1.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-babel.onap', 'aai-babel', 'aai-graphadmin', 'aai-graphadmin.onap', 
'aai-modelloader.onap', 'aai-modelloader', 'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12'} -aai@aai.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.aai|jg1555|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'} -aai-resources@aai-resources.onap.org|aai-resources|local|/opt/app/osaaf/local||mailto:|org.onap.aai-resources|root|30|{'aai-resources', 'aai-resources.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -aai-schema-service@aai-schema-service.onap.org|aai-schema-service|local|/opt/app/osaaf/local||mailto:|org.onap.aai-schema-service|root|30|{'aai-schema-service', 'aai-schema-service.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -aai-traversal@aai-traversal.onap.org|aai-traversal|local|/opt/app/osaaf/local||mailto:|org.onap.aai-traversal|root|30|{'aai-traversal', 'aai-traversal.onap'}|mmanager@osaaf.org|{'file', 'jks', 
'pkcs12'} -appc@appc.onap.org|appc|local|/opt/app/osaaf/local||mailto:|org.onap.appc|root|60|{'appc.api.simpledemo.onap.org', 'appc.onap', 'appc.simpledemo.onap.org'}|mmanager@osaaf.org|{'pkcs12'} -appc-cdt@appc-cdt.onap.org|appc-cdt|local|/opt/app/osaaf/local||mailto:|org.onap.appc-cdt|root|30|{'appc-cdt', 'appc-cdt.api.simpledemo.onap.org', 'appc-cdt.onap'}|mmanager@osaaf.org|{'file', 'pkcs12', 'script'} -clamp@clamp.onap.org|clamp|local|/opt/app/osaaf/local||mailto:|org.onap.clamp|root|30|{'clamp', 'clamp-onap', 'clamp.api.simpledemo.onap.org', 'clamp.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -clamp@clamp.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.clamp|jg1555|30|{'clamp.api.simpledemo.onap.org', 'clamp.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -cli@cli.onap.org|cli|local|/opt/app/osaaf/local||mailto:|org.onap.cli|root|30|{'cli', 'cli.api.simpledemo.onap.org', 'cli.onap'}|mmanager@osaaf.org|{'file', 'pkcs12', 'jks'} -dcae@dcae.onap.org|dcae|local|/opt/app/osaaf/local||mailto:|org.onap.dcae|root|60|{'bbs-event-processor', 'bbs-event-processor.onap', 'bbs-event-processor.onap.svc.cluster.local', 'config-binding-service', 'config-binding-service.onap', 'config-binding-service.onap.svc.cluster.local', 'dashboard', 'dashboard.onap', 'dashboard.onap.svc.cluster.local', 'dcae-cloudify-manager', 'dcae-cloudify-manager.onap', 'dcae-cloudify-manager.onap.svc.cluster.local', 'dcae-datafile-collector', 'dcae-datafile-collector.onap', 'dcae-datafile-collector.onap.svc.cluster.local', 'dcae-hv-ves-collector', 'dcae-hv-ves-collector.onap', 'dcae-hv-ves-collector.onap.svc.cluster.local', 'dcae-pm-mapper', 'dcae-pm-mapper.onap', 'dcae-pm-mapper.onap.svc.cluster.local', 'dcae-pmsh', 'dcae-pmsh.onap', 'dcae-pmsh.onap.svc.cluster.local', 'dcae-prh', 'dcae-prh.onap', 'dcae-prh.onap.svc.cluster.local', 'dcae-tca-analytics', 'dcae-tca-analytics.onap', 'dcae-tca-analytics.onap.svc.cluster.local', 'dcae-ves-collector', 
'dcae-ves-collector.onap', 'dcae-ves-collector.onap.svc.cluster.local', 'deployment-handler', 'deployment-handler.onap', 'deployment-handler.onap.svc.cluster.local', 'holmes-engine-mgmt', 'holmes-engine-mgmt.onap', 'holmes-engine-mgmt.onap.svc.cluster.local', 'holmes-rule-mgmt', 'holmes-rules-mgmt.onap', 'holmes-rules-mgmt.onap.svc.cluster.local', 'inventory', 'inventory.onap', 'inventory.onap.svc.cluster.local', 'policy-handler', 'policy-handler.onap', 'policy-handler.onap.svc.cluster.local'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap-bc@dmaap-bc.onap.org|dmaap-bc|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-bc|root|30|{'dmaap-bc', 'dmaap-bc.api.simpledemo.onap.org', 'dmaap-bc.onap'}|mmanager@osaaf.org|{'jks', 'pkcs12', 'script'} -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|dmaap-bc-mm-prov|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-bc-mm-prov|root|30|{'dmaap-bc-mm-prov', 'dmaap-bc-mm-prov.api.simpledemo.onap.org', 'dmaap-bc-mm-prov.onap', 'onap.dmaap-bc-mm-prov'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|dmaap-bc-topic-mgr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-bc-topic-mgr|root|30|{'dmaap-bc-topic-mgr', 'dmaap-bc-topic-mgr.api.simpledemo.onap.org', 'dmaap-bc-topic-mgr.onap', 'onap.dmaap-bc-topic-mgr'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-dr@dmaap-dr.onap.org|dmaap-dr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-dr|root|30|{'dmaap-dr', 'dmaap-dr.api.simpledemo.onap.org', 'dmaap-dr.onap', 'onap.dmaap-dr'}|aaf_admin@osaaf.org|{'jks', 'script'} -dmaap-dr-node@dmaap-dr-node.onap.org|dmaap-dr-node|local|/opt/app/osaaf/local||mailto:|onap.dmaap-dr-node|root|30|{'dmaap-dr-node', 'dmaap-dr-node.api.simpledemo.onap.org', 'dmaap-dr-node.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-dr-node@dmaap-dr.onap.org|dmaap-dr-node|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-dr|root|30|{'dmaap-dr-node', 'dmaap-dr-node.api.simpledemo.onap.org', 
'dmaap-dr-node.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap-dr-node@dmaap-dr.onap.org|mithril|local|/Volumes/Data/open/authz/auth/docker/dmaap_dr_node||mailto:|org.onap.dmaap-dr|jg1555|30|{'dmaap-dr-node', 'dmaap-dr-node.api.simpledemo.onap.org', 'dmaap-dr-node.onap'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -dmaap-dr-prov@dmaap-dr.onap.org|dmaap-dr-prov|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-dr|root|30|{'dmaap-dr-prov', 'dmaap-dr-prov.api.simpledemo.onap.org', 'dmaap-dr-prov.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap-dr-prov@dmaap-dr.onap.org|mithril|local|/tmp/temp||mailto:|org.onap.dmaap-dr|jg1555|30|{'dmaap-dr-prov', 'dmaap-dr-prov.api.simpledemo.onap.org', 'dmaap-dr-prov.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'} -dmaap-dr-prov@dmaap-dr-prov.onap.org|dmaap-dr-prov|local|/opt/app/osaaf/local||mailto:|onap.dmaap-dr-prov|root|30|{'dmaap-dr-prov', 'dmaap-dr-prov.api.simpledemo.onap.org', 'dmaap-dr-prov.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap-mr@dmaap-mr.onap.org|dmaap-mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap-mr|root|30|{'dmaap-mr', 'dmaap-mr.onap', 'message-router', 'message-router.onap', 'mr.api.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|10.12.25.177|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|@osaaf.org|{'pkcs12', 'script'} -dmaapmr@mr.dmaap.onap.org|dmaapmr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router', 'message-router.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaapmr@mr.dmaap.onap.org|dmaap-mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router-kafka-0', 'message-router-kafka-0.onap', '{{include "common.release" 
.}}-message-router-kafka-0.message-router-kafka.onap.svc.cluster.local', 'message-router-kafka-1', 'message-router-kafka-1.onap', '{{include "common.release" .}}-message-router-kafka-1.message-router-kafka.onap.svc.cluster.local', 'message-router-kafka-2', 'message-router-kafka-2.onap', '{{include "common.release" .}}-message-router-kafka-2.message-router-kafka.onap.svc.cluster.local', 'message-router', 'mr.api.simpledemo.onap.org', 'message-router.onap', 'dmaapmr dmaap.mr', 'dmaap-mr', 'dmaap.mr.onap', 'dmaap-mr.onap', 'dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaapmr@mr.dmaap.onap.org|dmaap.mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|dmaap.mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|dmaapmr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -dmaap.mr@mr.dmaap.onap.org|dmaap-mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -holmes@holmes.onap.org|holmes|local|/opt/app/osaaf/local||mailto:|org.onap.holmes|root|30|{'holmes.api.simpledemo.onap.org', 'holmes.onap'}|aaf_admin@osaaf.org|{'pkcs12'} 
-holmes-rule-mgmt@holmes-rule-mgmt.onap.org|holmes-rule-mgmt|local|/opt/app/osaaf/local||mailto:|org.onap.holmes-rule-mgmt|root|30|{'holmes-rule-mgmt', 'holmes-rule-mgmt.api.simpledemo.onap.org', 'holmes-rule-mgmt.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|holmes-engine-mgmt|local|/opt/app/osaaf/local||mailto:|org.onap.holmes-engine-mgmt|root|30|{'holmes-engine-mgmt', 'holmes-engine-mgmt.api.simpledemo.onap.org', 'holmes-engine-mgmt.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -msb-eag@msb-eag.onap.org|msb-eag|local|/opt/app/osaaf/local||mailto:|org.onap.msb-eag|root|30|{'msb-eag', 'msb-eag.api.simpledemo.onap.org', 'msb-eag.onap'}|mmanager@osaaf.org|{'file', 'pkcs12'} -msb-iag@msb-iag.onap.org|msb-iag|local|/opt/app/osaaf/local||mailto:|org.onap.msb-iag|root|30|{'msb-iag', 'msb-iag.api.simpledemo.onap.org', 'msb-iag.onap'}|mmanager@osaaf.org|{'file', 'pkcs12'} -music@music.onap.org|music|aaf|/opt/app/aaf/local||mailto:|org.onap.music|root|30|{'music.api.simpledemo.onap.org', 'music.onap'}|mmanager@osaaf.org|{'pkcs12', 'script'} -music@music.onap.org|music.onap|local|/opt/app/osaaf/local||mailto:|org.onap.music|root|30|{'music-api', 'music-api.onap', 'music-onap', 'music.api.simpledemo.onap.org', 'music.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -nbi@nbi.onap.org|nbi|local|/opt/app/osaaf/local||mailto:|org.onap.nbi|root|30|{'nbi', 'nbi.api.simpledemo.onap.org', 'nbi.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -ngi@ngi.onap.org|ngi|local|/opt/app/osaaf/local||mailto:|org.onap.ngi|root|30|{'ngi.api.simpledemo.onap.org', 'ngi.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} -oof@oof.onap.org|oof.api.simpledemo.onap.org|local|/opt/app/osaaf/local||mailto:jflood@att.com|org.onap.oof|root|30|{'cmso-onap', 'cmso.api.simpledemo.onap.org', 'cmso.onap', 'oof-has-api', 'oof-has-api.onap', 'oof-onap', 'oof-opteng', 'oof-opteng.onap', 'oof-osdf', 'oof-osdf.onap', 'oof.api.simpledemo.onap.org', 
'oof.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -oof@oof.onap.org|oof|local|/opt/app/osaaf/local||mailto:jflood@att.com|org.onap.oof|root|30|{'cmso-onap', 'cmso.api.simpledemo.onap.org', 'cmso.onap', 'oof-has-api', 'oof-has-api.onap', 'oof-onap', 'oof-osdf', 'oof-osdf.onap', 'oof.api.simpledemo.onap.org', 'oof.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -oof@oof.onap.org|oof.onap|local|/opt/app/osaaf/local||mailto:jflood@att.com|org.onap.oof|root|30|{'cmso-onap', 'cmso.api.simpledemo.onap.org', 'cmso.onap', 'oof-cmso', 'oof-cmso-optimizer', 'oof-cmso-ticketmgt', 'oof-cmso-topology', 'oof-has-api', 'oof-has-api.onap', 'oof-onap', 'oof-opteng', 'oof-opteng.onap', 'oof-osdf', 'oof-osdf.onap', 'oof.api.simpledemo.onap.org', 'oof.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -policy@policy.onap.org|policy|local|/opt/app/osaaf/local||mailto:|org.onap.policy|root|60|{'policy-drools-pdp', 'policy-drools-pdp.onap', 'policy', 'policy-apex-pdp', 'policy-apex-pdp.onap', 'policy-api', 'policy-api.onap', 'policy-distribution', 'policy-distribution.onap', 'policy-pap', 'policy-pap.onap', 'policy-xacml-pdp', 'policy-xacml-pdp.onap', 'policy.api.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -pomba@pomba.onap.org|onap.pomba|local|/opt/app/osaaf/local||mailto:|org.onap.pomba|root|30|{'onap.pomba', 'onap_pomba', 'pomba', 'pomba.api.simpledemo.onap.org', 'pomba.onap', 'pomba_onap'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -portal@portal.onap.org|portal|local|/opt/app/osaaf/local||mailto:|org.onap.portal|root|30|{'onap.portal', 'onap_portal', 'portal', 'portal-app', 'portal.api.simpledemo.onap.org', 'portal.onap', 'portal_onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -refrepo@refrepo.onap.org|refrepo|local|/opt/app/osaaf/local||mailto:|org.onap.refrepo|root|30|{'refrepo', 'refrepo.api.simpledemo.onap.org', 'refrepo.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} 
-sdc@sdc.onap.org|sdc-fe.onap|local|/opt/app/osaaf/local||mailto:|org.onap.sdc|root|30|{'sdc-fe.onap', 'sdc.api.simpledemo.onap.org', 'sdc.onap'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -sdc@sdc.onap.org|sdc|local|/opt/app/osaaf/local||mailto:|org.onap.sdc|root|60|{'*.onap', '*.onap.org', 'sdc', 'sdc-be.onap', 'sdc-dcae-be.onap', 'sdc-dcae-dt.onap', 'sdc-dcae-fe.onap', 'sdc-dcae-tosca-lab.onap', 'sdc-es.onap', 'sdc-fe.onap', 'sdc-kb.onap', 'sdc-onap.org', 'sdc-onboarding-be.onap', 'sdc-wfd-be.onap', 'sdc-wfd-fe.onap', 'sdc.api.fe.simpledemo.onap.org', 'sdc.api.simpledemo.onap.org', 'sdc.dcae.plugin.simpledemo.onap.org', 'sdc.workflow.plugin.simpledemo.onap.org', 'webseal.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -sdc@sdc.onap.org|sdc.onap|local|/opt/app/osaaf/local||mailto:|org.onap.sdc|root|60|{'*.onap', '*.onap.org', 'sdc', 'sdc-be.onap', 'sdc-dcae-be.onap', 'sdc-dcae-dt.onap', 'sdc-dcae-fe.onap', 'sdc-dcae-tosca-lab.onap', 'sdc-es.onap', 'sdc-fe.onap', 'sdc-kb.onap', 'sdc-onap.org', 'sdc-onboarding-be.onap', 'sdc-wfd-be.onap', 'sdc-wfd-fe.onap', 'sdc.api.fe.simpledemo.onap.org', 'sdc.api.simpledemo.onap.org', 'sdc.dcae.plugin.simpledemo.onap.org', 'sdc.workflow.plugin.simpledemo.onap.org', 'webseal.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -sdnc-cds@sdnc-cds.onap.org|sdnc-cds|local|/opt/app/osaaf/local||mailto:|org.onap.sdnc-cds|root|30|{'c1.vm1.sdnc-cds.simpledemo.onap', 'c2.vm1.sdnc-cds.simpledemo.onap', 'c3.vm1.sdnc-cds.simpledemo.onap', 'c4.vm1.sdnc-cds.simpledemo.onap', 'onap-sdnc-cds', 'onap-sdnc-cds.onap', 'sdnc-cds', 'sdnc-cds.api.simpledemo.onap.org', 'sdnc-cds.onap', 'vm1.sdnc-cds.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'pkcs12', 'script'} -sdnc@sdnc.onap.org|ccsdk-sdnc-heat-dev|local|/home/ubuntu/cert||mailto:|org.onap.sdnc|ubuntu|60|{'c1.vm1.sdnc.simpledemo.onap', 'c2.vm1.sdnc.simpledemo.onap', 'c3.vm1.sdnc.simpledemo.onap', 'c4.vm1.sdnc.simpledemo.onap', 'onap-sdnc', 'onap-sdnc.onap', 
'sdnc', 'sdnc.api.simpledemo.onap.org', 'sdnc.onap', 'vm1.sdnc.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -sdnc@sdnc.onap.org|sdnc|local|/opt/app/osaaf/local||mailto:|org.onap.sdnc|root|60|{'c1.vm1.sdnc.simpledemo.onap', 'c2.vm1.sdnc.simpledemo.onap', 'c3.vm1.sdnc.simpledemo.onap', 'c4.vm1.sdnc.simpledemo.onap', 'onap-sdnc', 'onap-sdnc.onap', 'sdnc', 'sdnc.api.simpledemo.onap.org', 'sdnc.onap', 'vm1.sdnc.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'} -shi@shi.onap.org|onap.shi|local|/opt/app/osaaf/local||mailto:|onap.shi|root|30|{'onap_shi', 'shi', 'shi.api.simpledemo.onap.org', 'shi_onap'}|aaf_admin@osaaf.org|{'jks', 'pkcs12', 'script'} -so@so.onap.org|aai-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'aai-simulator', 'localhost'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|bpmn-infra|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'bpmn-infra', 'bpmn-infra.onap'}|mmanager@osaaf.org|{'pkcs12'} -so@so.onap.org|sdc-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'localhost', 'sdc-simulator'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|sdnc-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'localhost', 'sdnc-simulator'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|so-apih|local|/opt/app/osaaf/local||mailto:rp6768@att.com|org.onap.so|root|30|{'mso-asdc-controller-svc', 'mso-bpmn-infra-svc', 'mso-catalog-db-adapter-svc', 'mso-openstack-adapter-svc', 'mso-request-db-adapter-svc', 'mso-sdnc-adapter-svc'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -so@so.onap.org|so-client|local|/opt/app/osaaf/local||mailto:rp6768@att.com|org.onap.so|root|30||mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -so@so.onap.org|so|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so.api.simpledemo.onap.org', 'so.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'} 
-so@so.onap.org|so-vnfm-adapter|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so-vnfm-adapter', 'so-vnfm-adapter.onap'}|aaf_admin@osaaf.org|{'pkcs12'} -so@so.onap.org|so-vnfm-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so-vnfm-simulator', 'so-vnfm-simulator.onap'}|aaf_admin@osaaf.org|{'pkcs12'} -tester1@test.portal.onap.org|tester1|aaf|/||mailto:|org.onap.portal.test|root|30||@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} -vfc@vfc.onap.org|vfc|local|/opt/app/osaaf/local||mailto:|org.onap.vfc|root|30|{'vfc.api.simpledemo.onap.org vfc.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -vid1@vid1.onap.org|vid1|local|/opt/app/osaaf/local||mailto:|org.onap.vid1|root|30|{'onap', 'onap.vid1', 'vid1', 'vid1.api.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -vid2@vid2.onap.org|vid2|local|/opt/app/osaaf/local||mailto:|org.onap.vid2|root|30|{'onap.vid2', 'vid2', 'vid2.api.simpledemo.onap.org', 'vid2.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} -vid@vid.onap.org|vid|local|/opt/app/osaaf/local||mailto:|org.onap.vid|root|30|{'vid.api.simpledemo.onap.org', 'vid.onap'}|mmanager@osaaf.org|{'jks', 'pkcs12'} -uui@uui.onap.org|uui|local|/opt/app/osaaf/local||mailto:|org.onap.uui|root|30|{'uui', 'uui.api.simpledemo.onap.org', 'uui.onap','uui-server', 'uui-server.api.simpledemo.onap.org', 'uui-server.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/config.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/config.dat deleted file mode 100644 index 18b5c90fd6..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/config.dat +++ /dev/null 
@@ -1,10 +0,0 @@ -aaf|aaf_env|DEV -aaf|aaf_oauth2_introspect_url|https://AAF_LOCATE_URL/%CNS.%AAF_NS.introspect:2.1/introspect -aaf|aaf_oauth2_token_url|https://AAF_LOCATE_URL/%CNS.%AAF_NS.token:2.1/token -aaf|aaf_url_cm|https://AAF_LOCATE_URL/%CNS.%AAF_NS.cm:2.1 -aaf|aaf_url_fs|https://AAF_LOCATE_URL/%CNS.%AAF_NS.fs:2.1 -aaf|aaf_url_gui|https://AAF_LOCATE_URL/%CNS.%AAF_NS.gui:2.1 -aaf|aaf_url|https://AAF_LOCATE_URL/%CNS.%AAF_NS.service:2.1 -aaf|aaf_url_oauth|https://AAF_LOCATE_URL/%CNS.%AAF_NS.oauth:2.1 -aaf|cadi_protocols|TLSv1.1,TLSv1.2 -aaf|cadi_x509_issuers|CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat deleted file mode 100644 index 1279c363b5..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat +++ /dev/null 
@@ -1,59 +0,0 @@ -portal@portal.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.portal|53344|| -shi@shi.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.shi|53344|| -a1p@a1p.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.a1p|53344|| -aaf@aaf.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.aaf|53344|| -aaf-sms@aaf-sms.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aaf-sms|53344|| -clamp@clamp.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.clamp|53344|| -aai@aai.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai|53344|| -aai-resources@aai-resources.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-resources|53344|| -aai-schema-service@aai-schema-service.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-schema-service|53344|| -aai-traversal@aai-traversal.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.aai-traversal|53344|| -appc@appc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.appc|53344|| -appc-cdt@appc-cdt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.appc-cdt|53344|| -cli@cli.onap.org|2|2020-11-26 
12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.cli|53344|| -dcae@dcae.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dcae|53344|| -oof@oof.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.oof|53344|| -so@so.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.so|53344|| -sdc@sdc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.sdc|53344|| -sdnc@sdnc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.sdnc|53344|| -sdnc-cds@sdnc-cds.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.sdnc-cds|53344|| -vfc@vfc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vfc|53344|| -policy@policy.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.policy|53344|| -pomba@pomba.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.pomba|53344|| -holmes@holmes.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.holmes|53344|| -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.holmes-engine-mgmt|53344|| -holmes-rule-mgmt@holmes-rule-mgmt.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial 
ID|org.onap.holmes-rule-mgmt|53344|| -nbi@nbi.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.nbi|53344|| -msb-eag@msb-eag.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.msb-eag|53344|| -msb-iag@msb-iag.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.msb-iag|53344|| -music@music.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.music|53344|| -refrepo@refrepo.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.refrepo|53344|| -vid@vid.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid|53344|| -vid1@vid1.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid1|53344|| -vid2@vid2.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid2|53344|| -dmaap-bc@dmaap-bc.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-bc|53344|| -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-bc-topic-mgr|53344|| -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-bc-mm-prov|53344|| -dmaap-dr@dmaap-dr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-dr|53344|| 
-dmaap-dr-prov@dmaap-dr-prov.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-dr-prov|53344|| -dmaap-dr-node@dmaap-dr-node.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-dr-node|53344|| -dmaap-mr@dmaap-mr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaap-mr|53344|| -dmaapmr@dmaapmr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.dmaapmr|53344|| -#dmaap.mr@#dmaap.mr.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.mr.#dmaap|53344|| -iowna@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -mmanager@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -bdevl@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -mmarket@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -demo@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -jh0003@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -cs0008@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -jm0007@people.osaaf.org|2|2020-11-26 
12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -op0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -gv0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -pm0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -gs0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -ps0001@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -aaf_admin@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -deployer@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -portal_admin@people.osaaf.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|| -uui@uui.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.uui|53344|| diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat deleted file mode 100644 index 7d20d55c31..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat +++ /dev/null 
@@ -1,88 +0,0 @@ -org.onap.a1p||org.onap||3 -org.onap.aaf-sms||org.onap||3 -org.onap.aai||org.onap||3 -org.onap.aai-resources||org.onap||3 -org.onap.aai-schema-service||org.onap||3 -org.onap.aai-traversal||org.onap||3 -org.onap.appc||org.onap||3 -org.onap.appc-cdt||org.onap||3 -org.onap.cds||org.onap||3 -org.onap.clampdemo|Onap clamp demo NS|org.onap|2|2 -org.onap.clamp||org.onap||3 -org.onap.clamptest|Onap clamp test NS|org.onap|2|2 -org.onap.cli||org.onap||3 -org.onap.dcae||org.onap||3 -org.onap.dmaap-bc.api||org.onap.dmaap-bc||3 -org.onap.dmaap-bc-mm-prov||org.onap||3 -org.onap.dmaap-bc||org.onap||3 -org.onap.dmaap.bc||org.onap||3 -org.onap.dmaapbc||org.onap||3 -org.onap.dmaap-bc-topic-mgr||org.onap||3 -org.onap.dmaap-dr||org.onap||3 -org.onap.dmaap.mr.aNewTopic-123450||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aNewTopic-123451||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aNewTopic-1547667570||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aNewTopic-||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTest-1547665517||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTest-1547666628||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTest-1547666760||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTest-1547666950||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTest-1547667031||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-123456||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-123457||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547660509||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547660861||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547661011||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547662122||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547662451||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547664813||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547664928||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTestTopic-1547666068||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.aTopic-1547654909||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.dgl000||org.onap.dmaap.mr||3 
-org.onap.dmaap.mr.dgl_ready||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.IdentityTopic-12345||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.IdentityTopic-1547839476||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.mirrormakeragent||org.onap.dmaap.mr||3 -org.onap.dmaap-mr||org.onap||3 -org.onap.dmaap.mr||org.onap||3 -org.onap.dmaap.mr.partitionTest-1546033194||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.PM_MAPPER||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.PNF_READY||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.PNF_REGISTRATION||org.onap.dmaap.mr||3 -org.onap.dmaap-mr.sunil||org.onap.dmaap-mr||3 -org.onap.dmaap-mr.test||org.onap.dmaap-mr||3 -org.onap.dmaap.mr.topic-000||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.topic-001||org.onap.dmaap.mr||3 -org.onap.dmaap.mr.topic-002||org.onap.dmaap.mr||3 -org.onap.dmaap||org.onap||3 -org.onap.holmes||org.onap||3 -org.onap.holmes-engine-mgmt||org.onap||3 -org.onap.holmes-rule-mgmt||org.onap||3 -org.onap.music||org.onap||3 -org.onap.msb-eag||org.onap||3 -org.onap.msb-iag||org.onap||3 -org.onap.nbi||org.onap||3 -org.onap|ONAP|org|2|2 -org.onap.oof||org.onap||3 -org.onap.policy||org.onap||3 -org.onap.pomba||org.onap||3 -org.onap.portal|ONAP Portal|org.onap.portal|3|3 -org.onap.portal.test||org.onap.portal||3 -org.onap.refrepo||org.onap||3 -org.onap.sdc||org.onap||3 -org.onap.sdnc-cds||org.onap||3 -org.onap.sdnc||org.onap||3 -org.onap.so||org.onap||3 -org.onap.vfc||org.onap||3 -org.onap.vid1||org.onap||3 -org.onap.vid2||org.onap||3 -org.onap.vid||org.onap||3 -org.onap.uui||org.onap||3 -org.openecomp.dcae|DCAE Namespace Org|org.openecomp|3|3 -org.openecomp.dmaapBC|DMaap NS|org.openecomp|3|3 -org.openecomp|Open EComp NS|org|2|2 -org.osaaf.aaf|Application Authorization Framework|org.osaaf|3|3 -org.osaaf|OSAAF Namespace|org|2|2 -org.osaaf.people||org.osaaf||3 -org|Root Namespace|.|1|1 
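Review bot: the removal of ns.dat (`deleted file mode 100644`, `@@ -1,88 +0,0 @@`) is not covered by the commit message, which lists only the cnf-adapter and cnfm-lcm bump to 1.13.0 and the tracing changes under Issue-ID SO-4178. Dropping the AAF namespace seed data belongs in its own change, or at least needs a line in the message saying why it goes and what replaces it. Many of the removed rows look like test leftovers rather than real namespaces, for example `org.onap.dmaap.mr.aTestTopic-1547660509` and `org.onap.dmaap.mr.aNewTopic-` with an empty suffix, so the message should also say whether any of the 88 namespaces are still expected to exist after this lands.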
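Review bot: in the cred.dat hunk above, every removed row visible here carries the same fourth-field value (0xd993c561...) with the note "Initial ID", across service identities such as `dmaap-mr@dmaap-mr.onap.org` and people identities such as `aaf_admin@people.osaaf.org`, which reads as one shared initial credential seeded for all of them. Deleting the file from the tree does not remove that value from repository history, so the commit message should state whether environments seeded from this file need those identities rotated or removed, and the removal should be called out explicitly rather than riding along with a cnf-adapter version bump.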
diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat deleted file mode 100644 index 89c726f9ec..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat +++ /dev/null 
@@ -1,547 +0,0 @@ -org|access|*|*|Org Write Access|{'org.admin'} -org|access|*|read,approve|Org Read Access|{'org.owner'} -org|access|*|read|Org Read Access|{'org.owner'} -org.onap.a1p|access|*|*|AAF Namespace Write Access|"{'org.onap.a1p|admin', 'org.onap.a1p|service'}" -org.onap.a1p|access|*|read|AAF Namespace Read Access|"{'org.onap.a1p|owner'}" -org.onap.a1p|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aaf-sms|access|*|*|AAF Namespace Write Access|"{'org.onap.aaf-sms|admin'}" -org.onap.aaf-sms|access|*|read|AAF Namespace Read Access|"{'org.onap.aaf-sms|owner'}" -org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai|access|*|*|AAF Namespace Write Access|"{'org.onap.aai|admin'}" -org.onap.aai|access|*|read|AAF Namespace Read Access|"{'org.onap.aai|owner'}" -org.onap.aai|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai|resources|*|delete||"{'org.onap.aai|resources_all'}" -org.onap.aai|resources|*|get||"{'org.onap.aai|resources_all', 'org.onap.aai|resources_readonly'}" -org.onap.aai|resources|*|patch||"{'org.onap.aai|resources_all'}" -org.onap.aai|resources|*|post||"{'org.onap.aai|resources_all'}" -org.onap.aai|resources|*|put||"{'org.onap.aai|resources_all'}" -org.onap.aai|traversal|*|advanced||"{'org.onap.aai|traversal_advanced'}" -org.onap.aai|traversal|*|basic||"{'org.onap.aai|traversal_basic'}" -org.onap.aai-resources|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-resources|admin', 'org.onap.aai-resources|service'}" -org.onap.aai-resources|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-resources|owner'}" -org.onap.aai-resources|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai-schema-service|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-schema-service|admin', 'org.onap.aai-schema-service|service'}" -org.onap.aai-schema-service|access|*|read|AAF Namespace Read 
Access|"{'org.onap.aai-schema-service|owner'}" -org.onap.aai-schema-service|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.aai-traversal|access|*|*|AAF Namespace Write Access|"{'org.onap.aai-traversal|admin', 'org.onap.aai-traversal|service'}" -org.onap.aai-traversal|access|*|read|AAF Namespace Read Access|"{'org.onap.aai-traversal|owner'}" -org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap|access|*|*|Onap Write Access|{'org.onap.admin'} -org.onap|access|*|read|Onap Read Access|{'org.onap.owner'} -org.onap.appc|access|*|*|AAF Namespace Write Access|"{'org.onap.appc|admin', 'org.onap.appc|service'}" -org.onap.appc|access|*|read|AAF Namespace Read Access|"{'org.onap.appc|owner'}" -org.onap.appc|apidoc|/apidoc/.*|ALL||"{'org.onap.appc|apidoc'}" -org.onap.appc|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.appc|odl|odl-api|*|Appc ODL API Access|"{'org.onap.appc.odl', 'org.onap.appc|admin'}" -org.onap.appc|restconf|/restconf/.*|ALL||"{'org.onap.appc|restconf'}" -org.onap.appc-cdt|access|*|*|AAF Namespace Write Access|"{'org.onap.appc-cdt|admin', 'org.onap.appc-cdt|service'}" -org.onap.appc-cdt|access|*|read|AAF Namespace Read Access|"{'org.onap.appc-cdt|owner'}" -org.onap.appc-cdt|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.cds|access|*|*|AAF Namespace Write Access|"{'org.onap.cds|admin'}" -org.onap.cds|access|*|read|AAF Namespace Read Access|"{'org.onap.cds|owner'}" -org.onap.clamp|access|*|*|AAF Namespace Write Access|"{'org.onap.clamp|admin', 'org.onap.clamp|service'}" -org.onap.clamp|access|*|read|Onap Clamp Read Access|{'org.onap.clamp.owner'} -org.onap.clamp|certman|local|request,ignoreIPs,showpass||"{'org.onap.clamp|admin', 'org.onap.clamp|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.clamp|clds.cl|dev|*||"{'org.onap.clamp|service'}" -org.onap.clamp|clds.cl|dev|read|Onap Clamp Dev Read 
Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.cl|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.cl.event|dev|*|Onap Clamp Dev Write Access|{'org.onap.clamp.clds.designer.dev'} -org.onap.clamp|clds.cl.manage|dev|*|Onap Clamp Dev Manage Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|service'}" -org.onap.clamp|clds.filter.vf|dev|*|Onap Clamp Filter All Dev Access|"{'org.onap.clamp.clds.vf_filter_all.dev', 'org.onap.clamp|service'}" -org.onap.clamp|clds.template|dev|*||"{'org.onap.clamp|service'}" -org.onap.clamp|clds.template|dev|read|Onap Clamp Dev Read Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.template|dev|update|Onap Clamp Dev Update Access|"{'org.onap.clamp.clds.designer.dev', 'org.onap.clamp|clds.admin.dev'}" -org.onap.clamp|clds.tosca|dev|*||"{'org.onap.clamp|service'}" -org.onap.clamp|clds.policies|dev|*||"{'org.onap.clamp|service'}" -org.onap.clampdemo|access|*|*|ClampDemo Write Access|{'org.onap.clampdemo.admin'} -org.onap.clampdemo|access|*|read|ClampDemo Read Access|{'org.onap.clampdemo.owner'} -org.onap.clamptest|access|*|*|Onap Write Access|{'org.onap.clamptest.admin'} -org.onap.clamptest|access|*|read|Onap Read Access|{'org.onap.clamptest.owner'} -org.onap.cli|access|*|*|AAF Namespace Write Access|"{'org.onap.cli|admin', 'org.onap.cli|service'}" -org.onap.cli|access|*|read|AAF Namespace Read Access|"{'org.onap.cli|owner'}" -org.onap.cli|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dcae|access|*|*|AAF Namespace Write Access|"{'org.onap.dcae|admin', 'org.onap.dmaap-bc-topic-mgr|admin', 'org.onap.dmaap-bc|admin'}" -org.onap.dcae|access|*|read|AAF Namespace Read Access|"{'org.onap.dcae|owner'}" -org.onap.dcae|certman|local|request,ignoreIPs,showpass||"{'org.onap.dcae|seeCerts', 'org.osaaf.aaf|deploy'}" 
-org.onap.dcae|dmaap.topicFactory|:com.att.dcae.dmaap.FTL.mr.topic:com.att.dcae.dmaap.FTL|create|| -org.onap.dcae|dmaap.topicFactory|:null.FTL.mr.topic:null.FTL|create|| -org.onap.dmaap|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap|admin'}" -org.onap.dmaap|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap|owner'}" -org.onap.dmaap-bc|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc|admin'}" -org.onap.dmaapbc|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaapbc|admin'}" -org.onap.dmaap.bc|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.bc|admin', 'org.onap.dmaap.bc|service'}" -org.onap.dmaap-bc|access|*|read|AAF Namespace Read Access|"{'org.onap.dcae|admin', 'org.onap.dmaap-bc|owner'}" -org.onap.dmaap.bc|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.bc|owner'}" -org.onap.dmaapbc|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaapbc|owner'}" -org.onap.dmaap-bc.api|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc.api|admin', 'org.onap.dmaap-bc|admin'}" -org.onap.dmaap-bc.api|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-bc.api|owner', 'org.onap.dmaap-bc|admin', 'org.onap.dmaap-bc|service'}" -org.onap.dmaap-bc.api|bridge|onapdemo|GET||"{'org.onap.dmaap-bc.api|Metrics'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dcaeLocations|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|boot|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|boot|GET||"{'org.onap.dmaap-bc.api|Controller'}" 
-org.onap.dmaap-bc.api|dmaap|boot|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|boot|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dmaap|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_nodes|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" 
-org.onap.dmaap-bc.api|dr_subs|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_subs|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|feeds|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" 
-org.onap.dmaap-bc.api|mr_clusters|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|mr_clusters|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|mr_clusters|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller'}" -org.onap.dmaap-bc.api|topics|onapdemo|DELETE||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator'}" -org.onap.dmaap-bc.api|topics|onapdemo|GET||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Inventory', 'org.onap.dmaap-bc.api|Metrics', 'org.onap.dmaap-bc.api|Orchestrator', 'org.onap.dmaap-bc.api|PortalUser'}" -org.onap.dmaap-bc.api|topics|onapdemo|POST||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator'}" -org.onap.dmaap-bc.api|topics|onapdemo|PUT||"{'org.onap.dmaap-bc.api|Controller', 'org.onap.dmaap-bc.api|Orchestrator'}" -org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass||"{'org.onap.dmaap-bc|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.dmaap-bc-mm-prov|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc-mm-prov|admin'}" -org.onap.dmaap-bc-mm-prov|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-bc-mm-prov|owner'}" -org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap-bc-topic-mgr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc-topic-mgr|admin'}" -org.onap.dmaap-bc-topic-mgr|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-bc-topic-mgr|owner'}" -org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap-dr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-dr|admin'}" -org.onap.dmaap-dr|access|*|read|AAF Namespace Read 
Access|"{'org.onap.dmaap-dr|owner'}" -org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass||"{'org.onap.dmaap-dr|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.dmaap-dr|feed|*|approveSub||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap|dr.feed|*|create|| -org.onap.dmaap-dr|feed|*|create||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|delete||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|edit||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|*||"{'org.onap.dmaap-bc|service', 'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|publish||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|restore||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|subscribe||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|feed|*|suspend||"{'org.onap.dmaap-dr|feed.admin'}" -org.onap.dmaap-dr|sub|*|delete||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|edit||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|*||"{'org.onap.dmaap-bc|service', 'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|publish||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|restore||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap-dr|sub|*|suspend||"{'org.onap.dmaap-dr|sub.admin'}" -org.onap.dmaap.mr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-bc|service', 'org.onap.dmaap.mr|admin'}" -org.onap.dmaap-mr|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-mr|admin'}" -org.onap.dmaap-mr|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-mr|owner'}" -org.onap.dmaap.mr|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr|owner', 'org.onap.dmaap.mr|service'}" -org.onap.dmaap.mr.aNewTopic-123450|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aNewTopic-123450|admin'}" -org.onap.dmaap.mr.aNewTopic-123450|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-123450|owner'}" -org.onap.dmaap.mr.aNewTopic-123451|access|*|*|AAF Namespace Write 
Access|"{'org.onap.dmaap.mr.aNewTopic-123451|admin'}" -org.onap.dmaap.mr.aNewTopic-123451|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-123451|owner'}" -org.onap.dmaap.mr.aNewTopic-1547667570|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aNewTopic-1547667570|admin'}" -org.onap.dmaap.mr.aNewTopic-1547667570|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-1547667570|owner'}" -org.onap.dmaap.mr.aNewTopic-|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aNewTopic-|admin'}" -org.onap.dmaap.mr.aNewTopic-|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aNewTopic-|owner'}" -org.onap.dmaap.mr.aTest-1547665517|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547665517|admin'}" -org.onap.dmaap.mr.aTest-1547665517|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547665517|owner'}" -org.onap.dmaap.mr.aTest-1547666628|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547666628|admin'}" -org.onap.dmaap.mr.aTest-1547666628|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547666628|owner'}" -org.onap.dmaap.mr.aTest-1547666760|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547666760|admin'}" -org.onap.dmaap.mr.aTest-1547666760|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547666760|owner'}" -org.onap.dmaap.mr.aTest-1547666950|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547666950|admin'}" -org.onap.dmaap.mr.aTest-1547666950|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547666950|owner'}" -org.onap.dmaap.mr.aTest-1547667031|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTest-1547667031|admin'}" -org.onap.dmaap.mr.aTest-1547667031|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTest-1547667031|owner'}" -org.onap.dmaap.mr.aTestTopic-123456|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-123456|admin'}" 
-org.onap.dmaap.mr.aTestTopic-123456|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-123456|owner'}" -org.onap.dmaap.mr.aTestTopic-123457|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-123457|admin'}" -org.onap.dmaap.mr.aTestTopic-123457|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-123457|owner'}" -org.onap.dmaap.mr.aTestTopic-1547660509|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547660509|admin'}" -org.onap.dmaap.mr.aTestTopic-1547660509|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547660509|owner'}" -org.onap.dmaap.mr.aTestTopic-1547660861|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547660861|admin'}" -org.onap.dmaap.mr.aTestTopic-1547660861|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547660861|owner'}" -org.onap.dmaap.mr.aTestTopic-1547661011|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547661011|admin'}" -org.onap.dmaap.mr.aTestTopic-1547661011|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547661011|owner'}" -org.onap.dmaap.mr.aTestTopic-1547662122|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547662122|admin'}" -org.onap.dmaap.mr.aTestTopic-1547662122|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547662122|owner'}" -org.onap.dmaap.mr.aTestTopic-1547662451|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547662451|admin'}" -org.onap.dmaap.mr.aTestTopic-1547662451|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547662451|owner'}" -org.onap.dmaap.mr.aTestTopic-1547664813|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547664813|admin'}" -org.onap.dmaap.mr.aTestTopic-1547664813|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547664813|owner'}" 
-org.onap.dmaap.mr.aTestTopic-1547664928|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547664928|admin'}" -org.onap.dmaap.mr.aTestTopic-1547664928|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547664928|owner'}" -org.onap.dmaap.mr.aTestTopic-1547666068|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTestTopic-1547666068|admin'}" -org.onap.dmaap.mr.aTestTopic-1547666068|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTestTopic-1547666068|owner'}" -org.onap.dmaap.mr.aTopic-1547654909|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.aTopic-1547654909|admin'}" -org.onap.dmaap.mr.aTopic-1547654909|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.aTopic-1547654909|owner'}" -org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.dmaap.mr.dgl000|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.dgl000|admin'}" -org.onap.dmaap.mr.dgl000|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.dgl000|owner'}" -org.onap.dmaap.mr.dgl_ready|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.dgl_ready|admin'}" -org.onap.dmaap.mr.dgl_ready|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.dgl_ready|owner'}" -org.onap.dmaap.mr.IdentityTopic-12345|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.IdentityTopic-12345|admin'}" -org.onap.dmaap.mr.IdentityTopic-12345|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.IdentityTopic-12345|owner'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|admin'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|owner'}" -org.onap.dmaap.mr|mirrormaker|*|admin||"{'org.onap.dmaap.mr|mirrormaker.admin'}" 
-org.onap.dmaap.mr.mirrormakeragent|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.mirrormakeragent|admin'}" -org.onap.dmaap.mr.mirrormakeragent|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.mirrormakeragent|owner'}" -org.onap.dmaap.mr|mirrormaker|*|user||"{'org.onap.dmaap.mr|mirrormaker.user'}" -org.onap.dmaap.mr.partitionTest-1546033194|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.partitionTest-1546033194|admin'}" -org.onap.dmaap.mr.partitionTest-1546033194|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.partitionTest-1546033194|owner'}" -org.onap.dmaap.mr.PM_MAPPER|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.PM_MAPPER|admin'}" -org.onap.dmaap.mr.PM_MAPPER|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.PM_MAPPER|owner'}" -org.onap.dmaap.mr.PNF_READY|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.PNF_READY|admin'}" -org.onap.dmaap.mr.PNF_READY|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.PNF_READY|owner'}" -org.onap.dmaap.mr.PNF_REGISTRATION|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.PNF_REGISTRATION|admin'}" -org.onap.dmaap.mr.PNF_REGISTRATION|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.PNF_REGISTRATION|owner'}" -org.onap.dmaap-mr|saitest|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub||"{'org.onap.dmaap-mr|admin', 'org.onap.dmaap-mr|sai'}" -org.onap.dmaap-mr.sunil|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-mr.sunil|admin'}" -org.onap.dmaap-mr.sunil|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-mr.sunil|owner'}" -org.onap.dmaap-mr.sunil|test|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub||"{'org.onap.dmaap-mr.sunil|admin2'}" -org.onap.dmaap-mr.test|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap-mr.test|admin'}" -org.onap.dmaap-mr.test|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap-mr.test|owner'}" -org.onap.dmaap.mr.topic-000|access|*|*|AAF Namespace Write 
Access|"{'org.onap.dmaap.mr.topic-000|admin'}" -org.onap.dmaap.mr.topic-000|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.topic-000|owner'}" -org.onap.dmaap.mr.topic-001|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.topic-001|admin'}" -org.onap.dmaap.mr.topic-001|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.topic-001|owner'}" -org.onap.dmaap.mr.topic-002|access|*|*|AAF Namespace Write Access|"{'org.onap.dmaap.mr.topic-002|admin'}" -org.onap.dmaap.mr.topic-002|access|*|read|AAF Namespace Read Access|"{'org.onap.dmaap.mr.topic-002|owner'}" -org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create,destroy||"{'org.onap.dmaap-bc|service'}" -org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create||"{'org.onap.dmaap-bc-topic-mgr|client', 'org.onap.dmaap.mr|create'}" -org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|destroy||"{'org.onap.dmaap-bc-topic-mgr|client', 'org.onap.dmaap.mr|destroy'}" -org.onap.dmaap.mr|topic|*|*||"{'org.onap.dmaap-bc|service'}" -org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|pub||"{'org.onap.dcae|pnfPublisher'}" -org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|sub||"{'org.onap.dcae|pnfPublisher'}" -org.onap.dmaap.mr|topictest|*|view|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539200479|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539200479|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539200479|view|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539201873|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539201873|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.dglk8s.dglTest1539201873|view|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|sub||"{'org.onap.dmaap-mr|Publisher'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|pub||"{'org.onap.dcae|pnfPublisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|sub||"{'org.onap.dcae|pnfSubscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|view||"{'org.onap.dcae|pnfPublisher', 'org.onap.dcae|pnfSubscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|pub||"{'org.onap.dmaap.mr.dgl_ready|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|sub||"{'org.onap.dmaap.mr.dgl_ready|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|view||"{'org.onap.dmaap.mr.dgl_ready|publisher', 'org.onap.dmaap.mr.dgl_ready|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1529190699|pub|| 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|pub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|sub||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|view||"{'org.onap.dmaap-mr|Publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest201810100530|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|pub||"{'org.onap.dmaap.mr.IdentityTopic-12345|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|sub||"{'org.onap.dmaap.mr.IdentityTopic-12345|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|view||"{'org.onap.dmaap.mr.IdentityTopic-12345|publisher', 'org.onap.dmaap.mr.IdentityTopic-12345|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|pub||"{'org.onap.dmaap.mr.IdentityTopic-1547839476|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|sub||"{'org.onap.dmaap.mr.IdentityTopic-1547839476|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|view||"{'org.onap.dmaap.mr.IdentityTopic-1547839476|publisher', 'org.onap.dmaap.mr.IdentityTopic-1547839476|subscriber'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|pub||"{'org.onap.dmaap.mr.mirrormakeragent|pub', 'org.onap.dmaap.mr.mirrormakeragent|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|sub||"{'org.onap.dmaap.mr.mirrormakeragent|sub', 'org.onap.dmaap.mr.mirrormakeragent|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|view||"{'org.onap.dmaap.mr.mirrormakeragent|publisher', 'org.onap.dmaap.mr.mirrormakeragent|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mmagent|pub||"{'org.onap.dmaap.mr|mmagent.pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mmagent|sub||"{'org.onap.dmaap.mr|mmagent.sub', 'org.onap.dmaap.mr|mmagent.sub1'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtest|pub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|pub||"{'org.onap.dmaap.mr|mrtesttopic.pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|sub||"{'org.onap.dmaap.mr|mrtesttopic.sub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|pub||"{'org.onap.dmaap.mr.PM_MAPPER|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|sub||"{'org.onap.dmaap.mr.PM_MAPPER|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|view||"{'org.onap.dmaap.mr.PM_MAPPER|publisher', 'org.onap.dmaap.mr.PM_MAPPER|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|pub||"{'org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr.PNF_READY|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|sub||"{'org.onap.dmaap.mr.PNF_READY|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view||"{'org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr.PNF_READY|publisher', 'org.onap.dmaap.mr.PNF_READY|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|pub||"{'org.onap.dmaap.mr.PNF_REGISTRATION|publisher'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub||"{'org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr.PNF_REGISTRATION|subscriber', 'org.onap.dmaap.mr|PNF_REGISTRATION.sub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view||"{'org.onap.dmaap.mr.PNF_REGISTRATION|publisher', 'org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr.PNF_REGISTRATION|subscriber', 'org.onap.dmaap.mr|PNF_REGISTRATION.sub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|pub||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|view||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|pub||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|view||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|pub||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|sub|| -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|view||"{'org.onap.dmaap.mr.PNF_READY|pub'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.test1|pub||"{'org.onap.dmaap.mr|test1'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|pub||"{'org.onap.dcae|pnfPublisher', 'org.onap.dmaap.mr.topic-000|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|sub||"{'org.onap.dmaap.mr.topic-000|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view||"{'org.onap.dcae|pnfPublisher', 'org.onap.dmaap.mr.topic-000|publisher', 'org.onap.dmaap.mr.topic-000|subscriber'}" 
-org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|pub||"{'org.onap.dmaap.mr.topic-001|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|sub||"{'org.onap.dmaap.mr.topic-001|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|view||"{'org.onap.dmaap.mr.topic-001|publisher', 'org.onap.dmaap.mr.topic-001|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|pub||"{'org.onap.dmaap.mr.topic-002|publisher'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|sub||"{'org.onap.dmaap.mr.topic-002|subscriber'}" -org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|view||"{'org.onap.dmaap.mr.topic-002|publisher', 'org.onap.dmaap.mr.topic-002|subscriber'}" -org.onap.dmaap.mr|topic|*|view||"{'org.onap.dmaap-bc|service', 'org.onap.dmaap.mr|view'}" -org.onap.dmaap.mr|viewtest|*|view||"{'org.onap.dmaap.mr|viewtest'}" -org.onap.holmes|access|*|*|AAF Namespace Write Access|"{'org.onap.holmes|admin'}" -org.onap.holmes|access|*|read|AAF Namespace Read Access|"{'org.onap.holmes|owner'}" -org.onap.holmes-engine-mgmt|access|*|*|AAF Namespace Write Access|"{'org.onap.holmes-engine-mgmt|admin', 'org.onap.holmes-engine-mgmt|service'}" -org.onap.holmes-engine-mgmt|access|*|read|AAF Namespace Read Access|"{'org.onap.holmes-engine-mgmt|owner'}" -org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass||"{'org.onap.holmes-engine-mgmt|admin', 'org.onap.holmes-engine-mgmt|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.holmes-rule-mgmt|access|*|*|AAF Namespace Write Access|"{'org.onap.holmes-rule-mgmt|admin', 'org.onap.holmes-rule-mgmt|service'}" -org.onap.holmes-rule-mgmt|access|*|read|AAF Namespace Read Access|"{'org.onap.holmes-rule-mgmt|owner'}" -org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass||"{'org.onap.holmes-rule-mgmt|admin', 'org.onap.holmes-rule-mgmt|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.msb-eag|access|*|*|AAF Namespace Write Access|"{'org.onap.msb-eag|admin', 
'org.onap.msb-eag|service'}" -org.onap.msb-eag|access|*|read|AAF Namespace Read Access|"{'org.onap.msb-eag|owner'}" -org.onap.msb-eag|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.msb-iag|access|*|*|AAF Namespace Write Access|"{'org.onap.msb-iag|admin', 'org.onap.msb-iag|service'}" -org.onap.msb-iag|access|*|read|AAF Namespace Read Access|"{'org.onap.msb-iag|owner'}" -org.onap.msb-iag|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.music|access|*|*|AAF Namespace Write Access|"{'org.onap.music|admin'}" -org.onap.music|access|*|read|AAF Namespace Read Access|"{'org.onap.music|owner'}" -org.onap.music|certman|local|request,ignoreIPs,showpass||"{'org.onap.music|admin', 'org.osaaf.aaf|deploy'}" -org.onap.nbi|access|*|*|AAF Namespace Write Access|"{'org.onap.nbi|admin', 'org.onap.nbi|service'}" -org.onap.nbi|access|*|read|AAF Namespace Read Access|"{'org.onap.nbi|owner'}" -org.onap.nbi|certman|local|request,ignoreIPs,showpass||"{'org.onap.nbi|admin', 'org.onap.nbi|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.ngi|access|*|*|AAF Namespace Write Access|"{'org.onap.ngi|admin'}" -org.onap.ngi|access|*|read|AAF Namespace Read Access|"{'org.onap.ngi|owner'}" -org.onap.oof|access|*|*|AAF Namespace Write Access|"{'org.onap.oof|admin'}" -org.onap.oof|access|*|read|AAF Namespace Read Access|"{'org.onap.oof|owner'}" -org.onap.oof|certman|local|request,ignoreIPs,showpass||"{'org.onap.oof|admin', 'org.onap.sdc|admin', 'org.osaaf.aaf|deploy'}" -org.onap.policy|access|*|*|AAF Namespace Write Access|"{'org.onap.policy|admin', 'org.onap.policy|pdpd.admin'}" -org.onap.policy|access|*|read|AAF Namespace Read Access|"{'org.onap.policy|owner', 'org.onap.policy|pdpd.admin'}" -org.onap.policy|certman|local|request,ignoreIPs,showpass||"{'org.onap.policy|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.policy|menu|menu_admin|*|Admin Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_ajax|*|Ajax 
Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_concept|*|CoNCEPT| -org.onap.policy|menu|menu_customer_create|*|Customer Create|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_customer|*|Customer Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_doclib|*|Document Library Menu| -org.onap.policy|menu|menu_feedback|*|Feedback Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_help|*|Help Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_home|*|Home Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_itracker|*|iTracker Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_job_create|*|Job Create|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_job_designer|*|Process in Designer view| -org.onap.policy|menu|menu_job|*|Job Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_logout|*|Logout Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_map|*|Map Menu|"{'org.onap.policy|Standard_User'}" -org.onap.policy|menu|menu_notes|*|Notes Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_policy|*|Policy|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|menu|menu_process|*|Process List|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_profile_create|*|Profile Create|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_profile_import|*|Profile Import|"{'org.onap.policy|System_Administrator'}" 
-org.onap.policy|menu|menu_profile|*|Profile Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_reports|*|Reports Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_sample|*|Sample Pages Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_tab|*|Sample Tab Menu|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|menu|menu_task_search|*|Task Search| -org.onap.policy|menu|menu_task|*|Task Menu| -org.onap.policy|menu|menu_test|*|Test Menu|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|pdpd.healthcheck.configuration|*|get||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpd.healthcheck|*|get||"{'org.onap.policy|pdpd.admin', 'org.onap.policy|pdpd.monitor'}" -org.onap.policy|pdpd.telemetry|*|delete||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpd.telemetry|*|get||"{'org.onap.policy|pdpd.admin', 'org.onap.policy|pdpd.monitor'}" -org.onap.policy|pdpd.telemetry|*|post||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpd.telemetry|*|put||"{'org.onap.policy|pdpd.admin'}" -org.onap.policy|pdpx.config|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.createDictionary|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.createPolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.decision|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getConfigByPolicyName|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getConfig|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getDecision|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getDictionary|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.getMetrics|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.listConfig|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.list|*|*||"{'org.onap.policy|pdpx.admin'}" 
-org.onap.policy|pdpx.listPolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.policyEngineImport|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.pushPolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.sendEvent|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.updateDictionary|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|pdpx.updatePolicy|*|*||"{'org.onap.policy|pdpx.admin'}" -org.onap.policy|url|doclib_admin|*|Document Library Admin|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|url|doclib|*|Document Library|"{'org.onap.policy|System_Administrator'}" -org.onap.policy|url|login|*|Login|"{'org.onap.policy|Standard_User', 'org.onap.policy|System_Administrator'}" -org.onap.policy|url|policy_admin|*|Policy Admin|"{'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_dashboard|*|Policy Dashboard|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_dictionary|*|Policy Dictionary|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_editor|*|Policy Editor|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_pdp|*|Policy PDP|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Guest', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Policy_Super_Guest', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|policy_push|*|Policy Push|"{'org.onap.policy|Policy_Admin', 'org.onap.policy|Policy_Editor', 'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" 
-org.onap.policy|url|policy_roles|*|Policy Roles|"{'org.onap.policy|Policy_Super_Admin', 'org.onap.policy|Standard_User'}" -org.onap.policy|url|view_reports|*|View Raptor reports| -org.onap.pomba|access|*|*|AAF Namespace Write Access|"{'org.onap.pomba|admin'}" -org.onap.pomba|access|*|read|AAF Namespace Read Access|"{'org.onap.pomba|owner'}" -org.onap.pomba|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.portal|access|*|*|Portal Write Access|{'org.onap.portal.admin'} -org.onap.portal|access|*|read|Portal Read Access| -org.onap.portal|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.portal|menu|menu_acc_admin|*|Admin Account Menu|"{'org.onap.portal|Account_Administrator', 'org.onap.portal|System_Administrator'}" -org.onap.portal|menu|menu_admin|*|Admin Menu|"{'org.onap.portal|System_Administrator', 'org.onap.portal|Usage_Analyst'}" -org.onap.portal|menu|menu_ajax|*|Ajax Menu| -org.onap.portal|menu|menu_customer_create|*|Customer Create| -org.onap.portal|menu|menu_customer|*|Customer Menu| -org.onap.portal|menu|menu_feedback|*|Feedback Menu| -org.onap.portal|menu|menu_help|*|Help Menu| -org.onap.portal|menu|menu_home|*|Home Menu|"{'org.onap.portal|Standard_User', 'org.onap.portal|System_Administrator'}" -org.onap.portal|menu|menu_job_create|*|Job Create| -org.onap.portal|menu|menu_job_designer|*|Process in Designer view| -org.onap.portal|menu|menu_job|*|Job Menu| -org.onap.portal|menu|menu_logout|*|Logout Menu|"{'org.onap.portal|Standard_User', 'org.onap.portal|System_Administrator'}" -org.onap.portal|menu|menu_map|*|Map Menu| -org.onap.portal|menu|menu_notes|*|Notes Menu| -org.onap.portal|menu|menu_process|*|Process List| -org.onap.portal|menu|menu_profile_create|*|Profile Create| -org.onap.portal|menu|menu_profile_import|*|Profile Import| -org.onap.portal|menu|menu_profile|*|Profile Menu| -org.onap.portal|menu|menu_reports|*|Reports Menu| -org.onap.portal|menu|menu_sample|*|Sample Pages Menu| 
-org.onap.portal|menu|menu_tab|*|Sample Tab Menu| -org.onap.portal|menu|menu_task_search|*|Task Search|"{'org.onap.portal|Usage_Analyst'}" -org.onap.portal|menu|menu_task|*|Task Menu|"{'org.onap.portal|Usage_Analyst'}" -org.onap.portal|menu|menu_web_analytics|*|Web Analytics|"{'org.onap.portal|Portal_Usage_Analyst', 'org.onap.portal|Usage_Analyst'}" -org.onap.portal.test|aaaa|*|write|| -org.onap.portal.test|access1|*|read|| -org.onap.portal.test|access|*|*|AAF Namespace Write Access|"{'org.onap.portal.test|admin'}" -org.onap.portal.test|access|*|read|AAF Namespace Read Access|"{'org.onap.portal.test|owner'}" -org.onap.portal.test|myaccess|*|read|| -org.onap.portal.test|user1.access|*|read|| -org.onap.portal.test|user1.myaccess|*|read|| -org.onap.portal|url|addWebAnalyticsReport|*|Add Web Analytics Report| -org.onap.portal|url|appsFullList|*|Apps Full List| -org.onap.portal|url|centralizedApps|*|Centralized Apps|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|edit_notification|*|User Notification|"{'org.onap.portal|Portal_Notification_Admin'}" -org.onap.portal|url|functionalMenu|*|Functional Menu| -org.onap.portal|url|getAdminNotifications|*|Admin Notifications|"{'org.onap.portal|Account_Administrator', 'org.onap.portal|Portal_Notification_Admin'}" -org.onap.portal|url|getAllWebAnalytics|*|Get All Web Analytics|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|getFunctionalMenuRole|*|Get Functional Menu Role|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|getNotificationAppRoles|*|Get Notification App Roles|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|get_role_functions%2f%2a|*|Get Role Functions|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|get_roles%2f%2a|*|getRolesOfApp|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|getUserAppsWebAnalytics|*|Get User Apps Web Analytics|"{'org.onap.portal|Account_Administrator'}" 
-org.onap.portal|url|getUserJourneyAnalyticsReport|*|Get User Journey Report|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|login|*|Login|"{'org.onap.portal|Standard_User', 'org.onap.portal|System_Administrator'}" -org.onap.portal|url|notification_code|*|Notification Code|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|role_function_list%2fsaveRoleFunction%2f%2a|*|Save Role Function|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|saveNotification|*|publish notifications|"{'org.onap.portal|Portal_Notification_Admin'}" -org.onap.portal|url|syncRoles|*|SyncRoles|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|url_role.htm|*|role page| -org.onap.portal|url|url_welcome.htm|*|welcome page| -org.onap.portal|url|userAppRoles|*|userAppRoles|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|userApps|*|User Apps|"{'org.onap.portal|Account_Administrator'}" -org.onap.portal|url|view_reports|*|View Raptor reports| -org.onap.refrepo|access|*|*|AAF Namespace Write Access|"{'org.onap.refrepo|admin', 'org.onap.refrepo|service'}" -org.onap.refrepo|access|*|read|AAF Namespace Read Access|"{'org.onap.refrepo|owner'}" -org.onap.refrepo|certman|local|request,ignoreIPs,showpass||"{'org.onap.refrepo|admin', 'org.onap.refrepo|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.sdc|access|*|*|AAF Namespace Write Access|"{'org.onap.sdc|admin'}" -org.onap.sdc|access|*|read|AAF Namespace Read Access|"{'org.onap.sdc|owner'}" -org.onap.sdc|administrator.access|*|*||"{'org.onap.sdc|admin'}" -org.onap.sdc|certman|local|request,ignoreIPs,showpass||"{'org.onap.sdc|admin', 'org.osaaf.aaf|deploy'}" -org.onap.sdc|designer.access|*|*||"{'org.onap.sdc|designer'}" -org.onap.sdc|governance.access|*|*||"{'org.onap.sdc|governor'}" -org.onap.sdc|operations.access|*|*||"{'org.onap.sdc|ops'}" -org.onap.sdc|tester.access|*|*||"{'org.onap.sdc|tester'}" -org.onap.sdnc|access|*|*|AAF Namespace Write Access|"{'org.onap.sdnc|admin'}" 
-org.onap.sdnc|access|*|read|AAF Namespace Read Access|"{'org.onap.sdnc|owner'}" -org.onap.sdnc-cds|access|*|*|AAF Namespace Write Access|"{'org.onap.sdnc-cds|admin', 'org.onap.sdnc-cds|service'}" -org.onap.sdnc-cds|access|*|read|AAF Namespace Read Access|"{'org.onap.sdnc-cds|owner'}" -org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.sdnc|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.sdnc|odl|odl-api|create||"{'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|delete||"{'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|*||"{'org.onap.sdnc|admin', 'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|read||"{'org.onap.sdnc|service'}" -org.onap.sdnc|odl|odl-api|update||"{'org.onap.sdnc|service'}" -org.onap.so|access|*|*|AAF Namespace Write Access|"{'org.onap.so|admin', 'org.onap.so|app'}" -org.onap.so|access|*|read|AAF Namespace Read Access|"{'org.onap.so|owner'}" -org.onap.so|certman|local|request,ignoreIPs,showpass||"{'org.onap.so|admin', 'org.onap.so|seeCerts', 'org.osaaf.aaf|deploy'}" -org.onap.vfc|access|*|*|AAF Namespace Write Access|"{'org.onap.vfc|admin', 'org.onap.vfc|service'}" -org.onap.vfc|access|*|read|AAF Namespace Read Access|"{'org.onap.vfc|owner'}" -org.onap.vfc|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid1|access|*|*|AAF Namespace Write Access|"{'org.onap.vid1|admin'}" -org.onap.vid1|access|*|read|AAF Namespace Read Access|"{'org.onap.vid1|owner'}" -org.onap.vid1|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid2|access|*|*|AAF Namespace Write Access|"{'org.onap.vid2|admin'}" -org.onap.vid2|access|*|read|AAF Namespace Read Access|"{'org.onap.vid2|owner'}" -org.onap.vid2|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid|access|*|*|AAF Namespace Write Access|"{'org.onap.vid|admin'}" -org.onap.vid|access|*|read|AAF Namespace Read Access|"{'org.onap.vid|owner'}" 
-org.onap.vid|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.onap.vid|menu|menu_admin|*|Admin Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_ajax|*|Ajax Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_changemanagement|*|VNF Changes|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_concept|*|CoNCEPT| -org.onap.vid|menu|menu_customer_create|*|Customer Create|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_customer|*|Customer Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_doclib|*|Document Library Menu| -org.onap.vid|menu|menu_feedback|*|Feedback Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_help|*|Help Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_home|*|Home Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_itracker|*|iTracker Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_job_create|*|Job Create|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_job_designer|*|Process in Designer view| -org.onap.vid|menu|menu_job|*|Job Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_logout|*|Logout Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_map|*|Map Menu|"{'org.onap.vid|Standard_User'}" -org.onap.vid|menu|menu_newserinstance|*|Create New Service Instance|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_notes|*|Notes Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_process|*|Process List|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_profile_create|*|Profile Create|"{'org.onap.vid|System_Administrator'}" 
-org.onap.vid|menu|menu_profile_import|*|Profile Import|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_profile|*|Profile Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_reports|*|Reports Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_sample|*|Sample Pages Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_searchexisting|*|Search for Existing Service Instances|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_servicemodels|*|Browse SDC Service Instances|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_tab|*|Sample Tab Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_task_search|*|Task Search| -org.onap.vid|menu|menu_task|*|Task Menu| -org.onap.vid|menu|menu_test|*|Test Menu|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|menu|menu_viewlog|*|Log Menu|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|url|doclib_admin|*|Document Library Admin|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|url|doclib|*|Document Library|"{'org.onap.vid|System_Administrator'}" -org.onap.vid|url|login|*|Login|"{'org.onap.vid|Standard_User', 'org.onap.vid|System_Administrator'}" -org.onap.vid|url|view_reports|*|View Raptor reports| -org.onap.uui|access|*|*|AAF Namespace Write Access|"{'org.onap.uui|admin', 'org.onap.uui|service'}" -org.onap.uui|access|*|read|AAF Namespace Read Access|"{'org.onap.uui|owner'}" -org.onap.uui|certman|local|request,ignoreIPs,showpass||"{'org.onap.uui|admin', 'org.onap.uui|seeCerts', 'org.osaaf.aaf|deploy'}" -org.openecomp|access|*|*|OpenEcomp Write Access|{'org.openecomp.admin'} -org.openecomp|access|*|read|OpenEcomp Read Access|{'org.openecomp.owner'} -org.openecomp.dmaapBC|access|*|*|DMaap Write Access|{'org.openecomp.dmaapBC.admin'} 
-org.openecomp.dmaapBC|access|*|read|DMaap Read Access|{'org.openecomp.dmaapBC.owner'} -org.osaaf.aaf|access|*|*|AAF Write Access|{'org.osaaf.aaf.admin'} -org.osaaf.aaf|access|*|read,approve|AAF Read Access|{'org.osaaf.aaf.owner'} -org.osaaf.aaf|cache|all|clear||"{'org.osaaf.aaf|admin'}" -org.osaaf.aaf|cache|*|clear||"{'org.osaaf.aaf|admin', 'org.osaaf.aaf|service'}" -org.osaaf.aaf|cache|role|clear||"{'org.osaaf.aaf|admin'}" -org.osaaf.aaf|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" -org.osaaf.aaf|password|*|create,reset||"{'org.osaaf.aaf|admin'}" -org.osaaf|access|*|*|OSAAF Write Access|{'org.osaaf.admin'} -org.osaaf|access|*|read,appove|OSAAF Read Access|{'org.osaaf.owner'} -org.osaaf.people|access|*|*|AAF Namespace Write Access|"{'org.osaaf.people|admin'}" -org.osaaf.people|access|*|read|AAF Namespace Read Access|"{'org.osaaf.people|owner'}" diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat deleted file mode 100644 index 111b94e6a8..0000000000 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat +++ /dev/null 
@@ -1,352 +0,0 @@ -org|admin|Org Admins|"{'org.access|*|*'}" -org.onap.a1p|admin|AAF Namespace Administrators|"{'org.onap.a1p|access|*|*'}" -org.onap.a1p|owner|AAF Namespace Owners|"{'org.onap.a1p|access|*|read'}" -org.onap.a1p|service||"{'org.onap.a1p|access|*|*'}" -org.onap.aaf-sms|admin|AAF Namespace Administrators|"{'org.onap.aaf-sms|access|*|*'}" -org.onap.aaf-sms|owner|AAF Namespace Owners|"{'org.onap.aaf-sms|access|*|read'}" -org.onap.aaf-sms|service||"{'org.onap.aaf-sms|access|*|read'}" -org.onap.aai|aaiui|| -org.onap.aai|Account_Administrator|| -org.onap.aai|admin|AAF Namespace Administrators|"{'org.onap.aai|access|*|*'}" -org.onap.aai|owner|AAF Namespace Owners|"{'org.onap.aai|access|*|read'}" -org.onap.aai|resources_all|resources_all|"{'org.onap.aai|resources|*|delete', 'org.onap.aai|resources|*|get', 'org.onap.aai|resources|*|patch', 'org.onap.aai|resources|*|post', 'org.onap.aai|resources|*|put'}" -org.onap.aai|resources_readonly|resources_readonly|"{'org.onap.aai|resources|*|get'}" -org.onap.aai|traversal_advanced|traversal_advanced|"{'org.onap.aai|traversal|*|advanced'}" -org.onap.aai|traversal_basic|traversal_basic|"{'org.onap.aai|traversal|*|basic'}" -org.onap.aai-resources|admin|AAF Namespace Administrators|"{'org.onap.aai-resources|access|*|*'}" -org.onap.aai-resources|owner|AAF Namespace Owners|"{'org.onap.aai-resources|access|*|read'}" -org.onap.aai-resources|service||"{'org.onap.aai-resources|access|*|*'}" -org.onap.aai-schema-service|admin|AAF Namespace Administrators|"{'org.onap.aai-schema-service|access|*|*'}" -org.onap.aai-schema-service|owner|AAF Namespace Owners|"{'org.onap.aai-schema-service|access|*|read'}" -org.onap.aai-schema-service|service||"{'org.onap.aai-schema-service|access|*|*'}" -org.onap.aai-traversal|admin|AAF Namespace Administrators|"{'org.onap.aai-traversal|access|*|*'}" -org.onap.aai-traversal|owner|AAF Namespace Owners|"{'org.onap.aai-traversal|access|*|read'}" 
-org.onap.aai-traversal|service||"{'org.onap.aai-traversal|access|*|*'}" -org.onap|admin|Onap Admins|"{'org.onap.access|*|*'}" -org.onap.appc|admin|AAF Namespace Administrators|"{'org.onap.appc|access|*|*'}" -org.onap.appc|apidoc||"{'org.onap.appc|apidoc|/apidoc/.*|ALL'}" -org.onap.appc|jolokia|| -org.onap.appc|odl|Onap APPC ODL Admins|"{'org.onap.appc.odl|odl-api|*'}" -org.onap.appc|owner|AAF Namespace Owners|"{'org.onap.appc|access|*|read'}" -org.onap.appc|restconf||"{'org.onap.appc|restconf|/restconf/.*|ALL'}" -org.onap.appc|service||"{'org.onap.appc|access|*|*'}" -org.onap.appc-cdt|admin|AAF Namespace Administrators|"{'org.onap.appc-cdt|access|*|*'}" -org.onap.appc-cdt|owner|AAF Namespace Owners|"{'org.onap.appc-cdt|access|*|read'}" -org.onap.appc-cdt|service||"{'org.onap.appc-cdt|access|*|*'}" -org.onap.cds|admin|AAF Namespace Administrators|"{'org.onap.cds|access|*|*'}" -org.onap.cds|owner|AAF Namespace Owners|"{'org.onap.cds|access|*|read'}" -org.onap.clamp|admin|AAF Namespace Administrators|"{'org.onap.clamp|access|*|*', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}" -org.onap.clamp|clds.admin.dev|Onap clamp Admin Dev|"{'org.onap.clamp.clds.template|dev|update', 'org.onap.clamp|clds.cl|dev|read', 'org.onap.clamp|clds.cl|dev|update', 'org.onap.clamp|clds.template|dev|read', 'org.onap.clamp|clds.template|dev|update'}" -org.onap.clamp|clds.designer.dev|Onap clamp Designer Dev|"{'org.onap.clamp.clds.template|dev|update'}" -org.onap.clamp|clds.vf_filter_all.dev|Onap clamp Filter All Dev|"{'org.onap.clamp.clds.filter.vf|dev|*'}" -org.onap.clampdemo|admin|Onap Clamp Test Admins|"{'org.onap.clampdemo.access|*|*'}" -org.onap.clampdemo|owner|onap clamp Test Owners|"{'org.onap.clampdemo.access|*|read'}" -org.onap.clamp|owner|AAF Namespace Owners| -org.onap.clamp|seeCerts||"{'org.onap.clamp|certman|local|request,ignoreIPs,showpass'}" -org.onap.clamp|service||"{'org.onap.clamp|access|*|*', 'org.onap.clamp|clds.cl.manage|dev|*', 
'org.onap.clamp|clds.cl|dev|*', 'org.onap.clamp|clds.filter.vf|dev|*', 'org.onap.clamp|clds.template|dev|*', 'org.onap.clamp|clds.tosca|dev|*', 'org.onap.clamp|clds.policies|dev|*'}" -org.onap.clamptest|admin|Onap Clamp Test Admins|"{'org.onap.clamptest.access|*|*'}" -org.onap.clamptest|owner|onap clamp Test Owners|"{'org.onap.clamptest.access|*|read'}" -org.onap.cli|admin|AAF Namespace Administrators|"{'org.onap.cli|access|*|*'}" -org.onap.cli|owner|AAF Namespace Owners|"{'org.onap.cli|access|*|read'}" -org.onap.cli|service||"{'org.onap.cli|access|*|*'}" -org.onap.dcae|admin|AAF Namespace Administrators|"{'org.onap.dcae|access|*|*', 'org.onap.dmaap-bc|access|*|read'}" -org.onap.dcae|owner|AAF Namespace Owners|"{'org.onap.dcae|access|*|read'}" -org.onap.dcae|pmPublisher|| -org.onap.dcae|pmSubscriber|| -org.onap.dcae|pnfPublisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view', 'org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|pub', 'org.onap.dmaap.mr|topic|org.onap.dmaap.mr.PM_MAPPER|sub'}" -org.onap.dcae|pnfSubscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aPnfTopic-1540492548|view'}" -org.onap.dcae|seeCerts||"{'org.onap.dcae|certman|local|request,ignoreIPs,showpass'}" -org.onap.dmaap|admin|AAF Namespace Administrators|"{'org.onap.dmaap|access|*|*'}" -org.onap.dmaap-bc|admin|AAF Namespace Administrators|"{'org.onap.dcae|access|*|*', 'org.onap.dmaap-bc.api|access|*|*', 'org.onap.dmaap-bc.api|access|*|read', 'org.onap.dmaap-bc|access|*|*'}" -org.onap.dmaap.bc|admin|AAF Namespace Administrators|"{'org.onap.dmaap.bc|access|*|*'}" -org.onap.dmaapbc|admin|AAF Namespace Administrators|"{'org.onap.dmaapbc|access|*|*'}" 
-org.onap.dmaap-bc.api|admin|AAF Namespace Administrators|"{'org.onap.dmaap-bc.api|access|*|*'}" -org.onap.dmaap-bc.api|Controller||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|POST', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|PUT', 'org.onap.dmaap-bc.api|dmaap|boot|DELETE', 'org.onap.dmaap-bc.api|dmaap|boot|GET', 'org.onap.dmaap-bc.api|dmaap|boot|POST', 'org.onap.dmaap-bc.api|dmaap|boot|PUT', 'org.onap.dmaap-bc.api|dmaap|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|POST', 'org.onap.dmaap-bc.api|dmaap|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT', 'org.onap.dmaap-bc.api|feeds|onapdemo|DELETE', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|POST', 'org.onap.dmaap-bc.api|feeds|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|PUT', 'org.onap.dmaap-bc.api|topics|onapdemo|DELETE', 'org.onap.dmaap-bc.api|topics|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|POST', 
'org.onap.dmaap-bc.api|topics|onapdemo|PUT'}" -org.onap.dmaap-bc.api|Inventory||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|GET'}" -org.onap.dmaap-bc.api|Metrics||"{'org.onap.dmaap-bc.api|bridge|onapdemo|GET', 'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|GET'}" -org.onap.dmaap-bc.api|Orchestrator||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|POST', 'org.onap.dmaap-bc.api|feeds|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|DELETE', 'org.onap.dmaap-bc.api|topics|onapdemo|GET', 
'org.onap.dmaap-bc.api|topics|onapdemo|POST', 'org.onap.dmaap-bc.api|topics|onapdemo|PUT'}" -org.onap.dmaap-bc.api|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc.api|access|*|read'}" -org.onap.dmaap-bc.api|PortalUser||"{'org.onap.dmaap-bc.api|dcaeLocations|onapdemo|GET', 'org.onap.dmaap-bc.api|dmaap|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_nodes|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_pubs|onapdemo|PUT', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|DELETE', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|GET', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|POST', 'org.onap.dmaap-bc.api|dr_subs|onapdemo|PUT', 'org.onap.dmaap-bc.api|feeds|onapdemo|DELETE', 'org.onap.dmaap-bc.api|feeds|onapdemo|GET', 'org.onap.dmaap-bc.api|feeds|onapdemo|POST', 'org.onap.dmaap-bc.api|feeds|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|DELETE', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|GET', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|POST', 'org.onap.dmaap-bc.api|mr_clients|onapdemo|PUT', 'org.onap.dmaap-bc.api|mr_clusters|onapdemo|GET', 'org.onap.dmaap-bc.api|topics|onapdemo|GET'}" -org.onap.dmaap-bc-mm-prov|admin|AAF Namespace Administrators|"{'org.onap.dmaap-bc-mm-prov|access|*|*'}" -org.onap.dmaap-bc-mm-prov|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc-mm-prov|access|*|read'}" -org.onap.dmaap-bc|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc|access|*|read'}" -org.onap.dmaap.bc|owner|AAF Namespace Owners|"{'org.onap.dmaap.bc|access|*|read'}" -org.onap.dmaapbc|owner|AAF Namespace Owners|"{'org.onap.dmaapbc|access|*|read'}" -org.onap.dmaap-bc|seeCerts||"{'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass'}" -org.onap.dmaap.bc|service||"{'org.onap.dmaap.bc|access|*|*'}" -org.onap.dmaap-bc|service||"{'org.onap.dmaap-bc.api|access|*|read', 'org.onap.dmaap-dr|feed|*|*', 'org.onap.dmaap-dr|sub|*|*', 'org.onap.dmaap.mr|access|*|*', 
'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create,destroy', 'org.onap.dmaap.mr|topic|*|*', 'org.onap.dmaap.mr|topic|*|view'}" -org.onap.dmaap-bc-topic-mgr|admin|AAF Namespace Administrators|"{'org.onap.dcae|access|*|*', 'org.onap.dmaap-bc-topic-mgr|access|*|*'}" -org.onap.dmaap-bc-topic-mgr|client||"{'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create', 'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|destroy'}" -org.onap.dmaap-bc-topic-mgr|owner|AAF Namespace Owners|"{'org.onap.dmaap-bc-topic-mgr|access|*|read'}" -org.onap.dmaap-dr|admin|AAF Namespace Administrators|"{'org.onap.dmaap-dr|access|*|*'}" -org.onap.dmaap-dr|feed.admin||"{'org.onap.dmaap-dr|feed|*|*'}" -org.onap.dmaap-dr|owner|AAF Namespace Owners|"{'org.onap.dmaap-dr|access|*|read'}" -org.onap.dmaap-dr|seeCerts||"{'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass'}" -org.onap.dmaap-dr|sub.admin||"{'org.onap.dmaap-dr|sub|*|*'}" -org.onap.dmaap.mr|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr|access|*|*'}" -org.onap.dmaap-mr|admin|AAF Namespace Administrators|"{'org.onap.dmaap-mr|access|*|*', 'org.onap.dmaap-mr|saitest|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub'}" -org.onap.dmaap.mr.aNewTopic-123450|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aNewTopic-123450|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-123450|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-123450|access|*|read'}" -org.onap.dmaap.mr.aNewTopic-123450|publisher|| -org.onap.dmaap.mr.aNewTopic-123450|subscriber|| -org.onap.dmaap.mr.aNewTopic-123451|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aNewTopic-123451|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-123451|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-123451|access|*|read'}" -org.onap.dmaap.mr.aNewTopic-123451|publisher|| -org.onap.dmaap.mr.aNewTopic-123451|subscriber|| -org.onap.dmaap.mr.aNewTopic-1547667570|admin|AAF Namespace 
Administrators|"{'org.onap.dmaap.mr.aNewTopic-1547667570|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-1547667570|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-1547667570|access|*|read'}" -org.onap.dmaap.mr|aNewTopic-1547667571.publisher|| -org.onap.dmaap.mr|aNewTopic-1547667571.subscriber|| -org.onap.dmaap.mr.aNewTopic-|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aNewTopic-|access|*|*'}" -org.onap.dmaap.mr.aNewTopic-|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aNewTopic-|access|*|read'}" -org.onap.dmaap.mr.aNewTopic-|publisher|| -org.onap.dmaap.mr.aNewTopic-|subscriber|| -org.onap.dmaap.mr.aTest-1547665517|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547665517|access|*|*'}" -org.onap.dmaap.mr.aTest-1547665517|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547665517|access|*|read'}" -org.onap.dmaap.mr.aTest-1547665517|publisher|| -org.onap.dmaap.mr|aTest-1547665518.subscriber|| -org.onap.dmaap.mr.aTest-1547666628|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547666628|access|*|*'}" -org.onap.dmaap.mr.aTest-1547666628|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547666628|access|*|read'}" -org.onap.dmaap.mr|aTest-1547666629.publisher|| -org.onap.dmaap.mr|aTest-1547666629.subscriber|| -org.onap.dmaap.mr.aTest-1547666760|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547666760|access|*|*'}" -org.onap.dmaap.mr.aTest-1547666760|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547666760|access|*|read'}" -org.onap.dmaap.mr|aTest-1547666761.publisher|| -org.onap.dmaap.mr|aTest-1547666761.subscriber|| -org.onap.dmaap.mr.aTest-1547666950|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547666950|access|*|*'}" -org.onap.dmaap.mr.aTest-1547666950|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547666950|access|*|read'}" -org.onap.dmaap.mr.aTest-1547666950|publisher|| -org.onap.dmaap.mr|aTest-1547666951.subscriber|| 
-org.onap.dmaap.mr.aTest-1547667031|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTest-1547667031|access|*|*'}" -org.onap.dmaap.mr.aTest-1547667031|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTest-1547667031|access|*|read'}" -org.onap.dmaap.mr|aTest-1547667032.publisher|| -org.onap.dmaap.mr|aTest-1547667032.subscriber|| -org.onap.dmaap.mr.aTestTopic-123456|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-123456|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-123456|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-123456|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-123456|publisher|| -org.onap.dmaap.mr.aTestTopic-123456|subscriber|| -org.onap.dmaap.mr.aTestTopic-123457|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-123457|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-123457|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-123457|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-123457|publisher|| -org.onap.dmaap.mr.aTestTopic-123457|subscriber|| -org.onap.dmaap.mr.aTestTopic-1547660509|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547660509|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547660509|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547660509|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547660861|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547660861|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547660861|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547660861|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547661011|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547661011|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547661011|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547661011|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547661011|publisher|| -org.onap.dmaap.mr.aTestTopic-1547662122|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547662122|access|*|*'}" 
-org.onap.dmaap.mr.aTestTopic-1547662122|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547662122|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547662122|publisher|| -org.onap.dmaap.mr.aTestTopic-1547662451|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547662451|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547662451|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547662451|access|*|read'}" -org.onap.dmaap.mr|aTestTopic-1547662452.publisher|| -org.onap.dmaap.mr.aTestTopic-1547664813|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547664813|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547664813|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547664813|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547664813|publisher|| -org.onap.dmaap.mr.aTestTopic-1547664813|subscriber|| -org.onap.dmaap.mr.aTestTopic-1547664928|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547664928|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547664928|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547664928|access|*|read'}" -org.onap.dmaap.mr.aTestTopic-1547664928|publisher|| -org.onap.dmaap.mr.aTestTopic-1547664928|subscriber|| -org.onap.dmaap.mr.aTestTopic-1547666068|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTestTopic-1547666068|access|*|*'}" -org.onap.dmaap.mr.aTestTopic-1547666068|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTestTopic-1547666068|access|*|read'}" -org.onap.dmaap.mr.aTopic-1547654909|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.aTopic-1547654909|access|*|*'}" -org.onap.dmaap.mr.aTopic-1547654909|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.aTopic-1547654909|access|*|read'}" -org.onap.dmaap.mr|create||"{'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|create'}" -org.onap.dmaap.mr|destroy||"{'org.onap.dmaap.mr|topicFactory|:org.onap.dmaap.mr.topic:org.onap.dmaap.mr|destroy'}" 
-org.onap.dmaap.mr.dgl000|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.dgl000|access|*|*'}" -org.onap.dmaap.mr.dgl000|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.dgl000|access|*|read'}" -org.onap.dmaap.mr.dgl000|publisher|| -org.onap.dmaap.mr.dgl000|subscriber|| -org.onap.dmaap.mr.dgl_ready|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.dgl_ready|access|*|*'}" -org.onap.dmaap.mr.dgl_ready|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.dgl_ready|access|*|read'}" -org.onap.dmaap.mr.dgl_ready|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|view'}" -org.onap.dmaap.mr.dgl_ready|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dgl_ready|view'}" -org.onap.dmaap.mr.IdentityTopic-12345|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.IdentityTopic-12345|access|*|*'}" -org.onap.dmaap.mr.IdentityTopic-12345|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.IdentityTopic-12345|access|*|read'}" -org.onap.dmaap.mr.IdentityTopic-12345|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|view'}" -org.onap.dmaap.mr.IdentityTopic-12345|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-12345|view'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|*'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.IdentityTopic-1547839476|access|*|read'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|pub', 
'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|view'}" -org.onap.dmaap.mr.IdentityTopic-1547839476|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.IdentityTopic-1547839476|view'}" -org.onap.dmaap.mr|mirrormaker.admin||"{'org.onap.dmaap.mr|mirrormaker|*|admin'}" -org.onap.dmaap.mr.mirrormakeragent|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.mirrormakeragent|access|*|*'}" -org.onap.dmaap.mr.mirrormakeragent|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.mirrormakeragent|access|*|read'}" -org.onap.dmaap.mr.mirrormakeragent|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|view'}" -org.onap.dmaap.mr.mirrormakeragent|pub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|pub'}" -org.onap.dmaap.mr.mirrormakeragent|sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|sub'}" -org.onap.dmaap.mr.mirrormakeragent|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mirrormakeragent|view'}" -org.onap.dmaap.mr|mirrormaker.user||"{'org.onap.dmaap.mr|mirrormaker|*|user'}" -org.onap.dmaap.mr|mmagent.sub|| -org.onap.dmaap.mr|mmagent.sub1||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mmagent|sub'}" -org.onap.dmaap.mr|mrtesttopic.pub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|pub'}" -org.onap.dmaap.mr|mrtesttopic.sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.mrtesttopic|sub'}" -org.onap.dmaap.mr|mrtestt.pub|| -org.onap.dmaap-mr|owner|AAF Namespace Owners|"{'org.onap.dmaap-mr|access|*|read'}" -org.onap.dmaap.mr|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr|access|*|read'}" -org.onap.dmaap.mr.partitionTest-1546033194|admin|AAF Namespace 
Administrators|"{'org.onap.dmaap.mr.partitionTest-1546033194|access|*|*'}" -org.onap.dmaap.mr.partitionTest-1546033194|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.partitionTest-1546033194|access|*|read'}" -org.onap.dmaap.mr.PM_MAPPER|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.PM_MAPPER|access|*|*'}" -org.onap.dmaap.mr.PM_MAPPER|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.PM_MAPPER|access|*|read'}" -org.onap.dmaap.mr.PM_MAPPER|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|view'}" -org.onap.dmaap.mr.PM_MAPPER|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PM_MAPPER|view'}" -org.onap.dmaap.mr.PNF_READY|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.PNF_READY|access|*|*'}" -org.onap.dmaap.mr.PNF_READY|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.PNF_READY|access|*|read'}" -org.onap.dmaap.mr.PNF_READY|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view'}" -org.onap.dmaap.mr.PNF_READY|pub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540393649|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398384|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PolandSpring1540398410|view'}" -org.onap.dmaap.mr.PNF_READY|sub|| -org.onap.dmaap.mr.PNF_READY|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|sub', 
'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_READY|view'}" -org.onap.dmaap.mr.PNF_REGISTRATION|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.PNF_REGISTRATION|access|*|*'}" -org.onap.dmaap.mr.PNF_REGISTRATION|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.PNF_REGISTRATION|access|*|read'}" -org.onap.dmaap.mr.PNF_REGISTRATION|pub|| -org.onap.dmaap.mr.PNF_REGISTRATION|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap.mr.PNF_REGISTRATION|sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap.mr|PNF_REGISTRATION.sub||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap.mr.PNF_REGISTRATION|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.PNF_REGISTRATION|view'}" -org.onap.dmaap-mr|Publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic-1540491614|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aSimpleTopic|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539385466|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|pub', 
'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.aafIntegTest-1539628418|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539370708|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539371800|view', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.dglTest1539385250|view'}" -org.onap.dmaap-mr|sai||"{'org.onap.dmaap-mr|saitest|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub'}" -org.onap.dmaap.mr|service||"{'org.onap.dmaap.mr|access|*|read'}" -org.onap.dmaap-mr.sunil|admin2||"{'org.onap.dmaap-mr.sunil|test|:topic.org.onap.dmaap-bc.mr.dglTest201810100535|pub'}" -org.onap.dmaap-mr.sunil|admin|AAF Namespace Administrators|"{'org.onap.dmaap-mr.sunil|access|*|*'}" -org.onap.dmaap-mr.sunil|owner|AAF Namespace Owners|"{'org.onap.dmaap-mr.sunil|access|*|read'}" -org.onap.dmaap.mr|test1||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.test1|pub'}" -org.onap.dmaap-mr.test|admin|AAF Namespace Administrators|"{'org.onap.dmaap-mr.test|access|*|*'}" -org.onap.dmaap-mr.test|owner|AAF Namespace Owners|"{'org.onap.dmaap-mr.test|access|*|read'}" -org.onap.dmaap.mr.topic-000|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.topic-000|access|*|*'}" -org.onap.dmaap.mr.topic-000|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.topic-000|access|*|read'}" -org.onap.dmaap.mr.topic-000|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view'}" 
-org.onap.dmaap.mr.topic-000|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-000|view'}" -org.onap.dmaap.mr.topic-001|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.topic-001|access|*|*'}" -org.onap.dmaap.mr.topic-001|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.topic-001|access|*|read'}" -org.onap.dmaap.mr.topic-001|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|view'}" -org.onap.dmaap.mr.topic-001|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-001|view'}" -org.onap.dmaap.mr.topic-002|admin|AAF Namespace Administrators|"{'org.onap.dmaap.mr.topic-002|access|*|*'}" -org.onap.dmaap.mr.topic-002|owner|AAF Namespace Owners|"{'org.onap.dmaap.mr.topic-002|access|*|read'}" -org.onap.dmaap.mr.topic-002|publisher||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|pub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|view'}" -org.onap.dmaap.mr.topic-002|subscriber||"{'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|sub', 'org.onap.dmaap.mr|topic|:topic.org.onap.dmaap.mr.topic-002|view'}" -org.onap.dmaap.mr|view||"{'org.onap.dmaap.mr|topic|*|view'}" -org.onap.dmaap.mr|viewtest||"{'org.onap.dmaap.mr|viewtest|*|view'}" -org.onap.dmaap|owner|AAF Namespace Owners|"{'org.onap.dmaap|access|*|read'}" -org.onap.holmes|admin|AAF Namespace Administrators|"{'org.onap.holmes|access|*|*'}" -org.onap.holmes|owner|AAF Namespace Owners|"{'org.onap.holmes|access|*|read'}" -org.onap.holmes|service|| -org.onap.holmes-engine-mgmt|admin|AAF Namespace Administrators|"{'org.onap.holmes-engine-mgmt|access|*|*', 'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-engine-mgmt|owner|AAF Namespace Owners|"{'org.onap.holmes-engine-mgmt|access|*|read'}" 
-org.onap.holmes-engine-mgmt|seeCerts||"{'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-engine-mgmt|service||"{'org.onap.holmes-engine-mgmt|access|*|*'}" -org.onap.holmes-rule-mgmt|admin|AAF Namespace Administrators|"{'org.onap.holmes-rule-mgmt|access|*|*', 'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-rule-mgmt|owner|AAF Namespace Owners|"{'org.onap.holmes-rule-mgmt|access|*|read'}" -org.onap.holmes-rule-mgmt|seeCerts||"{'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass'}" -org.onap.holmes-rule-mgmt|service||"{'org.onap.holmes-rule-mgmt|access|*|*'}" -org.onap.msb-eag|admin|AAF Namespace Administrators|"{'org.onap.msb-eag|access|*|*'}" -org.onap.msb-eag|owner|AAF Namespace Owners|"{'org.onap.msb-eag|access|*|read'}" -org.onap.msb-eag|service||"{'org.onap.msb-eag|access|*|*'}" -org.onap.msb-iag|admin|AAF Namespace Administrators|"{'org.onap.msb-iag|access|*|*'}" -org.onap.msb-iag|owner|AAF Namespace Owners|"{'org.onap.msb-iag|access|*|read'}" -org.onap.msb-iag|service||"{'org.onap.msb-iag|access|*|*'}" -org.onap.music|admin|AAF Namespace Administrators|"{'org.onap.music|access|*|*', 'org.onap.music|certman|local|request,ignoreIPs,showpass'}" -org.onap.music|owner|AAF Namespace Owners|"{'org.onap.music|access|*|read'}" -org.onap.music|service|| -org.onap.nbi|admin|AAF Namespace Administrators|"{'org.onap.nbi|access|*|*', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass'}" -org.onap.nbi|owner|AAF Namespace Owners|"{'org.onap.nbi|access|*|read'}" -org.onap.nbi|seeCerts||"{'org.onap.nbi|certman|local|request,ignoreIPs,showpass'}" -org.onap.nbi|service||"{'org.onap.nbi|access|*|*'}" -org.onap.oof|admin|AAF Namespace Administrators|"{'org.onap.oof|access|*|*', 'org.onap.oof|certman|local|request,ignoreIPs,showpass'}" -org.onap.oof|owner|AAF Namespace Owners|"{'org.onap.oof|access|*|read'}" -org.onap.oof|service||"{'org.onap.oof|access|*|*'}" -org.onap|owner|onap 
Owners|"{'org.onap.access|*|read'}" -org.onap.policy|Account_Administrator|null| -org.onap.policy|admin||"{'org.onap.policy|access|*|*'}" -org.onap.policy|owner|AAF Namespace Owners|"{'org.onap.policy|access|*|read'}" -org.onap.policy|pdpd.admin|pdpd.admin|"{'org.onap.policy|access|*|*', 'org.onap.policy|access|*|read', 'org.onap.policy|pdpd.healthcheck.configuration|*|get', 'org.onap.policy|pdpd.healthcheck|*|get', 'org.onap.policy|pdpd.telemetry|*|delete', 'org.onap.policy|pdpd.telemetry|*|get', 'org.onap.policy|pdpd.telemetry|*|post', 'org.onap.policy|pdpd.telemetry|*|put'}" -org.onap.policy|pdpd.monitor|pdpd.monitor|"{'org.onap.policy|pdpd.healthcheck|*|get', 'org.onap.policy|pdpd.telemetry|*|get'}" -org.onap.policy|pdpx.admin|pdpx.admin|"{'org.onap.policy|pdpx.config|*|*', 'org.onap.policy|pdpx.createDictionary|*|*', 'org.onap.policy|pdpx.createPolicy|*|*', 'org.onap.policy|pdpx.decision|*|*', 'org.onap.policy|pdpx.getConfigByPolicyName|*|*', 'org.onap.policy|pdpx.getConfig|*|*', 'org.onap.policy|pdpx.getDecision|*|*', 'org.onap.policy|pdpx.getDictionary|*|*', 'org.onap.policy|pdpx.getMetrics|*|*', 'org.onap.policy|pdpx.listConfig|*|*', 'org.onap.policy|pdpx.listPolicy|*|*', 'org.onap.policy|pdpx.list|*|*', 'org.onap.policy|pdpx.policyEngineImport|*|*', 'org.onap.policy|pdpx.pushPolicy|*|*', 'org.onap.policy|pdpx.sendEvent|*|*', 'org.onap.policy|pdpx.updateDictionary|*|*', 'org.onap.policy|pdpx.updatePolicy|*|*'}" -org.onap.policy|pdpx.monitor|pdpx.monitor| -org.onap.policy|Policy_Admin|Policy_Admin|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_dictionary|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 'org.onap.policy|url|policy_push|*'}" -org.onap.policy|Policy_Editor|Policy_Editor|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 
'org.onap.policy|url|policy_push|*'}" -org.onap.policy|Policy_Guest|Policy_Guest|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*'}" -org.onap.policy|Policy_Super_Admin|Policy_Super_Admin|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_admin|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_dictionary|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 'org.onap.policy|url|policy_push|*', 'org.onap.policy|url|policy_roles|*'}" -org.onap.policy|Policy_Super_Guest|Policy_Super_Guest|"{'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*'}" -org.onap.policy|seeCerts|seeCerts|"{'org.onap.policy|certman|local|request,ignoreIPs,showpass'}" -org.onap.policy|Standard_User|Standard User|"{'org.onap.policy|menu|menu_ajax|*', 'org.onap.policy|menu|menu_customer_create|*', 'org.onap.policy|menu|menu_customer|*', 'org.onap.policy|menu|menu_home|*', 'org.onap.policy|menu|menu_itracker|*', 'org.onap.policy|menu|menu_logout|*', 'org.onap.policy|menu|menu_map|*', 'org.onap.policy|menu|menu_policy|*', 'org.onap.policy|menu|menu_profile|*', 'org.onap.policy|menu|menu_reports|*', 'org.onap.policy|menu|menu_tab|*', 'org.onap.policy|url|login|*', 'org.onap.policy|url|policy_admin|*', 'org.onap.policy|url|policy_dashboard|*', 'org.onap.policy|url|policy_dictionary|*', 'org.onap.policy|url|policy_editor|*', 'org.onap.policy|url|policy_pdp|*', 'org.onap.policy|url|policy_push|*', 'org.onap.policy|url|policy_roles|*'}" -org.onap.policy|System_Administrator|System Administrator|"{'org.onap.policy|menu|menu_admin|*', 'org.onap.policy|menu|menu_ajax|*', 'org.onap.policy|menu|menu_customer_create|*', 'org.onap.policy|menu|menu_customer|*', 'org.onap.policy|menu|menu_feedback|*', 'org.onap.policy|menu|menu_help|*', 
'org.onap.policy|menu|menu_home|*', 'org.onap.policy|menu|menu_itracker|*', 'org.onap.policy|menu|menu_job_create|*', 'org.onap.policy|menu|menu_job|*', 'org.onap.policy|menu|menu_logout|*', 'org.onap.policy|menu|menu_notes|*', 'org.onap.policy|menu|menu_process|*', 'org.onap.policy|menu|menu_profile_create|*', 'org.onap.policy|menu|menu_profile_import|*', 'org.onap.policy|menu|menu_profile|*', 'org.onap.policy|menu|menu_reports|*', 'org.onap.policy|menu|menu_sample|*', 'org.onap.policy|menu|menu_tab|*', 'org.onap.policy|menu|menu_test|*', 'org.onap.policy|url|doclib_admin|*', 'org.onap.policy|url|doclib|*', 'org.onap.policy|url|login|*'}" -org.onap.pomba|admin|AAF Namespace Administrators|"{'org.onap.pomba|access|*|*'}" -org.onap.pomba|owner|AAF Namespace Owners|"{'org.onap.pomba|access|*|read'}" -org.onap.portal|Account_Administrator|Account Administrator|"{'org.onap.portal|menu|menu_acc_admin|*', 'org.onap.portal|url|centralizedApps|*', 'org.onap.portal|url|getAdminNotifications|*', 'org.onap.portal|url|getAllWebAnalytics|*', 'org.onap.portal|url|getFunctionalMenuRole|*', 'org.onap.portal|url|getNotificationAppRoles|*', 'org.onap.portal|url|getUserAppsWebAnalytics|*', 'org.onap.portal|url|getUserJourneyAnalyticsReport|*', 'org.onap.portal|url|get_role_functions%2f%2a|*', 'org.onap.portal|url|get_roles%2f%2a|*', 'org.onap.portal|url|notification_code|*', 'org.onap.portal|url|role_function_list%2fsaveRoleFunction%2f%2a|*', 'org.onap.portal|url|syncRoles|*', 'org.onap.portal|url|userAppRoles|*', 'org.onap.portal|url|userApps|*'}" -org.onap.portal|admin|Portal Admins|"{'org.onap.portal.access|*|*'}" -org.onap.portal|owner|Portal Owner|"{'org.onap.portal.access|*|read'}" -org.onap.portal|Portal_Notification_Admin|Portal Notification Admin|"{'org.onap.portal|url|edit_notification|*', 'org.onap.portal|url|getAdminNotifications|*', 'org.onap.portal|url|saveNotification|*'}" -org.onap.portal|Portal_Usage_Analyst|Portal Usage 
Analyst|"{'org.onap.portal|menu|menu_web_analytics|*'}" -org.onap.portal|Restricted_App_Role|Restricted App Role| -org.onap.portal|Standard_User|Standard User|"{'org.onap.portal|menu|menu_home|*', 'org.onap.portal|menu|menu_logout|*', 'org.onap.portal|url|login|*'}" -org.onap.portal|System_Administrator|System Administrator|"{'org.onap.portal|menu|menu_acc_admin|*', 'org.onap.portal|menu|menu_admin|*', 'org.onap.portal|menu|menu_home|*', 'org.onap.portal|menu|menu_logout|*', 'org.onap.portal|url|login|*'}" -org.onap.portal.test|admin|AAF Namespace Administrators|"{'org.onap.portal.test|access|*|*'}" -org.onap.portal.test|oof-homing|| -org.onap.portal.test|owner|AAF Namespace Owners|"{'org.onap.portal.test|access|*|read'}" -org.onap.portal.test|user1|| -org.onap.portal|Usage_Analyst|Usage Analyst|"{'org.onap.portal|menu|menu_admin|*', 'org.onap.portal|menu|menu_task_search|*', 'org.onap.portal|menu|menu_task|*', 'org.onap.portal|menu|menu_web_analytics|*'}" -org.onap.refrepo|admin|AAF Namespace Administrators|"{'org.onap.refrepo|access|*|*', 'org.onap.refrepo|certman|local|request,ignoreIPs,showpass'}" -org.onap.refrepo|owner|AAF Namespace Owners|"{'org.onap.refrepo|access|*|read'}" -org.onap.refrepo|seeCerts||"{'org.onap.refrepo|certman|local|request,ignoreIPs,showpass'}" -org.onap.refrepo|service||"{'org.onap.refrepo|access|*|*'}" -org.onap.sdc|Account_Administrator|| -org.onap.sdc|admin|AAF Namespace Administrators|"{'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|access|*|*', 'org.onap.sdc|administrator.access|*|*', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass'}" -org.onap.sdc|ADMIN|ADMIN| -org.onap.sdc|app|app| -org.onap.sdc|designer||"{'org.onap.sdc|designer.access|*|*'}" -org.onap.sdc|governor||"{'org.onap.sdc|governance.access|*|*'}" -org.onap.sdc|ops||"{'org.onap.sdc|operations.access|*|*'}" -org.onap.sdc|owner|AAF Namespace Owners|"{'org.onap.sdc|access|*|read'}" -org.onap.sdc|tester||"{'org.onap.sdc|tester.access|*|*'}" 
-org.onap.sdc|TESTOR|TESTOR| -org.onap.sdnc|admin|AAF Namespace Administrators|"{'org.onap.sdnc|access|*|*', 'org.onap.sdnc|odl|odl-api|*'}" -org.onap.sdnc-cds|admin|AAF Namespace Administrators|"{'org.onap.sdnc-cds|access|*|*'}" -org.onap.sdnc-cds|owner|AAF Namespace Owners|"{'org.onap.sdnc-cds|access|*|read'}" -org.onap.sdnc-cds|service||"{'org.onap.sdnc-cds|access|*|*'}" -org.onap.sdnc|owner|AAF Namespace Owners|"{'org.onap.sdnc|access|*|read'}" -org.onap.sdnc|service||"{'org.onap.sdnc|access|*|*', 'org.onap.sdnc|odl|odl-api|*', 'org.onap.sdnc|odl|odl-api|create', 'org.onap.sdnc|odl|odl-api|delete', 'org.onap.sdnc|odl|odl-api|read', 'org.onap.sdnc|odl|odl-api|update'}" -org.onap.so|admin|AAF Namespace Administrators|"{'org.onap.so|access|*|*', 'org.onap.so|certman|local|request,ignoreIPs,showpass'}" -org.onap.so|app||"{'org.onap.so|access|*|*'}" -org.onap.so|owner|AAF Namespace Owners|"{'org.onap.so|access|*|read'}" -org.onap.so|seeCerts||"{'org.onap.so|certman|local|request,ignoreIPs,showpass'}" -org.onap.vfc|admin|AAF Namespace Administrators|"{'org.onap.vfc|access|*|*'}" -org.onap.vfc|owner|AAF Namespace Owners|"{'org.onap.vfc|access|*|read'}" -org.onap.vfc|service||"{'org.onap.vfc|access|*|*'}" -org.onap.vid1|admin|AAF Namespace Administrators|"{'org.onap.vid1|access|*|*'}" -org.onap.vid1|owner|AAF Namespace Owners|"{'org.onap.vid1|access|*|read'}" -org.onap.vid2|admin|AAF Namespace Administrators|"{'org.onap.vid2|access|*|*'}" -org.onap.vid2|owner|AAF Namespace Owners|"{'org.onap.vid2|access|*|read'}" -org.onap.vid|Account_Administrator|| -org.onap.vid|admin|AAF Namespace Administrators|"{'org.onap.vid|access|*|*'}" -org.onap.vid|Demonstration___gNB|| -org.onap.vid|Demonstration___vCPE|| -org.onap.vid|Demonstration___vFW|| -org.onap.vid|Demonstration___vFWCL|| -org.onap.vid|Demonstration___vIMS|| -org.onap.vid|Demonstration___vLB|| -org.onap.vid|member|member| -org.onap.vid|owner|AAF Namespace Owners|"{'org.onap.vid|access|*|read'}" 
-org.onap.vid|seeCerts|seeCerts| -org.onap.vid|service|service| -org.onap.vid|Standard_User|Standard User|"{'org.onap.vid|menu|menu_ajax|*', 'org.onap.vid|menu|menu_changemanagement|*', 'org.onap.vid|menu|menu_customer_create|*', 'org.onap.vid|menu|menu_customer|*', 'org.onap.vid|menu|menu_home|*', 'org.onap.vid|menu|menu_itracker|*', 'org.onap.vid|menu|menu_logout|*', 'org.onap.vid|menu|menu_map|*', 'org.onap.vid|menu|menu_newserinstance|*', 'org.onap.vid|menu|menu_profile|*', 'org.onap.vid|menu|menu_reports|*', 'org.onap.vid|menu|menu_searchexisting|*', 'org.onap.vid|menu|menu_servicemodels|*', 'org.onap.vid|menu|menu_tab|*', 'org.onap.vid|menu|menu_viewlog|*', 'org.onap.vid|url|login|*'}" -org.onap.vid|System_Administrator|System Administrator|"{'org.onap.vid|menu|menu_admin|*', 'org.onap.vid|menu|menu_ajax|*', 'org.onap.vid|menu|menu_changemanagement|*', 'org.onap.vid|menu|menu_customer_create|*', 'org.onap.vid|menu|menu_customer|*', 'org.onap.vid|menu|menu_feedback|*', 'org.onap.vid|menu|menu_help|*', 'org.onap.vid|menu|menu_home|*', 'org.onap.vid|menu|menu_itracker|*', 'org.onap.vid|menu|menu_job_create|*', 'org.onap.vid|menu|menu_job|*', 'org.onap.vid|menu|menu_logout|*', 'org.onap.vid|menu|menu_newserinstance|*', 'org.onap.vid|menu|menu_notes|*', 'org.onap.vid|menu|menu_process|*', 'org.onap.vid|menu|menu_profile_create|*', 'org.onap.vid|menu|menu_profile_import|*', 'org.onap.vid|menu|menu_profile|*', 'org.onap.vid|menu|menu_reports|*', 'org.onap.vid|menu|menu_sample|*', 'org.onap.vid|menu|menu_searchexisting|*', 'org.onap.vid|menu|menu_servicemodels|*', 'org.onap.vid|menu|menu_tab|*', 'org.onap.vid|menu|menu_test|*', 'org.onap.vid|menu|menu_viewlog|*', 'org.onap.vid|url|doclib_admin|*', 'org.onap.vid|url|doclib|*', 'org.onap.vid|url|login|*'}" -org.onap.uui|admin|AAF Namespace Administrators|"{'org.onap.uui|access|*|*', 'org.onap.uui|certman|local|request,ignoreIPs,showpass'}" -org.onap.uui|owner|AAF Namespace Owners|"{'org.onap.uui|access|*|read'}" 
-org.onap.uui|seeCerts||"{'org.onap.uui|certman|local|request,ignoreIPs,showpass'}" -org.onap.uui|service||"{'org.onap.uui|access|*|*'}" -org.openecomp|admin|OpenEcomp Admins|"{'org.openecomp.access|*|*'}" -org.openecomp.dmaapBC|admin|AAF Admins|"{'org.openecomp.dmaapBC.access|*|*', 'org.openecomp.dmaapBC.mr.topic|:topic.org.openecomp.dmaapBC.newtopic|pub', 'org.openecomp.dmaapBC.mr.topic|:topic.org.openecomp.dmaapBC.newtopic|sub', 'org.openecomp.dmaapBC.topicFactory|:org.openecomp.dmaapBC.topic:org.openecomp.dmaapBC|create'}" -org.openecomp.dmaapBC|owner|AAF Owners|"{'org.openecomp.dmaapBC.access|*|read'}" -org.openecomp|owner|OpenEcomp Owners|"{'org.openecomp.access|*|read'}" -org.osaaf.aaf|admin|AAF Admins|"{'org.osaaf.aaf.access|*|*', 'org.osaaf.aaf|cache|all|clear', 'org.osaaf.aaf|cache|role|clear', 'org.osaaf.aaf|password|*|create,reset'}" -org.osaaf.aaf|deploy|ONAP Deployment Role|"{'org.onap.a1p|certman|local|request,ignoreIPs,showpass', 'org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass', 'org.onap.aai|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-resources|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-schema-service|certman|local|request,ignoreIPs,showpass', 'org.onap.aai-traversal|certman|local|request,ignoreIPs,showpass', 'org.onap.appc|certman|local|request,ignoreIPs,showpass', 'org.onap.appc-cdt|certman|local|request,ignoreIPs,showpass', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass', 'org.onap.cli|certman|local|request,ignoreIPs,showpass', 'org.onap.dcae|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass', 
'org.onap.holmes-engine-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.holmes-rule-mgmt|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-eag|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-iag|certman|local|request,ignoreIPs,showpass', 'org.onap.music|certman|local|request,ignoreIPs,showpass', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass', 'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.policy|certman|local|request,ignoreIPs,showpass', 'org.onap.pomba|certman|local|request,ignoreIPs,showpass', 'org.onap.portal|certman|local|request,ignoreIPs,showpass', 'org.onap.refrepo|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc|certman|local|request,ignoreIPs,showpass', 'org.onap.so|certman|local|request,ignoreIPs,showpass', 'org.onap.vfc|certman|local|request,ignoreIPs,showpass', 'org.onap.vid1|certman|local|request,ignoreIPs,showpass', 'org.onap.vid2|certman|local|request,ignoreIPs,showpass', 'org.onap.vid|certman|local|request,ignoreIPs,showpass', 'org.onap.uui|certman|local|request,ignoreIPs,showpass', 'org.osaaf.aaf|certman|local|request,ignoreIPs,showpass'}" -org.osaaf.aaf|owner|AAF Owners|"{'org.osaaf.aaf.access|*|read,approve'}" -org.osaaf.aaf|service||"{'org.osaaf.aaf|cache|*|clear'}" -org.osaaf|admin|OSAAF Admins|"{'org.osaaf.access|*|*'}" -org.osaaf|owner|OSAAF Owners|"{'org.osaaf.access|*|read,approve'}" -org.osaaf.people|admin|AAF Namespace Administrators|"{'org.osaaf.people|access|*|*'}" -org.osaaf.people|owner|AAF Namespace Owners|"{'org.osaaf.people|access|*|read'}" -org|owner|Org Owners|"{'org.access|*|read,approve'}" diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat deleted file mode 100644 index bc9f0ec833..0000000000 
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat +++ /dev/null 
@@ -1,430 +0,0 @@ -mmanager@people.osaaf.org|org.onap.a1p.admin|2020-11-26 12:31:54.000+0000|org.onap.a1p|admin -mmanager@people.osaaf.org|org.onap.a1p.owner|2020-11-26 12:31:54.000+0000|org.onap.a1p|owner -mmanager@people.osaaf.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin -mmanager@people.osaaf.org|org.onap.aaf-sms.owner|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|owner -mmanager@people.osaaf.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -mmanager@people.osaaf.org|org.onap.aai.owner|2020-11-26 12:31:54.000+0000|org.onap.aai|owner -mmanager@people.osaaf.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin -mmanager@people.osaaf.org|org.onap.aai-resources.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|owner -mmanager@people.osaaf.org|org.onap.aai-schema-service.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|admin -mmanager@people.osaaf.org|org.onap.aai-schema-service.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|owner -mmanager@people.osaaf.org|org.onap.aai-traversal.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|admin -mmanager@people.osaaf.org|org.onap.aai-traversal.owner|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|owner -mmanager@people.osaaf.org|org.onap.admin|2020-11-26 12:31:54.000+0000|org.onap|admin -mmanager@people.osaaf.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -mmanager@people.osaaf.org|org.onap.appc.owner|2020-11-26 12:31:54.000+0000|org.onap.appc|owner -mmanager@people.osaaf.org|org.onap.appc-cdt.admin|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|admin -mmanager@people.osaaf.org|org.onap.appc-cdt.owner|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|owner -mmanager@people.osaaf.org|org.onap.cds.admin|2020-11-26 12:31:54.000+0000|org.onap.cds|admin -mmanager@people.osaaf.org|org.onap.cds.owner|2020-11-26 12:31:54.000+0000|org.onap.cds|owner 
-mmanager@people.osaaf.org|org.onap.clamp.admin|2020-11-26 12:31:54.000+0000|org.onap.clamp|admin -mmanager@people.osaaf.org|org.onap.clamp.owner|2020-11-26 12:31:54.000+0000|org.onap.clamp|owner -mmanager@people.osaaf.org|org.onap.cli.admin|2020-11-26 12:31:54.000+0000|org.onap.cli|admin -mmanager@people.osaaf.org|org.onap.cli.owner|2020-11-26 12:31:54.000+0000|org.onap.cli|owner -mmanager@people.osaaf.org|org.onap.dcae.admin|2020-11-26 12:31:54.000+0000|org.onap.dcae|admin -mmanager@people.osaaf.org|org.onap.dcae.owner|2020-11-26 12:31:54.000+0000|org.onap.dcae|owner -mmanager@people.osaaf.org|org.onap.dmaap.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -mmanager@people.osaaf.org|org.onap.dmaap-bc-mm-prov.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc-mm-prov.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|owner -mmanager@people.osaaf.org|org.onap.dmaap-bc.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|owner -mmanager@people.osaaf.org|org.onap.dmaap-bc-topic-mgr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|admin -mmanager@people.osaaf.org|org.onap.dmaap-bc-topic-mgr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|owner -mmanager@people.osaaf.org|org.onap.dmaap-dr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|admin -mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-123450.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123450|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-123451.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|owner 
-mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-1547667570.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-1547667570|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547665517.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547665517|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547666628.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666628|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547666760.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666760|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547666950.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666950|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTest-1547667031.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547667031|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-123456.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123456|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-123457.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123457|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547660509.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660509|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547660861.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660861|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547661011.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547661011|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547662122.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662122|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547662451.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662451|owner 
-mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547664813.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664813|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547664928.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664928|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTestTopic-1547666068.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547666068|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.aTopic-1547654909.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTopic-1547654909|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.dgl000.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|owner -mmanager@people.osaaf.org|org.onap.dmaap.mr.partitionTest-1546033194.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.partitionTest-1546033194|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.sunil.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.sunil|owner -mmanager@people.osaaf.org|org.onap.dmaap-mr.test.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.test|owner -mmanager@people.osaaf.org|org.onap.dmaap.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap|owner -mmanager@people.osaaf.org|org.onap.holmes.owner|2020-11-26 12:31:54.000+0000|org.onap.holmes|owner -mmanager@people.osaaf.org|org.onap.holmes-engine-mgmt.owner|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|owner -mmanager@people.osaaf.org|org.onap.holmes-rule-mgmt.owner|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|owner -mmanager@people.osaaf.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin -mmanager@people.osaaf.org|org.onap.msb-eag.owner|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|owner 
-mmanager@people.osaaf.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin -mmanager@people.osaaf.org|org.onap.msb-iag.owner|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|owner -mmanager@people.osaaf.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin -mmanager@people.osaaf.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner -mmanager@people.osaaf.org|org.onap.nbi.owner|2020-11-26 12:31:54.000+0000|org.onap.nbi|owner -mmanager@people.osaaf.org|org.onap.ngi.owner|2020-11-26 12:31:54.000+0000|org.onap.ngi|owner -mmanager@people.osaaf.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -mmanager@people.osaaf.org|org.onap.oof.owner|2020-11-26 12:31:54.000+0000|org.onap.oof|owner -mmanager@people.osaaf.org|org.onap.owner|2020-11-26 12:31:54.000+0000|org.onap|owner -mmanager@people.osaaf.org|org.onap.policy.owner|2020-11-26 12:31:54.000+0000|org.onap.policy|owner -mmanager@people.osaaf.org|org.onap.pomba.admin|2020-11-26 12:31:54.000+0000|org.onap.pomba|admin -mmanager@people.osaaf.org|org.onap.pomba.owner|2020-11-26 12:31:54.000+0000|org.onap.pomba|owner -mmanager@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -mmanager@people.osaaf.org|org.onap.portal.owner|2020-11-26 12:31:54.000+0000|org.onap.portal|owner -mmanager@people.osaaf.org|org.onap.refrepo.owner|2020-11-26 12:31:54.000+0000|org.onap.refrepo|owner -mmanager@people.osaaf.org|org.onap.sdc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdc|admin -mmanager@people.osaaf.org|org.onap.sdc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdc|owner -mmanager@people.osaaf.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin -mmanager@people.osaaf.org|org.onap.sdnc-cds.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|admin -mmanager@people.osaaf.org|org.onap.sdnc-cds.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|owner 
-mmanager@people.osaaf.org|org.onap.sdnc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc|owner -mmanager@people.osaaf.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -mmanager@people.osaaf.org|org.onap.so.owner|2020-11-26 12:31:54.000+0000|org.onap.so|owner -mmanager@people.osaaf.org|org.onap.vfc.admin|2020-11-26 12:31:54.000+0000|org.onap.vfc|admin -mmanager@people.osaaf.org|org.onap.vfc.owner|2020-11-26 12:31:54.000+0000|org.onap.vfc|owner -mmanager@people.osaaf.org|org.onap.vid1.admin|2020-11-26 12:31:54.000+0000|org.onap.vid1|admin -mmanager@people.osaaf.org|org.onap.vid1.owner|2020-11-26 12:31:54.000+0000|org.onap.vid1|owner -mmanager@people.osaaf.org|org.onap.vid2.admin|2020-11-26 12:31:54.000+0000|org.onap.vid2|admin -mmanager@people.osaaf.org|org.onap.vid2.owner|2020-11-26 12:31:54.000+0000|org.onap.vid2|owner -mmanager@people.osaaf.org|org.onap.vid.admin|2020-11-26 12:31:54.000+0000|org.onap.vid|admin -mmanager@people.osaaf.org|org.onap.vid.owner|2020-11-26 12:31:54.000+0000|org.onap.vid|owner -mmanager@people.osaaf.org|org.onap.uui.owner|2020-11-26 12:31:54.000+0000|org.onap.uui|owner -mmanager@people.osaaf.org|org.osaaf.people.owner|2020-11-26 12:31:54.000+0000|org.osaaf.people|owner -portal@portal.onap.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin -portal@portal.onap.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -portal@portal.onap.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin -portal@portal.onap.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -portal@portal.onap.org|org.onap.appc.apidoc|2020-11-26 12:31:54.000+0000|org.onap.appc|apidoc -portal@portal.onap.org|org.onap.appc.restconf|2020-11-26 12:31:54.000+0000|org.onap.appc|restconf -portal@portal.onap.org|org.onap.cds.admin|2020-11-26 12:31:54.000+0000|org.onap.cds|admin -portal@portal.onap.org|org.onap.clamp.admin|2020-11-26 
12:31:54.000+0000|org.onap.clamp|admin -portal@portal.onap.org|org.onap.dcae.admin|2020-11-26 12:31:54.000+0000|org.onap.dcae|admin -portal@portal.onap.org|org.onap.dmaap-bc.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|admin -portal@portal.onap.org|org.onap.dmaap-bc.api.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|admin -portal@portal.onap.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -portal@portal.onap.org|org.onap.dmaap-bc-mm-prov.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|admin -portal@portal.onap.org|org.onap.dmaap-bc-topic-mgr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|admin -portal@portal.onap.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin -portal@portal.onap.org|org.onap.dmaap-mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|admin -portal@portal.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -portal@portal.onap.org|org.onap.dmaap.mr.dgl_ready.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl_ready|owner -portal@portal.onap.org|org.onap.dmaap.mr.IdentityTopic-12345.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-12345|owner -portal@portal.onap.org|org.onap.dmaap.mr.IdentityTopic-1547839476.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-1547839476|owner -portal@portal.onap.org|org.onap.dmaap.mr.mirrormakeragent.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|owner -portal@portal.onap.org|org.onap.dmaap.mr.mrtesttopic.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.sub -portal@portal.onap.org|org.onap.dmaap.mr.PM_MAPPER.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|owner -portal@portal.onap.org|org.onap.dmaap.mr.PNF_READY.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|owner -portal@portal.onap.org|org.onap.dmaap.mr.PNF_REGISTRATION.owner|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|owner -portal@portal.onap.org|org.onap.dmaap-mr.sunil.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.sunil|admin -portal@portal.onap.org|org.onap.dmaap.mr.test1|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|test1 -portal@portal.onap.org|org.onap.dmaap-mr.test.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.test|admin -portal@portal.onap.org|org.onap.dmaap.mr.topic-000.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-000|owner -portal@portal.onap.org|org.onap.dmaap.mr.topic-001.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|owner -portal@portal.onap.org|org.onap.dmaap.mr.topic-002.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|owner -portal@portal.onap.org|org.onap.holmes.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes|admin -portal@portal.onap.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin -portal@portal.onap.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin -portal@portal.onap.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin -portal@portal.onap.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner -portal@portal.onap.org|org.onap.nbi.admin|2020-11-26 12:31:54.000+0000|org.onap.nbi|admin -portal@portal.onap.org|org.onap.ngi.admin|2020-11-26 12:31:54.000+0000|org.onap.ngi|admin -portal@portal.onap.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -portal@portal.onap.org|org.onap.policy.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|admin -portal@portal.onap.org|org.onap.pomba.admin|2020-11-26 12:31:54.000+0000|org.onap.pomba|admin -portal@portal.onap.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -portal@portal.onap.org|org.onap.sdc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdc|admin -portal@portal.onap.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin 
-portal@portal.onap.org|org.onap.sdnc-cds.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|admin -portal@portal.onap.org|org.onap.sdnc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc|owner -portal@portal.onap.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -portal@portal.onap.org|org.onap.vfc.admin|2020-11-26 12:31:54.000+0000|org.onap.vfc|admin -portal@portal.onap.org|org.onap.vid1.admin|2020-11-26 12:31:54.000+0000|org.onap.vid1|admin -portal@portal.onap.org|org.onap.vid2.admin|2020-11-26 12:31:54.000+0000|org.onap.vid2|admin -portal@portal.onap.org|org.onap.vid.admin|2020-11-26 12:31:54.000+0000|org.onap.vid|admin -portal@portal.onap.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -portal@portal.onap.org|org.osaaf.people.admin|2020-11-26 12:31:54.000+0000|org.osaaf.people|admin -shi@portal.onap.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -demo@mr.dmaap.onap.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -demo@people.osaaf.org|org.onap.aai.aaiui|2020-11-26 12:31:54.000+0000|org.onap.aai|aaiui -demo@people.osaaf.org|org.onap.aai.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.aai|Account_Administrator -demo@people.osaaf.org|org.onap.aai.resources_readonly|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_readonly -demo@people.osaaf.org|org.onap.aai.traversal_basic|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_basic -demo@people.osaaf.org|org.onap.clamp.service|2020-11-26 12:31:54.000+0000|org.onap.clamp|service -demo@people.osaaf.org|org.onap.dcae.pnfPublisher|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfPublisher -demo@people.osaaf.org|org.onap.dcae.pnfSubscriber|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfSubscriber -demo@people.osaaf.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -demo@people.osaaf.org|org.onap.dmaap.mr.aNewTopic-123451.publisher|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|publisher -demo@people.osaaf.org|org.onap.dmaap.mr.create|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|create -demo@people.osaaf.org|org.onap.dmaap.mr.destroy|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|destroy -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|pub -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|publisher -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|sub -demo@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|subscriber -demo@people.osaaf.org|org.onap.dmaap.mr.mrtesttopic.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.pub -demo@people.osaaf.org|org.onap.dmaap.mr.mrtesttopic.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.sub -demo@people.osaaf.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -demo@people.osaaf.org|org.onap.policy.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.policy|Account_Administrator -demo@people.osaaf.org|org.onap.policy.pdpd.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpd.admin -demo@people.osaaf.org|org.onap.policy.pdpx.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpx.admin -demo@people.osaaf.org|org.onap.policy.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.policy|System_Administrator -demo@people.osaaf.org|org.onap.portal.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.portal|Account_Administrator -demo@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -demo@people.osaaf.org|org.onap.portal.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.portal|System_Administrator 
-demo@people.osaaf.org|org.onap.portal.test.admin|2020-11-26 12:31:54.000+0000|org.onap.portal.test|admin -demo@people.osaaf.org|org.onap.portal.test.owner|2020-11-26 12:31:54.000+0000|org.onap.portal.test|owner -demo@people.osaaf.org|org.onap.portal.test.user1|2020-11-26 12:31:54.000+0000|org.onap.portal.test|user1 -demo@people.osaaf.org|org.onap.sdc.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.sdc|Account_Administrator -demo@people.osaaf.org|org.onap.sdc.ADMIN|2020-11-26 12:31:54.000+0000|org.onap.sdc|ADMIN -demo@people.osaaf.org|org.onap.vid.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|Account_Administrator -demo@people.osaaf.org|org.onap.vid.Demonstration___gNB|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___gNB -demo@people.osaaf.org|org.onap.vid.Demonstration___vCPE|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vCPE -demo@people.osaaf.org|org.onap.vid.Demonstration___vFW|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vFW -demo@people.osaaf.org|org.onap.vid.Demonstration___vFWCL|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vFWCL -demo@people.osaaf.org|org.onap.vid.Demonstration___vIMS|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vIMS -demo@people.osaaf.org|org.onap.vid.Demonstration___vLB|2020-11-26 12:31:54.000+0000|org.onap.vid|Demonstration___vLB -demo@people.osaaf.org|org.onap.vid.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|System_Administrator -jh0003@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -jh0003@people.osaaf.org|org.onap.sdc.Account_Administrator|2020-11-26 12:31:54.000+0000|org.onap.sdc|Account_Administrator -jh0003@people.osaaf.org|org.onap.sdc.ADMIN|2020-11-26 12:31:54.000+0000|org.onap.sdc|ADMIN -cs0008@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -jm0007@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR 
-op0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -gv0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -pm0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -ps0001@people.osaaf.org|org.onap.sdc.TESTOR|2020-11-26 12:31:54.000+0000|org.onap.sdc|TESTOR -aaf_admin@people.osaaf.org|org.onap.a1p.admin|2020-11-26 12:31:54.000+0000|org.onap.a1p|admin -aaf_admin@people.osaaf.org|org.onap.aaf-sms.admin|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|admin -aaf_admin@people.osaaf.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -aaf_admin@people.osaaf.org|org.onap.aai-resources.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|admin -aaf_admin@people.osaaf.org|org.onap.aai-schema-service.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|admin -aaf_admin@people.osaaf.org|org.onap.aai-traversal.admin|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|admin -aaf_admin@people.osaaf.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -aaf_admin@people.osaaf.org|org.onap.appc.apidoc|2020-11-26 12:31:54.000+0000|org.onap.appc|apidoc -aaf_admin@people.osaaf.org|org.onap.appc.restconf|2020-11-26 12:31:54.000+0000|org.onap.appc|restconf -aaf_admin@people.osaaf.org|org.onap.appc-cdt.admin|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|admin -aaf_admin@people.osaaf.org|org.onap.cds.admin|2020-11-26 12:31:54.000+0000|org.onap.cds|admin -aaf_admin@people.osaaf.org|org.onap.clamp.admin|2020-11-26 12:31:54.000+0000|org.onap.clamp|admin -aaf_admin@people.osaaf.org|org.onap.cli.admin|2020-11-26 12:31:54.000+0000|org.onap.cli|admin -aaf_admin@people.osaaf.org|org.onap.dcae.admin|2020-11-26 12:31:54.000+0000|org.onap.dcae|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc.api.admin|2020-11-26 
12:31:54.000+0000|org.onap.dmaap-bc.api|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -aaf_admin@people.osaaf.org|org.onap.dmaap-bc-mm-prov.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-mm-prov|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-bc-topic-mgr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap-mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.dgl_ready.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl_ready|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.IdentityTopic-12345.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-12345|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.IdentityTopic-1547839476.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-1547839476|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.mirrormakeragent.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.mrtesttopic.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mrtesttopic.sub -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.PM_MAPPER.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.PNF_READY.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.PNF_REGISTRATION.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|owner -aaf_admin@people.osaaf.org|org.onap.dmaap-mr.sunil.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.sunil|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.test1|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr|test1 -aaf_admin@people.osaaf.org|org.onap.dmaap-mr.test.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.test|admin -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-000.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-000|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-001.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|owner -aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-002.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|owner -aaf_admin@people.osaaf.org|org.onap.holmes.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes|admin -aaf_admin@people.osaaf.org|org.onap.holmes-engine-mgmt.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|admin -aaf_admin@people.osaaf.org|org.onap.holmes-rule-mgmt.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|admin -aaf_admin@people.osaaf.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin -aaf_admin@people.osaaf.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin -aaf_admin@people.osaaf.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin -aaf_admin@people.osaaf.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner -aaf_admin@people.osaaf.org|org.onap.nbi.admin|2020-11-26 12:31:54.000+0000|org.onap.nbi|admin -aaf_admin@people.osaaf.org|org.onap.ngi.admin|2020-11-26 12:31:54.000+0000|org.onap.ngi|admin -aaf_admin@people.osaaf.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -aaf_admin@people.osaaf.org|org.onap.policy.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|admin -aaf_admin@people.osaaf.org|org.onap.pomba.admin|2020-11-26 12:31:54.000+0000|org.onap.pomba|admin -aaf_admin@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -aaf_admin@people.osaaf.org|org.onap.refrepo.admin|2020-11-26 12:31:54.000+0000|org.onap.refrepo|admin 
-aaf_admin@people.osaaf.org|org.onap.sdc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdc|admin -aaf_admin@people.osaaf.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin -aaf_admin@people.osaaf.org|org.onap.sdnc-cds.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|admin -aaf_admin@people.osaaf.org|org.onap.sdnc.owner|2020-11-26 12:31:54.000+0000|org.onap.sdnc|owner -aaf_admin@people.osaaf.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -aaf_admin@people.osaaf.org|org.onap.vfc.admin|2020-11-26 12:31:54.000+0000|org.onap.vfc|admin -aaf_admin@people.osaaf.org|org.onap.vid1.admin|2020-11-26 12:31:54.000+0000|org.onap.vid1|admin -aaf_admin@people.osaaf.org|org.onap.vid2.admin|2020-11-26 12:31:54.000+0000|org.onap.vid2|admin -aaf_admin@people.osaaf.org|org.onap.vid.admin|2020-11-26 12:31:54.000+0000|org.onap.vid|admin -aaf_admin@people.osaaf.org|org.onap.uui.admin|2020-11-26 12:31:54.000+0000|org.onap.uui|admin -aaf_admin@people.osaaf.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -aaf_admin@people.osaaf.org|org.osaaf.people.admin|2020-11-26 12:31:54.000+0000|org.osaaf.people|admin -deployer@people.osaaf.org|org.osaaf.aaf.deploy|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|deploy -portal_admin@people.osaaf.org|org.onap.portal.admin|2020-11-26 12:31:54.000+0000|org.onap.portal|admin -aaf@aaf.osaaf.org|org.admin|2020-11-26 12:31:54.000+0000|org|admin -aaf@aaf.osaaf.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -aaf@aaf.osaaf.org|org.osaaf.aaf.service|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|service -aaf@aaf.osaaf.org|org.osaaf.people.admin|2020-11-26 12:31:54.000+0000|org.osaaf.people|admin -osaaf@aaf.osaaf.org|org.osaaf.aaf.admin|2020-11-26 12:31:54.000+0000|org.osaaf.aaf|admin -a1p@a1p.onap.org|org.onap.a1p.service|2020-11-26 12:31:54.000+0000|org.onap.a1p|service -aaf-sms@aaf-sms.onap.org|org.onap.aaf-sms.service|2020-11-26 12:31:54.000+0000|org.onap.aaf-sms|service 
-aai@aai.onap.org|org.onap.aai.admin|2020-11-26 12:31:54.000+0000|org.onap.aai|admin -aai@aai.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -aai@aai.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -aai-resources@aai-resources.onap.org|org.onap.aai-resources.service|2020-11-26 12:31:54.000+0000|org.onap.aai-resources|service -aai-schema-service@aai-schema-service.onap.org|org.onap.aai-schema-service.service|2020-11-26 12:31:54.000+0000|org.onap.aai-schema-service|service -aai-traversal@aai-traversal.onap.org|org.onap.aai-traversal.service|2020-11-26 12:31:54.000+0000|org.onap.aai-traversal|service -appc@appc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -appc@appc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -appc@appc.onap.org|org.onap.appc.admin|2020-11-26 12:31:54.000+0000|org.onap.appc|admin -appc@appc.onap.org|org.onap.appc.odl|2020-11-26 12:31:54.000+0000|org.onap.appc|odl -appc@appc.onap.org|org.onap.appc.service|2020-11-26 12:31:54.000+0000|org.onap.appc|service -appc-cdt@appc-cdt.onap.org|org.onap.appc-cdt.service|2020-11-26 12:31:54.000+0000|org.onap.appc-cdt|service -cli@cli.onap.org|org.onap.cli.service|2020-11-26 12:31:54.000+0000|org.onap.cli|service -clamp@clampdemo.onap.org|org.onap.clampdemo.owner|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|owner -clamp@clampdemo.onap.org|org.onap.clampdemo.service|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|admin -clamp@clamp.onap.org|org.onap.clamp.clds.admin.dev|2020-11-26 12:31:54.000+0000|org.onap.clamp|clds.admin.dev -clamp@clamp.onap.org|org.onap.clamp.clds.designer.dev|2020-11-26 12:31:54.000+0000|org.onap.clamp|clds.designer.dev -clamp@clamp.onap.org|org.onap.clamp.clds.vf_filter_all.dev|2020-11-26 12:31:54.000+0000|org.onap.clamp|clds.vf_filter_all.dev 
-clamp@clamp.onap.org|org.onap.clampdemo.owner|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|owner -clamp@clamp.onap.org|org.onap.clampdemo.service|2020-11-26 12:31:54.000+0000|org.onap.clampdemo|admin -clamp@clamp.onap.org|org.onap.clamp.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.clamp|seeCerts -clamp@clamp.onap.org|org.onap.clamp.service|2020-11-26 12:31:54.000+0000|org.onap.clamp|service -clamp@clamp.onap.org|org.onap.clamptest.owner|2020-11-26 12:31:54.000+0000|org.onap.clamptest|owner -clamp@clamp.onap.org|org.onap.clamptest.service|2020-11-26 12:31:54.000+0000|org.onap.clamptest|admin -clamp@clamp.onap.org|org.onap.dmaap.mr.aNewTopic-123451.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|subscriber -clamp@clamp.onap.org|org.onap.dmaap.mr.dgl000.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|subscriber -clamp@clamp.osaaf.org|org.onap.clamp.service|2020-11-26 12:31:54.000+0000|org.onap.clamp|service -clamp@clamptest.onap.org|org.onap.clamptest.owner|2020-11-26 12:31:54.000+0000|org.onap.clamptest|owner -clamp@clamptest.onap.org|org.onap.clamptest.service|2020-11-26 12:31:54.000+0000|org.onap.clamptest|admin -dcae@dcae.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -dcae@dcae.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -dcae@dcae.onap.org|org.onap.dcae.pmPublisher|2020-11-26 12:31:54.000+0000|org.onap.dcae|pmPublisher -dcae@dcae.onap.org|org.onap.dcae.pmSubscriber|2020-11-26 12:31:54.000+0000|org.onap.dcae|pmSubscriber -dcae@dcae.onap.org|org.onap.dcae.pnfPublisher|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfPublisher -dcae@dcae.onap.org|org.onap.dcae.pnfSubscriber|2020-11-26 12:31:54.000+0000|org.onap.dcae|pnfSubscriber -dcae@dcae.onap.org|org.onap.dcae.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dcae|seeCerts -dcae@dcae.onap.org|org.onap.dmaap-dr.feed.admin|2020-11-26 
12:31:54.000+0000|org.onap.dmaap-dr|feed.admin -dcae@dcae.onap.org|org.onap.dmaap-dr.sub.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|sub.admin -dcae@dcae.onap.org|org.onap.dmaap.mr.aNewTopic-123451.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|subscriber -dcae@dcae.onap.org|org.onap.dmaap.mr.PM_MAPPER.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|publisher -dcae@dcae.onap.org|org.onap.dmaap.mr.PNF_READY.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|pub -dcae@dcae.onap.org|org.onap.dmaap.mr.PNF_REGISTRATION.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|sub -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|org.onap.holmes-engine-mgmt.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|seeCerts -holmes-engine-mgmt@holmes-engine-mgmt.onap.org|org.onap.holmes-engine-mgmt.service|2020-11-26 12:31:54.000+0000|org.onap.holmes-engine-mgmt|service -holmes-rule-mgmt@holmes-rule-mgmt.onap.org|org.onap.holmes-rule-mgmt.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|seeCerts -holmes-rule-mgmt@holmes-rule-mgmt.onap.org|org.onap.holmes-rule-mgmt.service|2020-11-26 12:31:54.000+0000|org.onap.holmes-rule-mgmt|service -oof@oof.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -oof@oof.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -oof@oof.onap.org|org.onap.oof.admin|2020-11-26 12:31:54.000+0000|org.onap.oof|admin -oof@oof.onap.org|org.onap.oof.service|2020-11-26 12:31:54.000+0000|org.onap.oof|service -so@so.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -so@so.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -so@so.onap.org|org.onap.appc.service|2020-11-26 12:31:54.000+0000|org.onap.appc|service -so@so.onap.org|org.onap.sdnc.service|2020-11-26 
12:31:54.000+0000|org.onap.sdnc|service -so@so.onap.org|org.onap.so.admin|2020-11-26 12:31:54.000+0000|org.onap.so|admin -so@so.onap.org|org.onap.so.app|2020-11-26 12:31:54.000+0000|org.onap.so|app -so@so.onap.org|org.onap.so.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.so|seeCerts -sdc@sdc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -sdc@sdc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -sdnc@sdnc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -sdnc@sdnc.onap.org|org.onap.dmaap.mr.aNewTopic-123451.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|publisher -sdnc@sdnc.onap.org|org.onap.dmaap.mr.dgl000.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|publisher -sdnc@sdnc.onap.org|org.onap.sdnc.admin|2020-11-26 12:31:54.000+0000|org.onap.sdnc|admin -sdnc@sdnc.onap.org|org.onap.sdnc.service|2020-11-26 12:31:54.000+0000|org.onap.sdnc|service -sdnc-cds@sdnc-cds.onap.org|org.onap.sdnc-cds.service|2020-11-26 12:31:54.000+0000|org.onap.sdnc-cds|service -vfc@vfc.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -vfc@vfc.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -vfc@vfc.onap.org|org.onap.dmaap-mr.Publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr|Publisher -vfc@vfc.onap.org|org.onap.vfc.service|2020-11-26 12:31:54.000+0000|org.onap.vfc|service -policy@policy.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -policy@policy.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -policy@policy.onap.org|org.onap.policy.pdpd.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpd.admin -policy@policy.onap.org|org.onap.policy.pdpx.admin|2020-11-26 12:31:54.000+0000|org.onap.policy|pdpx.admin 
-policy@policy.onap.org|org.onap.policy.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.policy|seeCerts -pomba@pomba.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -pomba@pomba.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -holmes@holmes.onap.org|org.onap.holmes.service|2020-11-26 12:31:54.000+0000|org.onap.holmes|service -msb-eag@msb-eag.onap.org|org.onap.msb-eag.service|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|service -msb-iag@msb-iag.onap.org|org.onap.msb-iag.service|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|service -nbi@nbi.onap.org|org.onap.nbi.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.nbi|seeCerts -nbi@nbi.onap.org|org.onap.nbi.service|2020-11-26 12:31:54.000+0000|org.onap.nbi|service -music@music.onap.org|org.onap.music.service|2020-11-26 12:31:54.000+0000|org.onap.music|service -refrepo@refrepo.onap.org|org.onap.refrepo.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.refrepo|seeCerts -refrepo@refrepo.onap.org|org.onap.refrepo.service|2020-11-26 12:31:54.000+0000|org.onap.refrepo|service -vid@vid.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all -vid@vid.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced -vid@vid.onap.org|org.onap.vid.service|2020-11-26 12:31:54.000+0000|org.onap.vid|service -vid1@people.osaaf.org|org.onap.vid.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|System_Administrator -vid2@people.osaaf.org|org.onap.vid.Standard_User|2020-11-26 12:31:54.000+0000|org.onap.vid|Standard_User -vid2@people.osaaf.org|org.onap.vid.System_Administrator|2020-11-26 12:31:54.000+0000|org.onap.vid|System_Administrator -uui@uui.onap.org|org.onap.uui.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.uui|seeCerts -uui@uui.onap.org|org.onap.uui.service|2020-11-26 12:31:54.000+0000|org.onap.uui|service 
-dmaap-bc@bc.dmaap.onap.org|org.onap.dmaap.bc.service|2020-11-26 12:31:54.000+0000|org.onap.dmaap.bc|service -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap-bc.api.Controller|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc.api|Controller -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap-bc.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|seeCerts -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap-bc.service|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc|service -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.dgl000.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl000|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.mirrormakeragent.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.PM_MAPPER.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PM_MAPPER|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.topic-001.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|admin -dmaap-bc@dmaap-bc.onap.org|org.onap.dmaap.mr.topic-002.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap-bc-topic-mgr.client|2020-11-26 12:31:54.000+0000|org.onap.dmaap-bc-topic-mgr|client -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap-dr.feed.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|feed.admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap-dr.sub.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|sub.admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-123450.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123450|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-123451.admin|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-123451|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-1547667570.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-1547667570|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aNewTopic-.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aNewTopic-|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547665517.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547665517|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547666628.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666628|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547666760.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666760|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547666950.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547666950|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTest-1547667031.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTest-1547667031|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-123456.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123456|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-123457.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-123457|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547660509.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660509|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547660861.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547660861|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547661011.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547661011|admin 
-dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547662122.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662122|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547662451.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547662451|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547664813.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664813|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547664928.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547664928|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTestTopic-1547666068.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTestTopic-1547666068|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.aTopic-1547654909.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.aTopic-1547654909|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.create|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|create -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.destroy|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|destroy -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.dgl_ready.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.dgl_ready|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.IdentityTopic-12345.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-12345|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.IdentityTopic-1547839476.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.IdentityTopic-1547839476|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormaker.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.pub|2020-11-26 
12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|pub -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|publisher -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|sub -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormakeragent.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|subscriber -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.mirrormaker.user|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.user -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.partitionTest-1546033194.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.partitionTest-1546033194|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.PNF_READY.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_READY|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.PNF_REGISTRATION.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.PNF_REGISTRATION|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.topic-000.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-000|admin -dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.create|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|create -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.destroy|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|destroy -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormaker.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.admin -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.pub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|pub 
-dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.publisher|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|publisher -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.sub|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|sub -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormakeragent.subscriber|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.mirrormakeragent|subscriber -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.mirrormaker.user|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|mirrormaker.user -dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org|org.onap.dmaap.mr.view|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|view -dmaap-dr@dmaap-dr.onap.org|org.onap.dmaap-dr.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|seeCerts -dmaap-dr-prov@dmaap-dr.onap.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin -dmaap-dr-prov@dmaap-dr.onap.org|org.onap.dmaap-dr.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|seeCerts -dmaap-dr-node@dmaap-dr.onap.org|org.onap.dmaap-dr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|admin -dmaap-dr-node@dmaap-dr.onap.org|org.onap.dmaap-dr.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.dmaap-dr|seeCerts -dmaapmr@mr.dmaap.onap.org|org.onap.dmaap.mr.admin|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr|admin diff --git a/kubernetes/aaf/components/aaf-cass/templates/NOTES.txt b/kubernetes/aaf/components/aaf-cass/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-cass/templates/configmap.yaml b/kubernetes/aaf/components/aaf-cass/templates/configmap.yaml deleted file mode 100644 index a10bb8a7a1..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/configmap.yaml +++ /dev/null @@ -1,32 +0,0 @@ -{{/* -# ============LICENSE_START==================================================== -# org.onap.aaf -# =========================================================================== -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# =========================================================================== -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-cass-init-dats - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/cass-init-dats/*").AsConfig . | indent 2 }} 
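Review bot: the commit message does not document the removal of the `-cass-init-dats` ConfigMap in templates/configmap.yaml. It covers only the cnf-adapter and cnfm-lcm update (1.12.3 -> 1.13.0) and the tracing changes, so the aaf-cass chart removal should either be described there or moved into its own change. The ConfigMap was rendered from `.Files.Glob "resources/cass-init-dats/*"`, and the only consumer visible in this patch is the `config-cass-init-dats` volume in deployment.yaml, which is deleted as well. Please confirm that no other chart still references this ConfigMap name, and that every file under `resources/cass-init-dats/` is deleted with it, so the seeded identity-to-role rows do not stay in the repository unused.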
diff --git a/kubernetes/aaf/components/aaf-cass/templates/deployment.yaml b/kubernetes/aaf/components/aaf-cass/templates/deployment.yaml deleted file mode 100644 index 4e18b3b746..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/deployment.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - echo "*** Move files from configmap to emptyDir" - cp -L /config-input-dats/* /config-dats/ - echo "*** set righ user to the different folders" - chown -R 1000:1000 /config-dats - chown -R 1000:1000 /var/lib/cassandra - chown -R 1000:1000 /status - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /var/lib/cassandra - name: aaf-cass-vol - - mountPath: /config-input-dats - name: config-cass-init-dats - - mountPath: /config-dats - name: config-cass-dats - - mountPath: /status - name: aaf-status - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 30m - memory: 100Mi - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - # installing with cmd "onap" will not only initialize the DB, but add ONAP bootstrap data as well - command: ["/bin/bash","/opt/app/aaf/cass_init/cmd.sh","onap"] - ports: {{ include "common.containerPorts" . | nindent 10 }} - env: - - name: CASSANDRA_CLUSTER_NAME - value: {{ .Values.config.cluster_name }} - - name: CASSANDRA_DC - value: {{ .Values.config.dc }} - - name: CQLSH - value: "/opt/cassandra/bin/cqlsh" - - name: HEAP_NEWSIZE - value: {{ .Values.config.heap_new_size }} - - name: MAX_HEAP_SIZE - value: {{ .Values.config.max_heap_size }} - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - volumeMounts: - - mountPath: /var/lib/cassandra - name: aaf-cass-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/aaf/cass_init/dats - name: config-cass-dats - - mountPath: /opt/app/aaf/status - name: aaf-status - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: tcp-cql - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: tcp-cql - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . 
| nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-status - emptyDir: {} - - name: aaf-cass-vol - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - - name: config-cass-init-dats - configMap: - name: {{ include "common.fullname" . }}-cass-init-dats - - name: config-cass-dats - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-cass/templates/pv.yaml b/kubernetes/aaf/components/aaf-cass/templates/pv.yaml deleted file mode 100644 index 187e9b75de..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/pv.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PV" . }} diff --git a/kubernetes/aaf/components/aaf-cass/templates/pvc.yaml b/kubernetes/aaf/components/aaf-cass/templates/pvc.yaml deleted file mode 100644 index e56c98751c..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/pvc.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PVC" . }} diff --git a/kubernetes/aaf/components/aaf-cass/templates/service.yaml b/kubernetes/aaf/components/aaf-cass/templates/service.yaml deleted file mode 100644 index 149a8708a6..0000000000 --- a/kubernetes/aaf/components/aaf-cass/templates/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-cass/values.yaml b/kubernetes/aaf/components/aaf-cass/values.yaml deleted file mode 100644 index a1a1abe55a..0000000000 --- a/kubernetes/aaf/components/aaf-cass/values.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application configuration -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: tcp-cql - -image: onap/aaf/aaf_cass:2.1.23 - -config: - cluster_name: osaaf - heap_new_size: 512M - max_heap_size: 1024M - dc: dc1 - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - -service: - name: aaf-cass - type: ClusterIP - ports: - - name: tcp-intra - port: 7000 - - name: tls - port: 7001 - - name: tcp-cql - port: 9042 - - name: tcp-thrift - port: 9160 - -ingress: - enabled: false - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 2100m - memory: 1792Mi - requests: - cpu: 30m - memory: 1280Mi - large: - limits: - cpu: 4 - memory: 12000Mi - requests: - cpu: 40m - memory: 9000Mi - unlimited: {} - -persistence: - enabled: true - #existingClaim: - mountPath: /dockerdata-nfs - 
mountSubPath: "cass" - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 5Gi diff --git a/kubernetes/aaf/components/aaf-cm/.helmignore b/kubernetes/aaf/components/aaf-cm/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/aaf/components/aaf-cm/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/aaf/components/aaf-cm/Chart.yaml b/kubernetes/aaf/components/aaf-cm/Chart.yaml deleted file mode 100644 index 094d21020a..0000000000 --- a/kubernetes/aaf/components/aaf-cm/Chart.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T, ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF Certificate Manager -name: aaf-cm -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: aaf-templates - version: ~12.x-0 - repository: 'file://../aaf-templates' 
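Review bot: the removed kubernetes/aaf/components/aaf-cass/values.yaml sets `volumeReclaimPolicy: Retain` in its `persistence` block (with `mountPath: /dockerdata-nfs` and `mountSubPath: "cass"`), so on clusters that already deployed this chart, deleting the chart does not delete the volume or the data on it. That volume is the Cassandra store that cmd.sh initialised with the ONAP bootstrap data for AAF, so the upgrade notes should tell operators to remove the retained PV and the `cass` directory by hand instead of leaving it orphaned on shared storage.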
diff --git a/kubernetes/aaf/components/aaf-cm/templates/NOTES.txt b/kubernetes/aaf/components/aaf-cm/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-cm/templates/deployment.yaml b/kubernetes/aaf/components/aaf-cm/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-cm/templates/ingress.yaml b/kubernetes/aaf/components/aaf-cm/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-cm/templates/service.yaml b/kubernetes/aaf/components/aaf-cm/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-cm/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-cm/values.yaml b/kubernetes/aaf/components/aaf-cm/values.yaml deleted file mode 100644 index a8159dc2cd..0000000000 --- a/kubernetes/aaf/components/aaf-cm/values.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image -replicaCount: 1 - -binary: cm - -sequence_order: - - service - - locate - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-cm - type: ClusterIP - ports: - - name: api - protocol: http - port: 8150 - -ingress: - enabled: false - service: - - baseaddr: "aaf-cm-api" - name: "aaf-cm" - port: 8150 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 400m - memory: 300Mi - requests: - cpu: 1m - memory: 200Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 40m - memory: 600Mi - unlimited: {} 
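Review bot: nothing in the commit message covers this deletion. The message lists a cnf-adapter and cnfm-lcm bump plus tracing changes, while this hunk and the ones around it remove the whole aaf-cm chart (described in its Chart.yaml as "ONAP AAF Certificate Manager", service `aaf-cm` on port 8150). If the removal is intended it should be named in the message or moved to its own change, so that anyone tracing why the certificate manager disappeared can find it in the history.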
diff --git a/kubernetes/aaf/components/aaf-fs/Chart.yaml b/kubernetes/aaf/components/aaf-fs/Chart.yaml deleted file mode 100644 index 4573a51c19..0000000000 --- a/kubernetes/aaf/components/aaf-fs/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF File Server -name: aaf-fs -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: aaf-templates - version: ~12.x-0 - repository: 'file://../aaf-templates' diff --git a/kubernetes/aaf/components/aaf-fs/templates/NOTES.txt b/kubernetes/aaf/components/aaf-fs/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-fs/templates/deployment.yaml b/kubernetes/aaf/components/aaf-fs/templates/deployment.yaml deleted file mode 100644 index 5d40538e49..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-fs/templates/ingress.yaml b/kubernetes/aaf/components/aaf-fs/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-fs/templates/service.yaml b/kubernetes/aaf/components/aaf-fs/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-fs/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-fs/values.yaml b/kubernetes/aaf/components/aaf-fs/values.yaml deleted file mode 100644 index a0e9fe9bae..0000000000 --- a/kubernetes/aaf/components/aaf-fs/values.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image -pullPolicy: Always - -replicaCount: 1 - -binary: fs - -sequence_order: - - service - - locate - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-fs - type: ClusterIP - ports: - - name: api - port: 8096 - protocol: http - -ingress: - enabled: false - service: - - baseaddr: "aaf-fs-api" - name: "aaf-fs" - port: 8096 - config: - ssl: "none" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 110Mi - requests: - cpu: 1m - memory: 80Mi - large: - limits: - cpu: 500m - memory: 700Mi - requests: - cpu: 100m - memory: 400Mi - unlimited: {} 
diff --git a/kubernetes/aaf/components/aaf-gui/Chart.yaml b/kubernetes/aaf/components/aaf-gui/Chart.yaml deleted file mode 100644 index 4e49314946..0000000000 --- a/kubernetes/aaf/components/aaf-gui/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF GUI -name: aaf-gui -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: aaf-templates - version: ~12.x-0 - repository: 'file://../aaf-templates' diff --git a/kubernetes/aaf/components/aaf-gui/templates/NOTES.txt b/kubernetes/aaf/components/aaf-gui/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-gui/templates/deployment.yaml b/kubernetes/aaf/components/aaf-gui/templates/deployment.yaml deleted file mode 100644 index 5d40538e49..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-gui/templates/ingress.yaml b/kubernetes/aaf/components/aaf-gui/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-gui/templates/service.yaml b/kubernetes/aaf/components/aaf-gui/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-gui/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-gui/values.yaml b/kubernetes/aaf/components/aaf-gui/values.yaml deleted file mode 100644 index fd416b64dc..0000000000 --- a/kubernetes/aaf/components/aaf-gui/values.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - -flavor: small -################################################################# -# Application configuration defaults. -################################################################# -# application image -pullPolicy: Always - -replicaCount: 1 - -binary: gui - -sequence_order: - - service - - locate - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: gui - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: gui - -service: - name: aaf-gui - type: NodePort - ports: - - name: gui - protocol: http - port: 8200 - nodePort: 51 - -ingress: - enabled: false - service: - - baseaddr: "aaf-ui" - name: "aaf-gui" - port: 8200 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 280Mi - requests: - cpu: 1m - memory: 170Mi - large: - limits: - cpu: 200m - memory: 1Gi - requests: - cpu: 100m - memory: 500Mi - unlimited: {} 
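Review bot: the `service` block of the removed aaf-gui values.yaml is `type: NodePort` with `nodePort: 51` under `nodePortPrefix: 302`, serving `protocol: http` on port 8200, whereas the aaf-cm and aaf-fs services removed above are `ClusterIP`. This is therefore the one deletion in this group that changes what is reachable from outside the cluster. Please check the docs and any node port allocation list for leftover references to that port, so it is not still documented as the AAF GUI and does not stay open in firewall rules written for it.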
diff --git a/kubernetes/aaf/components/aaf-locate/Chart.yaml b/kubernetes/aaf/components/aaf-locate/Chart.yaml deleted file mode 100644 index 8cb2cf6324..0000000000 --- a/kubernetes/aaf/components/aaf-locate/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF Locate -name: aaf-locate -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: aaf-templates - version: ~12.x-0 - repository: 'file://../aaf-templates' diff --git a/kubernetes/aaf/components/aaf-locate/templates/NOTES.txt b/kubernetes/aaf/components/aaf-locate/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-locate/templates/deployment.yaml b/kubernetes/aaf/components/aaf-locate/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-locate/templates/ingress.yaml b/kubernetes/aaf/components/aaf-locate/templates/ingress.yaml deleted file mode 100644 index 1b33c1f8d1..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/ingress.yaml +++ /dev/null @@ -1,2 +0,0 @@ - -{{ include "common.ingress" . }} diff --git a/kubernetes/aaf/components/aaf-locate/templates/service.yaml b/kubernetes/aaf/components/aaf-locate/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-locate/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-locate/values.yaml b/kubernetes/aaf/components/aaf-locate/values.yaml deleted file mode 100644 index 86a93214e7..0000000000 --- a/kubernetes/aaf/components/aaf-locate/values.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - - -flavor: small -################################################################# -# Application configuration defaults. -################################################################# -# application image -replicaCount: 1 - -binary: locate - -sequence_order: - - service - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-locate - type: ClusterIP - ports: - - name: api - protocol: http - port: 8095 - -ingress: - enabled: false - service: - - baseaddr: "aaf-locate-api" - name: "aaf-locate" - port: 8095 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 500m - memory: 320Mi - requests: - cpu: 1m - memory: 210Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 40m - memory: 500Mi - unlimited: {} 
diff --git a/kubernetes/aaf/components/aaf-oauth/Chart.yaml b/kubernetes/aaf/components/aaf-oauth/Chart.yaml deleted file mode 100644 index edd932d51c..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF OAuth -name: aaf-oauth -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: aaf-templates - version: ~12.x-0 - repository: 'file://../aaf-templates' diff --git a/kubernetes/aaf/components/aaf-oauth/templates/NOTES.txt b/kubernetes/aaf/components/aaf-oauth/templates/NOTES.txt deleted file mode 100644 index bd74a42cd5..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-oauth/templates/deployment.yaml b/kubernetes/aaf/components/aaf-oauth/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/deployment.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-oauth/templates/ingress.yaml b/kubernetes/aaf/components/aaf-oauth/templates/ingress.yaml deleted file mode 100644 index 1b33c1f8d1..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/ingress.yaml +++ /dev/null @@ -1,2 +0,0 @@ - -{{ include "common.ingress" . }} diff --git a/kubernetes/aaf/components/aaf-oauth/templates/service.yaml b/kubernetes/aaf/components/aaf-oauth/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/templates/service.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/aaf/components/aaf-oauth/values.yaml b/kubernetes/aaf/components/aaf-oauth/values.yaml deleted file mode 100644 index a103fb2e22..0000000000 --- a/kubernetes/aaf/components/aaf-oauth/values.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image - -replicaCount: 1 - -binary: oauth - -sequence_order: - - service - - locate - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-oauth - type: ClusterIP - ports: - - name: api - protocol: http - port: 8140 - -ingress: - enabled: false - service: - - baseaddr: "aaf-oauth-api" - name: "aaf-oauth" - port: 8140 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 40m - memory: 320Mi - requests: - cpu: 1m - memory: 210Mi - large: - limits: - cpu: 400m - memory: 600Mi - requests: - cpu: 40m - memory: 200Mi - unlimited: {} 
diff --git a/kubernetes/aaf/components/aaf-service/Chart.yaml b/kubernetes/aaf/components/aaf-service/Chart.yaml deleted file mode 100644 index 3aafca3278..0000000000 --- a/kubernetes/aaf/components/aaf-service/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP AAF Service -name: aaf-service -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: aaf-templates - version: ~12.x-0 - repository: 'file://../aaf-templates' \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-service/templates/deployment.yaml b/kubernetes/aaf/components/aaf-service/templates/deployment.yaml deleted file mode 100644 index 656aa1746d..0000000000 --- a/kubernetes/aaf/components/aaf-service/templates/deployment.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "aaf.deployment" . }} diff --git a/kubernetes/aaf/components/aaf-service/templates/ingress.yaml b/kubernetes/aaf/components/aaf-service/templates/ingress.yaml deleted file mode 100644 index 40b4bba0ce..0000000000 --- a/kubernetes/aaf/components/aaf-service/templates/ingress.yaml +++ /dev/null @@ -1,4 +0,0 @@ - -{{ include "common.ingress" . }} - - diff --git a/kubernetes/aaf/components/aaf-service/templates/service.yaml b/kubernetes/aaf/components/aaf-service/templates/service.yaml deleted file mode 100644 index ea95e44497..0000000000 --- a/kubernetes/aaf/components/aaf-service/templates/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Orange -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} 
diff --git a/kubernetes/aaf/components/aaf-service/values.yaml b/kubernetes/aaf/components/aaf-service/values.yaml deleted file mode 100644 index a6f3c5dc4e..0000000000 --- a/kubernetes/aaf/components/aaf-service/values.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - aaf: - image: onap/aaf/aaf_core:2.1.23 - config: - image: onap/aaf/aaf_config:2.1.23 - - -flavor: small - -################################################################# -# Application configuration defaults. -################################################################# -# application image - -replicaCount: 1 - -binary: service - -sequence_order: - - cass - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 5 - periodSeconds: 10 - port: api - -service: - name: aaf-service - type: ClusterIP - ports: - - name: api - port: 8100 - protocol: http - -ingress: - enabled: false - service: - - baseaddr: "aaf-service-api" - name: "aaf-service" - port: 8100 - config: - ssl: "redirect" - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 250m - memory: 360Mi - requests: - cpu: 10m - memory: 250Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 40m - memory: 300Mi - unlimited: {} 
diff --git a/kubernetes/aaf/components/aaf-sms/Chart.yaml b/kubernetes/aaf/components/aaf-sms/Chart.yaml deleted file mode 100644 index ef34888493..0000000000 --- a/kubernetes/aaf/components/aaf-sms/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Secret Management Service -name: aaf-sms -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: aaf-sms-quorumclient - version: ~12.x-0 - repository: 'file://components/aaf-sms-quorumclient' - - name: aaf-sms-vault - version: ~12.x-0 - repository: 'file://components/aaf-sms-vault' diff --git a/kubernetes/aaf/components/aaf-sms/components/Makefile b/kubernetes/aaf/components/aaf-sms/components/Makefile deleted file mode 100644 index 79ba2fb47e..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/Chart.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/Chart.yaml deleted file mode 100644 index 5af948eddc..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/Chart.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Secret Management Service Quorum Client -name: aaf-sms-quorumclient -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/resources/config/config.json b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/resources/config/config.json deleted file mode 100644 index 3a43f00019..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/resources/config/config.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "url":"https://aaf-sms.{{ include "common.namespace" . }}:10443", - "cafile": "/quorumclient/certs/aaf_root_ca.cer", - "clientcert":"client.cert", - "clientkey":"client.key", - "timeout":"10s" -} \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/pv.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/pv.yaml deleted file mode 100644 index d855ae6fdf..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/pv.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- $global := . }} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) }} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.name" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/statefulset.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/statefulset.yaml deleted file mode 100644 index 0e9e66dc47..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/templates/statefulset.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: {{ include "common.servicename" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" -{{- if .Values.persistence.enabled }} - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /quorumclient/auth - chown -R 100:1000 /quorumclient/auth - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /quorumclient/auth - name: {{ include "common.fullname" . }}-data -{{- end }} - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/quorumclient/bin/quorumclient"] - workingDir: /quorumclient/ - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /quorumclient/config.json - name: {{ include "common.name" .}} - subPath: config.json -{{- if .Values.persistence.enabled }} - - mountPath: /quorumclient/auth - name: {{ include "common.fullname" . }}-data -{{- end }} - resources: -{{ include "common.resources" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name : {{ include "common.name" . }} - configMap: - name: {{ include "common.fullname" . }} - items: - - key: config.json - path: config.json - mode: 0755 -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/values.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/values.yaml deleted file mode 100644 index d41d31ce82..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-quorumclient/values.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/smsquorumclient:4.0.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 3 - -nodeSelector: {} - -affinity: {} - -service: - name: aaf-sms - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 10Mi - mountPath: /dockerdata-nfs - mountSubPath: sms/quorum/data - -ingress: - enabled: false - -flavor: small - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 40m - memory: 40Mi - requests: - cpu: 1m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 700Mi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/Chart.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/Chart.yaml deleted file mode 100644 index 44554e3432..0000000000 
--- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Chart to launch Vault as SMS backend -name: aaf-sms-vault -appVersion: 0.9.5 -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/configmap.yaml deleted file mode 100644 index 0d09221644..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/configmap.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-vault - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - config.json: | - {{ .Values.config.vault | toJson }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-consul - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - config.json: | - {{ .Values.config.consul | toJson }} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/pv.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/pv.yaml deleted file mode 100644 index d855ae6fdf..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/pv.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- $global := . }} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) }} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.name" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
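Review bot: The `hostPath` volumes defined in the `spec` block of this deleted pv.yaml outlive the removal, and nothing in the patch says what happens to them. The template created one PersistentVolume per replica at `<mountPath>/<release>/<mountSubPath>-<i>`, and the aaf-sms-vault values.yaml removed further down sets `volumeReclaimPolicy: Retain` with `mountSubPath: sms/consul/data`. The Consul data directory that backed Vault therefore stays on the node after the chart is gone. Suggest an upgrade note that names this path and states that the directory has to be wiped by hand, since it holds the backend data of the secret store.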
diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/service.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/service.yaml deleted file mode 100644 index b642e39540..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/service.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.portName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} 
diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/statefulset.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/statefulset.yaml deleted file mode 100644 index 994e1555d3..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/templates/statefulset.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: {{ include "common.servicename" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: -{{- if .Values.persistence.enabled }} - initContainers: - - name: fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /consul/data - chown -R 100:1000 /consul/data - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /consul/data - name: {{ include "common.fullname" . }}-data -{{- end }} - containers: - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.vault }} - name: {{ include "common.name" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: ["server"] - ports: - - containerPort: {{ .Values.service.internalPort }} - volumeMounts: - - mountPath: /vault/config/config.json - name: {{ include "common.fullname" . }}-vault - subPath: config.json - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 10 }} - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.consul }} - name: {{ include "common.name" . }}-backend - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: ["agent","-server","-bind","0.0.0.0","-bootstrap-expect=1","-config-file","/consul/config/config.json"] - ports: - - name: http - containerPort: 8500 - volumeMounts: -{{- if .Values.persistence.enabled }} - - mountPath: /consul/data - name: {{ include "common.fullname" . }}-data -{{- end }} - - mountPath: /consul/config/config.json - name: {{ include "common.fullname" . }}-consulconfiguration - subPath: config.json - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 10 }} - volumes: - - name: {{ include "common.fullname" . }}-consulconfiguration - configMap: - name: {{ include "common.fullname" . }}-consul - - name: {{ include "common.fullname" . }}-vault - configMap: - name: {{ include "common.fullname" . }}-vault - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . 
}}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/values.yaml b/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/values.yaml deleted file mode 100644 index e170ce7ef5..0000000000 --- a/kubernetes/aaf/components/aaf-sms/components/aaf-sms-vault/values.yaml +++ /dev/null 
@@ -1,109 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - -# application image -image: - consul: library/consul:1.7.1 - vault: library/vault:1.3.3 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -################################################################# -# Application configuration defaults. 
-################################################################# -config: - consul: - server: true - log_level: INFO - data_dir: '/consul/data' - ports: - http: 8500 - https: -1 - - vault: - storage: - consul: - address: localhost:8500 - path: smsvault - listener: - tcp: - address: '[::]:8200' - tls_disable: true - disable_mlock: true - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: sms/consul/data - -service: - type: ClusterIP - name: aaf-sms-db - portName: aaf-sms-db - internalPort: 8200 - externalPort: 8200 - -ingress: - enabled: false - -flavor: small - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 400m - memory: 80Mi - requests: - cpu: 40m - memory: 40Mi - large: - limits: - cpu: 400m - memory: 700Mi - requests: - cpu: 40m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem b/kubernetes/aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem deleted file mode 100644 index 7939846bf0..0000000000 --- a/kubernetes/aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem +++ /dev/null 
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB -RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN -MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG -A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL -neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d -o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3 -nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV -v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO -15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw -gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV -M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/ -BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B -AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q -ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl -u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+ -+pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/ -QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht -8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX -kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3 -aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky -uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w -tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep -BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k= ------END CERTIFICATE----- diff --git a/kubernetes/aaf/components/aaf-sms/resources/config/has.json b/kubernetes/aaf/components/aaf-sms/resources/config/has.json deleted file mode 100644 index ef42ce98d3..0000000000 --- a/kubernetes/aaf/components/aaf-sms/resources/config/has.json +++ /dev/null 
@@ -1,51 +0,0 @@ -{ - "domain": { - "name": "has", - "secrets": [ - { - "name": "aai", - "values": { - "username": "${AAI_USER}", - "password": "${AAI_PASS}" - } - }, - { - "name": "conductor_api", - "values": { - "username": "${CONDUCTOR_USER}", - "password": "${CONDUCTOR_PASS}" - } - }, - { - "name": "sdnc", - "values": { - "username": "${SDNC_USER}", - "password": "${SDNC_PASS}" - } - }, - { - "name": "music_api", - "values": { - "aafuser": "${MUSIC_USER}", - "aafpass": "${MUSIC_PASS}", - "aafns": "conductor" - } - }, - { - "name": "aaf_api", - "values": { - "username": "${AAF_USER}", - "password": "${AAF_PASS}", - "aaf_conductor_user": "oof@oof.onap.org" - } - }, - { - "name": "sdc", - "values": { - "username": "${SDC_USER}", - "password": "${SDC_PASS}" - } - } - ] - } -} diff --git a/kubernetes/aaf/components/aaf-sms/resources/config/osdf.json b/kubernetes/aaf/components/aaf-sms/resources/config/osdf.json deleted file mode 100644 index c14f7ee4ba..0000000000 --- a/kubernetes/aaf/components/aaf-sms/resources/config/osdf.json +++ /dev/null 
@@ -1,112 +0,0 @@ -{ - "domain": { - "name": "osdf", - "secrets": [ - { - "name": "so", - "values": { - "UserName": "${SO_USER}", - "Password": "${SO_PASS}" - } - }, - { - "name": "conductor", - "values": { - "UserName": "${CONDUCTOR_USER}", - "Password": "${CONDUCTOR_PASS}" - } - }, - { - "name": "policyPlatform", - "values": { - "UserName": "${POLICY_PLAT_USER}", - "Password": "${POLICY_PLAT_PASS}" - } - }, - { - "name": "policyClient", - "values": { - "UserName": "${POLICY_CLI_USER}", - "Password": "${POLICY_CLI_PASS}" - } - }, - { - "name": "dmaap", - "values": { - "UserName": "NA", - "Password": "NA" - } - }, - { - "name": "sdc", - "values": { - "UserName": "NA", - "Password": "NA" - } - }, - { - "name": "osdfPlacement", - "values": { - "UserName": "${OSDF_PLACEMENT_USER}", - "Password": "${OSDF_PLACEMENT_PASS}" - } - }, - { - "name": "osdfPlacementSO", - "values": { - "UserName": "${OSDF_PLACEMENT_SO_USER}", - "Password": "${OSDF_PLACEMENT_SO_PASS}" - } - }, - { - "name": "osdfPlacementVFC", - "values": { - "UserName": "${OSDF_PLACEMENT_VFC_USER}", - "Password": "${OSDF_PLACEMENT_VFC_PASS}" - } - }, - { - "name": "osdfCMScheduler", - "values": { - "UserName": "${OSDF_CM_SCHEDULER_USER}", - "Password": "${OSDF_CM_SCHEDULER_PASS}" - } - }, - { - "name": "configDb", - "values": { - "UserName": "${CONFIG_DB_USER}", - "Password": "${CONFIG_DB_PASS}" - } - }, - { - "name": "pciHMS", - "values": { - "UserName": "", - "Password": "" - } - }, - { - "name": "osdfPCIOpt", - "values": { - "UserName": "${OSDF_PCI_OPT_USER}", - "Password": "${OSDF_PCI_OPT_PASS}" - } - }, - { - "name": "osdfOptEngine", - "values": { - "UserName": "${OSDF_OPT_ENGINE_USER}", - "Password": "${OSDF_OPT_ENGINE_PASS}" - } - }{{ if .Values.cps.enabled }}, - { - "name": "cps", - "values": { - "UserName": "${CPS_USER}", - "Password": "${CPS_PASS}" - } - }{{ end }} - ] - } -} 
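Review bot: The `osdfPlacementVFC` entry in this file reads `${OSDF_PLACEMENT_VFC_PASS}`, but the preload job removed later in this patch exports `OSDF_PLACMENET_VFC_PASS` (misspelled). As far as the visible lines show, the variable the template expects was never set, so envsubst would have rendered an empty password into the preloaded secret. Worth stating in the commit message or release notes: anyone carrying these credentials over from SMS should take the value from the `osdf-placement-vfc-creds` secret, not from what was stored in SMS. The same note should say where the consumers listed here (`so`, `conductor`, `policyPlatform` and the rest) obtain their credentials now that this domain file is gone.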
diff --git a/kubernetes/aaf/components/aaf-sms/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sms/templates/configmap.yaml deleted file mode 100644 index a74fe277b7..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/configmap.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - smsconfig.json: | - {{ .Values.config | toJson }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-preload - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-preload - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aaf/components/aaf-sms/templates/deployment.yaml b/kubernetes/aaf/components/aaf-sms/templates/deployment.yaml deleted file mode 100644 index cfe54cf07b..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/deployment.yaml +++ /dev/null 
@@ -1,149 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 8 }} - # Currently intermediate certificate is not given by AAF CM so we need - # to give it "by hand" - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . }}-add-intermediate-cert - command: - - /bin/sh - args: - - -c - - | - cat /int-certs/intermediate_root_ca.pem >> {{ .Values.certInitializer.mountPath }}/local/org.onap.aaf-sms.crt - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} - - mountPath: /int-certs - name: {{ include "common.fullname" . 
}}-int-certs - readOnly: true - {{- end }} - - name: {{ include "common.fullname" . }}-fix-permission - command: - - /bin/sh - args: - - -c - - | - chmod -R 775 /sms/auth - chown -R 1000:1000 /sms/auth - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /sms/auth - name: {{ include "common.fullname" . }}-auth - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - "aaf-sms-vault" - - --container-name - - "aaf-sms-vault-backend" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }} - command: ["/sms/bin/sms"] - workingDir: /sms/ - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - port: {{ .Values.service.internalPort }} - scheme: HTTPS - path: /v1/sms/quorum/status - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - httpGet: - port: {{ .Values.service.internalPort }} - scheme: HTTPS - path: /v1/sms/quorum/status - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /sms/smsconfig.json - name: {{ include "common.name" .}} - subPath: smsconfig.json - - mountPath: /sms/auth - name: {{ include "common.fullname" . }}-auth - resources: -{{ include "common.resources" . | indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - - name : {{ include "common.name" . }} - configMap: - name: {{ include "common.fullname" . }} - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . }}-int-certs - secret: - secretName: {{ include "common.fullname" . }}-int-certs - {{- end }} - - name: {{ include "common.fullname" . }}-auth - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-sms/templates/job.yaml b/kubernetes/aaf/components/aaf-sms/templates/job.yaml deleted file mode 100644 index 2370cf60de..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/job.yaml +++ /dev/null 
@@ -1,217 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-preload - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . 
| nindent 6 }} - - command: - - sh - args: - - -c - - "export AAI_PASS=${AAI_PASS_PLAIN}; - export CONDUCTOR_PASS=${CONDUCTOR_PASS_PLAIN}; - export SDNC_PASS=${SDNC_PASS_PLAIN}; - export MUSIC_PASS=${MUSIC_PASS_PLAIN}; - export AAF_PASS=${AAF_PASS_PLAIN}; - export POLICY_PLAT_PASS=${POLICY_PLAT_PASS_PLAIN}; - export POLICY_CLI_PASS=${POLICY_CLI_PASS_PLAIN}; - export OSDF_PLACEMENT_PASS=${OSDF_PLACEMENT_PASS_PLAIN}; - export OSDF_PLACEMENT_SO_PASS=${OSDF_PLACEMENT_SO_PASS_PLAIN}; - export OSDF_PLACMENET_VFC_PASS=${OSDF_PLACEMENT_VFC_PASS_PLAIN}; - export OSDF_CM_SCHEDULER_PASS=${OSDF_CM_SCHEDULER_PASS_PLAIN}; - export CONFIG_DB_PASS=${CONFIG_DB_PASS_PLAIN}; - export OSDF_PCI_OPT_PASS=${OSDF_PCI_OPT_PASS_PLAIN}; - export OSDF_OPT_ENGINE_PASS=${OSDF_OPT_ENGINE_PASS_PLAIN}; - export SO_PASS=${SO_PASS_PLAIN}; - export SDC_PASS=${SDC_PASS_PLAIN}; - {{- if .Values.cps.enabled }} - export CPS_PASS=${CPS_PASS_PLAIN}; - {{- end }} - cd /config-input; - for PFILE in `find . -not -type d | grep -v -F ..`; do - envsubst <${PFILE} >/config/${PFILE}; - done" - env: - - name: AAI_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-creds" "key" "login") | indent 10 }} - - name: AAI_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-creds" "key" "password") | indent 10 }} - - - name: CONDUCTOR_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "conductor-creds" "key" "login") | indent 10 }} - - name: CONDUCTOR_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "conductor-creds" "key" "password") | indent 10 }} - - - name: SDNC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-creds" "key" "login") | indent 10 }} - - name: SDNC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "sdnc-creds" "key" "password") | indent 10 }} - - - name: MUSIC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "music-creds" "key" "login") | indent 10 }} - - name: MUSIC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "music-creds" "key" "password") | indent 10 }} - - - name: AAF_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aaf-creds" "key" "login") | indent 10 }} - - name: AAF_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aaf-creds" "key" "password") | indent 10 }} - - - name: POLICY_PLAT_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-plat-creds" "key" "login") | indent 10 }} - - name: POLICY_PLAT_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-plat-creds" "key" "password") | indent 10 }} - - - name: POLICY_CLI_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-cli-creds" "key" "login") | indent 10 }} - - name: POLICY_CLI_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-cli-creds" "key" "password") | indent 10 }} - - - name: OSDF_PLACEMENT_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-creds" "key" "login") | indent 10 }} - - name: OSDF_PLACEMENT_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-creds" "key" "password") | indent 10 }} - - - name: OSDF_PLACEMENT_SO_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-so-creds" "key" "login") | indent 10 }} - - name: OSDF_PLACEMENT_SO_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-so-creds" "key" "password") | indent 10 }} - - - name: OSDF_PLACEMENT_VFC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "osdf-placement-vfc-creds" "key" "login") | indent 10 }} - - name: OSDF_PLACEMENT_VFC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-placement-vfc-creds" "key" "password") | indent 10 }} - - - name: OSDF_CM_SCHEDULER_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-cm-scheduler-creds" "key" "login") | indent 10 }} - - name: OSDF_CM_SCHEDULER_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-cm-scheduler-creds" "key" "password") | indent 10 }} - - - name: CONFIG_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "config-db-creds" "key" "login") | indent 10 }} - - name: CONFIG_DB_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "config-db-creds" "key" "password") | indent 10 }} - - - name: OSDF_PCI_OPT_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-pci-opt-creds" "key" "login") | indent 10 }} - - name: OSDF_PCI_OPT_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-pci-opt-creds" "key" "password") | indent 10 }} - - - name: OSDF_OPT_ENGINE_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-opt-engine-creds" "key" "login") | indent 10 }} - - name: OSDF_OPT_ENGINE_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "osdf-opt-engine-creds" "key" "password") | indent 10 }} - - - name: SO_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-creds" "key" "login") | indent 10 }} - - name: SO_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-creds" "key" "password") | indent 10 }} - - - name: SDC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-creds" "key" "login") | indent 10 }} - - name: SDC_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "sdc-creds" "key" "password") | indent 10 }} - {{- if .Values.cps.enabled }} - - name: CPS_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "login") | indent 10 }} - - name: CPS_PASS_PLAIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "password") | indent 10 }} - {{- end }} - - volumeMounts: - - mountPath: /config-input - name: {{ include "common.name" . }}-preload-input - - mountPath: /config/ - name: {{ include "common.name" . }}-preload - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - "aaf-sms" - - --container-name - - "aaf-sms-quorumclient" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-preload - command: - - "/sms/bin/preload" - - "-cacert" - - "{{ .Values.certInitializer.mountPath }}/local/{{ .Values.certInitializer.root_ca_name }}" - - "-jsondir" - - "/preload/config" - - "-serviceport" - - "{{ .Values.service.internalPort }}" - - "-serviceurl" - - "https://aaf-sms.{{ include "common.namespace" . }}" - workingDir: /sms - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /preload/config - name: {{ include "common.name" . }}-preload - resources: -{{ include "common.resources" . 
| indent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - {{ include "common.waitForJobContainer" . | indent 6 | trim }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.name" . }}-preload-input - configMap: - name: {{ include "common.fullname" . }}-preload - - name: {{ include "common.name" . }}-preload - emptyDir: - medium: Memory - restartPolicy: OnFailure - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-sms/templates/pv.yaml b/kubernetes/aaf/components/aaf-sms/templates/pv.yaml deleted file mode 100644 index d06131feb5..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) }} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: {{ include "common.release" . }} - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sms/templates/pvc.yaml b/kubernetes/aaf/components/aaf-sms/templates/pvc.yaml deleted file mode 100644 index c46d50607c..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/pvc.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sms/templates/secret.yaml b/kubernetes/aaf/components/aaf-sms/templates/secret.yaml deleted file mode 100644 index 7a0213f16c..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/secret.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} ---- -{{- if .Values.global.aafEnabled }} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-int-certs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-sms/templates/service.yaml b/kubernetes/aaf/components/aaf-sms/templates/service.yaml deleted file mode 100644 index 8f30164fec..0000000000 --- a/kubernetes/aaf/components/aaf-sms/templates/service.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.PortName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/aaf/components/aaf-sms/values.yaml b/kubernetes/aaf/components/aaf-sms/values.yaml deleted file mode 100644 index 114ad23672..0000000000 --- a/kubernetes/aaf/components/aaf-sms/values.yaml +++ /dev/null 
@@ -1,283 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - aafEnabled: true - -flavor: small - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: aaf-sms-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aaf-sms - fqi: aaf-sms@aaf-sms.onap.org - public_fqdn: aaf-sms.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - mountPath: /opt/app/osaaf - keystore: truststoreONAPall.jks - keystore_pass: changeit - root_ca_alias: onaptestca - root_ca_name: aaf_root_ca.cer - permission_user: 1000 - permission_group: 1000 - aaf_add_config: > - cd {{ .Values.mountPath }}/local; - keytool -exportcert -rfc -file {{ .Values.root_ca_name }} -keystore {{ .Values.keystore }} - -alias {{ .Values.root_ca_alias }} -storepass {{ .Values.keystore_pass }}; - chown -R {{.Values.permission_user}}:{{.Values.permission_group}} - {{ .Values.mountPath }}; - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/aaf/sms:4.0.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -config: - smsdbaddress: "http://aaf-sms-db:8200" - cafile: "/opt/app/osaaf/local/aaf_root_ca.cer" - servercert: "/opt/app/osaaf/local/org.onap.aaf-sms.crt" - serverkey: "/opt/app/osaaf/local/org.onap.aaf-sms.key" - password: "c2VjcmV0bWFuYWdlbWVudHNlcnZpY2VzZWNyZXRwYXNzd29yZA==" - -# subchart configuration -vault: - nameOverride: smsdb - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 30 - -service: - type: ClusterIP - name: aaf-sms - portName: aaf-sms - internalPort: 10443 - externalPort: 10443 - -#define value for aaf-sms-quorumclient subchart -aaf-sms-quorumclient: - service: - name: aaf-sms - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: sms/auth - -ingress: - enabled: false - -cps: - enabled: true - -secrets: - - uid: aai-creds - type: basicAuth - login: '{{ .Values.oofCreds.aaiUsername }}' - password: '{{ .Values.oofCreds.aaiPassword }}' - passwordPolicy: required - - uid: conductor-creds - type: basicAuth - login: '{{ .Values.oofCreds.conductorUsername }}' - password: '{{ .Values.oofCreds.conductorPassword }}' - passwordPolicy: required - - uid: sdnc-creds - type: basicAuth - login: '{{ .Values.oofCreds.sdncUsername }}' - password: '{{ .Values.oofCreds.sdncPassword }}' - passwordPolicy: required - - uid: music-creds - type: basicAuth - login: '{{ .Values.oofCreds.musicUsername }}' - 
password: '{{ .Values.oofCreds.musicPassword }}' - passwordPolicy: required - - uid: aaf-creds - type: basicAuth - login: '{{ .Values.oofCreds.aafUsername }}' - password: '{{ .Values.oofCreds.aafPassword }}' - passwordPolicy: required - - uid: policy-plat-creds - type: basicAuth - login: '{{ .Values.oofCreds.policyPlatUsername }}' - password: '{{ .Values.oofCreds.policyPlatPassword }}' - passwordPolicy: required - - uid: policy-cli-creds - type: basicAuth - login: '{{ .Values.oofCreds.policyCliUsername }}' - password: '{{ .Values.oofCreds.policyCliPassword }}' - passwordPolicy: required - - uid: osdf-placement-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPlacementUsername }}' - password: '{{ .Values.oofCreds.osdfPlacementPassword }}' - passwordPolicy: required - - uid: osdf-placement-so-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPlacementSOUsername }}' - password: '{{ .Values.oofCreds.osdfPlacementSOPassword }}' - passwordPolicy: required - - uid: osdf-placement-vfc-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPlacementVFCUsername }}' - password: '{{ .Values.oofCreds.osdfPlacementVFCPassword }}' - passwordPolicy: required - - uid: osdf-cm-scheduler-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfCMSchedulerUsername }}' - password: '{{ .Values.oofCreds.osdfCMSchedulerPassword }}' - passwordPolicy: required - - uid: config-db-creds - type: basicAuth - login: '{{ .Values.oofCreds.configDbUsername }}' - password: '{{ .Values.oofCreds.configDbPassword }}' - passwordPolicy: required - - uid: osdf-pci-opt-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfPCIOptUsername }}' - password: '{{ .Values.oofCreds.osdfPCIOptPassword }}' - passwordPolicy: required - - uid: osdf-opt-engine-creds - type: basicAuth - login: '{{ .Values.oofCreds.osdfOptEngineUsername }}' - password: '{{ .Values.oofCreds.osdfOptEnginePassword }}' - passwordPolicy: required - - uid: so-creds - type: basicAuth - login: '{{ 
.Values.oofCreds.soUsername }}' - password: '{{ .Values.oofCreds.soPassword }}' - passwordPolicy: required - - uid: sdc-creds - type: basicAuth - login: '{{ .Values.oofCreds.sdcUsername }}' - password: '{{ .Values.oofCreds.sdcPassword }}' - passwordPolicy: required - - uid: cps-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.oofCreds.cpsUserExternalSecret) . }}' - login: '{{ .Values.oofCreds.cpsUsername }}' - password: '{{ .Values.oofCreds.cpsPassword }}' - passwordPolicy: required -oofCreds: - aaiUsername: oof@oof.onap.org - aaiPassword: demo123456! - - conductorUsername: admin1 - conductorPassword: plan.15 - - sdncUsername: admin - sdncPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - - musicUsername: conductor - musicPassword: c0nduct0r - - aafUsername: aaf_admin@people.osaaf.org - aafPassword: demo123456! - - policyPlatUsername: healthcheck - policyPlatPassword: zb!XztG34 - - policyCliUsername: healthcheck - policyCliPassword: zb!XztG34 - - osdfPlacementUsername: test - osdfPlacementPassword: testpwd - - osdfPlacementSOUsername: so_test - osdfPlacementSOPassword: so_testpwd - - osdfPlacementVFCUsername: vfc_test - osdfPlacementVFCPassword: vfc_testpwd - - osdfCMSchedulerUsername: test1 - osdfCMSchedulerPassword: testpwd1 - - configDbUsername: osdf - configDbPassword: passwd - - osdfPCIOptUsername: pci_test - osdfPCIOptPassword: pci_testpwd - - osdfOptEngineUsername: opt_test - osdfOptEnginePassword: opt_testpwd - - soUsername: apihBpmn - soPassword: password1$ - - sdcUsername: aai - sdcPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - - cpsUsername: '' - cpsPassword: '' - cpsUserExternalSecret: '{{ include "common.release" . 
}}-cps-core-app-user-creds' - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 100m - memory: 400Mi - requests: - cpu: 25m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 25m - memory: 100Mi - unlimited: {} - -wait_for_job_container: - containers: - - '{{ include "common.name" . }}-preload' - diff --git a/kubernetes/aaf/components/aaf-sshsm/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/Chart.yaml deleted file mode 100644 index b30fd76d90..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/Chart.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Hardware Security Components -name: aaf-sshsm -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: aaf-sshsm-abrmd - version: ~12.x-0 - repository: 'file://components/aaf-sshsm-abrmd' - condition: aaf-sshsm-abrmd.enabled - - name: aaf-sshsm-distcenter - version: ~12.x-0 - repository: 'file://components/aaf-sshsm-distcenter' - condition: aaf-sshsm-distcenter.enabled - - name: aaf-sshsm-testca - version: ~12.x-0 - repository: 'file://components/aaf-sshsm-testca' - condition: aaf-sshsm-testca.testca.enabled 
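Review bot: The deleted kubernetes/aaf/components/aaf-sms/values.yaml carried plaintext default credentials under `oofCreds` (the AAI, SDNC, SO, SDC, policy and OSDF logins) as well as `certInitializer.aafDeployPass`, `keystore_pass` and `config.password`, and removing the file does not retire them: they remain in the repository history and were the effective values for every deployment that did not override them. Please say in the change description whether the consuming services are still provisioned with these defaults by other charts (for example the `soUsername`/`soPassword` and `sdcUsername`/`sdcPassword` pairs), and if they are, track their rotation or move them to `externalSecret` references the way `cps-creds` already does with `cpsUserExternalSecret`.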
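Review bot: Deleting kubernetes/aaf/components/aaf-sshsm/Chart.yaml removes the umbrella chart together with its three `file://components/...` subcharts, but the toggles that gated them (`aaf-sshsm-abrmd.enabled`, `aaf-sshsm-distcenter.enabled`, `aaf-sshsm-testca.testca.enabled`) are user-facing values that may still be set in override files. Please confirm that no remaining chart lists `aaf-sshsm` as a dependency and that shipped override files no longer set these keys, since a leftover dependency entry breaks `helm dep up` and a leftover toggle is silently ignored, which leaves operators believing the TPM components are still deployed.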
diff --git a/kubernetes/aaf/components/aaf-sshsm/Makefile b/kubernetes/aaf/components/aaf-sshsm/Makefile deleted file mode 100644 index ef273d0e9b..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/Makefile +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
diff --git a/kubernetes/aaf/components/aaf-sshsm/README.md b/kubernetes/aaf/components/aaf-sshsm/README.md deleted file mode 100644 index a6f2e62cb9..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/README.md +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Helm Chart for ONAP Hardware Security Components - -This includes the following Kubernetes services: - -1. dist-center - A service that is used to create and distribute private keys -2. abrmd - A service that manages access to the TPM device - -# Service Dependencies - -All services depend on AAF \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-sshsm/components/Makefile b/kubernetes/aaf/components/aaf-sshsm/components/Makefile deleted file mode 100644 index 79ba2fb47e..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/Chart.yaml deleted file mode 100644 index e6d6d6653d..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/Chart.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Trusted Platform Module Resource Manager -name: aaf-sshsm-abrmd -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/configmap.yaml deleted file mode 100644 index 8555a3c153..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/configmap.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.tpm.enabled -}} - -apiVersion: v1 -kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} - -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/deployment.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/deployment.yaml deleted file mode 100644 index a2df4e53b9..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/deployment.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.tpm.enabled -}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - serviceName: - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-job-complete - command: - - /app/ready.py - args: - - -j - - "{{ include "common.fullname" . }}-init" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/abrmd/bin/run_abrmd.sh"] - workingDir: /abrmd/bin - securityContext: - privileged: true - volumeMounts: - - name: {{ include "common.fullname" . }}-dbus - mountPath: /var/run/dbus - - name: {{ include "common.fullname" . 
}}-tpm-device - mountPath: /dev/tpm0 - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: {{ include "common.resources" . | nindent 10 }} - nodeSelector: - {{- if .Values.nodeSelector }} - {{ toYaml .Values.nodeSelector | indent 8 | trim }} - {{- end }} - {{- if .Values.global.tpm.enabled }} - {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} - {{- end }} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-dbus - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-dbus - - name: {{ include "common.fullname" . }}-tpm-device - hostPath: - path: /dev/tpm0 - -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/job.yaml deleted file mode 100644 index 8a8b6bd8fe..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/templates/job.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.tpm.enabled -}} - -apiVersion: batch/v1 -kind: Job -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - backoffLimit: 2 - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - containers: - - name: {{ include "common.name" . }}-job - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/abrmd/bin/initialize_tpm.sh"] - workingDir: /abrmd/bin - securityContext: - privileged: true - env: - - name: TPM_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: ABRMD_DATA - value: /abrmd/data - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /abrmd/data - - name: {{ include "common.fullname" . }}-tpm-device - mountPath: /dev/tpm0 - - name: {{ include "common.fullname" . }}-tpmconfig - mountPath: "/abrmd/cred/" - readOnly: true - resources: {{ include "common.resources" . 
| nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} - {{- if .Values.global.tpm.enabled }} - {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} - {{- end -}} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-data - - name: {{ include "common.fullname" . }}-tpm-device - hostPath: - path: /dev/tpm0 - - name: {{ include "common.fullname" . }}-tpmconfig - secret: - secretName: {{ include "common.release" . }}-aaf-sshsm - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/values.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/values.yaml deleted file mode 100644 index e97519aa3e..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-abrmd/values.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - tpm: - enabled: true - # if enabled, nodeselector will use the below - # values in the nodeselector section of the pod - nodeLabel: "tpm-node" - nodeLabelValue: "true" - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/abrmd:4.0.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 1 - -# TPM specific node selection is done at parent chart aaf-sshsm -nodeSelector: {} - -affinity: {} - -ingress: - enabled: false - -# Configure resource requests and limits -flavor: small -resources: - small: - limits: - cpu: 20m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/Chart.yaml deleted file mode 100644 index 0d57836d10..0000000000 
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Trusted Platform Module Distribution Center -name: aaf-sshsm-distcenter -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/configmap.yaml deleted file mode 100644 index 2e82f5bd26..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/configmap.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/job.yaml deleted file mode 100644 index f74b5c8f2d..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/job.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - serviceName: - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - initContainers: -{{- if .Values.global.tpm.enabled }} - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - -j - - "{{ include "common.release" . }}-aaf-sshsm-abrmd-init" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{ else }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-gen-passphrase - command: ["sh", "-c", "/usr/bin/openssl rand -base64 12 >/distcenter/data/passphrase"] - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . 
}}-data - mountPath: /distcenter/data - resources: - limits: - cpu: 1 - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end }} - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/entrypoint.sh"] - workingDir: /distcenter - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /distcenter/data - resources: {{ include "common.resources" . | nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pv.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pv.yaml deleted file mode 100644 index 22acb2a609..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pv.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PV" . }} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pvc.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pvc.yaml deleted file mode 100644 index 1c7f6ffe4a..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/templates/pvc.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PVC" . }} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/values.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/values.yaml deleted file mode 100644 index fb42843cb7..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-distcenter/values.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - tpm: - enabled: true - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/distcenter:4.0.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 10Mi - mountPath: /dockerdata-nfs - mountSubPath: sshsm/distcenter/data - -ingress: - enabled: false - -# Configure resource requests and limits -flavor: small -resources: - small: - limits: - cpu: 20m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/Chart.yaml deleted file mode 100644 index ec513a0748..0000000000 
--- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Trusted Platform Module Test CA Service -name: aaf-sshsm-testca -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/templates/job.yaml deleted file mode 100644 index 71e7c299bc..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/templates/job.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - initContainers: - - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-distcenter-ready - command: - - /app/ready.py - args: - - -j - - "{{ include "common.release" . }}-aaf-sshsm-distcenter" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- if .Values.global.tpm.enabled }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-abrmd-ready - command: ["sh", "/sshsm/bin/abrmd_ready.sh", "300"] - workingDir: /testca/bin - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - volumeMounts: - - name: {{ include "common.fullname" . 
}}-dbus - mountPath: /var/run/dbus - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end }} - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - name: {{ include "common.name" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["./import.sh"] - workingDir: /testca/bin - env: -{{- if .Values.global.tpm.enabled }} - - name: TPM_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - - name: DATA_FOLDER - value: /testca/data/host_$(TPM_NODE_NAME) -{{ else }} - - name: DATA_FOLDER - value: /testca/data -{{- end }} - - name: SECRETS_FOLDER - value: /testca/secrets - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /testca/data - - name: {{ include "common.fullname" . }}-dbus - mountPath: /var/run/dbus - - name: {{ include "common.fullname" . }}-secrets - mountPath: /testca/secrets - readOnly: true - resources: {{ include "common.resources" . | nindent 10 }} - nodeSelector: - {{- if .Values.nodeSelector }} - {{ toYaml .Values.nodeSelector | indent 8 | trim }} - {{- end -}} - {{- if .Values.global.tpm.enabled }} - {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm - - name: {{ include "common.fullname" . }}-dbus - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-aaf-sshsm-dbus - - name: {{ include "common.fullname" . }}-secrets - secret: - secretName: {{ include "common.release" . }}-aaf-sshsm - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/values.yaml b/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/values.yaml deleted file mode 100644 index f116c6d5e9..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/components/aaf-sshsm-testca/values.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# - -global: - tpm: - enabled: true - # if enabled, nodeselector will use the below - # values in the nodeselector section of the pod - nodeLabel: "tpm-node" - nodeLabelValue: "true" - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/aaf/testcaservice:4.0.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -ingress: - enabled: false - -# Configure resource requests and limits -flavor: small -resources: - small: - limits: - cpu: 50m - memory: 100Mi - requests: - cpu: 10m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} diff --git a/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd b/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd deleted file mode 100644 index 640b325898..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd +++ /dev/null 
@@ -1 +0,0 @@ -cHJpbWFyeXBhc3N3b3JkCg== diff --git a/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle b/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle deleted file mode 100644 index b8b9d8ddb0..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle +++ /dev/null @@ -1 +0,0 @@ -MHg4MTAwMDAyMwo= diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml deleted file mode 100644 index b566b11458..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PV" (dict "dot" . "persistenceInfos" .Values.persistence.data) }} diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml deleted file mode 100644 index b3e7f9fabd..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PV" (dict "dot" . "suffix" "dbus" "persistenceInfos" .Values.persistence.dbus) }} diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml deleted file mode 100644 index b8971cc03c..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PVC" (dict "dot" . "persistenceInfos" .Values.persistence.data) }} diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml deleted file mode 100644 index 7297d6f81d..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.PVC" (dict "dot" . "suffix" "dbus" "persistenceInfos" .Values.persistence.dbus) }} diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml deleted file mode 100644 index 4be63fa18b..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} -type: Opaque -data: -{{ (.Files.Glob "resources/config/*").AsSecrets | indent 2 }} \ No newline at end of file 
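Review bot: the `data:` block of the removed `secret.yaml` is filled by `(.Files.Glob "resources/config/*").AsSecrets`, so the Secret's contents were the files committed under `resources/config/` (`prk_passwd` and `srk_handle`, both deleted earlier in this patch), and those values are only base64-encoded, which is an encoding and not protection. Deleting the files from the tree does not remove them from repository history. The change description should say that any deployment that ran with the shipped `prk_passwd` has to treat that password as public.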
diff --git a/kubernetes/aaf/components/aaf-sshsm/values.yaml b/kubernetes/aaf/components/aaf-sshsm/values.yaml deleted file mode 100644 index 7e8d4f1352..0000000000 --- a/kubernetes/aaf/components/aaf-sshsm/values.yaml +++ /dev/null @@ -1,72 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - # Standard OOM - pullPolicy: "Always" - - tpm: - enabled: false - # if enabled, nodeselector will use the below - # values in the nodeselector section of the pod - nodeLabel: "tpm-node" - nodeLabelValue: "true" - persistence: {} - -aaf-sshsm-abrmd: - enabled: true -aaf-sshsm-distcenter: - enabled: true -aaf-sshsm-testca: - enabled: true - -persistence: - enabled: true - data: - enabled: true - size: 10Mi - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountSubPath: sshsm/data - dbus: - enabled: true - size: 10Mi - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountSubPath: sshsm/dbus - - - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 20m - memory: 50Mi - requests: - cpu: 10m - memory: 10Mi - large: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 10m - memory: 100Mi - unlimited: {} 
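Review bot: `persistence.data` and `persistence.dbus` in this removed values file both set `volumeReclaimPolicy: Retain`, so dropping the chart leaves the volumes and everything written under `sshsm/data` and `sshsm/dbus` in place. The distcenter Job deleted earlier in this patch wrote a generated passphrase to `/distcenter/data/passphrase` on the `...-aaf-sshsm` claim, which appears to be the data volume defined here, so the retained data can include secret material. Please add an upgrade note telling operators to wipe and release these volumes once the chart is gone.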
diff --git a/kubernetes/aaf/components/aaf-templates/Chart.yaml b/kubernetes/aaf/components/aaf-templates/Chart.yaml deleted file mode 100644 index 301f65c9b0..0000000000 --- a/kubernetes/aaf/components/aaf-templates/Chart.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright © 2020-2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Application Authorization Framework Templates -name: aaf-templates -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/aaf/components/aaf-templates/templates/_deployment.tpl b/kubernetes/aaf/components/aaf-templates/templates/_deployment.tpl deleted file mode 100644 index c0614b255e..0000000000 --- a/kubernetes/aaf/components/aaf-templates/templates/_deployment.tpl +++ /dev/null 
@@ -1,84 +0,0 @@ -{*/ -# Copyright © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/} - -{{- define "aaf.deployment" -}} -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - {{- if (include "common.onServiceMesh" .) }} - annotations: - sidecar.istio.io/inject: "false" - {{- end }} - spec: {{ include "aaf.initContainers" . | nindent 6 }} - containers: - - name: {{ include "common.name" . }} - workingDir: /opt/app/aaf - command: ["bin/{{ .Values.binary }}"] - image: {{ include "repositoryGenerator.repository" . }}/{{.Values.global.aaf.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . 
| nindent 10 }} - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/osaaf/etc/org.osaaf.aaf.log4j.props - name: aaf-log - subPath: org.osaaf.aaf.log4j.props - - mountPath: /opt/app/osaaf/data/ - name: config-identity - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{.Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aaf-config-vol - emptyDir: {} - - name: aaf-log - configMap: - name: {{ include "common.release" . }}-aaf-log - - name: config-init-identity - configMap: - name: {{ include "common.release" . }}-aaf-identity - - name: config-identity - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" -{{- end -}} diff --git a/kubernetes/aaf/components/aaf-templates/templates/_initContainers.tpl b/kubernetes/aaf/components/aaf-templates/templates/_initContainers.tpl deleted file mode 100644 index 755315296d..0000000000 --- a/kubernetes/aaf/components/aaf-templates/templates/_initContainers.tpl +++ /dev/null 
@@ -1,130 +0,0 @@ -{*/ -# Copyright © 2020 AT&T, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/} - -{{- define "aaf.permissionFixer" -}} -- name: onboard-identity-and-fix-permission - command: - - /bin/sh - args: - - -c - - | - echo "*** Move files from configmap to emptyDir" - cp -L /config-input-identity/* /config-identity/ - echo "*** set righ user to the different folders" - chown -R 1000:1000 /config-identity - chown -R 1000:1000 /opt/app/aaf - chown -R 1000:1000 /opt/app/osaaf - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /opt/app/osaaf - name: aaf-config-vol - - mountPath: /config-input-identity - name: config-init-identity - - mountPath: /config-identity - name: config-identity - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end -}} - -{{- define "aaf.podConfiguration" }} -- name: {{ include "common.name" . }}-config-container - image: {{ include "repositoryGenerator.repository" . 
}}/{{.Values.global.aaf.config.image}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /bin/bash - args: - - -c - - | - cd /opt/app/aaf_config - bin/agent.sh - volumeMounts: - - mountPath: "/opt/app/osaaf" - name: aaf-config-vol - env: - - name: aaf_env - value: "{{ .Values.global.aaf.aaf_env }}" - - name: cadi_latitude - value: "{{ .Values.global.aaf.cadi_latitude }}" - - name: cadi_longitude - value: "{{ .Values.global.aaf.cadi_longitude }}" - - name: cadi_x509_issuers - value: "{{ .Values.global.aaf.cadi_x509_issuers }}" - - name: aaf_locate_url - value: "https://aaf-locate.{{ .Release.Namespace}}:8095" - - name: aaf_locator_container - value: "oom" - - name: aaf_release - value: "{{ .Values.global.aaf.aaf_release }}" - - name: aaf_locator_container_ns - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: aaf_locator_public_fqdn - value: "{{.Values.global.aaf.public_fqdn}}" - - name: aaf_locator_name - value: "{{.Values.global.aaf.aaf_locator_name}}" - - name: aaf_locator_name_oom - value: "{{.Values.global.aaf.aaf_locator_name_oom}}" - - name: cm_always_ignore_ips - value: "true" - - name: CASSANDRA_CLUSTER - value: "aaf-cass.{{ .Release.Namespace }}" - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end -}} - -{{- define "aaf.initContainers" -}} -initContainers: -{{ include "aaf.permissionFixer" . }} -{{- if .Values.sequence_order }} -- name: {{ include "common.name" . }}-aaf-readiness - command: - - /app/ready.py - args: - {{- range $container := .Values.sequence_order }} - - --container-name - - aaf-{{ $container}} - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi -{{- end }} -{{ include "aaf.podConfiguration" . }} -{{- end }} diff --git a/kubernetes/aaf/components/aaf-templates/values.yaml b/kubernetes/aaf/components/aaf-templates/values.yaml deleted file mode 100644 index 73efdc6132..0000000000 --- a/kubernetes/aaf/components/aaf-templates/values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/kubernetes/aaf/resources/data/identities.dat b/kubernetes/aaf/resources/data/identities.dat deleted file mode 100644 index 4813cc19fc..0000000000 --- a/kubernetes/aaf/resources/data/identities.dat +++ /dev/null 
@@ -1,94 +0,0 @@ -{{/* -# -# Sample Identities.dat -# This file is for use with the "Default Organization". It is a simple mechanism to have a basic ILM structure to use with -# out-of-the-box tire-kicking, or even for Small companies -# -# For Larger Companies, you will want to create a new class implementing the "Organization" interface, making calls to your ILM, or utilizing -# batch feeds, as is appropriate for your company. -# -# Example Field Layout. note, in this example, Application IDs and People IDs are mixed. You may want to split -# out AppIDs, choose your own status indicators, or whatever you use. -# 0 - unique ID -# 1 - full name -# 2 - first name -# 3 - last name -# 4 - phone -# 5 - official email -# 6 - employment status e=employee, c=contractor, a=application, n=no longer with company -# 7 - responsible to (i.e Supervisor for People, or AppOwner, if it's an App ID) -# -*/}} - -iowna|Ima D. Owner|Ima|Owner|314-123-2000|ima.d.owner@people.osaaf.com|e| -mmanager|Mark D. Manager|Mark|Manager|314-123-1234|mark.d.manager@people.osaaf.com|e|iowna -bdevl|Robert D. Developer|Bob|Developer|314-123-1235|bob.d.developer@people.osaaf.com|e|mmanager -mmarket|Mary D. Marketer|Mary|Marketer|314-123-1236|mary.d.marketer@people.osaaf.com|e|mmanager -ccontra|Clarice D. Contractor|Clarice|Contractor|314-123-1237|clarice.d.contractor@people.osaaf.com|c|mmanager -iretired|Ira Lee M. 
Retired|Ira|Retired|314-123-1238|clarice.d.contractor@people.osaaf.com|n|mmanager - -# Portal Identities -portal|ONAP Portal Application|PORTAL|ONAP Application|314-123-1234|portal@people.osaaf.com|a|aaf_admin -shi|ONAP SHI Portal Identity|shi|Portal Application|314-123-1234|shi@people.osaaf.com|a|aaf_admin -demo|PORTAL DEMO|demo|PORTAL|DEMO|314-123-1234|demo@people.osaaf.com|e|aaf_admin -jh0003|PORTAL ADMIN|jh|PORTAL ADMIN|314-123-1234|jh0003@people.osaaf.com|e|aaf_admin -cs0008|PORTAL DESIGNER|cs|PORTAL DESIGNER|314-123-1234|cs0008@people.osaaf.com|e|aaf_admin -jm0007|PORTAL TESTER|jm|PORTAL TESTER|314-123-1234|jm0007@people.osaaf.com|e|aaf_admin -op0001|PORTAL OPS|op|PORTAL OPS|314-123-1234|op0001@people.osaaf.com|e|aaf_admin -gv0001|GV PORTAL|gv|PORTAL|314-123-1234|gv0001@people.osaaf.com|e|aaf_admin -pm0001|PM PORTAL|pm|PORTAL|314-123-1234|pm0001@people.osaaf.com|e|aaf_admin -gs0001|GS PORTAL|gs|PORTAL|314-123-1234|gs0001@people.osaaf.com|e|aaf_admin -ps0001|PS PORTAL|ps|PORTAL|314-123-1234|ps0001@people.osaaf.com|e|aaf_admin - -# AAF Defined Users -aaf_admin|AAF Administrator|Mr AAF|AAF Admin|314-123-1234|aaf_admin@people.osaaf.com|e|mmanager -deployer|Deployer|Deployer|Depoyer|314-123-1234|deployer@people.osaaf.com|e|aaf_admin - -# Requested Users -portal_admin|Portal Admin|Portal|Admin|314-123-1234|portal_admin@people.osaaf.com|e|mmanager - -# ONAP App IDs -a1p|A1 Policy Mangement|A1P|Application|314-123-1234|no_reply@people.osaaf.com|a|aaf_admin -aaf|AAF Application|AAF|Application|314-123-1234|no_reply@people.osaaf.com|a|aaf_admin -aaf-sms|AAF SMS Application|AAF SMS|Application|314-123-1234|no_reply@people.osaaf.com|a|aaf_admin -clamp|ONAP CLAMP Application|CLAMP|Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -aai|ONAP AAI Application|AAI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -aai-resources|ONAP AAI Resources Application|AAI Resources|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager 
-aai-schema-service|ONAP AAI Schema Service Application|AAI Schema Service|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -aai-traversal|ONAP AAI Traversal Application|AAI Resources|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -appc|ONAP APPC Application|APPC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -appc-cdt|ONAP APPC CDT Application|APPC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -cli|ONAP CLI Application|SDNC-CDS|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dcae|ONAP DCAE Application|CLAMP|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -oof|ONAP OOF Application|OOF|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -so|ONAP SO Application|SO|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -sdc|ONAP SDC Application|SDC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -sdnc|ONAP SDNC Application|SDNC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -sdnc-cds|ONAP SDNC CDS Application|SDNC-CDS|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -vfc|ONAP VFC Application|VNC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -policy|ONAP Policy Application|POLICY|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -pomba|ONAP Pomba Application|POMBA|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -holmes|ONAP Holmes Application|HOLMES|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -holmes-engine-mgmt|ONAP Holmes Engine Management Application|HOLMES-ENGINE|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -holmes-rule-mgmt|ONAP Holmes Rules Management Application|HOLMES-RULES|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -nbi|ONAP NBI Application|NBI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -msb-eag|ONAP MSB EAG 
Application|MSB EAG|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -msb-iag|ONAP MSB IAG Application|MSB IAG|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -music|ONAP MUSIC Application|MUSIC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -refrepo|ONAP REFREPO Application|REFREPO|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -uui|ONAP UUI Application|UUI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -# VID Identities -vid|ONAP VID Application|VID|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -vid1|ONAP VID Application 1|VID 1|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -vid2|ONAP VID Application 2|VID 2|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -# DMAAP Identities -dmaap-bc|ONAP DMaap BC Application|DMaap BC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-bc-topic-mgr|ONAP DMaap BC Topic Manager|DMaap BC Topic Manager|DMaap BC|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-bc-mm-prov|ONAP DMaap BC Provisioning Manager|DMaap BC Provision Manager|DMaap BC|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-dr|ONAP DMaap DR|Prov|DMaap DR|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-dr-prov|ONAP DMaap DR Prov|Prov|DMaap MR|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-dr-node|ONAP DMaap DR Node|Node|DMaap MR|314-123-1234|no_reply@people.osaaf.com|a|mmanager -dmaap-mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -#deprecate these in El Alto -dmaapmr|ONAP DMaap MR Application|DMaap MR|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager -#dmaap.mr|ONAP DMaap MR Application|DMaap MR|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager 
diff --git a/kubernetes/aaf/resources/log/org.osaaf.aaf.log4j.props b/kubernetes/aaf/resources/log/org.osaaf.aaf.log4j.props deleted file mode 100644 index 4120913d99..0000000000 --- a/kubernetes/aaf/resources/log/org.osaaf.aaf.log4j.props +++ /dev/null 
@@ -1,53 +0,0 @@ -######### -# ============LICENSE_START==================================================== -# org.onap.aaf -# =========================================================================== -# Copyright (c) 2017 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2020 Orange Intellectual Property. All rights reserved. -# =========================================================================== -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END==================================================== -# - -log4j.appender.INIT=org.apache.log4j.DailyRollingFileAppender -log4j.appender.INIT.File=${LOG4J_FILENAME_init} -log4j.appender.INIT.DatePattern='.'yyyy-MM-dd -log4j.appender.INIT.layout=org.apache.log4j.PatternLayout -log4j.appender.INIT.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSSZ} %m %n - -log4j.appender.SRVR=org.apache.log4j.DailyRollingFileAppender -log4j.appender.SRVR.File=${LOG4J_FILENAME_service} -log4j.appender.SRVR.DatePattern='.'yyyy-MM-dd -log4j.appender.SRVR.layout=org.apache.log4j.PatternLayout -log4j.appender.SRVR.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSSZ} %p [%c] %m %n - -log4j.appender.AUDIT=org.apache.log4j.DailyRollingFileAppender -log4j.appender.AUDIT.File=${LOG4J_FILENAME_audit} -log4j.appender.AUDIT.DatePattern='.'yyyy-MM-dd -log4j.appender.AUDIT.layout=org.apache.log4j.PatternLayout -log4j.appender.AUDIT.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSSZ} %m %n - 
-log4j.appender.stdout=org.apache.log4j.ConsoleAppender -log4j.appender.stdout.layout=org.apache.log4j.PatternLayout -log4j.appender.stdout.layout.ConversionPattern=%d %p [%c] %m %n - -# General Apache libraries -log4j.rootLogger=WARN.SRVR -log4j.logger.org.apache=WARN,SRVR -log4j.logger.com.datastax=WARN,SRVR -log4j.logger.init=INFO,INIT,stdout -log4j.logger.service=${LOGGING_LEVEL},SRVR,stdout -log4j.logger.audit=INFO,AUDIT -# Additional configs, not caugth with Root Logger -log4j.logger.io.netty=INFO,SRVR -log4j.logger.org.eclipse=INFO,SRVR \ No newline at end of file diff --git a/kubernetes/aaf/templates/configmap.yaml b/kubernetes/aaf/templates/configmap.yaml deleted file mode 100644 index 969046551b..0000000000 --- a/kubernetes/aaf/templates/configmap.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-log - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/log/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-identity - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/data/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/aaf/values.yaml b/kubernetes/aaf/values.yaml deleted file mode 100644 index b014360833..0000000000 --- a/kubernetes/aaf/values.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications © 2020 AT&T -# Modifications Copyright © 2020 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# - -global: - nodePortPrefix: 302 - persistence: - enabled: true - # Standard OOM - pullPolicy: "Always" - - cmpv2Enabled: true - addTestingComponents: false - aaf: - readiness: false - image: onap/aaf/aaf_core:2.1.23 - aaf_env: "DEV" - public_fqdn: "aaf.osaaf.org" - aaf_release: "Frankfurt" - # DUBLIN ONLY - for M4 compatibility with Casablanca - # aaf_locator_name: "public.%NS.%N" - # aaf_locator_name_oom: "%NS.%N" - # EL ALTO and Beyond - aaf_locator_name: "%NS.%N" - aaf_locator_name_oom: "%CNS.%NS.%N" - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - cadi_x509_issuers: "CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US" - - config: - image: onap/aaf/aaf_config:2.1.23 - - service: - fqdn: "aaf-service" - internal_port: 8100 - public_port: 31110 - locate: - fqdn: "aaf-locate" - internal_port: 8095 - public_port: 31111 - oauth: - fqdn: "aaf-oauth" - internal_port: 8140 - public_port: 31112 - -################################################################# -# Application configuration defaults. 
-################################################################# - -flavor: small -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 350 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 150 - periodSeconds: 10 - -ingress: - enabled: false - service: - - baseaddr: "aaf.api" - name: "aaf-service" - port: 8100 - config: - ssl: "none" - -persistence: {} - -resources: {} - -aaf-authz: - enabled: true -aaf-sms: - enabled: true -aaf-sshsm: - enabled: false diff --git a/kubernetes/aai/Chart.yaml b/kubernetes/aai/Chart.yaml index e02c624e59..89137d209b 100644 --- a/kubernetes/aai/Chart.yaml +++ b/kubernetes/aai/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,56 +18,53 @@ apiVersion: v2 description: ONAP Active and Available Inventory name: aai -version: 12.0.0 +version: 16.0.1 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) + version: ~13.x-0 repository: '@local' - name: cassandra - version: ~12.x-0 + version: ~16.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' condition: global.cassandra.localCluster - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: aai-babel - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/aai-babel' condition: aai-babel.enabled - name: aai-graphadmin - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/aai-graphadmin' condition: aai-graphadmin.enabled - name: aai-modelloader - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/aai-modelloader' condition: aai-modelloader.enabled - name: aai-resources - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/aai-resources' condition: aai-resources.enabled - name: aai-schema-service - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/aai-schema-service' condition: aai-schema-service.enabled - name: aai-sparky-be - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/aai-sparky-be' condition: aai-sparky-be.enabled - name: aai-traversal - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/aai-traversal' condition: aai-traversal.enabled - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/aai/components/aai-babel/Chart.yaml b/kubernetes/aai/components/aai-babel/Chart.yaml index 11b561cc9f..376a7dd0f3 100644 --- a/kubernetes/aai/components/aai-babel/Chart.yaml +++ b/kubernetes/aai/components/aai-babel/Chart.yaml @@ -1,7 +1,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,21 +18,15 @@ apiVersion: v2 description: Babel microservice name: aai-babel -version: 12.0.0 +version: 15.0.2 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties index 6a3a74c0a6..8f47bf084b 100644 --- a/kubernetes/aai/components/aai-babel/resources/config/application.properties +++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Copyright © 2021 Orange +# Modifications Copyright � 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -15,19 +16,21 @@ # limitations under the License. */}} server.port=9516 -{{ if ( include "common.needTLS" .) }} -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=need -server.ssl.key-store-type=PKCS12 -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/services/babel-service logging.config=${CONFIG_HOME}/logback.xml tosca.mappings.config=${CONFIG_HOME}/tosca-mappings.json + +spring.application.name=aai-babel +spring.sleuth.enabled={{ .Values.global.tracing.enabled }} +spring.zipkin.baseUrl={{ .Values.global.tracing.collector.baseUrl }} +spring.sleuth.messaging.jms.enabled = false +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.global.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c, b3 +spring.sleuth.supports-join=false + +management.endpoints.web.exposure.include=* diff --git a/kubernetes/aai/components/aai-babel/resources/config/logback.xml b/kubernetes/aai/components/aai-babel/resources/config/logback.xml index 125731cf6e..51ebf9d50b 100644 --- a/kubernetes/aai/components/aai-babel/resources/config/logback.xml +++ b/kubernetes/aai/components/aai-babel/resources/config/logback.xml 
@@ -1,4 +1,4 @@ - + - - - - - - - - - - - - - - - - + + + + + + timestamp + + + + context + ServerIPAddress + EntryTimestamp + InvokeTimestamp + ErrorCode + ErrorDesc + + + exception + + ^sun\.reflect\..*\.invoke + ^net\.sf\.cglib\.proxy\.MethodProxy\.invoke + true + + + + thread + + + logger + 36 + + + + + - - ${logDirectory}/${generalLogName}.log - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${errorLogPattern} - - INFO 256 - + - - - - ${logDirectory}/${auditLogName}.log - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${auditLogPattern} - - + + 256 - - - - - ${logDirectory}/${metricsLogName}.log - - ${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${metricsLogPattern} - + 256 - - - - - ${logDirectory}/${debugLogName}.log - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${errorLogPattern} - + - e.level.toInt() < INFO.toInt() + DENY NEUTRAL 256 - + false - - - ${errorLogPattern} - - + - - - - - - - - - - - - - - - - + @@ -162,23 +123,24 @@ - - - + + + - + - + - + - + @@ -187,8 +149,13 @@ - + + + + + + diff --git a/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-babel/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-babel/templates/configmap.yaml b/kubernetes/aai/components/aai-babel/templates/configmap.yaml index baee38c0e2..39d494acc2 100644 --- a/kubernetes/aai/components/aai-babel/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-babel/templates/configmap.yaml @@ -21,10 +21,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml index e52ac7a6d1..57f770b845 100644 --- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml 
@@ -2,6 +2,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2020,2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,19 +19,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "annotations" .Values.annotations "dot" .) | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} + {{- if .Values.debug.enabled }} + replicas: 1 + {{- else }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} strategy: type: {{ .Values.updateStrategy.type }} {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} 
@@ -39,32 +36,27 @@ spec: maxSurge: {{ .Values.updateStrategy.maxSurge }} {{- end }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - echo "*** actual launch of AAI Babel" - /bin/bash /opt/app/babel/bin/start.sh - {{- end }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} + {{- if .Values.debug.enabled }} + - containerPort: {{ .Values.debug.port }} + name: {{ .Values.debug.portName }} + {{- end }} + {{- if .Values.profiling.enabled }} + - containerPort: {{ .Values.profiling.port }} + name: {{ .Values.profiling.portName }} + {{- end }} + {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when + # debugging.enabled=true or profiling.enabled=true + {{- if and .Values.liveness.enabled (not (or .Values.debug.enabled .Values.profiling.enabled)) }} livenessProbe: tcpSocket: port: {{ .Values.service.internalPort }} 
@@ -77,16 +69,19 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: - {{- if not (include "common.needTLS" .) }} - name: KEY_STORE_PASSWORD value: NotUsed - {{- end }} - name: CONFIG_HOME value: /opt/app/babel/config - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + {{- if .Values.profiling.enabled }} + - name: JVM_OPTS + value: '{{ join " " .Values.profiling.args }}' + {{- end }} + {{- if .Values.debug.enabled }} + - name: JVM_OPTS + value: {{ .Values.debug.args | quote }} + {{- end }} + volumeMounts: - mountPath: /opt/app/babel/config/application.properties name: config subPath: application.properties @@ -106,8 +101,11 @@ spec: - mountPath: /opt/app/babel/config/logback.xml name: config subPath: logback.xml - resources: -{{ include "common.resources" . }} + - mountPath: /opt/app/babel/logs + name: babel-logs + - mountPath: /tmp + name: tmp + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -120,10 +118,7 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: config configMap: name: {{ include "common.fullname" . }}-configmap 
@@ -131,8 +126,14 @@ spec: secret: secretName: {{ include "common.fullname" . }}-babel-secrets - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + - name: babel-logs + emptyDir: + sizeLimit: {{ .Values.volumes.babelLogsSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-babel/templates/secrets.yaml b/kubernetes/aai/components/aai-babel/templates/secrets.yaml index 9d7d2c5a80..3f2b97c210 100644 --- a/kubernetes/aai/components/aai-babel/templates/secrets.yaml +++ b/kubernetes/aai/components/aai-babel/templates/secrets.yaml @@ -21,11 +21,7 @@ kind: Secret metadata: name: {{ include "common.fullname" . }}-babel-secrets namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/components/aai-babel/templates/service.yaml b/kubernetes/aai/components/aai-babel/templates/service.yaml index 87a29db457..86141abe90 100644 --- a/kubernetes/aai/components/aai-babel/templates/service.yaml +++ b/kubernetes/aai/components/aai-babel/templates/service.yaml 
@@ -16,29 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{- if eq .Values.service.type "NodePort" }} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else }} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end }} - - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/aai/components/aai-babel/templates/servicemonitor.yaml b/kubernetes/aai/components/aai-babel/templates/servicemonitor.yaml new file mode 100644 index 0000000000..dc706029bf --- /dev/null +++ b/kubernetes/aai/components/aai-babel/templates/servicemonitor.yaml @@ -0,0 +1,3 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml index ca23bc96c1..1af40c9d79 100644 --- a/kubernetes/aai/components/aai-babel/values.yaml +++ b/kubernetes/aai/components/aai-babel/values.yaml 
@@ -1,6 +1,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2020, 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,56 +18,29 @@ ################################################################# # Global configuration defaults. ################################################################# -global: {} - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-babel-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai - fqi: aai@aai.onap.org - public_fqdn: aai.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** writing passwords into prop file" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo "KEY_STORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "KEY_MANAGER_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} +global: + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 
################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/babel:1.11.0 +image: onap/babel:1.13.5 flavor: small -flavorOverride: small # default number of instances replicaCount: 1 +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + updateStrategy: type: RollingUpdate maxUnavailable: 0 @@ -90,10 +64,11 @@ readiness: service: type: NodePort - portName: http - externalPort: 9516 internalPort: 9516 - nodePort: 79 + ports: + - name: http + port: 9516 + nodePort: 79 ingress: enabled: false 
@@ -104,23 +79,59 @@ ingress: config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-modelloader-read + - serviceAccount: istio-ingress + namespace: istio-ingress + resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "2500Mi" requests: - cpu: 0.5 - memory: 1Gi + cpu: "100m" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "4Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "1Gi" unlimited: {} +# adds jvm args for remote debugging the application +debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + port: 5005 + portName: debug + +# adds jvm args for remote profiling the application +profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + port: 9999 + portName: jmx + +metrics: + serviceMonitor: + enabled: true + targetPort: 9516 + path: /services/babel-service/actuator/prometheus + basicAuth: + enabled: false + #Pods Service Account serviceAccount: nameOverride: aai-babel @@ -130,4 +141,18 @@ serviceAccount: #Log configuration log: path: /var/log/onap + level: + root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + artifactDataSizeLimit: 50Mi + babelLogsSizeLimit: 100Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-graphadmin/Chart.yaml b/kubernetes/aai/components/aai-graphadmin/Chart.yaml index 239bcad749..c7020b7f70 100644 --- a/kubernetes/aai/components/aai-graphadmin/Chart.yaml 
+++ b/kubernetes/aai/components/aai-graphadmin/Chart.yaml @@ -4,7 +4,7 @@ # ================================================================================ # Copyright © 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,21 +22,18 @@ apiVersion: v2 description: ONAP AAI GraphAdmin name: aai-graphadmin -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties index f768338d99..0266aabe65 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties 
@@ -5,6 +5,7 @@ # ================================================================================ # Copyright © 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,29 +25,15 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten - -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{ else }} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} -{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} +{{- if or (.Values.global.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true -aai.tools.username={{ .Values.global.config.basic.auth.username }} -aai.tools.password={{ .Values.global.config.basic.auth.passwd }} -{{ end }} - -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} -{{ end }} +aai.tools.username={{ (index .Values.global.auth.users 0).username }} +aai.tools.password={{ (index .Values.global.auth.users 0).password }} +{{- end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED 
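Review bot: the added `aai.tools.username` and `aai.tools.password` lines call `(index .Values.global.auth.users 0)`, but the guard around them is `or (.Values.global.auth.enabled) (include "common.onServiceMesh" .)`. On a service-mesh install where `global.auth.users` is unset or empty, the guard is still true and the `index` call fails at render time. Please also require a non-empty `users` list in the condition, or fail with an explicit message. Two smaller points in the same hunk: the first user's password is now written in clear text into this properties file, where the removed keystore lines used `${...}` placeholders resolved at runtime, so check that the file is mounted from a Secret; and the three `aai.server.url*` lines are now unconditionally `http://`, which deserves a comment saying that transport security is expected from the mesh.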
@@ -107,6 +94,7 @@ aai.datagrooming.enabledupecheckoff=false aai.datagrooming.enableghost2checkoff=false aai.datagrooming.enableghost2fixon=false aai.datagrooming.enablef=false +aai.datagrooming.enableskipindexupdatefix=false # used by the dataGrooming to set values aai.datagrooming.timewindowminutesvalue=10500 diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties index 6e64fd8400..196448c1fe 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright � 2018 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange +# Modifications Copyright � 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
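Review bot: the added line `# Modifications Copyright � 2023 Nordix Foundation` in application.properties carries a replacement character where the Orange line directly above it has a proper `©`. It matches the already damaged AT&T line, so the file is probably being saved in a different encoding than the one it was written in. Please write the new line as UTF-8 (or use `(c)`), and consider repairing the AT&T line in the same change.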
@@ -34,38 +35,28 @@ server.servlet.context-path=/ spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration -spring.profiles.active={{ .Values.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} +spring.profiles.active={{ .Values.config.profiles.active }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool -server.tomcat.max-threads=200 +server.tomcat.max-threads=50 #The minimum number of threads always kept alive -server.tomcat.min-Spare-Threads=25 +server.tomcat.min-Spare-Threads=5 #The number of milliseconds before an idle thread shutsdown, unless the number of active threads are less or equal to minSpareThreads server.tomcat.max-idle-time=60000 # If you get an application startup failure that the port is already taken # If thats not it, please check if the key-store file path makes sense server.local.startpath=/opt/app/aai-graphadmin/resources/ -server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties - -server.port=8449 -{{ if ( include "common.needTLS" .) 
}} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks -server.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD}) -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD}) -server.ssl.client-auth=want -server.ssl.key-store-type=JKS -{{ else }} -security.require-ssl=false -server.ssl.enabled=false -{{ end }} - -# JMS bind address host port -jms.bind.address=tcp://localhost:61649 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} -dmaap.ribbon.transportType={{ include "common.scheme" . }} + +server.port={{ .Values.service.appPort }} + +spring.kafka.producer.bootstrap-servers=${BOOTSTRAP_SERVERS} +spring.kafka.producer.properties.security.protocol=SASL_PLAINTEXT +spring.kafka.producer.properties.sasl.mechanism=SCRAM-SHA-512 +spring.kafka.producer.key-serializer=org.apache.kafka.common.serialization.StringSerializer +spring.kafka.producer.value-serializer=org.apache.kafka.common.serialization.StringSerializer +spring.kafka.producer.properties.sasl.jaas.config=${JAAS_CONFIG} +spring.kafka.producer.retries=3 # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
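Review bot: `spring.kafka.producer.properties.security.protocol=SASL_PLAINTEXT` is hard-coded in the new Kafka block, so SCRAM-SHA-512 authenticates the producer but the events themselves travel unencrypted unless something outside this file wraps the connection. Please make the protocol a chart value so `SASL_SSL` can be selected where there is no mesh mTLS between the pod and the brokers. The same hunk drops the whole `server.ssl.*` block together with the explicit `security.require-ssl=false` / `server.ssl.enabled=false` branch, leaving the listener on plain HTTP at `{{ .Values.service.appPort }}`; a one-line comment that TLS is delegated to the mesh would make that intent visible. The drop of `server.tomcat.max-threads` from 200 to 50 and `min-Spare-Threads` from 25 to 5 is also not mentioned anywhere and should be justified in the commit message.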
@@ -101,29 +92,31 @@ schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +schema.service.client=no-auth -{{ if ( include "common.needTLS" .) }} -schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks -schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -schema.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD}) -schema.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD}) -{{ end }} aperture.rdbmsname=aai_relational -aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +aperture.service.client=no-auth aperture.service.base.url=http://localhost:8457/aai/aperture -{{ if ( include "common.needTLS" .) 
}} -aperture.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks -aperture.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aperture.service.ssl.key-store-password=password(${KEYSTORE_JKS_PASSWORD}) -aperture.service.ssl.trust-store-password=password(${TRUSTSTORE_PASSWORD}) -{{ end }} aperture.service.timeout-in-milliseconds=300000 #To Expose the Prometheus scraping endpoint -management.port=8448 -endpoints.enabled=false -management.security.enabled=false \ No newline at end of file +management.server.port={{ .Values.service.actuatorPort }} +management.endpoints.enabled-by-default=true +management.endpoints.web.exposure.include=* +management.security.enabled=false + +# If true, the actuator health check will be overriden +# to use the AaiGraphChecker check instead. +# This does the same as the /echo endpoint, +# but doesn't show up in micrometer metrics +aai.actuator.echo.enabled={{ .Values.actuator.echo.enabled }} + +aai.graph.properties.path=${server.local.startpath}/etc/appprops/janusgraph-realtime.properties +aai.basic-auth.enabled={{ .Values.global.auth.enabled }} +{{- range $index, $user := .Values.global.auth.users }} +aai.basic-auth.users[{{ $index }}].username={{ $user.username }} +aai.basic-auth.users[{{ $index }}].password={{ $user.password }} +{{- end }} diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-cached.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-cached.properties deleted file mode 100644 index 5962ebd6fc..0000000000 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-cached.properties +++ /dev/null 
@@ -1,99 +0,0 @@ -{{/* -# -# ============LICENSE_START======================================================= -# org.onap.aai -# ================================================================================ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -query.fast-property=true -query.smart-limit=false - -{{ if .Values.global.config.cluster.cassandra.dynamic }} - -storage.backend=cql -storage.hostname={{.Values.global.cassandra.serviceName}} -storage.cql.keyspace=aaigraph -storage.username={{.Values.global.cassandra.username}} -storage.password={{.Values.global.cassandra.password}} - -storage.cql.read-consistency-level=LOCAL_QUORUM -storage.cql.write-consistency-level=LOCAL_QUORUM -storage.cql.replication-factor={{.Values.global.cassandra.replicas}} -storage.cql.only-use-local-consistency-for-system-operations=true - -{{ else }} - -{{ if .Values.global.config.storage }} - -storage.backend={{ .Values.global.config.storage.backend }} - -{{ if eq .Values.global.config.storage.backend "cassandra" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cassandra.keyspace={{ .Values.global.config.storage.name }} - -storage.cassandra.read-consistency-level={{ 
.Values.global.config.storage.cassandra.readConsistency }} -storage.cassandra.write-consistency-level={{ .Values.global.config.storage.cassandra.writeConsistency }} -storage.cassandra.replication-factor={{ .Values.global.config.storage.cassandra.replicationFactor | int }} -storage.cassandra.astyanax.cluster-name= {{ .Values.global.config.storage.clusterName }} -storage.cassandra.astyanax.local-datacenter= {{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "cql" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cql.keyspace={{ .Values.global.config.storage.name }} - -storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} -storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} -storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationFactor | int }} - -storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} -storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "hbase" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.hbase.table={{ .Values.global.config.storage.name }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} 
-cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ end }} - -{{ end }} - -{{ end }} - -storage.lock.wait-time=300 -#caching on -cache.db-cache = true -cache.db-cache-clean-wait = 20 -cache.db-cache-time = 180000 -cache.db-cache-size = 0.3 - -#load graphson file on startup -load.snapshot.file=false diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-realtime.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-realtime.properties index 61550e7a57..d1797a407e 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-realtime.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/janusgraph-realtime.properties 
@@ -20,44 +20,39 @@ query.fast-property=true query.smart-limit=false -{{ if .Values.global.config.cluster.cassandra.dynamic }} +{{- if .Values.global.config.cluster.cassandra.dynamic }} storage.backend=cql storage.hostname={{.Values.global.cassandra.serviceName}} -storage.cql.keyspace=aaigraph storage.username={{.Values.global.cassandra.username}} storage.password={{.Values.global.cassandra.password}} +storage.cql.keyspace=aaigraph +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.cql.read-consistency-level=LOCAL_QUORUM storage.cql.write-consistency-level=LOCAL_QUORUM storage.cql.replication-factor={{.Values.global.cassandra.replicas}} storage.cql.only-use-local-consistency-for-system-operations=true -{{ else }} +{{- if .Values.global.cassandra.partitionerName }} +storage.cql.partitioner-name={{ .Values.global.cassandra.partitionerName }} +{{- end }} -{{ if .Values.global.config.storage }} +{{- if .Values.config.janusgraph.cassandraDriver }} +storage.cql.internal.string-configuration = datastax-java-driver { {{ .Values.config.janusgraph.cassandraDriver.configuration }} } +{{- end }} -storage.backend={{ .Values.global.config.storage.backend }} +{{- else -}} -{{ if eq .Values.global.config.storage.backend "cassandra" }} +{{- if .Values.global.config.storage }} -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cassandra.keyspace={{ .Values.global.config.storage.name }} - -storage.cassandra.read-consistency-level={{ .Values.global.config.storage.cassandra.readConsistency }} -storage.cassandra.write-consistency-level={{ .Values.global.config.storage.cassandra.writeConsistency }} -storage.cassandra.replication-factor={{ .Values.global.config.storage.cassandra.replicationFactor | int }} -storage.cassandra.astyanax.cluster-name= {{ .Values.global.config.storage.clusterName }} -storage.cassandra.astyanax.local-datacenter= {{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ 
.Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} +storage.backend={{ .Values.global.config.storage.backend }} -{{ else if eq .Values.global.config.storage.backend "cql" }} +{{- if eq .Values.global.config.storage.backend "cql" }} storage.hostname={{ .Values.global.config.storage.hostname }} storage.cql.keyspace={{ .Values.global.config.storage.name }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} @@ -65,13 +60,13 @@ storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationF storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} -{{ else if eq .Values.global.config.storage.backend "hbase" }} +{{- else if eq .Values.global.config.storage.backend "hbase" }} storage.hostname={{ .Values.global.config.storage.hostname }} storage.hbase.table={{ .Values.global.config.storage.name }} 
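Review bot: in the static `cql` branch `storage.cql.local-datacenter` is now emitted twice. The previous hunk adds it right after `storage.cql.keyspace`, and this hunk keeps the original line after `storage.cql.cluster-name` and only changes its value. Please drop one of the two. Both copies now read `.Values.global.cassandra.localDataCenter` while every other key in this branch reads `.Values.global.config.storage.*`, so an install that only fills in the `config.storage` block no longer gets its configured datacenter name; keep the old key as a fallback or document the move. While you are here, the context line `storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.readConsistency }}` sets the write level from the read value, which looks like an existing copy-paste slip worth fixing in this change.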
@@ -80,14 +75,16 @@ storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} -{{ end }} - -{{ end }} - -{{ end }} +{{- end }} +{{- end }} +{{- end }} storage.lock.wait-time=300 # Setting db-cache to false ensure the fastest propagation of changes across servers -cache.db-cache = false +cache.db-cache=false #load graphson file on startup load.snapshot.file=false + +{{- if .Values.config.janusgraph.allowUpgrade }} +graph.allow-upgrade=true +{{- end }} diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-graphadmin/resources/config/localhost-access-logback.xml index 8e1bf21c95..257cda60bc 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/localhost-access-logback.xml +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/localhost-access-logback.xml 
@@ -20,35 +20,49 @@ */}} --> + - - - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - - - - - + - - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - "logType": "access" + + + + + { + "remoteIp": "%a", + "remoteUser": "%u", + "timestamp": "%t", + "requestMethod": "%m", + "requestUrl": "%U", + "queryString": "%q", + "httpStatusCode": "%s", + "bytesSent": "%b", + "transactionId": "%i{X-TransactionId}", + "fromAppId": "%i{X-FromAppId}", + "forwardedFor": "%i{X-Forwarded-For}", + "aaiSslClientCn": "%i{X-AAI-SSL-Client-CN}", + "aaiSslClientOu": "%i{X-AAI-SSL-Client-OU}", + "aaiSslClientO": "%i{X-AAI-SSL-Client-O}", + "aaiSslClientL": "%i{X-AAI-SSL-Client-L}", + "aaiSslClientSt": "%i{X-AAI-SSL-Client-ST}", + "aaiSslClientC": "%i{X-AAI-SSL-Client-C}", + "aaiSslClientNotBefore": "%i{X-AAI-SSL-Client-NotBefore}", + "aaiSslClientNotAfter": "%i{X-AAI-SSL-Client-NotAfter}", + "aaiSslClientDn": "%i{X-AAI-SSL-Client-DN}", + "durationMs": "%D", + "logType": "access" + } + + + - + + \ No newline at end of file + --> diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml b/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml index fd79f7043a..f72b266e44 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml 
+++ b/kubernetes/aai/components/aai-graphadmin/resources/config/logback.xml @@ -20,42 +20,9 @@ ============LICENSE_END========================================================= */}} --> - + - - - - - - - - - - - - - - - - - - - - - - - - - - 
@@ -84,1113 +51,101 @@ 36 - - {"logType":"app"} - - - - - ${logDirectory}/rest/sane.log - - ${logDirectory}/rest/sane.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - %d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n - - - - ${queueSize} - true - - - - ${logDirectory}/rest/metrics.log - - ${logDirectory}/rest/metrics.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${metricPattern} - - - - ${queueSize} - true - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/debug.log - - ${logDirectory}/rest/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - ${queueSize} - - true - - - ${logDirectory}/rest/error.log - - ${logDirectory}/rest/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - WARN - - - ${errorPattern} - - - - ${queueSize} - - - - ${logDirectory}/rest/audit.log - - ${logDirectory}/rest/audit.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - ${queueSize} - true - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/translog.log - - ${logDirectory}/rest/translog.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${transLogPattern} - - - - ${queueSize} - true - - - - - WARN - - ${logDirectory}/dmaapAAIEventConsumer/error.log - - ${logDirectory}/dmaapAAIEventConsumer/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${"errorPattern"} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log - - ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/debug.log - - ${logDirectory}/dmaapAAIEventConsumer/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/metrics.log - - ${logDirectory}/dmaapAAIEventConsumer/metrics.log.%d{yyyy-MM-dd} - 
${maxHistory} - ${totalSizeCap} - - - ${metricPattern} - - - - - WARN - - ${logDirectory}/external/external.log - - ${logDirectory}/external/external.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - - WARN - - ${logDirectory}/dataGrooming/error.log - - ${logDirectory}/dataGrooming/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dataGrooming/debug.log - - ${logDirectory}/dataGrooming/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dataGrooming/audit.log - - ${logDirectory}/dataGrooming/audit.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - - - - WARN - - ${logDirectory}/dataSnapshot/error.log - - ${logDirectory}/dataSnapshot/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dataSnapshot/debug.log - - ${logDirectory}/dataSnapshot/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dataSnapshot/audit.log - - ${logDirectory}/dataSnapshot/audit.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - - - - WARN - - ${logDirectory}/historyTruncate/error.log - - ${logDirectory}/historyTruncate/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/historyTruncate/debug.log - - ${logDirectory}/historyTruncate/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/historyTruncate/audit.log - - ${logDirectory}/historyTruncate/audit.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - - - - WARN - - ${logDirectory}/createDBSchema/error.log - - 
${logDirectory}/createDBSchema/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${"errorPattern"} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/createDBSchema/debug.log - - ${logDirectory}/createDBSchema/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/createDBSchema/metrics.log - - ${logDirectory}/createDBSchema/metrics.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${metricPattern} - - - - - - - WARN - - ${logDirectory}/misc/error.log - - ${logDirectory}/misc/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${"errorPattern"} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/misc/debug.log - - ${logDirectory}/misc/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/misc/audit.log - - ${logDirectory}/misc/audit.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dupetool/debug.log - - ${logDirectory}/dupetool/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - WARN - ACCEPT - DENY - - ${logDirectory}/dupeTool/error.log - - ${logDirectory}/dupeTool/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - - - WARN - - ${logDirectory}/dynamicPayloadGenerator/error.log - - ${logDirectory}/dynamicPayloadGenerator/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dynamicPayloadGenerator/debug.log - - ${logDirectory}/dynamicPayloadGenerator/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dataExport/audit.log - - ${logDirectory}/dynamicPayloadGenerator/audit.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - - - - 
DEBUG - ACCEPT - DENY - - ${logDirectory}/forceDelete/debug.log - - ${logDirectory}/forceDelete/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - WARN - ACCEPT - DENY - - ${logDirectory}/forceDelete/error.log - - ${logDirectory}/forceDelete/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/migration/debug.log - - ${logDirectory}/migration/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - WARN - ACCEPT - DENY - - ${logDirectory}/migration/error.log - - ${logDirectory}/migration/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - - - WARN - - ${logDirectory}/dataExport/error.log - - ${logDirectory}/dataExport/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dataExport/debug.log - - ${logDirectory}/dataExport/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dataExport/audit.log - - ${logDirectory}/dataExport/audit.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/schemaMod/debug.log - - ${logDirectory}/schemaMod/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - WARN - ACCEPT - DENY - - ${logDirectory}/schemaMod/error.log - - ${logDirectory}/schemaMod/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/uniquePropertyCheck/debug.log - - ${logDirectory}/uniquePropertyCheck/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/uniquePropertyCheck/metrics.log - - ${logDirectory}/uniquePropertyCheck/metrics.log.%d{yyyy-MM-dd} - 
${maxHistory} - ${totalSizeCap} - - - ${metricPattern} - - - - - WARN - ACCEPT - DENY - - ${logDirectory}/uniquePropertyCheck/error.log - - ${logDirectory}/uniquePropertyCheck/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - - - WARN - - ${logDirectory}/dynamicPayloadGenerator/error.log - - ${logDirectory}/dynamicPayloadGenerator/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dynamicPayloadGenerator/debug.log - - ${logDirectory}/dynamicPayloadGenerator/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dataExport/audit.log - - ${logDirectory}/dynamicPayloadGenerator/audit.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${logDirectory}/perf-audit/Audit-${lrmRVer}-${lrmRO}-${Pid}.log - - ${logDirectory}/perf-audit/Audit-${lrmRVer}-${lrmRO}-${Pid}.%i.log.zip - 1 - 9 - - - 5MB - - - auditPattern - - - - - ${logDirectory}/perf-audit/Perform-${lrmRVer}-${lrmRO}-${Pid}.log - - ${logDirectory}/perf-audit/Perform-${lrmRVer}-${lrmRO}-${Pid}.%i.log.zip - 1 - 9 - - - 5MB - - - "%d [%thread] %-5level %logger{1024} - %msg%n" - - - - - DEBUG - - ${logDirectory}/auth/auth.log - - ${logDirectory}/auth/auth.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC}[%thread] %-5level %logger{1024} - %msg%n - - - - ${queueSize} - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + - - - - - - - - - 
- - - - + diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties deleted file mode 100644 index ccd9864fb6..0000000000 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/realm.properties +++ /dev/null 
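Review bot: two file paths in the appender definitions of this logback.xml hunk do not match their rolling patterns. The audit appender that rolls to `${logDirectory}/dynamicPayloadGenerator/audit.log.%d{yyyy-MM-dd}` writes its active file to `${logDirectory}/dataExport/audit.log`, and the dupe tool pair uses `dupetool/debug.log` next to `dupeTool/error.log`. If these definitions are carried forward, align the directories so that audit records for one tool do not land in another tool's file, which makes the audit trail harder to attribute.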
@@ -1,44 +0,0 @@ -{{/* -# -# ============LICENSE_START======================================================= -# org.onap.aai -# ================================================================================ -# Copyright � 2018 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# format : username: password[,rolename ...] -# default username/password: AAI/AAI, MSO/MSO, ModelLoader/ModelLoader... 
-*/ -}} -AAI:OBF:1gfr1ev31gg7,admin -MSO:OBF:1jzx1lz31k01,admin -SDNC:OBF:1itr1i0l1i151isv,admin -DCAE:OBF:1g8u1f9d1f991g8w,admin -POLICY:OBF:1mk61i171ima1im41i0j1mko,admin -ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin -ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin -AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin -OOF:OBF:1img1ke71ily,admin -aai@aai.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -so@so.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin diff --git a/kubernetes/aai/components/aai-graphadmin/templates/_helpers.tpl b/kubernetes/aai/components/aai-graphadmin/templates/_helpers.tpl new file mode 100644 index 0000000000..dd3a3fcfdb --- /dev/null +++ b/kubernetes/aai/components/aai-graphadmin/templates/_helpers.tpl 
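Review bot: the accounts in the removed realm.properties should be treated as known and rotated, not just dropped from the chart. The `OBF:` values are Jetty's reversible obfuscation rather than a hash, the header comment documents the defaults (`AAI/AAI, MSO/MSO, ModelLoader/ModelLoader...`), and deleting the file removes it neither from history nor from releases already deployed. Every `@...onap.org` entry also shares one obfuscated value, so one password covered all of those service identities with the `admin` role; the commit message should say which mechanism replaces this file, and the replacement should not repeat the shared credential.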
@@ -0,0 +1,20 @@ +{{- define "aai.waitForSchemaService" -}} +- name: wait-for-schema-service + image: "{{ include "repositoryGenerator.image.curl" . }}" + imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-c"] + args: + - | + URL="{{ required "URL is required" (.Values.schemaInitCheckURL | default "http://aai-schema-service:8452/aai/schema-service/util/echo") }}" + AUTH="{{ printf "%s:%s" (index .Values.global.auth.users 0).username (index .Values.global.auth.users 0).password }}" + while true; do + if curl --fail --header 'X-FromAppId: graphadmin' --header 'X-TransactionId: someTransaction' -u $AUTH -s $URL; then + echo "Request successful. Schema-service is available" + exit 0 + else + echo "Request unsuccessful. Schema-service is not available yet. Retrying in 3 seconds..." + sleep 3 + fi + done + {{ include "common.containerSecurityContext" . | indent 2 | trim }} +{{- end -}} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml b/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml new file mode 100644 index 0000000000..04692fefcc --- /dev/null +++ b/kubernetes/aai/components/aai-graphadmin/templates/aai-graph-kafka-user.yml 
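Review bot: in the `args` script of `aai.waitForSchemaService`, the password of the first entry in `.Values.global.auth.users` is rendered into the container args through `AUTH="{{ printf "%s:%s" ... }}"`, so it is readable in the pod spec by anyone allowed to get pods, and the default URL is plain `http://`, so unless the mesh encrypts the hop it travels as Basic auth in clear text. Pass the credentials through a `secretKeyRef` environment variable instead, and quote the expansions (`-u "$AUTH" -s "$URL"`) so a password containing spaces or glob characters does not split. Two smaller points: `required "URL is required"` can never fire because the `default` always supplies a value, and `while true` has no upper bound, so a wrong URL or credential leaves the pod in Init indefinitely with only the retry message as a hint.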
@@ -0,0 +1,32 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.release" . }}-{{ .Values.global.aaiGraphKafkaUser }} + labels: {{- include "common.labels" . | nindent 4 }} + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: scram-sha-512 + authorization: + type: simple + acls: + - resource: + type: topic + name: AAI-EVENT + operations: + - All diff --git a/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-graphadmin/templates/authorizationpolicy.yaml 
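Review bot: the ACL under `spec.authorization.acls` grants `All` on topic `AAI-EVENT`, which covers Delete, Alter and AlterConfigs in addition to Read and Write. If graphadmin only publishes or consumes events, list just those operations (for example Write and Describe for a producer) so that a leaked `sasl.jaas.config` secret cannot be used to delete or reconfigure the topic.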
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml index 8eb4a4a781..90768b03d0 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/configmap.yaml @@ -25,11 +25,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": pre-upgrade,pre-install 
@@ -40,19 +36,13 @@ data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/janusgraph-realtime.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-properties namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- if .Values.global.jobs.migration.enabled }} annotations: "helm.sh/hook": pre-upgrade,pre-install @@ -69,11 +59,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "0" diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 3e1479e335..4f3b44f517 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml 
@@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,16 +23,14 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "annotations" .Values.annotations "dot" .) | nindent 2 }} spec: + {{- if .Values.config.debug.enabled }} + replicas: 1 + {{- else }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: type: {{ .Values.updateStrategy.type }} 
@@ -42,140 +41,141 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: hostname: aai-graphadmin terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} - {{ if .Values.global.initContainers.enabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . 
}}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} - - command: - {{ if .Values.global.jobs.migration.enabled }} - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-migration - {{ else if .Values.global.jobs.createSchema.enabled }} - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-create-db-schema - {{ else }} - - /app/ready.py - args: - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra + {{- if .Values.global.initContainers.enabled }} + initContainers: + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForCassandraService ) | indent 8 | trim }} + {{- if not .Values.createDbSchemaViaJob.enabled }} + {{- include "aai.waitForSchemaService" . | nindent 8 }} + - name: {{ include "common.name" . }}-create-db-schema + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . 
| nindent 10 | trim }} + command: + - sh + args: + - -c + - | + {{- if include "common.onServiceMesh" . }} + echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} + sh docker-entrypoint.sh createDBSchema.sh; + {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} + env: + {{- if .Values.config.debug.enabled }} + - name: JVM_OPTS + value: {{ .Values.config.debug.args | quote }} + {{- end }} + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + - name: BOOTSTRAP_SERVERS + value: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - name: JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.release" . }}-{{ .Values.global.aaiGraphKafkaUser }} + key: sasl.jaas.config + {{- if .Values.config.debug.enabled }} + ports: + - containerPort: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + {{- end }} + volumeMounts: + - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties + name: config + subPath: janusgraph-realtime.properties + - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties + name: properties + subPath: aaiconfig.properties + - mountPath: /opt/aai/logroot/AAI-GA + name: logs + - mountPath: /opt/app/aai-graphadmin/resources/logback.xml + name: config + subPath: logback.xml + - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml + name: config + subPath: localhost-access-logback.xml + - mountPath: /opt/app/aai-graphadmin/resources/application.properties + name: properties + subPath: application.properties + resources: {{ include "common.resources" . 
| nindent 12 }} {{- end }} - - --container-name - - aai-schema-service - {{ end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - {{ end }} + {{- end }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} - name: INTERNAL_PORT_1 - value: {{ .Values.service.internalPort | quote }} + value: {{ .Values.service.appPort | quote }} - name: INTERNAL_PORT_2 - value: {{ .Values.service.internalPort2 | quote }} + value: {{ .Values.service.debugPort | quote }} - name: INTERNAL_PORT_3 - value: {{ .Values.service.internalPort3 | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + value: {{ .Values.service.actuatorPort | quote }} + - name: BOOTSTRAP_SERVERS + value: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - name: JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.release" . 
}}-{{ .Values.global.aaiGraphKafkaUser }} + key: sasl.jaas.config + {{- if .Values.config.profiling.enabled }} + - name: PRE_JVM_ARGS + value: '{{ join " " .Values.config.profiling.args }}' + {{- end }} + {{- if .Values.config.debug.enabled }} + - name: POST_JVM_ARGS + value: {{ .Values.config.debug.args | quote }} + {{- end }} + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties name: properties subPath: aaiconfig.properties - mountPath: /opt/aai/logroot/AAI-RES name: logs + - mountPath: /opt/app/aai-graphadmin/logs + name: script-logs - mountPath: /opt/app/aai-graphadmin/resources/logback.xml name: config subPath: logback.xml - mountPath: /opt/app/aai-graphadmin/resources/localhost-access-logback.xml name: config subPath: localhost-access-logback.xml - - mountPath: /opt/app/aai-graphadmin/resources/etc/auth/realm.properties - name: config - subPath: realm.properties - mountPath: /opt/app/aai-graphadmin/resources/application.properties name: properties subPath: application.properties + - mountPath: /tmp + name: tmp-volume ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} + - containerPort: {{ .Values.service.appPort }} + name: {{ .Values.service.appPortName }} + {{- if .Values.config.debug.enabled }} + - containerPort: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + {{- end }} + {{- if .Values.config.profiling.enabled }} + - containerPort: {{ .Values.service.profilingPort }} + name: {{ .Values.service.profilingPortName }} + {{- end }} + - containerPort: {{ .Values.service.actuatorPort }} 
+ name: {{ .Values.service.actuatorPortName }} lifecycle: # wait for active requests (long-running tasks) to be finished # Before the SIGTERM is invoked, Kubernetes exposes a preStop hook in the Pod. 
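Review bot: the debug settings added under `.Values.config.debug.enabled` need a safe default and a note on exposure. The hunk passes `.Values.config.debug.args` as `JVM_OPTS` to the create-db-schema init container and as `POST_JVM_ARGS` to the main container, and opens `service.debugPort` on both; if those args start a JDWP listener it accepts unauthenticated connections, so values.yaml should default `debug.enabled` to false and neither the Service nor the AuthorizationPolicy should expose that port. `INTERNAL_PORT_2` now carries the debug port, so the preStop loop that greps for `$INTERNAL_PORT_1` and `$INTERNAL_PORT_2` waits on debugger connections rather than a second application port. The `range $key,$value := .Values.config.env` block copies values verbatim into the pod spec, so it is worth a comment that secrets must not be set there. Also, the init container mounts `logs` at `/opt/aai/logroot/AAI-GA` while the main container keeps `/opt/aai/logroot/AAI-RES`; one of the two looks unintended.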
@@ -185,55 +185,64 @@ spec: - sh - -c - | - while (netstat -an | grep ESTABLISHED | grep -e $INTERNAL_PORT_1 -e $INTERNAL_PORT_2) - do sleep 10 + while (netstat -an | grep ESTABLISHED | grep -e $INTERNAL_PORT_1 -e $INTERNAL_PORT_2) do + echo "Still active connections. Waiting for active requests to be finished" + sleep 3 done - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} + # disable liveness probe when + # debugging.enabled=true or profiling.enabled=true + {{- if and .Values.liveness.enabled (not (or .Values.config.debug.enabled .Values.config.profiling.enabled)) }} livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} + httpGet: + port: {{ .Values.service.actuatorPort }} + path: {{ .Values.liveness.path }} + {{- if .Values.liveness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} + {{- end }} readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} + httpGet: + port: {{ .Values.service.actuatorPort }} + path: {{ .Values.readiness.path }} + {{- if .Values.readiness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . }} + startupProbe: + httpGet: + port: {{ .Values.service.actuatorPort }} + path: {{ .Values.startup.path }} + failureThreshold: {{ .Values.startup.failureThreshold }} + periodSeconds: {{ .Values.startup.periodSeconds }} + resources: {{ include "common.resources" . 
| nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + {{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} affinity: -{{ toYaml .Values.affinity | indent 8 }} + {{ toYaml .Values.affinity | indent 8 }} {{- end }} - # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: + - name: tmp-volume + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: script-logs + emptyDir: + sizeLimit: {{ .Values.volumes.scriptlogSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: config configMap: name: {{ include "common.fullname" . }} - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties restartPolicy: {{ .Values.restartPolicy }} - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml index a93c6107e7..6366e0626b 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml 
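Review bot: the re-indented `toYaml` lines under `nodeSelector:` and `affinity:` will misrender a map with more than one key. The only change on those lines is added leading whitespace, and `indent 8` pads every line by 8, so the first line now gets the template's own indentation on top of that while the following lines do not. Use `{{- toYaml .Values.nodeSelector | nindent 8 }}` (the backup job template in this same patch already writes affinity that way). The new comment says `debugging.enabled=true`, but the condition tests `.Values.config.debug.enabled`; match the comment to the key. The `sizeLimit` values on the `emptyDir` volumes and the probe `path` fields have no fallback here, so values.yaml must define `volumes.*`, `liveness.path`, `readiness.path` and `startup.*` or the manifest renders empty fields.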
@@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -40,87 +41,27 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-db-backup namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - annotations: - "helm.sh/hook": pre-upgrade,pre-install - "helm.sh/hook-weight": "2" - "helm.sh/hook-delete-policy": before-hook-creation + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} + {{- if .Values.jobAnnotations.backup }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations.backup "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . 
| nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} - {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - - command: - - /bin/bash - - -c - - /app/ready.py --container-name aai-cassandra --timeout 1 || /app/ready.py --container-name cassandra - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-db-backup-readiness + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + {{- if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForCassandraService ) | indent 6 | trim}} {{- end }} containers: - name: {{ include "common.name" . }}-db-backup-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} command: - sh args: 
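Review bot: with `.Values.jobAnnotations.backup` unset, this Job loses the `"helm.sh/hook": pre-upgrade,pre-install`, hook-weight `"2"` and `before-hook-creation` annotations that the removed lines hard-coded, so the backup stops running as a pre-upgrade hook and loses its place in the hook ordering. If `jobAnnotations` itself is missing from values, the `if` fails with a nil-pointer template error. Ship the old annotations as the default in values.yaml, or guard the lookup with `default`. Replacing the inline `runAsUser` with `common.podSecurityContext` and `common.containerSecurityContext` is fine, but `initContainers:` is now emitted even when `remoteCassandra.enabled` is true, which renders as an empty key.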
@@ -130,15 +71,7 @@ spec: echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} bash docker-entrypoint.sh dataSnapshot.sh; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} - env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties @@ -168,21 +101,14 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }} - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties - name: migration @@ -192,6 +118,5 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml index a9349028f4..fc35966f79 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml 
@@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -33,94 +34,31 @@ # then it is your job to ensure that there are no connections to the database */}} +{{/* the new default is schema creation via graphadmin init container. This will be removed in the future. */}} +{{- if .Values.createDbSchemaViaJob.enabled }} {{- if and ( not .Values.global.jobs.migration.enabled ) ( .Values.global.jobs.createSchema.enabled ) }} apiVersion: batch/v1 kind: Job metadata: name: {{ include "common.fullname" . }}-create-db-schema namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} + {{- if .Values.jobAnnotations.createDBSchema }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations.createDBSchema "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . 
| nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} - - command: - - /app/ready.py - args: - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name - - aai-schema-service - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | nindent 8 | trim }} command: - sh args: 
@@ -128,23 +66,33 @@ spec: - | {{- if include "common.onServiceMesh" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - bash docker-entrypoint.sh createDBSchema.sh; + sh docker-entrypoint.sh createDBSchema.sh; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + {{- if .Values.config.debug.enabled }} + - name: JVM_OPTS + value: {{ .Values.config.debug.args | quote }} + {{- end }} + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + - name: JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.release" . }}-{{ .Values.global.aaiGraphKafkaUser }} + key: sasl.jaas.config + {{- if .Values.config.debug.enabled }} + ports: + - containerPort: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + {{- end }} + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties name: properties subPath: aaiconfig.properties 
@@ -166,25 +114,19 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: 64Mi - name: config configMap: name: {{ include "common.fullname" . }} - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties restartPolicy: Never - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key -{{ end }} + {{- include "common.imagePullSecrets" . | nindent 6 }} +{{- end }} +{{- end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index 10b8255c50..fcfb479965 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml @@ -6,6 +6,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -40,111 +41,32 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - "helm.sh/hook": post-upgrade,post-rollback,post-install - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": before-hook-creation + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 4 }} + {{- if .Values.jobAnnotations.migration }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations.migration "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . 
| nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} - - command: - - /app/ready.py - args: - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name - - aai-schema-service - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.waitForWithSchemaService) | indent 6 | trim }} - command: - sh args: - -c - | - bash docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'` - env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + sh docker-entrypoint.sh dataRestoreFromSnapshot.sh `ls -t /opt/app/aai-graphadmin/logs/data/dataSnapshots|head -1|awk -F".P" '{ print $1 }'` + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots - - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties name: properties subPath: aaiconfig.properties 
@@ -173,23 +95,13 @@ spec: - | {{- if include "common.onServiceMesh" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ; + sh docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ; {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} - env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + volumeMounts: - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties name: config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-cached.properties - name: config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/aaiconfig.properties name: properties subPath: aaiconfig.properties @@ -211,10 +123,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} 
@@ -225,27 +135,17 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration - name: properties - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: properties-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-properties restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} --- apiVersion: batch/v1 kind: Job metadata: name: {{ include "common.fullname" . }}-db-backup-job namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-db-backup-job - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "db-backup-job") | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "2" 
@@ -254,60 +154,15 @@ spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }}-db-backup-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "db-backup-job") | nindent 8 }} name: {{ include "common.name" . }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if .Values.global.aafEnabled }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export KEYSTORE_JKS_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_JKS_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "KEYSTORE_JKS_PASSWORD=${KEYSTORE_JKS_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: properties-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} - {{ if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} + initContainers: + {{- if eq .Values.global.jobs.migration.remoteCassandra.enabled false }} - command: - /bin/bash - -c - - /app/ready.py --container-name aai-cassandra --timeout 1 || /app/ready.py --container-name cassandra + - /app/ready.py --service-name {{ .Values.global.cassandra.serviceName }} env: - name: NAMESPACE valueFrom: @@ -317,6 +172,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-db-backup-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" {{- end }} containers: - name: {{ include "common.name" . }}-db-backup-job 
@@ -329,17 +191,9 @@ spec: - | {{- if include "common.onServiceMesh" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - bash docker-entrypoint.sh dataSnapshot.sh + sh docker-entrypoint.sh dataSnapshot.sh {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} - env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: /opt/app/aai-graphadmin/logs/data/dataSnapshots name: snapshots - mountPath: /opt/app/aai-graphadmin/resources/etc/appprops/janusgraph-realtime.properties @@ -369,10 +223,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.resources" . | nindent 10 }} - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} - name: config @@ -391,6 +243,5 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml b/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml index 563b920c04..cd72d7f219 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/pv.yaml 
@@ -16,16 +16,13 @@ {{- if .Values.global.jobs.migration.enabled -}} {{- if eq "True" (include "common.needPV" .) -}} +{{- if not .Values.persistence.storageClass -}} kind: PersistentVolume apiVersion: v1 metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 4 }} name: {{ include "common.fullname" . }} annotations: "helm.sh/hook": pre-upgrade,pre-install @@ -42,3 +39,4 @@ spec: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath1 }} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml b/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml index bf8900686d..19c1016ca4 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/pvc.yaml @@ -20,11 +20,7 @@ apiVersion: v1 metadata: name: {{ include "common.fullname" . }}-migration namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 4 }} annotations: "helm.sh/hook": pre-upgrade,pre-install "helm.sh/hook-weight": "-1" diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml index 6350f858f1..b7c09cfd0e 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml 
@@ -25,32 +25,32 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} + - port: {{ .Values.service.appPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - - port: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.appPortName }} + targetPort: {{ .Values.service.appPortName }} + - port: {{ .Values.service.debugPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName2 }} - - port: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.debugPortName }} + targetPort: {{ .Values.service.debugPortName }} + - port: {{ .Values.service.actuatorPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} - name: {{ .Values.service.portName3 }} + name: {{ .Values.service.actuatorPortName }} + targetPort: {{ .Values.service.actuatorPortName }} {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - - port: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName2 }} - - port: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName3 }} + - port: {{ .Values.service.appPort }} + name: {{ .Values.service.appPortName }} + targetPort: {{ .Values.service.appPortName }} + - 
port: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + targetPort: {{ .Values.service.debugPortName }} + - port: {{ .Values.service.actuatorPort }} + name: {{ .Values.service.actuatorPortName }} + targetPort: {{ .Values.service.appPort }} {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml b/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml index c0d9f212b4..dc706029bf 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/servicemonitor.yaml @@ -1,3 +1,3 @@ {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml index 2ac55459bb..c36a576d24 100644 --- a/kubernetes/aai/components/aai-graphadmin/values.yaml +++ b/kubernetes/aai/components/aai-graphadmin/values.yaml @@ -5,6 +5,7 @@ # Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2020 Nokia Intellectual Property. All rights reserved. # Copyright (c) 2020-2021 Orange Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,9 +25,15 @@ # Declare variables to be passed into your templates. global: # global defaults nodePortPrefix: 302 + kafkaBootstrap: strimzi-kafka-bootstrap + aaiGraphKafkaUser: aai-graph-kafka-user cassandra: #This will instantiate AAI cassandra cluster, default:shared cassandra. localCluster: false + # flag to enable the DB creation via k8ssandra-operator + useOperator: true + #Cassandra datacenter name + localDataCenter: dc1 initContainers: enabled: true jobs: @@ -36,32 +43,33 @@ global: # global defaults #migration using helm hooks migration: enabled: false + duplicates: + enabled: false + # Specifies if basic authorization is enabled + auth: + enabled: true + # users that can authenticate via basic auth + users: + - username: aai@aai.onap.org + password: demo123456! + - username: AAI + password: AAI config: - # Specifies that the cluster connected to a dynamic # cluster being spinned up by kubernetes deployment cluster: cassandra: dynamic: true - - # Specifies if the basic authorization is enabled - basic: - auth: - enabled: true - username: AAI - passwd: AAI - # Notification event specific properties notification: eventType: AAI-EVENT domain: dev - # Schema specific properties that include supported versions of api schema: # Specifies if the connection should be one way ssl, two way ssl or no auth # will be set to no-auth if tls is disabled service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will # make a rest request to schema service translator: 
@@ -76,11 +84,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v27 + default: v30 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28,v29,v30 # Specifies from which version related link should appear related: link: v11 
@@ -93,64 +101,22 @@ global: # global defaults # Specifies from which version the edge label appeared in API edge: label: v12 - # Specifies which clients should always default to realtime graph connection realtime: clients: SDNC,-1|MSO,-1|SO,-1|robot-ete,-1 -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-graphadmin-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai - fqi: aai@aai.onap.org - public_fqdn: aai.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai - user_id: &user_id 1000 - group_id: &group_id 1000 - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export KEYSTORE_JKS_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - keytool -storepasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_jks}" \ - -keystore {{ .Values.fqi_namespace }}.jks - echo "*** set key password as same password as keystore password" - keytool -keypasswd -new "${KEYSTORE_JKS_PLAIN_PASSWORD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_jks}" \ - -storepass "${KEYSTORE_JKS_PLAIN_PASSWORD}" -alias {{ .Values.fqi }} - echo "*** 
writing passwords into prop file" - echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo "KEYSTORE_JKS_PLAIN_PASSWORD=${KEYSTORE_JKS_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} - # application image -image: onap/aai-graphadmin:1.11.1 +image: onap/aai-graphadmin:1.16.0 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small + # default number of instances replicaCount: 1 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + # the minimum number of seconds that a newly created Pod should be ready minReadySeconds: 30 updateStrategy: 
@@ -162,28 +128,31 @@ updateStrategy: # Configuration for the graphadmin deployment config: - # Specify the profiles for the graphadmin microservice profiles: - # one way ssl profile will be set unless tlsEnabled is set to false or serviceMesh is enabled and - # serviceMesh.tls is set to tru - active: dmaap #,one-way-ssl" - + active: kafka + jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.aaiGraphKafkaUser }}' + someConfig: graphrandom # Specifies the timeout limit for the REST API requests timeout: enabled: true limit: 180000 - + janusgraph: + # temporarily enable this to update the graph storage version + # see: https://docs.janusgraph.org/changelog/#upgrade-instructions_9 + allowUpgrade: true + # config override for the cassandra driver + # see: https://docs.janusgraph.org/master/configs/configuration-reference/#storagecqlinternal + cassandraDriver: + configuration: advanced.metadata.schema.debouncer.window = 2 second # Default maximum records to fix for the data grooming and dupeTool maxFix: dataGrooming: 150 dupeTool: 25 - # Default number of sleep minutes for dataGrooming and dupeTool sleepMinutes: dataGrooming: 7 dupeTool: 7 - # Cron specific attributes to be triggered for the graphadmin spring cron tasks cron: # Specifies that the data grooming tool which runs duplicates should be enabled @@ -193,10 +162,8 @@ config: dataSnapshot: enabled: true params: JUST_TAKE_SNAPSHOT - # Data cleanup which zips snapshots older than x days and deletes older than y days dataCleanup: - dataGrooming: enabled: true # Zips up the dataGrooming files older than 5 days 
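Review bot: In the config block (hunk @@ -162,28 +128,31 @@), janusgraph.allowUpgrade: true is committed as the chart default although its own comment says to enable it only temporarily for the graph storage version update. Defaulting it to false and letting operators set it to true for the single upgrade run would match the comment and avoid leaving the upgrade switch on permanently. The someConfig: graphrandom value added in the same hunk feeds sasl.jaas.config in the secrets block further down this file, so a comment marking it as a placeholder would help readers.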
@@ -215,7 +182,26 @@ config: lock: uri: enabled: false - + # adds jvm args for remote debugging the application + debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + # adds jvm args for remote profiling the application + profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + env: + BOOTSTRAP_SERVERS: onap-strimzi-kafka-bootstrap:9092 + DATA_SNAPSHOT_TASKS_ENABLED: false + DATA_SNAPSHOT_CLEANUP_ENABLED: false + HISTORY_TRUNCATE_TASK_ENABLED: false nodeSelector: {} 
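Review bot: The profiling.args list turns off both TLS and authentication for JMX (jmxremote.ssl=false, jmxremote.authenticate=false) and sets jmxremote.local.only=false, so switching profiling.enabled on opens an unauthenticated management port on 9999. Since java.rmi.server.hostname=127.0.0.1 suggests the intended access path is a port-forward, please say that in the comment above the block and state that the port must not be published through the Service or an ingress. The JDWP agent in debug.args on 5005 is also unauthenticated and deserves the same sentence.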
@@ -223,30 +209,65 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 60 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false + enabled: true + path: /actuator/health + periodSeconds: 10 readiness: - initialDelaySeconds: 60 + path: /actuator/health/readiness periodSeconds: 10 +startup: + path: /actuator/health/liveness + failureThreshold: 60 + periodSeconds: 5 + +actuator: + echo: + enabled: true + +## Can be used to restore the old behaviour of having a separate job for schema creation +createDbSchemaViaJob: + enabled: false + +readinessCheck: + waitForSchemaCreationJob: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + waitForLocalCassandra: + containers: + - aai-schema-service + apps: + - aai-cassandra + waitForCassandraService: + services: + - '{{ .Values.global.cassandra.serviceName }}' + waitForWithSchemaService: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + service: type: ClusterIP # REST API port for the graphadmin microservice - portName: http - internalPort: 8449 - portName2: tcp-5005 - internalPort2: 5005 - portName3: aai-graphadmin-8448 - internalPort3: 8448 - terminationGracePeriodSeconds: 120 + appPortName: http + appPort: 8449 + debugPortName: tcp-5005 + debugPort: 5005 + profilingPortName: jxm-9999 + profilingPort: 9999 + actuatorPortName: http-graphadmin + actuatorPort: 8448 + terminationGracePeriodSeconds: 45 ingress: enabled: false +# No inbound communications. +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + persistence: enabled: true ## A manually managed Persistent Volume and Claim 
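Review bot: profilingPortName: jxm-9999 in the service block looks like a typo for jmx-9999, and the modelloader values in this same change use portName: jmx. This hunk also flips liveness.enabled to true and deletes the comment explaining that the probe had to be off while a debugger holds breakpoints, even though the file now offers a debug option; with periodSeconds: 10 a JVM paused at a breakpoint will be restarted, so either skip the liveness probe when debug is enabled or keep the warning next to the debug setting.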
@@ -271,46 +292,46 @@ persistence: # To make logback capping values configurable logback: - logToFileEnabled: true + logToFileEnabled: false maxHistory: 7 totalSizeCap: 6GB queueSize: 1000 accessLogback: - logToFileEnabled: true + logToFileEnabled: false maxHistory: 7 totalSizeCap: 6GB resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 0.5 - memory: 1536Mi + cpu: "500m" + memory: "1600Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "4Gi" unlimited: {} metrics: serviceMonitor: - enabled: false + enabled: true targetPort: 8448 - path: /prometheus + path: /actuator/prometheus basicAuth: enabled: false selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' relabelings: [] @@ -318,8 +339,8 @@ metrics: # Not fully used for now securityContext: - user_id: *user_id - group_id: *group_id + user_id: 65534 + group_id: 65534 #Pods Service Account serviceAccount: 
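Review bot: In the securityContext hunk, user_id and group_id move from the removed anchor value 1000 to 65534 while persistence.enabled stays true in this file. Files already written to an existing volume by uid 1000 may not be writable by 65534 after an upgrade, so please confirm that the pod sets a matching fsGroup or document the migration step for existing installations. If these values now drive the pod security context, the "Not fully used for now" comment above the block should be updated as well.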
@@ -329,4 +350,50 @@ serviceAccount: #Log configuration log: path: /var/log/onap + level: + root: INFO + base: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +#DupeTool cronjob parameters +dupeToolParams: + schedule: "0 8 * * *" + userId: "am8383 " + nodeType: "complex" + timeWindowMinutes: 60 + autoFix: true +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: aai-graph-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: AAI-EVENT + type: topic + operations: [Read, Write] + +volumes: + logSizeLimit: 64Mi + scriptlogSizeLimit: 300Mi + tmpSizeLimit: 500Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + +jobAnnotations: + backup: + "helm.sh/hook": pre-upgrade,pre-rollback,post-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation + migration: + "helm.sh/hook": pre-upgrade,pre-rollback,post-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation diff --git a/kubernetes/aai/components/aai-modelloader/Chart.yaml b/kubernetes/aai/components/aai-modelloader/Chart.yaml index 56aad3ecec..dee413885b 100644 --- a/kubernetes/aai/components/aai-modelloader/Chart.yaml +++ b/kubernetes/aai/components/aai-modelloader/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,21 +17,15 @@ apiVersion: v2 description: ONAP AAI modelloader name: aai-modelloader -version: 12.0.0 +version: 15.0.5 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-modelloader/resources/application.properties b/kubernetes/aai/components/aai-modelloader/resources/application.properties new file mode 100644 index 0000000000..8180e96cb5 --- /dev/null +++ b/kubernetes/aai/components/aai-modelloader/resources/application.properties 
@@ -0,0 +1,39 @@ +# Note that the start.sh script sets the following System Properties +# We provide default values here for testing purposes +AJSC_HOME=. +CONFIG_HOME=appconfig-local +com.att.eelf.logging.path=src/main/resources +com.att.eelf.logging.file=logback.xml +logback.configurationFile=${com.att.eelf.logging.path}/${com.att.eelf.logging.file} + +server.port=9500 + +spring.application.name=aai-model-loader + +spring.sleuth.enabled={{ .Values.global.tracing.enabled }} +spring.zipkin.baseUrl={{ .Values.global.tracing.collector.baseUrl }} +spring.sleuth.messaging.jms.enabled=false +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.global.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c,b3 +spring.sleuth.supports-join=false +spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }} + +server.tomcat.threads.max=200 +# The minimum number of threads always kept alive +server.tomcat.threads.min-spare=25 + +# Spring Boot logging +logging.config=${logback.configurationFile} + +# Model Loader Client Configuration for the A&AI REST interface +ml.aai.base-url=http://aai.{{.Release.Namespace}}:80 +ml.aai.model-url=/aai/%s/service-design-and-creation/models/model/ +ml.aai.named-query-url=/aai/%s/service-design-and-creation/named-queries/named-query/ +ml.aai.vnf-image-url=/aai/v*/service-design-and-creation/vnf-images # v* is supported by the resources api and translates to 'latest' +ml.aai.auth-user={{ (index .Values.global.auth.users 0).username }} +ml.aai.auth-password={{ (index .Values.global.auth.users 0).password }} +ml.aai.use-gizmo=false +# Babel client config +ml.babel.base-url={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516 +ml.babel.generate-artifacts-url=/services/babel-service/v1/app/generateArtifacts 
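Review bot: ml.aai.auth-password is templated from .Values.global.auth.users into application.properties, and templates/configmap.yaml in this change loads that file with .Files.Glob(...).AsConfig, so the basic-auth password ends up in a ConfigMap in clear text. Please source it from a Secret instead, for example through an environment variable with secretKeyRef as the deployment already does for SASL_JAAS_CONFIG; the defaults that values.yaml ships for these users (demo123456!, AAI) should not be usable as-is either. Separately, the trailing "# v* is supported ..." text on the ml.aai.vnf-image-url line is not a comment in a .properties file, where # starts a comment only at the beginning of a line, so it becomes part of the URL value; move it to its own line above the property.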
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12 b/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12 deleted file mode 100644 index ee57120fa0..0000000000 Binary files a/kubernetes/aai/components/aai-modelloader/resources/config/auth/aai-os-cert.p12 and /dev/null differ diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml index 129af8f2ac..944078dcf1 100644 --- a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml +++ b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml @@ -17,118 +17,53 @@ --> */}} - - - - - - - - - - - - - - - - - ${errorLogPattern} + + + timestamp + + + context + ServerIPAddress + EntryTimestamp + InvokeTimestamp + ErrorCode + ErrorDesc + + + exception + + ^sun\.reflect\..*\.invoke + ^net\.sf\.cglib\.proxy\.MethodProxy\.invoke + true + + + thread + + logger + 36 + + + + - - - - - - - - ${logDirectory}/${generalLogName}.log - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${errorLogPattern} - - - - - - INFO - - 256 - - - - - ${logDirectory}/${auditLogName}.log - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${auditMetricPattern} - - - - 256 - - - - - ${logDirectory}/${metricsLogName}.log - - ${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${auditMetricPattern} - - - - 256 - - - - - ${logDirectory}/${debugLogName}.log - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${errorLogPattern} - - - - 256 - - true - - - - - + - - + - - + @@ -142,6 +77,8 @@ + + @@ -163,10 +100,8 @@ - - - - + + diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties index bc53b4b764..2c0696c7dc 100644 
--- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties +++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,57 +18,17 @@ # Model Loader Distribution Client Configuration */}} ml.distribution.ACTIVE_SERVER_TLS_AUTH=false -{{ if ( include "common.needTLS" .) }} -ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443 -ml.distribution.ASDC_USE_HTTPS=true -ml.distribution.KEYSTORE_PASSWORD= -ml.distribution.KEYSTORE_FILE= -ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp -{{ else }} ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080 ml.distribution.ASDC_USE_HTTPS=false ml.distribution.KEYSTORE_PASSWORD= ml.distribution.KEYSTORE_FILE= ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp -{{ end }} -ml.distribution.CONSUMER_GROUP={{ .Values.config.kafka.sdcTopic.consumerGroup }} -ml.distribution.CONSUMER_ID={{ .Values.config.kafka.sdcTopic.clientId }} +{{- with (first .Values.kafkaUser.acls) }} +ml.distribution.CONSUMER_GROUP={{ .name }} +ml.distribution.CONSUMER_ID={{ .name }}-model-loader ml.distribution.ENVIRONMENT_NAME=AUTO ml.distribution.POLLING_INTERVAL=30 ml.distribution.POLLING_TIMEOUT=20 -ml.distribution.USER=aai +ml.distribution.USER={{ .name }} +{{- end }} ml.distribution.ARTIFACT_TYPES=MODEL_QUERY_SPEC,TOSCA_CSAR - -# Model Loader AAI REST Client Configuration -{{ if ( include "common.needTLS" .) 
}} -ml.aai.BASE_URL=https://aai.{{.Release.Namespace}}:8443 -ml.aai.KEYSTORE_FILE=aai-os-cert.p12 -ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o -ml.aai.USE_HTTPS= true -{{ else }} -ml.aai.BASE_URL=http://aai.{{.Release.Namespace}}:80 -ml.aai.USE_HTTPS= false -{{ end }} -ml.aai.MODEL_URL=/aai/v*/service-design-and-creation/models/model/ -ml.aai.NAMED_QUERY_URL=/aai/v*/service-design-and-creation/named-queries/named-query/ -ml.aai.VNF_IMAGE_URL=/aai/v*/service-design-and-creation/vnf-images - -ml.aai.AUTH_USER=ModelLoader -ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw - -# Model Loader Babel REST Client Configuration\r -ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516 -ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts -{{ if ( include "common.needTLS" .) }} -ml.babel.KEYSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.p12 -ml.babel.KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD} -ml.babel.TRUSTSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -ml.babel.TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD} -ml.babel.USE_HTTPS= true -{{ else }} -ml.babel.KEYSTORE_FILE= -ml.babel.KEYSTORE_PASSWORD= -ml.babel.TRUSTSTORE_FILE= -ml.babel.TRUSTSTORE_PASSWORD= -ml.babel.USE_HTTPS= false -{{ end }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/aai-sdc-list-kafka-user.yaml b/kubernetes/aai/components/aai-modelloader/templates/aai-sdc-list-kafka-user.yaml deleted file mode 100644 index d7e37e215a..0000000000 --- a/kubernetes/aai/components/aai-modelloader/templates/aai-sdc-list-kafka-user.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{/* - # Copyright © 2022 Nordix Foundation - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. - */}} - -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.global.aaiSdcListenerKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: {{ .Values.config.kafka.saslMechanism | lower }} - authorization: - type: {{ .Values.config.kafka.authType }} - acls: - - resource: - type: group - name: {{ .Values.config.kafka.sdcTopic.consumerGroup }} - operation: All - - resource: - type: topic - patternType: prefix - name: {{ .Values.config.kafka.sdcTopic.pattern }} - operation: All diff --git a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml index 534fd021da..c2984626b6 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/configmap.yaml 
@@ -19,23 +19,16 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-prop namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/model-loader.properties").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/application.properties").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/log/logback.xml").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml index d3136d8dda..50c75ef059 100644 --- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml @@ -2,6 +2,7 @@ # Copyright © 2018 Amdocs, AT&T # Modifications Copyright © 2018 Bell Canada # Modifications Copyright © 2020-2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,16 +19,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "annotations" .Values.annotations "dot" .) | nindent 2 }} spec: + {{- if .Values.debug.enabled }} + replicas: 1 + {{- else }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} strategy: type: {{ .Values.updateStrategy.type }} {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} @@ -39,11 +38,7 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} 
@@ -51,74 +46,50 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD} - export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD} - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - - command: - - sh - args: - - -c - - | - echo "*** Set obfuscated Truststore and Keystore password into configuration file" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - cd /config-input - for PFILE in `ls -1` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - - mountPath: /config-input - name: prop-config-input - - mountPath: /config - name: prop-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: - name: CONFIG_HOME value: /opt/app/model-loader/config/ - - name: SECURITY_PROTOCOL - value: {{ .Values.config.kafka.securityProtocol }} - - name: SASL_MECHANISM - value: {{ .Values.config.kafka.saslMechanism }} - name: SASL_JAAS_CONFIG - value: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aai-sdc-kafka-secret" "key" "sasl.jaas.config") | indent 10 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + valueFrom: + secretKeyRef: + name: {{ include "common.name" . 
}}-ku + key: sasl.jaas.config + {{- if .Values.profiling.enabled }} + - name: JVM_ARGS + value: '{{ join " " .Values.profiling.args }}' + {{- end }} + {{- if .Values.debug.enabled }} + - name: JVM_ARGS + value: {{ .Values.debug.args | quote }} + {{- end }} + ports: + - containerPort: {{ .Values.service.appPort }} + name: {{ .Values.service.appPortName }} + {{- if .Values.debug.enabled }} + - containerPort: {{ .Values.debug.port }} + name: {{ .Values.debug.portName }} + {{- end }} + {{- if .Values.profiling.enabled }} + - containerPort: {{ .Values.profiling.port }} + name: {{ .Values.profiling.portName }} + {{- end }} + volumeMounts: - mountPath: /opt/app/model-loader/config/model-loader.properties subPath: model-loader.properties name: prop-config - - mountPath: /opt/app/model-loader/config/auth/ - name: auth-config + - mountPath: /opt/app/model-loader/application.properties + subPath: application.properties + name: prop-config - mountPath: {{ .Values.log.path }} name: logs + - mountPath: /tmp + name: tmp - mountPath: /opt/app/model-loader/logback.xml name: log-config subPath: logback.xml 
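Review bot: The env list emits JVM_ARGS twice when profiling.enabled and debug.enabled are both true, once from each if block, so only one set of arguments takes effect and the other is silently dropped. Build a single JVM_ARGS value that joins both sets, or make the options mutually exclusive with a fail in the template. The containerPort entries for debug.port and profiling.port are correctly gated on the same flags; it would be worth confirming the Service does not publish them.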
@@ -126,27 +97,19 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: prop-config - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: prop-config-input - {{- end }} configMap: name: {{ include "common.fullname" . }}-prop - - name: auth-config - secret: - secretName: {{ include "common.fullname" . }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: log-config configMap: name: {{ include "common.fullname" . }}-log restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/kafkauser.yaml b/kubernetes/aai/components/aai-modelloader/templates/kafkauser.yaml new file mode 100644 index 0000000000..324a068cf0 --- /dev/null +++ b/kubernetes/aai/components/aai-modelloader/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml new file mode 100644 index 0000000000..961a850ee9 --- /dev/null +++ b/kubernetes/aai/components/aai-modelloader/templates/podmonitor.yaml 
@@ -0,0 +1,33 @@ +{{/* +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.metrics.podMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ include "common.fullname" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + podMetricsEndpoints: + - port: {{ .Values.metrics.podMonitor.port }} + path: {{ .Values.metrics.podMonitor.path }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} diff --git a/kubernetes/aai/components/aai-modelloader/templates/secret.yaml b/kubernetes/aai/components/aai-modelloader/templates/secret.yaml deleted file mode 100644 index 70b0857938..0000000000 --- a/kubernetes/aai/components/aai-modelloader/templates/secret.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} ---- -{{ include "common.secretFast" . }} \ No newline at end of file diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml index 09bb32dd43..6d43771660 100644 --- a/kubernetes/aai/components/aai-modelloader/values.yaml +++ b/kubernetes/aai/components/aai-modelloader/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020-2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,115 +19,121 @@ # Declare variables to be passed into your templates. global: # global defaults nodePortPrefix: 302 - aaiSdcListenerKafkaUser: aai-sdc-list-user -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: aai-sdc-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-ml-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai - fqi: aai@aai.onap.org - public_fqdn: aai.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - appMountPath: /opt/app/model-loader/config/auth/aaf - fqi_namespace: org.onap.aai - user_id: &user_id 1000 - group_id: &group_id 1000 - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** writing passwords into prop file" - echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo 
"TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + auth: + # users that can authenticate via basic auth + users: + - username: aai@aai.onap.org + password: demo123456! + - username: AAI + password: AAI + # application image -image: onap/model-loader:1.12.0 +image: onap/model-loader:1.14.3 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small - -# application configuration -config: - someConfig: blah - kafka: - securityProtocol: SASL_PLAINTEXT - saslMechanism: SCRAM-SHA-512 - authType: simple - sdcTopic: - pattern: SDC-DIST - consumerGroup: aai - clientId: aai-model-loader + +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: aai + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] # default number of instances replicaCount: 1 +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + updateStrategy: type: RollingUpdate maxUnavailable: 0 maxSurge: 1 +# adds jvm args for remote debugging the application +debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + port: 5005 + portName: debug + +# adds jvm args for remote profiling the application +profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + port: 
9999 + portName: jmx + + nodeSelector: {} affinity: {} +service: + # REST API port for the graphadmin microservice + appPortName: http + appPort: 9500 + # probe configuration parameters liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container enabled: true + path: /healthz + periodSeconds: 10 + initialDelaySeconds: 10 readiness: - initialDelaySeconds: 10 + path: /healthz periodSeconds: 10 + initialDelaySeconds: 10 resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 0.5 - memory: 1Gi + cpu: "500m" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 1 - memory: 1536Mi + cpu: "1" + memory: "2Gi" unlimited: {} +# use this to define service specific overrides +# for the global.tracing.* config keys +tracing: + ignorePatterns: + - /aai/util.* + +metrics: + podMonitor: + enabled: true + port: http + path: /actuator/prometheus + #Pods Service Account serviceAccount: nameOverride: aai-modelloader @@ -135,10 +142,16 @@ serviceAccount: # Not fully used for now securityContext: - user_id: *user_id - group_id: *group_id + user_id: 1000 + group_id: 1000 #Log configuration log: path: /var/log/onap + level: + root: INFO logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 64Mi + tmpSizeLimit: 100Mi diff --git a/kubernetes/aai/components/aai-resources/.helmignore b/kubernetes/aai/components/aai-resources/.helmignore index daebc7da77..f0c1319444 100644 --- a/kubernetes/aai/components/aai-resources/.helmignore +++ b/kubernetes/aai/components/aai-resources/.helmignore 
@@ -1,21 +1,21 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/aai/components/aai-resources/Chart.yaml b/kubernetes/aai/components/aai-resources/Chart.yaml index fc8ad97b45..29afa6a2ee 100644 --- a/kubernetes/aai/components/aai-resources/Chart.yaml +++ b/kubernetes/aai/components/aai-resources/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,21 +18,18 @@ apiVersion: v2 description: ONAP AAI resources name: aai-resources -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv b/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv deleted file mode 100644 index 60a8fb5f0b..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/bath_config.csv +++ /dev/null 
@@ -1,33 +0,0 @@ -# AAI -> aai@aai.onap.org -Basic QUFJOkFBSQ==,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ModelLoader -> aai@aai.onap.org -Basic TW9kZWxMb2FkZXI6TW9kZWxMb2FkZXI=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# AaiUI -> aai@aai.onap.org, -Basic QWFpVUk6QWFpVUk=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# MSO -> so@so.onap.org -Basic TVNPOk1TTw==,Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03 - -# SDNC -> sdnc@sdnc.onap.org -Basic U0ROQzpTRE5D,Basic c2RuY0BzZG5jLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# DCAE -> dcae@dcae.onap.org -Basic RENBRTpEQ0FF,Basic ZGNhZUBkY2FlLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# POLICY -> policy@policy.onap.org -Basic UE9MSUNZOlBPTElDWQ==,Basic cG9saWN5QHBvbGljeS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ASDC -> sdc@sdc.onap.org -Basic QVNEQzpBU0RD,Basic c2RjQHNkYy5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# VID -> vid@vid.onap.org -Basic VklEOlZJRA==,Basic dmlkQHZpZC5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# APPC -> appc@appc.onap.org -Basic QVBQQzpBUFBD,Basic YXBwY0BhcHBjLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# OOF -> oof@oof.onap.org -Basic T09GOk9PRg==,Basic b29mQG9vZi5vbmFwLm9yZzpkZW1vMTIzNDQ2IQ==,2050-03-03 - diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties b/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties deleted file mode 100644 index ec5fd55e06..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/cadi.properties +++ /dev/null @@ -1,8 +0,0 @@ - -cadi_loglevel=INFO -cadi_prop_files=/opt/app/aai-resources/resources/aaf/org.osaaf.location.props:/opt/app/aai-resources/resources/aaf/org.onap.aai.props - -# OAuth2 -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - 
diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props b/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props deleted file mode 100644 index f4bb9ee89c..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.onap.aai.props +++ /dev/null @@ -1,15 +0,0 @@ -############################################################ -# Properties Generated by AT&T Certificate Manager -# @copyright 2016, AT&T -# Modifications Copyright © 2020 Orange -############################################################ -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US -cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile -cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD} - -cadi_alias=aai@aai.onap.org -cadi_truststore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -cadi_truststore_password=${TRUSTSTORE_ALL_PASSWORD} -cadi_loglevel=INFO -cadi_bath_convert=/opt/app/aai-resources/resources/aaf/bath_config.csv diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props b/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props deleted file mode 100644 index 8ae66aaf79..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/org.osaaf.location.props +++ /dev/null 
@@ -1,24 +0,0 @@ -## -## org.osaaf.location.props -## -## Localized Machine Information -## -# Almeda California ? -cadi_latitude=37.78187 -cadi_longitude=-122.26147 - -# Locate URL (which AAF Env) -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 - - -# AAF URL -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -# AAF Environment Designation -aaf_env=DEV - -# OAuth2 Endpoints -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - - diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties b/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties deleted file mode 100644 index 4234121a2d..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/aaf/permissions.properties +++ /dev/null @@ -1,2 +0,0 @@ -permission.type=org.onap.aai.resources -permission.instance=* \ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties index a569b5366b..44d9070582 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/aaiconfig.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright © 2017 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -38,27 +39,14 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{ else }} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} -{{ if .Values.global.config.basic.auth.enabled }} +{{ if .Values.global.auth.enabled }} aai.tools.enableBasicAuth=true -aai.tools.username={{ .Values.global.config.basic.auth.username }} -aai.tools.password={{ .Values.global.config.basic.auth.passwd }} -{{ end }} - -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} +aai.tools.username={{ (index .Values.global.auth.users 0).username }} +aai.tools.password={{ (index .Values.global.auth.users 0).password }} {{ end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} 
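Review bot: aai.tools.username and aai.tools.password are now taken from (index .Values.global.auth.users 0), so template rendering fails when global.auth.enabled is true and the users list is empty, and the tools account becomes whichever entry happens to be first in the list. Consider a dedicated value for the tools user, or guard the lookup with a check on the list length and a clear failure message. The same hunk drops the common.needTLS branch, so aai.server.url.base, aai.server.url and aai.global.callback.url are always http://; these basic-auth credentials then cross the cluster network unencrypted unless something outside this chart encrypts the traffic, which is worth stating in the commit message or the chart documentation.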
@@ -103,10 +91,10 @@ aai.bulkconsumer.payloadoverride={{ .Values.config.bulk.override }} # # Indicator to enable or disable scheduled task (true/false) -aai.graph.checker.task.enabled=true +aai.graph.checker.task.enabled=false # Delay, in seconds, before the scheduled task is started, if enabled aai.graph.checker.task.delay=5 # Period, in seconds, between two consecutive executions of the scheduled task, if enabled -aai.graph.checker.task.period=10 \ No newline at end of file +aai.graph.checker.task.period=10 diff --git a/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties b/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties deleted file mode 100644 index 774e8bd5ca..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties +++ /dev/null @@ -1,14 +0,0 @@ - -spring.autoconfigure.exclude=\ - org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ - org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration - -multi.tenancy.enabled={{ .Values.config.keycloak.multiTenancy.enabled }} -keycloak.auth-server-url=http://{{ .Values.config.keycloak.host }}:{{ .Values.config.keycloak.port }}/auth -keycloak.realm={{ .Values.config.keycloak.realm }} -keycloak.resource={{ .Values.config.keycloak.resource }} -keycloak.public-client=true -keycloak.principal-attribute=preferred_username - -keycloak.ssl-required=external -keycloak.bearer-only=true \ No newline at end of file diff --git a/kubernetes/aai/components/aai-resources/resources/config/application.properties b/kubernetes/aai/components/aai-resources/resources/config/application.properties index b5b64bec4b..7676475e73 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/application.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/application.properties 
@@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,9 +28,14 @@ spring.jersey.type=filter spring.main.allow-bean-definition-overriding=true server.servlet.context-path=/ +management.tracing.enabled={{ .Values.global.tracing.enabled }} +management.tracing.sampling.probability={{ .Values.global.tracing.sampling.probability }} +management.tracing.propagation.type=w3c, b3 +management.zipkin.tracing.endpoint={{ .Values.global.tracing.collector.baseUrl }} + spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration -spring.profiles.active={{ .Values.global.config.profiles.active }}{{ .Values.global.aafEnabled | ternary ",aaf-auth" "" }} +spring.profiles.active={{ .Values.global.config.profiles.active }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 
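Review bot: management.zipkin.tracing.endpoint is set to global.tracing.collector.baseUrl with nothing appended, but Spring Boot expects the full span URL in that property (its default is http://localhost:9411/api/v2/spans). The aai-modelloader values earlier in this patch set baseUrl to http://jaeger-collector.istio-config:9411, host and port only; if aai-resources receives a value of the same shape, append the span path in the template or rename the key so it is clear that a full endpoint is required.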
@@ -41,26 +47,16 @@ server.tomcat.max-idle-time=60000 # If you get an application startup failure that the port is already taken # If thats not it, please check if the key-store file path makes sense server.local.startpath=aai-resources/src/main/resources/ -server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties - -server.port=8447 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=want -server.ssl.key-store-type=JKS -{{ else }} -security.require-ssl=false -server.ssl.enabled=false -{{ end }} - -# JMS bind address host port -jms.bind.address=tcp://localhost:61647 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} -dmaap.ribbon.transportType={{ include "common.scheme" . }} + +server.port={{ .Values.service.resourcesPort }} + +spring.kafka.producer.bootstrap-servers=${BOOTSTRAP_SERVERS} +spring.kafka.producer.properties.security.protocol=SASL_PLAINTEXT +spring.kafka.producer.properties.sasl.mechanism=SCRAM-SHA-512 +spring.kafka.producer.key-serializer=org.apache.kafka.common.serialization.StringSerializer +spring.kafka.producer.value-serializer=org.apache.kafka.common.serialization.StringSerializer +spring.kafka.producer.properties.sasl.jaas.config=${JAAS_CONFIG} +spring.kafka.producer.retries=3 # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
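Review bot: spring.kafka.producer.properties.security.protocol=SASL_PLAINTEXT is hard-coded in the added producer block, so produced events are sent without transport encryption and the broker is not authenticated by TLS, and there is no values key to switch to SASL_SSL. Template the protocol (and sasl.mechanism) from values, keeping the current settings as defaults, so a deployment with TLS listeners does not have to patch this file. Taking sasl.jaas.config from ${JAAS_CONFIG} rather than rendering it into the file is good; please confirm the deployment template injects that variable from a Secret.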
@@ -96,27 +92,33 @@ schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ (eq "true" ( include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} - -{{ if ( include "common.needTLS" .) }} -schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD} -schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -{{ end }} +schema.service.client=no-auth #to expose the Prometheus scraping endpoint -management.port=8448 -management.endpoints.enabled-by-default=false -management.security.enabled=false -endpoints.enabled=false -endpoints.info.enabled=false -endpoints.prometheus.enabled=false -endpoints.health.enabled=false +management.server.port=8448 +management.endpoints.enabled-by-default=true +management.endpoints.web.exposure.include=* +endpoints.enabled={{ .Values.endpoints.enabled }} +endpoints.info.enabled={{ .Values.endpoints.info.enabled }} +endpoints.prometheus.enabled={{ .Values.metrics.serviceMonitor.enabled }} +endpoints.health.enabled={{ .Values.endpoints.health.enabled }} management.metrics.web.server.auto-time-requests=false management.metrics.distribution.percentiles-histogram[http.server.requests]=true management.metrics.distribution.sla[http.server.requests]=20ms, 30ms, 40ms, 50ms, 60ms, 70ms, 80ms, 90ms, 100ms, 500ms, 1000ms, 5000ms, 7000ms #Add common tag for grouping all aai related metrics management.metrics.tags.group_id=aai #It is not advisable to use labels to store dimensions with high cardinality. Enable this option only for debug purposes. 
For more information: https://github.com/micrometer-metrics/micrometer/issues/1584 -scrape.uri.metrics=false \ No newline at end of file +scrape.uri.metrics=false + +# If true, the actuator health check will be overriden +# to use the AaiGraphChecker check instead. +# This does the same as the /echo endpoint, +# but doesn't show up in micrometer metrics +aai.actuator.echo.enabled={{ .Values.actuator.echo.enabled }} +aai.graph.properties.path=${server.local.startpath}/etc/appprops/janusgraph-realtime.properties + +aai.basic-auth.enabled={{ .Values.global.auth.enabled }} +{{- range $index, $user := .Values.global.auth.users }} +aai.basic-auth.users[{{ $index }}].username={{ $user.username }} +aai.basic-auth.users[{{ $index }}].password={{ $user.password }} +{{- end }} diff --git a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-cached.properties b/kubernetes/aai/components/aai-resources/resources/config/janusgraph-cached.properties deleted file mode 100644 index b6fdd4c58f..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-cached.properties +++ /dev/null 
@@ -1,102 +0,0 @@ -{{/* -# -# ============LICENSE_START======================================================= -# org.onap.aai -# ================================================================================ -# Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-# -*/}} - -query.fast-property=true -query.smart-limit=false - -{{ if .Values.global.config.cluster.cassandra.dynamic }} - -storage.backend=cql -storage.hostname={{.Values.global.cassandra.serviceName}} -storage.cql.keyspace=aaigraph -storage.username={{.Values.global.cassandra.username}} -storage.password={{.Values.global.cassandra.password}} - -storage.cql.read-consistency-level=LOCAL_QUORUM -storage.cql.write-consistency-level=LOCAL_QUORUM -storage.cql.replication-factor={{.Values.global.cassandra.replicas}} -storage.cql.only-use-local-consistency-for-system-operations=true - -{{ else }} - -{{ if .Values.global.config.storage }} - -storage.backend={{ .Values.global.config.storage.backend }} - -{{ if eq .Values.global.config.storage.backend "cassandra" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cassandra.keyspace={{ .Values.global.config.storage.name }} - -storage.cassandra.read-consistency-level={{ .Values.global.config.storage.cassandra.readConsistency }} -storage.cassandra.write-consistency-level={{ .Values.global.config.storage.cassandra.writeConsistency }} -storage.cassandra.replication-factor={{ .Values.global.config.storage.cassandra.replicationFactor | int }} -storage.cassandra.astyanax.cluster-name= {{ .Values.global.config.storage.clusterName }} -storage.cassandra.astyanax.local-datacenter= {{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "cql" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cql.keyspace={{ .Values.global.config.storage.name }} - -storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} -storage.cql.write-consistency-level={{ 
.Values.global.config.storage.cql.readConsistency }} -storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationFactor | int }} - -storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} -storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "hbase" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.hbase.table={{ .Values.global.config.storage.name }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ end }} - -{{ end }} - -{{ end }} - -storage.lock.wait-time=300 -#caching on -cache.db-cache = true -cache.db-cache-clean-wait = 20 -cache.db-cache-time = 180000 -cache.db-cache-size = 0.3 - -#load graphson file on startup -load.snapshot.file=false diff --git a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties b/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties index 836dc7b176..1f46755b83 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/janusgraph-realtime.properties 
@@ -15,52 +15,33 @@ # See the License for the specific language governing permissions and # limitations under the License. # ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. -# */}} - query.fast-property=true query.smart-limit=false -{{ if .Values.global.config.cluster.cassandra.dynamic }} - +{{- if .Values.global.config.cluster.cassandra.dynamic }} storage.backend=cql storage.hostname={{.Values.global.cassandra.serviceName}} -storage.cql.keyspace=aaigraph storage.username={{.Values.global.cassandra.username}} storage.password={{.Values.global.cassandra.password}} +storage.cql.keyspace=aaigraph +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.cql.read-consistency-level=LOCAL_QUORUM storage.cql.write-consistency-level=LOCAL_QUORUM storage.cql.replication-factor={{.Values.global.cassandra.replicas}} storage.cql.only-use-local-consistency-for-system-operations=true -{{ else }} - -{{ if .Values.global.config.storage }} - +{{- if .Values.global.cassandra.partitionerName }} +storage.cql.partitioner-name={{ .Values.global.cassandra.partitionerName }} +{{- end }} +{{- else -}} +{{- if .Values.global.config.storage }} storage.backend={{ .Values.global.config.storage.backend }} - -{{ if eq .Values.global.config.storage.backend "cassandra" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cassandra.keyspace={{ .Values.global.config.storage.name }} - -storage.cassandra.read-consistency-level={{ .Values.global.config.storage.cassandra.readConsistency }} -storage.cassandra.write-consistency-level={{ .Values.global.config.storage.cassandra.writeConsistency }} -storage.cassandra.replication-factor={{ .Values.global.config.storage.cassandra.replicationFactor | int }} -storage.cassandra.astyanax.cluster-name= {{ .Values.global.config.storage.clusterName }} -storage.cassandra.astyanax.local-datacenter= {{ 
.Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "cql" }} - +{{- if eq .Values.global.config.storage.backend "cql" }} storage.hostname={{ .Values.global.config.storage.hostname }} storage.cql.keyspace={{ .Values.global.config.storage.name }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} 
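Review bot: The static cql branch gains storage.cql.local-datacenter directly under storage.cql.keyspace here, and the next hunk keeps a second storage.cql.local-datacenter line further down in the same branch, so the rendered file contains the key twice. Drop one of them. Both read .Values.global.cassandra.localDataCenter while every other setting in that branch reads .Values.global.config.storage.*, so the static configuration now depends on a key outside its own tree. The unchanged line storage.cql.write-consistency-level still takes its value from cql.readConsistency, which could be corrected while this block is being edited.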
@@ -68,29 +49,38 @@ storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationF storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - {{ else if eq .Values.global.config.storage.backend "hbase" }} - storage.hostname={{ .Values.global.config.storage.hostname }} storage.hbase.table={{ .Values.global.config.storage.name }} storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} +{{- end }} +{{- end }} +{{- end }} -{{ end }} - -{{ end }} +storage.lock.wait-time=300 -{{ end }} +# https://docs.janusgraph.org/operations/cache/#database-level-caching +# Setting db-cache to false will ensure the fastest propagation of changes across servers +# Setting db-cache to true will ensure fastest response times +cache.db-cache={{ .Values.config.janusgraph.caching.enabled }} +{{- if .Values.config.janusgraph.caching.enabled }} +# cache-time in milliseconds +cache.db-cache-time={{ .Values.config.janusgraph.caching.dbCacheTime }} +cache.db-cache-size={{ .Values.config.janusgraph.caching.dbCacheSize }} +cache.db-cache-clean-wait={{ .Values.config.janusgraph.caching.dbCacheCleanWait }} +{{- end }} -storage.lock.wait-time=300 -# Setting db-cache to false ensure the fastest propagation of changes across servers -cache.db-cache = false #load graphson file on startup 
load.snapshot.file=false + +{{- if .Values.config.janusgraph.allowUpgrade }} +graph.allow-upgrade=true +{{- end }} diff --git a/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml deleted file mode 100644 index 5ddd293658..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/localhost-access-logback.xml +++ /dev/null @@ -1,87 +0,0 @@ -{{/* - -*/}} - - - - - - - - - - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd}.zip - - ${maxHistory} - ${totalSizeCap} - - - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - - - - - - - - - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - "logType": "access" - - - - - - -{{/* - -*/}} - diff --git a/kubernetes/aai/components/aai-resources/resources/config/logback.xml b/kubernetes/aai/components/aai-resources/resources/config/logback.xml index b52318500d..c4c2a3a034 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/logback.xml +++ b/kubernetes/aai/components/aai-resources/resources/config/logback.xml 
@@ -29,285 +29,6 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${logDirectory}/rest/sane.log - - ${logDirectory}/rest/sane.log.%d{yyyy-MM-dd}.zip - ${maxHistory} - ${totalSizeCap} - - - %d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n - - - - - - ${queueSize} - true - - - - ${logDirectory}/rest/metrics.log - - ${logDirectory}/rest/metrics.log.%d{yyyy-MM-dd}.zip - ${maxHistory} - ${totalSizeCap} - - - ${metricPattern} - - - - - ${queueSize} - true - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/debug.log - - ${logDirectory}/rest/debug.log.%d{yyyy-MM-dd}.zip - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - ${queueSize} - - true - - - ${logDirectory}/rest/error.log - - ${logDirectory}/rest/error.log.%d{yyyy-MM-dd}.zip - ${maxHistory} - ${totalSizeCap} - - - WARN - - - ${errorPattern} - - - - - ${queueSize} - - - - - ${logDirectory}/rest/audit.log - - ${logDirectory}/rest/audit.log.%d{yyyy-MM-dd}.zip - - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - - ${queueSize} - true - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/translog.log - - ${logDirectory}/rest/translog.log.%d{yyyy-MM-dd}.zip - - ${maxHistory} - ${totalSizeCap} - - - ${transLogPattern} - - - - - ${queueSize} - true - - - - - - WARN - - ${logDirectory}/dmaapAAIEventConsumer/error.log - - ${logDirectory}/dmaapAAIEventConsumer/error.log.%d{yyyy-MM-dd}.zip - - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/debug.log - - ${logDirectory}/dmaapAAIEventConsumer/debug.log.%d{yyyy-MM-dd}.zip - - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log - - ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log.%d{yyyy-MM-dd}.zip - - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - - INFO - ACCEPT - DENY - - 
${logDirectory}/dmaapAAIEventConsumer/metrics.log - - ${logDirectory}/dmaapAAIEventConsumer/metrics.log.%d{yyyy-MM-dd}.zip - - ${maxHistory} - ${totalSizeCap} - - - ${metricPattern} - - - - - WARN - - ${logDirectory}/external/external.log - - ${logDirectory}/external/external.log.%d{yyyy-MM-dd}.zip - - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - DEBUG - - ${logDirectory}/auth/auth.log - - ${logDirectory}/auth/auth.log.%d{yyyy-MM-dd}.zip - - ${maxHistory} - ${totalSizeCap} - - - %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC}[%thread] %-5level %logger{1024} - %msg%n - - - - ${queueSize} - true - - - - - @@ -335,15 +56,13 @@ 36 - - {"logType":"app"} - - + + @@ -360,77 +79,26 @@ + - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - + - \ No newline at end of file + diff --git a/kubernetes/aai/components/aai-resources/resources/config/realm.properties b/kubernetes/aai/components/aai-resources/resources/config/realm.properties deleted file mode 100644 index 9fbd122492..0000000000 --- a/kubernetes/aai/components/aai-resources/resources/config/realm.properties +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# format : username: password[,rolename ...] -# default username/password: AAI/AAI, MSO/MSO, ModelLoader/ModelLoader... -*/ -}} -AAI:OBF:1gfr1ev31gg7,admin -MSO:OBF:1jzx1lz31k01,admin -SDNC:OBF:1itr1i0l1i151isv,admin -DCAE:OBF:1g8u1f9d1f991g8w,admin -POLICY:OBF:1mk61i171ima1im41i0j1mko,admin -ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin -ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin -AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin -OOF:OBF:1img1ke71ily,admin -aai@aai.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -so@so.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin 
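Review bot: Every account in the deleted realm.properties carried the `admin` role, but the replacement list added under `global.auth.users` in values.yaml has only `username` and `password` and omits SDNC, VID, APPC, OOF and the vid@, appc@, oof@, pomba@ and vfc@ entries; please document how roles are assigned now and confirm that no client still authenticates with one of the dropped accounts. The `OBF:` strings are Jetty's reversible obfuscation, not hashes, and they remain in the repository history, so a deployment that kept these defaults should rotate them rather than rely on this deletion.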
diff --git a/kubernetes/aai/components/aai-resources/templates/_helpers.tpl b/kubernetes/aai/components/aai-resources/templates/_helpers.tpl new file mode 100644 index 0000000000..7352b5dbd3 --- /dev/null +++ b/kubernetes/aai/components/aai-resources/templates/_helpers.tpl @@ -0,0 +1,21 @@ +{{- define "aairesources.waitForSchemaCreation" -}} +- name: wait-for-schema-creation + image: "{{ include "repositoryGenerator.image.curl" . }}" + imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-c"] + args: + - | + URL="{{ required "URL is required" (.Values.schemaInitCheckURL | default "http://aai-graphadmin:8449/isSchemaInitialized") }}" + AUTH="{{ printf "%s:%s" (index .Values.global.auth.users 0).username (index .Values.global.auth.users 0).password }}" + while true; do + RESPONSE=$(curl -u $AUTH -s $URL) + if [ "$RESPONSE" = "true" ]; then + echo "Request successful. Schema is initialized." + exit 0 + else + echo "Request unsuccessful. Schema is not yet initialized. Retrying in 3 seconds..." + sleep 3 + fi + done + {{ include "common.containerSecurityContext" . | indent 2 | trim }} +{{- end -}} diff --git a/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml new file mode 100644 index 0000000000..f6063a024d --- /dev/null +++ b/kubernetes/aai/components/aai-resources/templates/aai-kafka-user.yml 
@@ -0,0 +1,32 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.release" . }}-{{ .Values.global.aaiKafkaUser }} + labels: {{- include "common.labels" . | nindent 4 }} + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: scram-sha-512 + authorization: + type: simple + acls: + - resource: + type: topic + name: AAI-EVENT + operations: + - All diff --git a/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-resources/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml new file mode 100644 index 0000000000..29b191b68d --- /dev/null +++ b/kubernetes/aai/components/aai-resources/templates/autoscaling.yaml 
@@ -0,0 +1,32 @@ +{{- if and .Values.autoscaling.enabled (not (or .Values.config.debug.enabled .Values.config.profiling.enabled)) }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/aai/components/aai-resources/templates/configmap.yaml b/kubernetes/aai/components/aai-resources/templates/configmap.yaml index 99973565f8..73723a1270 100644 --- a/kubernetes/aai/components/aai-resources/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-resources/templates/configmap.yaml 
@@ -20,33 +20,9 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/janusgraph-realtime.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-aaf-props - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/aaf/org.osaaf.location.props").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/permissions.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.props").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/cadi.properties").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-resources/templates/deployment.yaml b/kubernetes/aai/components/aai-resources/templates/deployment.yaml index 33aa97179e..6dde781842 100644 
--- a/kubernetes/aai/components/aai-resources/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-resources/templates/deployment.yaml @@ -3,6 +3,7 @@ # Modifications Copyright (c) 2018 AT&T # Modifications Copyright (c) 2020 Nokia # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,16 +20,16 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "annotations" .Values.annotations "dot" .) | nindent 2 }} spec: + {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }} + replicas: 1 + {{- else }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: type: {{ .Values.updateStrategy.type }} 
@@ -39,115 +40,54 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- if .Values.global.msbEnabled }} - {{ $values := .Values }} - msb.onap.org/service-info: '[ - {{- range $api_endpoint := $values.aai_enpoints -}} - {{- range $api_version := $values.api_list }} - { - "serviceName": "_{{ $api_endpoint.name }}", - "version": "v{{ $api_version }}", - "url": "/aai/v{{ $api_version }}/{{ $api_endpoint.url }}", - "protocol": "REST", - "port": "8447", - "enable_ssl": true, - "lb_policy":"ip_hash", - "visualRange": "1", - "path": "/aai/v{{ $api_version }}/{{ $api_endpoint.url }}" - }, - { - "serviceName": "{{ $api_endpoint.name }}", - "version": "v{{ $api_version }}", - "url": "/aai/v{{ $api_version }}/{{ $api_endpoint.url }}", - "protocol": "REST", - "port": "8447", - "enable_ssl": true, - "lb_policy":"ip_hash", - "visualRange": "1" - }, - {{- end }} - {{- end }} - ]' - {{- end }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: hostname: aai-resources terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - {{- if .Values.global.jobs.migration.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-migration - {{- else }} - {{- if .Values.global.jobs.createSchema.enabled }} - - --job-name - - {{ include "common.release" . 
}}-aai-graphadmin-create-db-schema - {{- else }} - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name - - aai-schema-service - {{- end }} - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + {{- if .Values.global.jobs.migration.enabled }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }} + {{- else if .Values.global.jobs.createSchema.enabled }} + {{ include "aairesources.waitForSchemaCreation" . | nindent 6 }} + {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - echo "*** actual launch of AAI Resources" - /bin/bash /opt/app/aai-resources/docker-entrypoint.sh + {{ include "common.containerSecurityContext" . 
| indent 8 | trim }} env: - - name: LOCAL_USER_ID - value: {{ .Values.global.config.userId | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.global.config.groupId | quote }} - - name: POST_JAVA_OPTS - value: '-Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -Djavax.net.ssl.trustStorePassword={{ .Values.certInitializer.truststorePassword }}' - - name: TRUSTORE_ALL_PASSWORD - value: {{ .Values.certInitializer.truststorePassword }} + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + {{- if .Values.config.profiling.enabled }} + - name: PRE_JVM_ARGS + value: '{{ join " " .Values.config.profiling.args }}' + {{- end }} + {{- if .Values.config.debug.enabled }} + - name: POST_JVM_ARGS + value: {{ .Values.config.debug.args | quote }} + {{- end }} - name: INTERNAL_PORT_1 - value: {{ .Values.service.internalPort | quote }} + value: {{ .Values.service.resourcesPort | quote }} - name: INTERNAL_PORT_2 - value: {{ .Values.service.internalPort2 | quote }} + value: {{ .Values.service.debugPort | quote }} - name: INTERNAL_PORT_3 - value: {{ .Values.service.internalPort3 | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + value: {{ .Values.service.metricsPort | quote }} + - name: BOOTSTRAP_SERVERS + value: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - name: JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.release" . }}-{{ .Values.global.aaiKafkaUser }} + key: sasl.jaas.config + volumeMounts: - mountPath: /opt/app/aai-resources/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . 
}}-config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-resources/resources/etc/appprops/janusgraph-cached.properties - name: {{ include "common.fullname" . }}-config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-resources/resources/etc/appprops/aaiconfig.properties name: {{ include "common.fullname" . }}-config subPath: aaiconfig.properties 
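Review bot: In the `initContainers:` block, the `createSchema` branch includes `aairesources.waitForSchemaCreation`, and that helper (added in _helpers.tpl in this patch) renders `(index .Values.global.auth.users 0).password` directly into the container `args`, so the basic-auth password is readable in the pod spec by anyone who can get pods. Pass it through an env var with `secretKeyRef`, as this hunk already does for `JAAS_CONFIG`, and quote `$AUTH` and `$URL` in the curl call. The same block has no final `else`, so with both `migration.enabled` and `createSchema.enabled` false the pod no longer waits for Cassandra or aai-schema-service the way the removed readiness container did; if that is intended, add a comment saying so. `PRE_JVM_ARGS` wraps the joined args in literal single quotes where `POST_JVM_ARGS` uses `| quote`; use `| quote` for both so that an argument containing a quote cannot break the rendered YAML.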
@@ -156,37 +96,24 @@ spec: - mountPath: /opt/app/aai-resources/resources/logback.xml name: {{ include "common.fullname" . }}-config subPath: logback.xml - - mountPath: /opt/app/aai-resources/resources/localhost-access-logback.xml - name: {{ include "common.fullname" . }}-config - subPath: localhost-access-logback.xml - - mountPath: /opt/app/aai-resources/resources/etc/auth/realm.properties - name: {{ include "common.fullname" . }}-config - subPath: realm.properties - - mountPath: /opt/app/aai-resources/resources/aaf/bath_config.csv - name: {{ include "common.fullname" . }}-aaf-certs - subPath: bath_config.csv - - mountPath: /opt/app/aai-resources/resources/aaf/org.onap.aai.props - name: {{ include "common.fullname" . }}-aaf-properties - subPath: org.onap.aai.props - - mountPath: /opt/app/aai-resources/resources/aaf/org.osaaf.location.props - name: {{ include "common.fullname" . }}-aaf-properties - subPath: org.osaaf.location.props - - mountPath: /opt/app/aai-resources/resources/aaf/permissions.properties - name: {{ include "common.fullname" . }}-aaf-properties - subPath: permissions.properties - - mountPath: /opt/app/aai-resources/resources/cadi.properties - name: {{ include "common.fullname" . }}-aaf-properties - subPath: cadi.properties - mountPath: /opt/app/aai-resources/resources/application.properties name: {{ include "common.fullname" . }}-config subPath: application.properties - - mountPath: /opt/app/aai-resources/resources/application-keycloak.properties - name: {{ include "common.fullname" . 
}}-config - subPath: application-keycloak.properties + - mountPath: /tmp + name: tmp ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} + - containerPort: {{ .Values.service.resourcesPort }} + name: {{ .Values.service.resourcesPortName }} + {{- if .Values.config.debug.enabled }} + - containerPort: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + {{- end }} + - containerPort: {{ .Values.service.metricsPort }} + name: {{ .Values.service.metricsPortName }} + {{- if .Values.config.profiling.enabled }} + - containerPort: {{ .Values.service.profilingPort }} + name: {{ .Values.service.profilingPortName }} + {{- end }} lifecycle: # wait for active requests (long-running tasks) to be finished # Before the SIGTERM is invoked, Kubernetes exposes a preStop hook in the Pod. 
@@ -196,42 +123,39 @@ spec: - sh - -c - | - while (netstat -an | grep ESTABLISHED | grep -e $INTERNAL_PORT_1 -e $INTERNAL_PORT_2) - do sleep 10 + while (netstat -an | grep ESTABLISHED | grep -e $INTERNAL_PORT_1) + do sleep 3 done - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if .Values.liveness.enabled }} + # disable liveness probe when + # debugging.enable=true or profiling.enabled=true + {{- if and .Values.liveness.enabled (not (or .Values.config.debug.enabled .Values.config.profiling.enabled)) }} livenessProbe: httpGet: - path: /aai/util/echo?action=checkDB - port: {{ .Values.service.internalPort }} - scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }} - httpHeaders: - - name: X-FromAppId - value: LivenessCheck - - name: X-TransactionId - value: LiveCheck_TID - - name: Accept - value: application/json + port: {{ .Values.service.metricsPort }} + path: {{ .Values.liveness.path }} + {{- if .Values.liveness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{- end }} readinessProbe: httpGet: - path: /aai/util/echo?action=checkDB - port: {{ .Values.service.internalPort }} - scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }} - httpHeaders: - - name: X-FromAppId - value: ReadinessCheck - - name: X-TransactionId - value: ReadinessCheck_TID - - name: Accept - value: application/json + port: {{ .Values.service.metricsPort }} + path: {{ .Values.readiness.path }} + {{- if .Values.readiness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . 
| nindent 12 }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + startupProbe: + httpGet: + port: {{ .Values.service.metricsPort }} + path: {{ .Values.startup.path }} + failureThreshold: {{ .Values.startup.failureThreshold }} + periodSeconds: {{ .Values.startup.periodSeconds }} + timeoutSeconds: {{ .Values.startup.timeoutSeconds }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end }} @@ -241,22 +165,16 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-aaf-properties - configMap: - name: {{ include "common.fullname" . }}-aaf-props - - name: {{ include "common.fullname" . }}-aaf-certs - secret: - secretName: {{ include "common.fullname" . }}-aaf-keys restartPolicy: {{ .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-resources/templates/secret.yaml b/kubernetes/aai/components/aai-resources/templates/secret.yaml deleted file mode 100644 index a0d8629459..0000000000 --- a/kubernetes/aai/components/aai-resources/templates/secret.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/* -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-aaf-keys - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }} ---- -{{ include "common.secretFast" . }} diff --git a/kubernetes/aai/components/aai-resources/templates/service.yaml b/kubernetes/aai/components/aai-resources/templates/service.yaml index 8feb071bc6..605679ee52 100644 --- a/kubernetes/aai/components/aai-resources/templates/service.yaml +++ b/kubernetes/aai/components/aai-resources/templates/service.yaml 
@@ -19,34 +19,36 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: {{ if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} + - port: {{ .Values.service.resourcesPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - - port: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.resourcesPortName }} + targetPort: {{ .Values.service.resourcesPortName }} + - port: {{ .Values.service.debugPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName2 }} - - port: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.debugPortName }} + targetPort: {{ .Values.service.debugPortName }} + - port: {{ .Values.service.metricsPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} - name: {{ .Values.service.portName3 }} + name: {{ .Values.service.metricsPortName }} + targetPort: {{ .Values.service.metricsPortName }} {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - - port: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName2 }} - - port: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName3 }} + - port: {{ .Values.service.resourcesPort }} + name: {{ .Values.service.resourcesPortName }} + targetPort: {{ 
.Values.service.resourcesPortName }} + {{- if .Values.config.debug.enabled }} + - port: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + targetPort: {{ .Values.service.debugPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + - port: {{ .Values.service.metricsPort }} + name: {{ .Values.service.metricsPortName }} + targetPort: {{ .Values.service.metricsPortName }} + {{- end }} + selector: {{- include "common.matchLabels" . | nindent 4 }} clusterIP: None sessionAffinity: {{ .Values.service.sessionAffinity }} diff --git a/kubernetes/aai/components/aai-resources/templates/servicemonitor.yaml b/kubernetes/aai/components/aai-resources/templates/servicemonitor.yaml index c0d9f212b4..dc706029bf 100644 --- a/kubernetes/aai/components/aai-resources/templates/servicemonitor.yaml +++ b/kubernetes/aai/components/aai-resources/templates/servicemonitor.yaml @@ -1,3 +1,3 @@ {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index de7bf2dd84..f97ca9829b 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -1,6 +1,7 @@ # Copyright (c) 2018 Amdocs, Bell Canada, AT&T # Copyright (c) 2020 Nokia, Orange # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
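Review bot: In the service.yaml hunk (`@@ -19,34 +19,36 @@`), the NodePort branch publishes `debugPort` on `nodePort2` unconditionally, while the `else` branch and the matching `containerPort` in deployment.yaml are both guarded by `.Values.config.debug.enabled`. With debug off, the NodePort entry points at a named `targetPort` the container does not declare; with debug on, it exposes the debug port on every node. Wrap the NodePort `debugPort` entry in the same `{{- if .Values.config.debug.enabled }}` guard used in the other branch.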
@@ -19,10 +20,18 @@ # Declare variables to be passed into your templates. global: # global defaults nodePortPrefix: 302 + kafkaBootstrap: strimzi-kafka-bootstrap + aaiKafkaUser: aai-kafka-user cassandra: #Service Name of the cassandra cluster to connect to. #Override it to aai-cassandra if localCluster is enabled. serviceName: cassandra + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # Specifies a list of jobs to be run jobs: @@ -33,8 +42,37 @@ global: # global defaults migration: enabled: false - aafEnabled: false - + # Specifies if basic authorization is enabled + auth: + enabled: true + # users that can authenticate via basic auth + users: + - username: aai@aai.onap.org + password: demo123456! + - username: so@so.onap.org + password: demo123456! + - username: sdnc@sdnc.onap.org + password: demo123456! + - username: dcae@dcae.onap.org + password: demo123456! + - username: policy@policy.onap.org + password: demo123456! + - username: sdc@sdc.onap.org + password: demo123456! + - username: AAI + password: AAI + - username: DCAE + password: DCAE + - username: MSO + password: MSO + - username: POLICY + password: POLICY + - username: ASDC + password: ASDC + - username: ModelLoader + password: ModelLoader + - username: AaiUI + password: AaiUI config: # Specifies that the cluster connected to a dynamic # cluster being spinned up by kubernetes deployment @@ -42,17 +80,9 @@ global: # global defaults cassandra: dynamic: true - # Specifies if the basic authorization is enabled - basic: - auth: - enabled: true - username: AAI - passwd: AAI - # Active spring profiles for the resources microservice profiles: - # aaf-auth profile will be automatically set if aaf enabled is set to true - active: production,dmaap #,aaf-auth + active: production,kafka # Notification event specific properties notification: 
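Review bot: The `@@ -33,8 +42,37 @@` hunk adds `global.auth.users` with `enabled: true` and literal passwords as chart defaults (one shared `demo123456!` for six service accounts, plus username-equals-password pairs such as `AAI`/`AAI`), so every install that does not override the list runs with credentials published in this repository. Please read the users from an existing Secret, or fail the render with `required` when the list is left at its default, and add a comment next to the list that the values are for demo use only.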
@@ -63,7 +93,7 @@ global: # global defaults schema: # Specifies if the connection should be one way ssl, two way ssl or no auth service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will make a rest request to schema service translator: list: schema-service @@ -77,11 +107,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v27 + default: v30 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28,v29,v30 # Specifies from which version related link should appear related: link: v11 @@ -98,7 +128,6 @@ global: # global defaults # Specifies which clients should always default to realtime graph connection realtime: clients: SDNC,MSO,SO,robot-ete - api_list: - 11 - 12 @@ -109,6 +138,16 @@ api_list: - 17 - 18 - 19 + - 20 + - 21 + - 22 + - 23 + - 24 + - 25 + - 26 + - 27 + - 28 + - 29 aai_enpoints: - name: aai-cloudInfrastructure 
@@ -123,47 +162,18 @@ aai_enpoints: url: network - name: aai-externalSystem url: external-system -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-resources-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai-resources - fqi: aai-resources@aai-resources.onap.org - public_fqdn: aai-resources.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai-resources - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} # application image -image: onap/aai-resources:1.11.0 +image: onap/aai-resources:1.16.0 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small # default number of instances replicaCount: 1 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + # the minimum number of seconds that a newly created Pod should be ready minReadySeconds: 30 updateStrategy: 
@@ -175,19 +185,22 @@ updateStrategy: # Configuration for the resources deployment config: - # configure keycloak according to your environment. - # don't forget to add keycloak in active profiles above (global.config.profiles) - keycloak: - host: keycloak.your.domain - port: 8180 - # Specifies a set of users, credentials, roles, and groups - realm: aai-resources - # Used by any client application for enabling fine-grained authorization for their protected resources - resource: aai-resources-app - # If set to true, additional criteria will be added that match the data-owner property with the given role - # to the user in keycloak - multiTenancy: + janusgraph: + caching: + # enable when running read-heavy workloads + # modifications to graph done by this service/janusgraph instance will immediately invalidate the cache + # modifications to graph done by other services (traversal) will only be visible + # after time specified in db-cache-time enabled: true + # Documentation: https://docs.janusgraph.org/operations/cache/#database-level-caching + dbCacheTime: 180000 # in milliseconds + dbCacheSize: 0.5 # percentage (expressed as a decimal between 0 and 1) of the total heap space available to the JVM running + dbCacheCleanWait: 20 # in milliseconds + # temporarily enable this to update the graph storage version + # see: https://docs.janusgraph.org/changelog/#upgrade-instructions_9 + allowUpgrade: true + + # Specifies crud related operation timeouts and overrides crud: 
@@ -209,36 +222,79 @@ config: # Specifies if the bulk can be override and if it can the value override: false + # environment variables added to the launch of the image in deployment + env: + MAX_METASPACE_SIZE: "512m" + + # adds jvm args for remote debugging the application + debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + + # adds jvm args for remote profiling the application + # port-forward, i.e: + # $ PODNAME=traversal + # $ kubectl -n ${NAMESPACE:=onap} port-forward pod/$(kubectl -n ${NAMESPACE:=onap} + # get pods | awk '{print $1}' | grep -m1 -e "$PODNAME") 9999:9999 + profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + nodeSelector: {} affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 60 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false + enabled: true + path: /actuator/health + periodSeconds: 10 + timeoutSeconds: 3 readiness: - initialDelaySeconds: 60 + path: /actuator/health/readiness periodSeconds: 10 + timeoutSeconds: 3 + +startup: + path: /actuator/health/liveness + failureThreshold: 60 + periodSeconds: 5 + timeoutSeconds: 3 + +actuator: + echo: + enabled: true service: type: ClusterIP - portName: http - internalPort: 8447 - portName2: tcp-5005 - internalPort2: 5005 - portName3: aai-resources-8448 - internalPort3: 8448 - terminationGracePeriodSeconds: 120 + resourcesPortName: http + resourcesPort: 8447 + debugPortName: tcp-5005 + debugPort: 5005 + metricsPortName: metrics + metricsPort: 8448 + profilingPortName: jmx-9999 + profilingPort: 9999 
+ terminationGracePeriodSeconds: 30 sessionAffinity: None ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-read + - serviceAccount: consul-read + # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following @@ -249,35 +305,45 @@ ingress: # ref: http://kubernetes.io/docs/user-guide/compute-resources/ # Minimum memory for development is 2 CPU cores and 4GB memory # Minimum memory for production is 4 CPU cores and 8GB memory -#resources: -# limits: -# cpu: 2 -# memory: 4Gi -# requests: -# cpu: 2 -# memory: 4Gi resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "8" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "4" + memory: "6Gi" unlimited: {} +tracing: + ignorePatterns: + - /aai/util.* + +endpoints: + enabled: true + health: + enabled: true + info: + enabled: true + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + metrics: serviceMonitor: - enabled: false + enabled: true targetPort: 8448 - path: /prometheus + path: /actuator/prometheus basicAuth: enabled: false externalSecretName: mysecretname 
@@ -303,9 +369,9 @@ metrics: ## selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig 
@@ -334,16 +400,50 @@ serviceAccount: #Log configuration log: path: /var/log/onap + level: + root: INFO + base: INFO # base package (org.onap.aai) + audit: WARN + dbMetric: WARN logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# To make logback capping values configurable -logback: - logToFileEnabled: true - maxHistory: 7 - totalSizeCap: 1GB - queueSize: 1000 - -accessLogback: - logToFileEnabled: true - maxHistory: 7 - totalSizeCap: 1GB +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: aai-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: AAI-EVENT + type: topic + operations: [Read, Write] + +volumes: + logSizeLimit: 50Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for_migration: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-migration' + wait_for_createSchema: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + wait_for_cassandra: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/aai/components/aai-schema-service/.helmignore b/kubernetes/aai/components/aai-schema-service/.helmignore index daebc7da77..f0c1319444 100644 --- a/kubernetes/aai/components/aai-schema-service/.helmignore +++ b/kubernetes/aai/components/aai-schema-service/.helmignore 
@@ -1,21 +1,21 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/aai/components/aai-schema-service/Chart.yaml b/kubernetes/aai/components/aai-schema-service/Chart.yaml index c04342fdd9..ec476bfd1b 100644 --- a/kubernetes/aai/components/aai-schema-service/Chart.yaml +++ b/kubernetes/aai/components/aai-schema-service/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2019 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,21 +18,15 @@ apiVersion: v2 description: ONAP AAI Schema Service name: aai-schema-service -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties index a2abaf3785..3d4fd655ab 100644 --- a/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-schema-service/config/aaiconfig.properties @@ -4,6 +4,7 @@ # org.onap.aai # ================================================================================ # Copyright © 2019 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,27 +20,14 @@ # ============LICENSE_END========================================================= */}} -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{ else }} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} - -{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} -aai.tools.enableBasicAuth=true -aai.tools.username={{ .Values.global.config.basic.auth.username }} -aai.tools.password={{ .Values.global.config.basic.auth.passwd }} -{{ end }} -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} +{{ if or (.Values.global.auth.enabled) ( include "common.onServiceMesh" .) }} +aai.tools.enableBasicAuth={{ .Values.global.auth.enabled }} +aai.tools.username={{ (index .Values.global.auth.users 0).username }} +aai.tools.password={{ (index .Values.global.auth.users 0).password }} {{ end }} aai.default.api.version={{ .Values.global.config.schema.version.api.default }} diff --git a/kubernetes/aai/components/aai-schema-service/config/application.properties b/kubernetes/aai/components/aai-schema-service/config/application.properties index a3f7998a8f..ff37210f43 100644 
--- a/kubernetes/aai/components/aai-schema-service/config/application.properties +++ b/kubernetes/aai/components/aai-schema-service/config/application.properties @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -22,33 +23,29 @@ info.build.version=1.1.0 spring.application.name=aai-schema-service spring.jersey.type=filter - +spring.jersey.application-path=${schema.uri.base.path} spring.main.allow-bean-definition-overriding=true -server.servlet.context-path=/ - spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration +spring.sleuth.enabled={{ .Values.global.tracing.enabled }} +spring.zipkin.baseUrl={{ .Values.global.tracing.collector.baseUrl }} +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.global.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c, b3 +spring.sleuth.supports-join=false +{{- if and .Values.tracing .Values.tracing.ignorePatterns }} +spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }} +{{- end }} -spring.jersey.application-path=${schema.uri.base.path} +server.servlet.context-path=/ server.tomcat.max-threads=200 server.tomcat.min-Spare-Threads=25 server.tomcat.max-idle-time=60000 server.local.startpath=aai-schema-service/src/main/resources/ -server.basic.auth.location=${server.local.startpath}/etc/auth/realm.properties server.port=8452 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=want -server.ssl.key-store-type=PKCS12 -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} schema.configuration.location=N/A schema.source.name={{ .Values.global.config.schema.source.name }} 
diff --git a/kubernetes/aai/components/aai-schema-service/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-schema-service/config/localhost-access-logback.xml index d062835849..36acef2c62 100644 --- a/kubernetes/aai/components/aai-schema-service/config/localhost-access-logback.xml +++ b/kubernetes/aai/components/aai-schema-service/config/localhost-access-logback.xml @@ -9,7 +9,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, @@ -58,4 +58,4 @@ %z - Custom pattern that parses the cert for the subject %y - Custom pattern determines rest or dme2 --> -*/}} \ No newline at end of file +*/}} diff --git a/kubernetes/aai/components/aai-schema-service/config/logback.xml b/kubernetes/aai/components/aai-schema-service/config/logback.xml index e91e257d14..a30ffdf496 100644 --- a/kubernetes/aai/components/aai-schema-service/config/logback.xml +++ b/kubernetes/aai/components/aai-schema-service/config/logback.xml @@ -10,7 +10,7 @@ you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 + http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, 
@@ -28,200 +28,38 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - %clr(%d{yyyy-MM-dd HH:mm:ss.SSS}){faint} %clr(${LOG_LEVEL_PATTERN:-%5p}) %clr(${PID:- }){magenta} %clr(---){faint} %clr([%15.15t]){faint} %clr(%-40.40logger{39}){cyan} %clr(:){faint} %m%n${LOG_EXCEPTION_CONVERSION_WORD:-%wEx} - - - - - - ${logDirectory}/rest/sane.log - - ${logDirectory}/rest/sane.log.%d{yyyy-MM-dd} - - - %d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n - - - - - - 1000 - true - - - - - ${logDirectory}/rest/metrics.log - - ${logDirectory}/rest/metrics.log.%d{yyyy-MM-dd} - - - ${metricPattern} - - - - 1000 - true - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/debug.log - - ${logDirectory}/rest/debug.log.%d{yyyy-MM-dd} - - - - ${debugPattern} - - - - - 1000 - - true - - - - ${logDirectory}/rest/error.log - - ${logDirectory}/rest/error.log.%d{yyyy-MM-dd} - - - - WARN - - - ${errorPattern} - - - - - 1000 - - - - - ${logDirectory}/rest/audit.log - - ${logDirectory}/rest/audit.log.%d{yyyy-MM-dd} - - - - ${auditPattern} + + + timestamp + + + context + ServerIPAddress + EntryTimestamp + InvokeTimestamp + ErrorCode + ErrorDesc + + + exception + + ^sun\.reflect\..*\.invoke + ^net\.sf\.cglib\.proxy\.MethodProxy\.invoke + true + + + thread + + logger + 36 + + + - - 1000 - true - - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/translog.log - - ${logDirectory}/rest/translog.log.%d{yyyy-MM-dd} - - - - ${transLogPattern} - - - - - 1000 - true - - - - - - WARN - - ${logDirectory}/external/external.log - - ${logDirectory}/external/external.log.%d{yyyy-MM-dd} - - - - ${debugPattern} - - - - - - DEBUG - - ${logDirectory}/auth/auth.log - - ${logDirectory}/auth/auth.log.%d{yyyy-MM-dd} - - - - %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC}[%thread] %-5level %logger{1024} - %msg%n - - - - 1000 - true - - - - - - + @@ -266,26 +104,19 @@ - - - - + - - - - @@ -295,8 +126,7 @@ - + - 
diff --git a/kubernetes/aai/components/aai-schema-service/config/realm.properties b/kubernetes/aai/components/aai-schema-service/config/realm.properties index 7c8539dbe7..8ed63174df 100644 --- a/kubernetes/aai/components/aai-schema-service/config/realm.properties +++ b/kubernetes/aai/components/aai-schema-service/config/realm.properties @@ -4,8 +4,6 @@ SDNC:OBF:1itr1i0l1i151isv,admin DCAE:OBF:1g8u1f9d1f991g8w,admin POLICY:OBF:1mk61i171ima1im41i0j1mko,admin ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin OOF:OBF:1img1ke71ily,admin @@ -16,8 +14,6 @@ sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin diff --git a/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-schema-service/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml index 957387158a..b98b030c62 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/configmap.yaml @@ -19,11 +19,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/logback.xml").AsConfig . | indent 2 }} --- @@ -32,11 +28,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-localhost-access-log namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/localhost-access-logback.xml").AsConfig . | indent 2 }} --- 
@@ -45,11 +37,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-aaiconfig namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/aaiconfig.properties").AsConfig . | indent 2 }} --- @@ -58,23 +46,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-springapp namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "config/application.properties").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-realm - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "config/realm.properties").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml index 8a7c43f0b9..a0c532e502 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/deployment.yaml 
@@ -2,6 +2,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,16 +19,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "" "labels" .Values.labels "annotations" .Values.annotations ) | nindent 2 }} spec: + {{- if .Values.debug.enabled }} + replicas: 1 + {{- else }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} strategy: type: {{ .Values.updateStrategy.type }} {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} 
@@ -39,62 +38,44 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0) - echo "*** obfuscate them " - export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD} - export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD} - export JETTY_UTIL_JAR=$(find /usr/local/jetty/lib/ -regextype sed -regex ".*jetty-util-[0-9].*.jar") - export KEYSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - export TRUSTSTORE_PASSWORD=`java -cp ${JETTY_UTIL_JAR} org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop - image: {{ include "repositoryGenerator.image.jetty" . }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - command: ["cp", "-R", "/opt/app/aai-schema-service/.", "/opt/app/aai-schema-service_rw/"] + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-obfuscate - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 8 }} - securityContext: - runAsUser: {{ .Values.securityContext.user_id }} - {{- end }} + name: copy-base-folder + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: + limits: + cpu: 100m + memory: 200Mi + requests: + cpu: 3m + memory: 20Mi + volumeMounts: + - mountPath: /opt/app/aai-schema-service_rw + name: aai-schema-service + - mountPath: /tmp + name: tmp-volume containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - echo "*** actual launch of AAI Schema Service" - /bin/bash /opt/app/aai-schema-service/docker-entrypoint.sh - {{- end }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} env: - - name: LOCAL_USER_ID - value: {{ .Values.securityContext.user_id | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.securityContext.group_id | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + {{- if .Values.profiling.enabled }} + - name: PRE_JVM_ARGS + value: '{{ join " " .Values.profiling.args }}' + {{- end }} + {{- if .Values.debug.enabled }} + - name: POST_JAVA_OPTS + value: {{ .Values.debug.args | quote }} + {{- end }} + volumeMounts: + - mountPath: /opt/app/aai-schema-service + name: aai-schema-service - mountPath: /opt/app/aai-schema-service/resources/etc/appprops/aaiconfig.properties name: aaiconfig-conf subPath: aaiconfig.properties 
@@ -106,31 +87,37 @@ spec: - mountPath: /opt/app/aai-schema-service/resources/localhost-access-logback.xml name: localhost-access-log-conf subPath: localhost-access-logback.xml - - mountPath: /opt/app/aai-schema-service/resources/etc/auth/realm.properties - name: realm-conf - subPath: realm.properties - mountPath: /opt/app/aai-schema-service/resources/application.properties name: springapp-conf subPath: application.properties + - mountPath: /tmp + name: tmp-volume ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} + - containerPort: {{ .Values.service.appPort }} + name: {{ .Values.service.appPortName }} + {{- if .Values.debug.enabled }} + - containerPort: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + {{- end }} + {{- if .Values.profiling.enabled }} + - containerPort: {{ .Values.service.profilingPort }} + name: {{ .Values.service.profilingPortName }} + {{- end }} + # disable liveness probe when + # debugging.enabled=true or profiling.enabled=true + {{- if and .Values.liveness.enabled (not (or .Values.debug.enabled .Values.profiling.enabled)) }} livenessProbe: tcpSocket: - port: {{ .Values.service.internalPort }} + port: {{ .Values.service.appPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} readinessProbe: tcpSocket: - port: {{ .Values.service.internalPort }} + port: {{ .Values.service.appPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} 
@@ -143,15 +130,16 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: aai-common-aai-auth-mount - secret: - secretName: aai-common-aai-auth - - name: localtime - hostPath: - path: /etc/localtime + volumes: + - name: aai-schema-service + emptyDir: + sizeLimit: {{ .Values.volumes.aaiSizeLimit }} + - name: tmp-volume + emptyDir: + sizeLimit: {{ .Values.volumes.aaiSizeLimit }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: log-conf configMap: @@ -165,9 +153,5 @@ spec: - name: aaiconfig-conf configMap: name: {{ include "common.fullname" . }}-aaiconfig - - name: realm-conf - configMap: - name: {{ include "common.fullname" . }}-realm restartPolicy: {{ .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-schema-service/templates/service.yaml b/kubernetes/aai/components/aai-schema-service/templates/service.yaml index b54b6be644..de0270f592 100644 --- a/kubernetes/aai/components/aai-schema-service/templates/service.yaml +++ b/kubernetes/aai/components/aai-schema-service/templates/service.yaml 
@@ -19,27 +19,25 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} + - port: {{ .Values.service.appPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - - port: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.appPortName }} + targetPort: {{ .Values.service.appPortName }} + - port: {{ .Values.service.debugPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName2 }} + name: {{ .Values.service.debugPortName }} + targetPort: {{ .Values.service.debugPortName }} {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - - port: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName2 }} + - port: {{ .Values.service.appPort }} + name: {{ .Values.service.appPortName }} + targetPort: {{ .Values.service.appPortName }} + - port: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + targetPort: {{ .Values.service.debugPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} 
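Review bot: Both branches of service.yaml publish `debugPort` unconditionally with `targetPort: {{ .Values.service.debugPortName }}`, but deployment.yaml in this patch only declares that named container port inside `{{- if .Values.debug.enabled }}`. With the default `debug.enabled: false` the Service carries a port whose named target does not exist on the pod, and with `type: NodePort` the JDWP listener from `debug.args` gets a node port as soon as debugging is switched on. JDWP has no authentication, so please wrap the debug port entries in the same `debug.enabled` condition and keep that port out of the NodePort branch.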
diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml index 50e12e8e4d..4333129177 100644 --- a/kubernetes/aai/components/aai-schema-service/values.yaml +++ b/kubernetes/aai/components/aai-schema-service/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,16 +19,21 @@ # Declare variables to be passed into your templates. global: # global defaults nodePortPrefix: 302 - + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + + # Specifies if basic authorization is enabled + auth: + enabled: true + users: + - username: AAI + password: AAI # Common configuration for resources traversal and graphadmin config: - # Specifies if the basic authorization is enabled - basic: - auth: - enabled: true - username: AAI - passwd: AAI - # Schema specific properties that include supported versions of api schema: source: @@ -40,11 +46,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v27 + default: v30 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28,v29,v30 # Specifies from which version related link should appear related: link: v11 
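Review bot: In the `global.auth` block added by the @@ -18,16 +19,21 hunk of this values.yaml, the default account is still the literal `username: AAI` / `password: AAI`, carried over from the old `config.basic.auth` keys. Since the structure is being reworked into a `users` list anyway, consider shipping no default password and reading the list from a Kubernetes Secret, or failing the render when the default is left in place, so a deployment cannot come up with a well-known credential. In the same block, `sampling.probability: 1.0` traces every request once `tracing.enabled` is set; a comment on the value expected in production would help.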
@@ -58,49 +64,34 @@ global: # global defaults edge: label: v12 -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-schema-service-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai-schema-service - fqi: aai-schema-service@aai-schema-service.onap.org - public_fqdn: aai-schema-service.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai-schema-service - user_id: &user_id 1000 - group_id: &group_id 1000 - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** writing passwords into prop file" - echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} - # application image -image: onap/aai-schema-service:1.11.0 +image: onap/aai-schema-service:1.12.11 pullPolicy: Always restartPolicy: Always -flavorOverride: small +flavor: small # default number of instances replicaCount: 1 +# adds jvm args for remote debugging the 
application +debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + +# adds jvm args for remote profiling the application +profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + updateStrategy: type: RollingUpdate maxUnavailable: 0 @@ -112,11 +103,9 @@ affinity: {} # probe configuration parameters liveness: + enabled: true initialDelaySeconds: 60 periodSeconds: 60 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false readiness: initialDelaySeconds: 60 @@ -124,14 +113,23 @@ readiness: service: type: ClusterIP - portName: http - internalPort: 8452 - portName2: tcp-5005 - internalPort2: 5005 + appPortName: http + appPort: 8452 + debugPortName: tcp-5005 + debugPort: 5005 + profilingPortName: jmx-9999 + profilingPort: 9999 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-graphadmin-read + - serviceAccount: aai-resources-read + - serviceAccount: aai-traversal-read + # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following 
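Review bot: In the `service:` block, `profilingPort: 9999` and `debugPort: 5005` repeat numbers that are also hard-coded earlier in this file in `profiling.args` (`jmxremote.port=9999`, `jmxremote.rmi.port=9999`) and `debug.args` (`address=5005`), so changing one side silently breaks the other. Either build the args from the port values or add a comment tying them together. The profiling args also set `jmxremote.authenticate=false` and `jmxremote.ssl=false`; with `java.rmi.server.hostname=127.0.0.1` this looks intended for port-forward use only, and a comment saying so next to `profiling.enabled` would keep the JMX port from being published through a Service later.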
@@ -144,26 +142,26 @@ ingress: # Minimum memory for production is 4 CPU cores and 8GB memory #resources: # limits: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" # requests: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} #Pods Service Account @@ -174,10 +172,24 @@ serviceAccount: # Not fully used for now securityContext: - user_id: *user_id - group_id: *group_id + user_id: 1000 + group_id: 1000 #Log configuration log: path: /var/log/onap + level: + root: INFO + base: INFO # base package (org.onap.aai) logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 50Mi + aaiSizeLimit: 150Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + +tracing: {} + # ignorePatterns: + # - "" diff --git a/kubernetes/aai/components/aai-sparky-be/.helmignore b/kubernetes/aai/components/aai-sparky-be/.helmignore index daebc7da77..f0c1319444 100644 --- a/kubernetes/aai/components/aai-sparky-be/.helmignore +++ b/kubernetes/aai/components/aai-sparky-be/.helmignore 
@@ -1,21 +1,21 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/aai/components/aai-sparky-be/Chart.yaml b/kubernetes/aai/components/aai-sparky-be/Chart.yaml index 2bfb7f231a..b63a2dc805 100644 --- a/kubernetes/aai/components/aai-sparky-be/Chart.yaml +++ b/kubernetes/aai/components/aai-sparky-be/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,21 +17,18 @@ apiVersion: v2 description: ONAP AAI sparky-be name: aai-sparky-be -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties index 084f6e46bc..96c19d43d7 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties @@ -15,4 +15,4 @@ */}} oxm.apiVersion=v14 -oxm.apiVersionList=v8,v9,v10,v11,v12,v13,v14 \ No newline at end of file +oxm.apiVersionList=v8,v9,v10,v11,v12,v13,v14 diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties index 4465fb3e11..6fcdc3d405 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties @@ -15,4 +15,4 @@ */}} oxm.apiVersionOverride=v14 -oxm.apiVersionList=v8,v9,v10,v11,v12,v13,v14 \ No newline at end of file +oxm.apiVersionList=v8,v9,v10,v11,v12,v13,v14 
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties index ee1341751f..79f48da2aa 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,15 +19,9 @@ oxm.schemaNodeDir=/opt/app/sparky/onap/oxm #schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config oxm.schemaServiceTranslatorList=config # The end point for onap is https://:/onap/schema-service/v1/ -{{ if ( include "common.needTLS" .) }} -oxm.schemaServiceBaseUrl=https:///aai/schema-service/v1/ -oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD} -oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD} -{{ else }} + oxm.schemaServiceBaseUrl=http:///aai/schema-service/v1/ -{{ end }} + # Schema Service need this variable for the time being diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties index 7c82d1f90d..e0cf24c40b 100644 
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,16 +16,6 @@ */}} resources.hostname=aai -{{ if ( include "common.needTLS" .) }} -resources.port=8443 -resources.authType=SSL_BASIC -resources.basicAuthUserName=aai@aai.onap.org -resources.basicAuthPassword=1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek -resources.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -resources.trust-store-password=${TRUSTSTORE_PASSWORD} -resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -resources.client-cert-password=${KEYSTORE_PASSWORD} -{{ else }} + resources.port=80 resources.authType=HTTP_NOAUTH -{{ end }} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties index 422e7ce150..68e1141cb3 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -13,13 +14,5 @@ # limitations under the License. server.port=8000 -{{ if ( include "common.needTLS" .) }} -server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -{{ else }} security.require-ssl=false server.ssl.enabled=false -{{ end }} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties index 4fb10a21f7..e617554eb3 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties @@ -3,4 +3,4 @@ historicalEntitySyncEnabled=true autoSuggestSyncEnabled=true vnfAliasSyncEnabled=true geoSyncEnabled=true -viewInspectSyncEnabled=true \ No newline at end of file +viewInspectSyncEnabled=true diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties index 90cb00069e..41c41d29b1 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -22,16 +23,62 @@ spring.mvc.favicon.enabled=false # and in the values.yaml change the internalPort to 9517 # -spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,{{ ( eq "true" ( include "common.needTLS" .)) | ternary "ssl" "http" }} +spring.profiles.active=camel,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy,http portal.cadiFileLocation={{.Values.config.cadiFileLocation}} searchservice.hostname={{.Values.global.searchData.serviceName}} searchservice.port=9509 -{{ if ( include "common.needTLS" .) }} -searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -searchservice.client-cert-password=${KEYSTORE_PASSWORD} -searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -searchservice.truststore-password=${TRUSTSTORE_PASSWORD} -{{ end }} schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties + +# Properties for the SchemaLocationsBean +# Files named aai_oxm_v*.xml are unpacked here: +# Schema Version Related Attributes +schema.uri.base.path=/aai +# Lists all of the versions in the schema +schema.version.list=v9,v10,v11,v12,v13,v14 +# Specifies from which version should the depth parameter to default to zero +schema.version.depth.start=v10 +# Specifies from which version should the related link be displayed in response payload +schema.version.related.link.start=v10 +# Specifies from which version should the client see only the uri excluding host info +# Before this version server base will also be included +schema.version.app.root.start=v11 +# Specifies from which version should the namespace be changed +schema.version.namespace.change.start=v12 +# Specifies from which version should the client start seeing the edge label in payload +schema.version.edge.label.start=v12 +# Specifies the version that the application should default to +schema.version.api.default=v14 +# Schema Location Related Attributes 
+schema.configuration.location=NA +# New propterties required by the aai-common - aai-schema-ingest lib as of 1.3.0 +schema.configuration.location=N/A +schema.nodes.location=${APP_HOME}/onap/oxm +schema.edges.location= +# Setting this values to ${oxm.apiVersion} only to ensure the value used exists (we don't use this properties in our application) +# schema.version.depth.start=${oxm.apiVersion} +# schema.version.related.link.start=${oxm.apiVersion} +# schema.version.app.root.start=${oxm.apiVersion} +# schema.version.namespace.change.start=${oxm.apiVersion} +# schema.version.edge.label.start=${oxm.apiVersion} +# Properties required by AAI Schema Service MS +schema.translator.list=config +schema.service.base.url=${oxm.schemaServiceBaseUrl} +schema.service.nodes.endpoint=nodes?version= +schema.service.edges.endpoint=edgerules?version= +schema.service.versions.endpoint=versions +schema.local=true +schema.filename=mockrequests +#Default rest client is the two-way-ssl +#schema.service.client=two-way-ssl +#Replace the below with the A&AI client key store +schema.service.ssl.key-store=${oxm.schemaServiceKeystore} +#Replace the below with the A&AI tomcat trust store +schema.service.ssl.trust-store=${oxm.schemaServiceTruststore} +schema.service.ssl.key-store-password=${oxm.schemaServiceKeystorePassword} +schema.service.ssl.trust-store-password=${oxm.schemaServiceTruststorePassword} +spring.application.name=sparky +nodeDir=src/main/resources/schema/onap/oxm/ +edgeDir=src/main/resources/schema/onap/oxm +schemaIngestPropLoc=src/main/resources/schema/onap/oxm diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml b/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml index cd5338f5b3..5ceae5c641 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml 
@@ -1,187 +1,187 @@ - - - - - - - - - - - - - - - - - - - - - - - - - ${errorLogPattern} - - - - - - - - - - - ${logDirectory}/${generalLogName}.log - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip + + + + + + + + + + + + + + + + + + + + + + + + + ${errorLogPattern} + + + + + + + + + + + ${logDirectory}/${generalLogName}.log + + ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${errorLogPattern} - - - - - - INFO - - 256 - - - - - - - - ${logDirectory}/${auditLogName}.log - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip + 60 + + + ${errorLogPattern} + + + + + + INFO + + 256 + + + + + + + + ${logDirectory}/${auditLogName}.log + + ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${auditMetricPattern} - - - - 256 - - - - - ${logDirectory}/${metricsLogName}.log - - ${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip + 60 + + + ${auditMetricPattern} + + + + 256 + + + + + ${logDirectory}/${metricsLogName}.log + + ${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - - ${auditMetricPattern} - - - - - - 256 - - - - - ${logDirectory}/${debugLogName}.log - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip + 60 + + + + ${auditMetricPattern} + + + + + + 256 + + + + + ${logDirectory}/${debugLogName}.log + + ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip - 60 - - - ${errorLogPattern} - - - - - 256 - - false - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file + 60 + + + ${errorLogPattern} + + + + + 256 + + false + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/users.config b/kubernetes/aai/components/aai-sparky-be/resources/config/application/users.config index ce69e88918..093e7b01fa 100644 
--- a/kubernetes/aai/components/aai-sparky-be/resources/config/application/users.config +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/users.config @@ -1,20 +1,20 @@ -[{ - "orgId": null, - "managerId": null, - "firstName": "Demo", - "middleInitial": null, - "lastName": "User", - "phone": null, - "email": "demo@email.com", - "hrid": null, - "orgUserId": "demo", - "orgCode": null, - "orgManagerUserId": null, - "jobTitle": null, - "loginId": "demo", - "active": false, - "roles": [{ - "id": 1, - "name": "View" - }] -}] \ No newline at end of file +[{ + "orgId": null, + "managerId": null, + "firstName": "Demo", + "middleInitial": null, + "lastName": "User", + "phone": null, + "email": "demo@email.com", + "hrid": null, + "orgUserId": "demo", + "orgCode": null, + "orgManagerUserId": null, + "jobTitle": null, + "loginId": "demo", + "active": false, + "roles": [{ + "id": 1, + "name": "View" + }] +}] diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties deleted file mode 100644 index 67268e33e2..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/key.properties +++ /dev/null @@ -1 +0,0 @@ -cipher.enc.key=AGLDdG4D04BKm2IxIWEr8o==! diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties deleted file mode 100644 index 7a0fb8250b..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties +++ /dev/null 
@@ -1,49 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -################################################################################ -############################## Portal properties ############################### -################################################################################ - -# Java class that implements the ECOMP role and user mgt API -*/}} -portal.api.impl.class = org.onap.aai.sparky.security.portal.PortalRestAPICentralServiceImpl - -# Instance of ECOMP Portal where the app has been on-boarded -# use insecure http for dev purposes to avoid self-signed certificate -ecomp_rest_url = https://portal-app:8443/ONAPPORTAL/auxapi - -# Standard global logon page -ecomp_redirect_url = https://portal.api.simpledemo.onap.org:30225/ONAPPORTAL/login.htm - -# Name of cookie to extract on login request -csp_cookie_name = EPService -# Alternate values: DEVL, V_DEVL, V_PROD -csp_gate_keeper_prod_key = PROD - -# Toggles use of UEB -ueb_listeners_enable = false -# IDs application withing UEB flow -ueb_app_key=ueb_key_7 -# Use this tag if the app is centralized -role_access_centralized=remote - -# Connection and Read timeout values -ext_req_connection_timeout=15000 -ext_req_read_timeout=20000 - -#Add AAF namespace if the app is centralized -auth_namespace={{ .Values.certInitializer.fqi_namespace }} 
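Review bot: In application.properties (hunk @@ -22,16 +23,62), the added `schema.service.ssl.*` lines reference `${oxm.schemaServiceKeystore}`, `${oxm.schemaServiceTruststore}`, `${oxm.schemaServiceKeystorePassword}` and `${oxm.schemaServiceTruststorePassword}`, which this same patch removes from application-oxm-schema-prod.properties. Unless they are defined somewhere outside this diff, those placeholders are left unresolved; drop the four `schema.service.ssl.*` lines or give them empty defaults. The same hunk sets `schema.configuration.location` twice (`NA`, then `N/A`) and has a typo in the comment above the second one (`propterties`).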
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties deleted file mode 100644 index baefd9806b..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties +++ /dev/null 
@@ -1,49 +0,0 @@ -# Configure AAF -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 -aaf_url=<%=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -#aaf_url=https://DME2RESOLVE/service=com.att.authz.AuthorizationService/version=2.0/envContext=TEST/routeOffer=BAU_SE -# AAF Environment Designation - -#if you are running aaf service from a docker image you have to use aaf service IP and port number -aaf_id={{ .Values.certInitializer.fqi }} -#Encrypt the password using AAF Jar -aaf_password={{ .Values.certInitializer.aafDeployPass }} -# Sample CADI Properties, from CADI 1.4.2 -#hostname=org.onap.aai.orr -csp_domain=PROD -# Add Absolute path to Keyfile -cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile -cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD} - -cadi_alias={{ .Values.certInitializer.fqi }} - -# This is required to accept Certificate Authentication from Certman certificates. -# can be TEST, IST or PROD -aaf_env=DEV - -# DEBUG prints off all the properties. Use to get started. -cadi_loglevel=DEBUG - -# Add Absolute path to truststore2018.jks -cadi_truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -# Note: This is the ONLY password that doesn't have to be encrypted. All Java's TrustStores are this passcode by default, because they are public certs -cadi_truststore_password=${TRUSTSTORE_PASSWORD} - -# how to turn on SSL Logging -#javax.net.debug=ssl - -# Use "maps.bing.com" to get Lat and Long for an Address -AFT_LATITUDE=32.780140 -AFT_LONGITUDE=-96.800451 -AFT_ENVIRONMENT=AFTUAT -AFT_DME2_CLIENT_IGNORE_SSL_CONFIG=true -DME2.DEBUG=true -AFT_DME2_HTTP_EXCHANGE_TRACE_ON=true - -cadi_latitude=32.780140 -cadi_longitude=-96.800451 - -aaf_root_ns=com.att.aaf -aaf_api_version=2.0 
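Review bot: cadi.properties is deleted here, but application.properties in this patch keeps `portal.cadiFileLocation={{.Values.config.cadiFileLocation}}` as an unchanged line, so that setting may now point at a file the chart no longer ships. Please remove the property in the same change, along with its `config.cadiFileLocation` value if nothing else reads it, or confirm it is unused. Separately, deleting this file together with key.properties and keyFile does not remove the committed key material from repository history, so anything that still trusts `cipher.enc.key` or that keyfile should be re-keyed.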
diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile deleted file mode 100644 index 921ce6714a..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/keyFile +++ /dev/null 
@@ -1,27 +0,0 @@ -77E_fh-8gTjeg8egAo-JgNkXYm1FGEBPMo44vKPgKyGCJj9Dn0xJqIBct2Ko35X4_HSU3wPq3I2q -YHIvJCjmzXTVu2zvu4rIGTlwycTtLGDkgPyhOYFytv4GgazbpSs9331MPUeVVrdpkDCQmjtHSB4m -DThhfEe2lkbZ35ljX3sVSf3JDy4ngRot0ktQwnnY4vxFdgVUl7LzVinXWgFLoqMyXmKh_bGw9aUH -VMgqFsF_YmqLZY5ZARAraeywktvrU5kXYh5SnfXoJy7XIk0TBjHKqO-1mW-TcIgS3_v6GIGkZnpq -e1FyE8cS21gTPFlc1KDoWUZE2yoEsQKJc4RFWfjid_mE6nckxym1TOsEn3G2_TlkZvliN_QMDB_c -RuFLDB9HCChm4YYHpSn-RBqtJFz29bMTHQX8VNVfZ_Zhh-4dWOlEfpSzJvAqm_boo-8y8YDGIusx -mvKyPXEKVCuBOljHaKhYg0d43nAXIFsssKpjmtQizA2L_TP1Mo_lDFIlCsPcRlHKTvzkTstEAhRj -JnepzA--olBMwBkPxjm1Y5XQBGZH72i_o4Hr7_NqHb9sP486I2Nd1-owjHkhacGrLO1oORnuBUxp -_SnaXYywe9tTz3BcfFupXSoDv4Sj7g9B53yPIWmjGggigidql3SNJsui6qOtwDHOejzEDFm23Lj7 -fXD6sb52U_ul9ahi4CoLTzpvMsPRYOqyRCk8K8FVBauZbG5D42oaFPn0S0rCSHOCU1TXbRdTF-Cs -I2R0pEHNgb33yx6vtInaTSYIQ5cxa3XDA_50AQearV5SuYSlp8dK0BkpVCKgvSQdTn-2WiaV_hvO -KzG7D2adT1kYY6TjYMXIaUiJ33y1XSNDG0s6r4NG5dNE6Jj7thdpnV-AAZoi0uZh1_bsHKLVmHRr -NCXAc6DZm1D4N9y5lOJwUprUlJisZXLFTQThGMRY5dtiY_eK9Xjj4FQygXXhuhFXHz2-e4YApORv -lXDcT29IZuuI1j26bxdNdhNr1wZsqqievBN6l6OQMiP21eIrxAUu1BEmiVOrfOzaEjxldDN2gFum -4-zf9gsQT9UT8KEuOje64wVeHr09JpWuddV9HOAMvqc6mKTWmvUv_QiLgtK_b39QccMrOfOA1usM -biRJ9wuTYIr584Q9CjHEcm5e2YufcbF-IDZ4IDui8gNXyYJuusTYdspeKzrtiLKfgI56ZWA3it9G -SOkN18YyUmhk7HFkx9qEifb4UEbUQPb0dyXBRotf-91c5CPkct-36uV4sZBA_AR1tX3-aRKKB_SQ -B0zaG-eaEdEqKv-ZYHqk23ZxiEsCX3ZdY7VSMWztE3_D5n8UgEl4et5LVfnjvU-arVVO93WUbXk0 -zi2QrOwytOZ0StAvFdF1nVwWllPg4EYcn8qLJIaaBRvLMlpHixtwRhltwJeMmJl3ExImOxNhVbhF -6LxVXW6JK8JfMIwb_TE4EShDBjemq76BojQOwrO4OAyPG7B5iUtefdY-Zu1EtjXPhrUgljI_A1tg -5_2WNjNTCT7Bvig3saFsIRi3cvgIcMAF2H7kJYw3UDvCFnx4LIom2u6vSeyatPxEOhRfpP0KvgEU -koM9DFJW7VWQ11mB_DcU2NoYHdFKFy_cM62kIvoRwZTADGryEtkLSWEDT8MLpVrGXP2RjSZ3HHqC -vVpVqQHC2VIqNKi2uHtYCiTEfj81Z0rCrnH3hYIRoOSe5W6m17xyb0RloG0G44uK0oNCfDYLwK0L -TJaBdWSIBYI__ISsKx8o8r-3XLtbwQPPhv4-LpGwJYd7sIcqnpTYAyNGSrbEM4ECzHCH9Hwf9Duy -cAQGWqXIbTV9i8ryw8OhcCZPTf3noPZyhzzdegiv6KNT-BBbxsgtDehtP-jvpd9eAhjlfUV_hoFJ 
-rBUVMFrIOEDnnItVqBDmnavRdhn6N9ObVjVMv_4inhkvtpBCEVxtVQT2kFuBmZvPu_uHHbXi7_g8 -SVs3AjJ2ya3pZraK6gH3IOYoGtTAH3rKl7XdTMjqWnUCbhepuJqeEOF-DhpsEW7Oo0Lqzbjg \ No newline at end of file diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties deleted file mode 100644 index e1ddd326f9..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/portal-authentication.properties +++ /dev/null 
@@ -1,36 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -##################################################################################### -############################## Portal Auth Properties ############################## -##################################################################################### - -############################## Auth ############################## -*/}} -username={{.Values.config.portalUsername}} -password={{.Values.config.portalPassword}} - -{{/* -############################## ############################## -# -# ONAP Cookie Processing - During initial development, this flag, if true, will -# prevent the portal interface's login processing from searching for a user -# specific cookie, and will instead allow passage if a valid session cookie is -# discovered. -*/}} -onap_enabled={{.Values.config.portalOnapEnabled}} -onap.user_id_cookie_name={{.Values.config.portalCookieName}} -cookie_decryptor_classname={{.Values.config.cookieDecryptorClass}} -app_roles={{.Values.config.portalAppRoles}} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-sparky-be/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml index fee07d8acf..407850eb7f 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml 
@@ -17,39 +17,6 @@ --- apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-portal - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/portal/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-portal-props - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/portal/BOOT-INF/classes/*").AsConfig . | indent 2 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index 31ea946d9b..517601b0dc 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml 
@@ -1,7 +1,8 @@ {{/* -# Copyright (c) 2017 Amdocs, Bell Canada -# Modifications Copyright (c) 2018 AT&T -# Modifications Copyright (c) 2020 Nokia +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2020 Nokia +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,16 +19,15 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "annotations" .Values.annotations "dot" .) | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} + {{- if .Values.debug.enabled }} + replicas: 1 + {{- else }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} strategy: type: {{ .Values.updateStrategy.type }} {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} 
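Review bot: in the aai-sparky-be deployment.yaml hunk at `@@ -18,16 +19,15 @@`, `spec.selector` changes from the fixed `matchLabels: app: {{ include "common.name" . }}` to `common.selectors`, and a Deployment's selector is immutable in apps/v1. If the helper renders anything other than the old single `app` label, `helm upgrade` on an existing release is rejected until the Deployment is deleted, so please state in the commit message whether an in-place upgrade from the previous chart is expected to work. The same hunk forces `replicas: 1` whenever `debug.enabled` is set and silently ignores `replicaCount`; a comment next to `debug:` in values.yaml should say so.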
@@ -35,87 +35,18 @@ spec: maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} maxSurge: {{ .Values.updateStrategy.maxSurge }} {{- end }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - annotations: - sidecar.istio.io/rewriteAppHTTPProbers: "false" - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- if ( include "common.needTLS" .) }} - - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \ - | xargs -0) - if [ -z "$KEYSTORE_PASSWORD" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - fi - echo "*** write them in portal part" - cd /config-input - for PFILE in `ls -1 .` - do - envsubst <${PFILE} >/config/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config-input - name: portal-config-input - - mountPath: /config - name: portal-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - {{- end }} - - command: - - /app/ready.py - args: - - --container-name - - aai - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} containers: - name: {{ include "common.name" . 
}} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \ - | xargs -0) - echo "*** actual launch of AAI Sparky BE" - /opt/app/sparky/bin/start.sh - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/sparky/config/auth/csp-cookie-filter.properties - name: auth-config - subPath: csp-cookie-filter.properties - - mountPath: /opt/app/sparky/config/portal/ - name: portal-config - - mountPath: /opt/app/sparky/config/portal/BOOT-INF/classes/ - name: portal-config-props + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + volumeMounts: - mountPath: {{ .Values.log.path }} name: logs - mountPath: /opt/app/sparky/config/application.properties 
@@ -145,25 +76,53 @@ spec: - mountPath: /opt/app/sparky/config/logging/logback.xml name: config subPath: logback.xml + - mountPath: /tmp + name: tmp-volume ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPlainPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} + {{- if .Values.debug.enabled }} + - containerPort: {{ .Values.debug.port }} + name: {{ .Values.debug.portName }} + {{- end }} + {{- if .Values.profiling.enabled }} + - containerPort: {{ .Values.profiling.port }} + name: {{ .Values.profiling.portName }} + {{- end }} + {{ include "common.containerPorts" . | nindent 10 }} + env: + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + {{- if .Values.profiling.enabled }} + - name: PRE_JVM_ARGS + value: '{{ join " " .Values.profiling.args }}' + {{- end }} + {{- if .Values.debug.enabled }} + - name: JVM_ARGS + value: {{ .Values.debug.args | quote }} + {{- end }} + # disable liveness probe when + # debugging.enabled=true or profiling.enabled=true + {{- if and .Values.liveness.enabled (not (or .Values.debug.enabled .Values.profiling.enabled)) }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} + {{- end }} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds 
}} - resources: -{{ include "common.resources" . }} + startupProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + failureThreshold: {{ .Values.startup.failureThreshold }} + periodSeconds: {{ .Values.startup.periodSeconds }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -176,32 +135,19 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: config configMap: name: {{ include "common.fullname" . }} - - name: portal-config - {{- if .Values.global.aafEnabled }} - emptyDir: - medium: Memory - - name: portal-config-input - {{- end }} - configMap: - name: {{ include "common.fullname" . }}-portal - - name: portal-config-props - configMap: - name: {{ include "common.fullname" . }}-portal-props - - name: auth-config - secret: - secretName: {{ include "common.fullname" . }} - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: modeldir - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.modeldirSizeLimit }} + - name: tmp-volume + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml b/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml deleted file mode 100644 index d6013c832e..0000000000 
--- a/kubernetes/aai/components/aai-sparky-be/templates/secret.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml index 9e3ffd6f56..10d9e2a07d 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/service.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/service.yaml 
@@ -14,24 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - port: {{ .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} - {{- if eq .Values.service.type "NodePort" }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end }} - type: {{ .Values.service.type }} - selector: - app: {{ include "common.name" . }} +{{ include "common.service" . }} diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index 29953b4b66..16fbf7ff87 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -1,5 +1,6 @@ -# Copyright (c) 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright (c) 2020 Nokia, Orange +# Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2020 Nokia, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -27,48 +28,13 @@ global: # global defaults searchData: serviceName: aai-search-data - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-sparky-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "aai" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.aai" - fqi: "aai@aai.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing passwords into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - # application image -image: onap/sparky-be:2.0.3 +image: onap/sparky-be:2.1.0 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small dockerhubRepository: registry.hub.docker.com -ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 + # application configuration config: elasticsearchHttpPort: 9200 
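Review bot: in the aai-sparky-be values.yaml hunk at `@@ -27,48 +28,13 @@`, the bumped `image: onap/sparky-be:2.1.0` is still a mutable tag and the unchanged `pullPolicy: Always` re-resolves it on every pod start, so a re-pushed tag changes what runs without any chart change. Consider pinning by digest, or at least recording the expected digest alongside the version bump. Separately, the removed `aafDeployPass: demo123456!` stays readable in the repository history, so any environment that was deployed with that default should treat the value as known.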
@@ -78,8 +44,9 @@ config: portalPassword: OBF:1t2v1vfv1unz1vgz1t3b # aaiui portalCookieName: UserId portalAppRoles: ui_view - cadiFileLocation: /opt/app/sparky/config/portal/cadi.properties cookieDecryptorClass: org.onap.aai.sparky.security.BaseCookieDecryptor + env: + JVM_ARGS: -XX:MaxRAMPercentage=50.0 # ONAP Cookie Processing - During initial development, the following flag, if true, will # prevent the portal interface's login processing from searching for a user @@ -87,14 +54,33 @@ config: portalOnapEnabled: true # -# override chart name (sparky-be) to share a common namespace -# suffix with parent chart (aai) -nsSuffix: aai +# adds jvm args for remote debugging the application +debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + port: 5555 + portName: debug +# adds jvm args for remote profiling the application +profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + port: 9999 + portName: jmx # default number of instances replicaCount: 1 +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + updateStrategy: type: RollingUpdate maxUnavailable: 0 @@ -116,13 +102,18 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 +startup: + failureThreshold: 90 + periodSeconds: 1 + service: type: NodePort - portName: http - externalPort: 8000 - internalPort: 8000 - internalPlainPort: 9517 - nodePort: 20 + internalPort: 9517 + ports: + - name: http + port: 8000 + internal_port: 9517 + nodePort: 20 ingress: enabled: false 
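Review bot: in the aai-sparky-be values.yaml hunk at `@@ -87,14 +54,33 @@`, `debug.args` makes JDWP listen on `address=5005` while `debug.port` is `5555`, so the containerPort that deployment.yaml declares from `debug.port` does not match the listener; use one number for both. Enabling debug also makes deployment.yaml emit a second `JVM_ARGS` env entry after the one rendered from `config.env`, so the container's env list carries the name twice and the `-XX:MaxRAMPercentage=50.0` default is at best overridden; define the variable once and append the debug flags to it. The profiling block ships `jmxremote.authenticate=false`, `jmxremote.ssl=false` and `jmxremote.local.only=false`; it is off by default, but a comment that it is intended for port-forward use only (the RMI hostname is `127.0.0.1`) would keep it from being switched on in a shared cluster.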
@@ -133,23 +124,33 @@ ingress: config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + # Configure resource requests and limits # ref: http://kubernetes.io/docs/user-guide/compute-resources/ resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "500m" + memory: "2Gi" requests: - cpu: 0.25 - memory: 1Gi + cpu: "250m" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 0.5 - memory: 2Gi + cpu: "500m" + memory: "2Gi" unlimited: {} #Pods Service Account @@ -162,3 +163,17 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 64Mi + modeldirSizeLimit: 64Mi + tmpSizeLimit: 64Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for: + services: + - aai diff --git a/kubernetes/aai/components/aai-traversal/.helmignore b/kubernetes/aai/components/aai-traversal/.helmignore index daebc7da77..f0c1319444 100644 --- a/kubernetes/aai/components/aai-traversal/.helmignore +++ b/kubernetes/aai/components/aai-traversal/.helmignore 
@@ -1,21 +1,21 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/kubernetes/aai/components/aai-traversal/Chart.yaml b/kubernetes/aai/components/aai-traversal/Chart.yaml index f5a6a923a6..e1602b9b02 100644 --- a/kubernetes/aai/components/aai-traversal/Chart.yaml +++ b/kubernetes/aai/components/aai-traversal/Chart.yaml @@ -1,6 +1,6 @@ # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,21 +17,18 @@ apiVersion: v2 description: ONAP AAI traversal name: aai-traversal -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv b/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv deleted file mode 100644 index 60a8fb5f0b..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/bath_config.csv +++ /dev/null 
@@ -1,33 +0,0 @@ -# AAI -> aai@aai.onap.org -Basic QUFJOkFBSQ==,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ModelLoader -> aai@aai.onap.org -Basic TW9kZWxMb2FkZXI6TW9kZWxMb2FkZXI=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# AaiUI -> aai@aai.onap.org, -Basic QWFpVUk6QWFpVUk=,Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# MSO -> so@so.onap.org -Basic TVNPOk1TTw==,Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03 - -# SDNC -> sdnc@sdnc.onap.org -Basic U0ROQzpTRE5D,Basic c2RuY0BzZG5jLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# DCAE -> dcae@dcae.onap.org -Basic RENBRTpEQ0FF,Basic ZGNhZUBkY2FlLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# POLICY -> policy@policy.onap.org -Basic UE9MSUNZOlBPTElDWQ==,Basic cG9saWN5QHBvbGljeS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# ASDC -> sdc@sdc.onap.org -Basic QVNEQzpBU0RD,Basic c2RjQHNkYy5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# VID -> vid@vid.onap.org -Basic VklEOlZJRA==,Basic dmlkQHZpZC5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 - -# APPC -> appc@appc.onap.org -Basic QVBQQzpBUFBD,Basic YXBwY0BhcHBjLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 - -# OOF -> oof@oof.onap.org -Basic T09GOk9PRg==,Basic b29mQG9vZi5vbmFwLm9yZzpkZW1vMTIzNDQ2IQ==,2050-03-03 - diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties deleted file mode 100644 index 2b19da9f6f..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/cadi.properties +++ /dev/null @@ -1,8 +0,0 @@ - -cadi_loglevel=INFO -cadi_prop_files=/opt/app/aai-traversal/resources/aaf/org.osaaf.location.props:/opt/app/aai-traversal/resources/aaf/org.onap.aai.props - -# OAuth2 -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - 
diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props b/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props deleted file mode 100644 index b46defa6b7..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.onap.aai.props +++ /dev/null @@ -1,16 +0,0 @@ -############################################################ -# Properties Generated by AT&T Certificate Manager -# @copyright 2016, AT&T -# Modifications Copyright (c) 2020 Orange -############################################################ -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US -cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile -cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD} - -#cadi_key_password=enc:9xs_lJ9QQRDoMcHqLbGg40-gefGrw-sLMjWL40ejbyqdC7Jt_pQfY6ajBLGcbLuL -cadi_alias=aai@aai.onap.org -cadi_truststore={{ .Values.certInitializer.credsPath }}/truststoreONAPall.jks -cadi_truststore_password=${TRUSTSTORE_ALL_PASSWORD} -cadi_loglevel=INFO -cadi_bath_convert=/opt/app/aai-traversal/resources/aaf/bath_config.csv diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props b/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props deleted file mode 100644 index b9ec6b4641..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/org.osaaf.location.props +++ /dev/null 
@@ -1,23 +0,0 @@ -## -## org.osaaf.location.props -## -## Localized Machine Information -## -# Almeda California ? -cadi_latitude=37.78187 -cadi_longitude=-122.26147 - -# Locate URL (which AAF Env) -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 - -# AAF URL -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -# AAF Environment Designation -aaf_env=DEV - -# OAuth2 Endpoints -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect - - diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties deleted file mode 100644 index d4956f577c..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaf/permissions.properties +++ /dev/null @@ -1,2 +0,0 @@ -permission.type=org.onap.aai.traversal -permission.instance=* \ No newline at end of file diff --git a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties index b8a2b5fe03..92eb34765d 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/aaiconfig.properties @@ -5,6 +5,7 @@ # ================================================================================ # Copyright © 2017 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -27,28 +28,14 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten - -{{ if ( include "common.needTLS" .) }} -aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ -aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ -aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ -{{else}} aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ -{{ end }} -{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} +{{ if or (.Values.global.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true -aai.tools.username={{ .Values.global.config.basic.auth.username }} -aai.tools.password={{ .Values.global.config.basic.auth.passwd }} -{{ end }} - -{{ if ( include "common.needTLS" .) }} -aai.truststore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -aai.truststore.passwd.x=${TRUSTSTORE_PASSWORD} -aai.keystore.filename={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -aai.keystore.passwd.x=${KEYSTORE_PASSWORD} +aai.tools.username={{ (index .Values.global.auth.users 0).username }} +aai.tools.password={{ (index .Values.global.auth.users 0).password }} {{ end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} diff --git a/kubernetes/aai/components/aai-traversal/resources/config/application-keycloak.properties b/kubernetes/aai/components/aai-traversal/resources/config/application-keycloak.properties deleted file mode 100644 index dd1956b63f..0000000000 
--- a/kubernetes/aai/components/aai-traversal/resources/config/application-keycloak.properties +++ /dev/null @@ -1,13 +0,0 @@ -spring.autoconfigure.exclude=\ - org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ - org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration - -multi.tenancy.enabled={{ .Values.config.keycloak.multiTenancy.enabled }} -keycloak.auth-server-url=http://{{ .Values.config.keycloak.host }}:{{ .Values.config.keycloak.port }}/auth -keycloak.realm={{ .Values.config.keycloak.realm }} -keycloak.resource={{ .Values.config.keycloak.resource }} -keycloak.public-client=false -keycloak.principal-attribute=preferred_username - -keycloak.ssl-required=external -keycloak.bearer-only=true diff --git a/kubernetes/aai/components/aai-traversal/resources/config/application.properties b/kubernetes/aai/components/aai-traversal/resources/config/application.properties index 3022b17f97..b3e869d504 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/application.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/application.properties @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright © 2020 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
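Review bot: in the aai-traversal aaiconfig.properties hunk at `@@ -27,28 +28,14 @@`, `(index .Values.global.auth.users 0)` is evaluated whenever `global.auth.enabled` is set or `common.onServiceMesh` is true, so a mesh deployment with an empty or missing `global.auth.users` list fails at render time with an index error instead of a readable message. Guard the block on the list being non-empty, or wrap the lookup in `required`. The `aai.tools.password` value also ends up in clear text in the rendered properties file, so that file should be delivered through a Secret rather than a ConfigMap if it is not already.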
@@ -25,11 +26,17 @@ spring.application.name=aai-traversal spring.jersey.type=filter spring.main.allow-bean-definition-overriding=true -server.servlet.context-path=/ +server.servlet.context-path=${schema.uri.base.path} + +spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration +spring.profiles.active={{ .Values.global.config.profiles.active }} +spring.jersey.application-path=/ + +management.tracing.enabled={{ .Values.global.tracing.enabled }} +management.tracing.sampling.probability={{ .Values.global.tracing.sampling.probability }} +management.tracing.propagation.type=w3c, b3 +management.zipkin.tracing.endpoint={{ .Values.global.tracing.collector.baseUrl }} -spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,org.keycloak.adapters.springboot.KeycloakAutoConfiguration,org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration,org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration -spring.profiles.active={{ .Values.global.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} -spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 #The minimum number of threads always kept alive 
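Review bot: `management.zipkin.tracing.endpoint` is set from a value named `collector.baseUrl` with nothing appended. Spring Boot posts spans to this URL exactly as given (its built-in default is `http://localhost:9411/api/v2/spans`), so either confirm that the value already carries the full spans path or append the path in this line. Separately, `SecurityAutoConfiguration` and `ManagementWebSecurityAutoConfiguration` stay in `spring.autoconfigure.exclude` while the Keycloak entry is dropped. A short comment saying that authentication is now handled by the `aai.basic-auth.*` properties added later in this file would help the next reader understand why Spring Security remains switched off.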
@@ -40,26 +47,16 @@ server.tomcat.max-idle-time=60000 # If you get an application startup failure that the port is already taken # If thats not it, please check if the key-store file path makes sense server.local.startpath=aai-traversal/src/main/resources/ -server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8446 -{{ if ( include "common.needTLS" .) }} -server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -server.ssl.client-auth=want -server.ssl.key-store-type=JKS -{{ else }} -security.require-ssl=false -server.ssl.enabled=false -{{ end }} - -# JMS bind address host port -jms.bind.address=tcp://localhost:61647 -dmaap.ribbon.listOfServers=message-router.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} -dmaap.ribbon.transportType={{ include "common.scheme" . }} + +spring.kafka.producer.bootstrap-servers=${BOOTSTRAP_SERVERS} +spring.kafka.producer.properties.security.protocol=SASL_PLAINTEXT +spring.kafka.producer.properties.sasl.mechanism=SCRAM-SHA-512 +spring.kafka.producer.key-serializer=org.apache.kafka.common.serialization.StringSerializer +spring.kafka.producer.value-serializer=org.apache.kafka.common.serialization.StringSerializer +spring.kafka.producer.properties.sasl.jaas.config=${JAAS_CONFIG} +spring.kafka.producer.retries=3 # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
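Review bot: `spring.kafka.producer.properties.security.protocol=SASL_PLAINTEXT` is hard-coded, so SCRAM-SHA-512 authenticates the producer but the AAI event payloads travel to the broker unencrypted. The same hunk also removes the whole `server.ssl.*` block, so after this change nothing in this file provides transport protection. If the intent is to rely on the service mesh for that, say so in a comment next to the Kafka block. Otherwise make the protocol a chart value so a deployment without a mesh can choose `SASL_SSL`.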
@@ -98,27 +95,34 @@ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions schema.service.custom.queries.endpoint=stored-queries -schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} - -{{ if ( include "common.needTLS" .) }} -schema.service.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -schema.service.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -schema.service.ssl.key-store-password=${KEYSTORE_PASSWORD} -schema.service.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} -{{ end }} +schema.service.client=no-auth #to expose the Prometheus scraping endpoint -management.port=8448 -management.endpoints.enabled-by-default=false +management.server.port=8448 +management.endpoints.enabled-by-default=true +management.endpoints.web.exposure.include=* management.security.enabled=false -endpoints.enabled=false -endpoints.info.enabled=false -endpoints.prometheus.enabled=false -endpoints.health.enabled=false +endpoints.enabled={{ .Values.endpoints.enabled }} +endpoints.info.enabled={{ .Values.endpoints.info.enabled }} +endpoints.prometheus.enabled={{ .Values.metrics.serviceMonitor.enabled }} +endpoints.health.enabled={{ .Values.endpoints.health.enabled }} management.metrics.web.server.auto-time-requests=false management.metrics.distribution.percentiles-histogram[http.server.requests]=true management.metrics.distribution.sla[http.server.requests]=20ms, 30ms, 40ms, 50ms, 60ms, 70ms, 80ms, 90ms, 100ms, 500ms, 1000ms, 5000ms, 7000ms #Add common tag for grouping all aai related metrics management.metrics.tags.group_id=aai #It is not advisable to use labels to store dimensions with high cardinality. Enable this option only for debug purposes. 
For more information: https://github.com/micrometer-metrics/micrometer/issues/1584 -scrape.uri.metrics=false \ No newline at end of file +scrape.uri.metrics=false + +# If true, the actuator health check will be overriden +# to use the AaiGraphChecker check instead. +# This does the same as the /echo endpoint, +# but doesn't show up in micrometer metrics +aai.actuator.echo.enabled={{ .Values.actuator.echo.enabled }} +aai.graph.properties.path=${server.local.startpath}/etc/appprops/janusgraph-realtime.properties + +aai.basic-auth.enabled={{ .Values.global.auth.enabled }} +{{- range $index, $user := .Values.global.auth.users }} +aai.basic-auth.users[{{ $index }}].username={{ $user.username }} +aai.basic-auth.users[{{ $index }}].password={{ $user.password }} +{{- end }} diff --git a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-cached.properties b/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-cached.properties deleted file mode 100644 index b6fdd4c58f..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-cached.properties +++ /dev/null 
@@ -1,102 +0,0 @@ -{{/* -# -# ============LICENSE_START======================================================= -# org.onap.aai -# ================================================================================ -# Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-# -*/}} - -query.fast-property=true -query.smart-limit=false - -{{ if .Values.global.config.cluster.cassandra.dynamic }} - -storage.backend=cql -storage.hostname={{.Values.global.cassandra.serviceName}} -storage.cql.keyspace=aaigraph -storage.username={{.Values.global.cassandra.username}} -storage.password={{.Values.global.cassandra.password}} - -storage.cql.read-consistency-level=LOCAL_QUORUM -storage.cql.write-consistency-level=LOCAL_QUORUM -storage.cql.replication-factor={{.Values.global.cassandra.replicas}} -storage.cql.only-use-local-consistency-for-system-operations=true - -{{ else }} - -{{ if .Values.global.config.storage }} - -storage.backend={{ .Values.global.config.storage.backend }} - -{{ if eq .Values.global.config.storage.backend "cassandra" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cassandra.keyspace={{ .Values.global.config.storage.name }} - -storage.cassandra.read-consistency-level={{ .Values.global.config.storage.cassandra.readConsistency }} -storage.cassandra.write-consistency-level={{ .Values.global.config.storage.cassandra.writeConsistency }} -storage.cassandra.replication-factor={{ .Values.global.config.storage.cassandra.replicationFactor | int }} -storage.cassandra.astyanax.cluster-name= {{ .Values.global.config.storage.clusterName }} -storage.cassandra.astyanax.local-datacenter= {{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "cql" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cql.keyspace={{ .Values.global.config.storage.name }} - -storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} -storage.cql.write-consistency-level={{ 
.Values.global.config.storage.cql.readConsistency }} -storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationFactor | int }} - -storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} -storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ else if eq .Values.global.config.storage.backend "hbase" }} - -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.hbase.table={{ .Values.global.config.storage.name }} - -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} - -{{ end }} - -{{ end }} - -{{ end }} - -storage.lock.wait-time=300 -#caching on -cache.db-cache = true -cache.db-cache-clean-wait = 20 -cache.db-cache-time = 180000 -cache.db-cache-size = 0.3 - -#load graphson file on startup -load.snapshot.file=false diff --git a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties b/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties index 836dc7b176..47095adf93 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/janusgraph-realtime.properties 
@@ -15,52 +15,40 @@ # See the License for the specific language governing permissions and # limitations under the License. # ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. -# */}} query.fast-property=true query.smart-limit=false -{{ if .Values.global.config.cluster.cassandra.dynamic }} +{{- if .Values.global.config.cluster.cassandra.dynamic }} storage.backend=cql storage.hostname={{.Values.global.cassandra.serviceName}} -storage.cql.keyspace=aaigraph storage.username={{.Values.global.cassandra.username}} storage.password={{.Values.global.cassandra.password}} +storage.cql.keyspace=aaigraph +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.cql.read-consistency-level=LOCAL_QUORUM storage.cql.write-consistency-level=LOCAL_QUORUM storage.cql.replication-factor={{.Values.global.cassandra.replicas}} storage.cql.only-use-local-consistency-for-system-operations=true -{{ else }} - -{{ if .Values.global.config.storage }} - -storage.backend={{ .Values.global.config.storage.backend }} - -{{ if eq .Values.global.config.storage.backend "cassandra" }} +{{- if .Values.global.cassandra.partitionerName }} +storage.cql.partitioner-name={{ .Values.global.cassandra.partitionerName }} +{{- end }} -storage.hostname={{ .Values.global.config.storage.hostname }} -storage.cassandra.keyspace={{ .Values.global.config.storage.name }} +{{- else -}} -storage.cassandra.read-consistency-level={{ .Values.global.config.storage.cassandra.readConsistency }} -storage.cassandra.write-consistency-level={{ .Values.global.config.storage.cassandra.writeConsistency }} -storage.cassandra.replication-factor={{ .Values.global.config.storage.cassandra.replicationFactor | int }} -storage.cassandra.astyanax.cluster-name= {{ .Values.global.config.storage.clusterName }} -storage.cassandra.astyanax.local-datacenter= {{ .Values.global.config.storage.localDataCenter }} +{{- if 
.Values.global.config.storage }} -storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} -cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} -log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} +storage.backend={{ .Values.global.config.storage.backend }} -{{ else if eq .Values.global.config.storage.backend "cql" }} +{{- if eq .Values.global.config.storage.backend "cql" }} storage.hostname={{ .Values.global.config.storage.hostname }} storage.cql.keyspace={{ .Values.global.config.storage.name }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.cql.read-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} storage.cql.write-consistency-level={{ .Values.global.config.storage.cql.readConsistency }} @@ -68,13 +56,13 @@ storage.cql.replication-factor={{ .Values.global.config.storage.cql.replicationF storage.cql.only-use-local-consistency-for-system-operations={{ .Values.global.config.storage.cql.localConsistencyForSysOps }} storage.cql.cluster-name={{ .Values.global.config.storage.clusterName }} -storage.cql.local-datacenter={{ .Values.global.config.storage.localDataCenter }} +storage.cql.local-datacenter={{ .Values.global.cassandra.localDataCenter }} storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | int }} cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} -{{ else if eq .Values.global.config.storage.backend "hbase" }} +{{- else if eq .Values.global.config.storage.backend "hbase" -}} storage.hostname={{ .Values.global.config.storage.hostname }} storage.hbase.table={{ .Values.global.config.storage.name }} 
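Review bot: the new `{{- else if eq .Values.global.config.storage.backend "hbase" -}}` trims whitespace on both sides. When the hbase branch is taken, the text before the `if` has already lost its trailing newline to `{{- if eq ... "cql" }}`, and the trailing `-}}` strips the newline in front of `storage.hostname=`, so the rendered file reads `storage.backend=hbasestorage.hostname=...` on one line. Drop the trailing dash. Also, in the cql branch `storage.cql.local-datacenter` is now emitted twice: once by the line added after `storage.cql.keyspace` in the previous hunk and once by the replacement here. Keep one of them. Both now read `.Values.global.cassandra.localDataCenter` rather than a key under `.Values.global.config.storage`, which deserves a mention in the values documentation.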
@@ -83,14 +71,26 @@ storage.connection-timeout={{ .Values.global.config.storage.connectionTimeout | cache.tx-cache-size={{ .Values.global.config.storage.cacheSize | int }} log.tx.key-consistent={{ .Values.global.config.storage.keyConsistent }} -{{ end }} +{{- end }} +{{- end }} +{{- end }} -{{ end }} +storage.lock.wait-time=300 -{{ end }} +# https://docs.janusgraph.org/operations/cache/#database-level-caching +# Setting db-cache to false will ensure the fastest propagation of changes across servers +# Setting db-cache to true will ensure fastest response times +cache.db-cache={{ .Values.config.janusgraph.caching.enabled }} +{{- if .Values.config.janusgraph.caching.enabled }} +# cache-time in milliseconds +cache.db-cache-time={{ .Values.config.janusgraph.caching.dbCacheTime }} +cache.db-cache-size={{ .Values.config.janusgraph.caching.dbCacheSize }} +cache.db-cache-clean-wait={{ .Values.config.janusgraph.caching.dbCacheCleanWait }} +{{- end }} -storage.lock.wait-time=300 -# Setting db-cache to false ensure the fastest propagation of changes across servers -cache.db-cache = false #load graphson file on startup load.snapshot.file=false + +{{- if .Values.config.janusgraph.allowUpgrade }} +graph.allow-upgrade=true +{{- end }} diff --git a/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml b/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml deleted file mode 100644 index 1d32a521a1..0000000000 --- a/kubernetes/aai/components/aai-traversal/resources/config/localhost-access-logback.xml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{/* -*/}} - - - - - - - - - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log - - ${AJSC_HOME}/logs/ajsc-jetty/localhost_access.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - - - - - - - - - %a %u %z [%t] "%m %U%q" %s %b %y %i{X-TransactionId} %i{X-FromAppId} %i{X-Forwarded-For} %i{X-AAI-SSL-Client-CN} %i{X-AAI-SSL-Client-OU} %i{X-AAI-SSL-Client-O} %i{X-AAI-SSL-Client-L} %i{X-AAI-SSL-Client-ST} %i{X-AAI-SSL-Client-C} %i{X-AAI-SSL-Client-NotBefore} %i{X-AAI-SSL-Client-NotAfter} %i{X-AAI-SSL-Client-DN} %D - "logType": "access" - - - - -{{/**/}} \ No newline at end of file diff --git a/kubernetes/aai/components/aai-traversal/resources/config/logback.xml b/kubernetes/aai/components/aai-traversal/resources/config/logback.xml index 3dc4867f5d..65fb2443ec 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/logback.xml +++ b/kubernetes/aai/components/aai-traversal/resources/config/logback.xml @@ -1,23 +1,23 @@ {{/* */}} @@ -25,42 +25,6 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
@@ -88,230 +52,10 @@ 36 - - {"logType":"app"} - - - - - ${logDirectory}/rest/sane.log - - ${logDirectory}/rest/sane.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - %d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n - - - - - ${queueSize} - true - - - - ${logDirectory}/rest/metrics.log - - ${logDirectory}/rest/metrics.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${metricPattern} - - - - ${queueSize} - true - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/debug.log - - ${logDirectory}/rest/debug.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - ${queueSize} - - true - - - ${logDirectory}/rest/error.log - - ${logDirectory}/rest/error.log.%d{yyyy-MM-dd} - ${maxHistory} - ${totalSizeCap} - - - WARN - - - ${errorPattern} - - - - ${queueSize} - - - - ${logDirectory}/rest/audit.log - - ${logDirectory}/rest/audit.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - ${queueSize} - true - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/rest/translog.log - - ${logDirectory}/rest/translog.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - ${transLogPattern} - - - - ${queueSize} - true - - - - - WARN - - ${logDirectory}/dmaapAAIEventConsumer/error.log - - ${logDirectory}/dmaapAAIEventConsumer/error.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - ${errorPattern} - - - - - DEBUG - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/debug.log - - ${logDirectory}/dmaapAAIEventConsumer/debug.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log - - ${logDirectory}/dmaapAAIEventConsumer/dmaap-transaction.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - ${auditPattern} - - - - - INFO - ACCEPT - DENY - - ${logDirectory}/dmaapAAIEventConsumer/metrics.log - - ${logDirectory}/dmaapAAIEventConsumer/metrics.log.%d{yyyy-MM-dd} - - 
${maxHistory} - ${totalSizeCap} - - - ${metricPattern} - - - - - WARN - - ${logDirectory}/external/external.log - - ${logDirectory}/external/external.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - ${debugPattern} - - - - - DEBUG - - ${logDirectory}/auth/auth.log - - ${logDirectory}/auth/auth.log.%d{yyyy-MM-dd} - - ${maxHistory} - ${totalSizeCap} - - - %d{yyyy-MM-dd'T'HH:mm:ss.SSSZ, UTC}[%thread] %-5level %logger{1024} - %msg%n - - - - ${queueSize} - true - - - - - @@ -329,107 +73,43 @@ + - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - + - - - - - - + - \ No newline at end of file + diff --git a/kubernetes/aai/components/aai-traversal/resources/config/realm.properties b/kubernetes/aai/components/aai-traversal/resources/config/realm.properties index 9fbd122492..f254d03631 100644 --- a/kubernetes/aai/components/aai-traversal/resources/config/realm.properties +++ b/kubernetes/aai/components/aai-traversal/resources/config/realm.properties @@ -21,8 +21,6 @@ SDNC:OBF:1itr1i0l1i151isv,admin DCAE:OBF:1g8u1f9d1f991g8w,admin POLICY:OBF:1mk61i171ima1im41i0j1mko,admin ASDC:OBF:1f991j0u1j001f9d,admin -VID:OBF:1jm91i0v1jl9,admin -APPC:OBF:1f991ksf1ksf1f9d,admin ModelLoader:OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw,admin AaiUI:OBF:1gfr1p571unz1p4j1gg7,admin OOF:OBF:1img1ke71ily,admin 
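Review bot: the realm.properties hunk only removes the VID and APPC rows, yet elsewhere in this patch configmap.yaml stops loading `resources/config/realm.properties` and application.properties drops `server.basic.auth.location`. As far as these changes show, nothing reads the file any more. The remaining `OBF:` values are reversible Jetty obfuscation rather than hashes, so what is left is unused credential material with the `admin` role sitting in the chart. Prefer deleting the file in this change, or state where it is still consumed.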
@@ -32,8 +30,6 @@ sdnc@sdnc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin dcae@dcae.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin policy@policy.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin sdc@sdc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -vid@vid.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin -appc@appc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin oof@oof.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin pomba@pomba.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin vfc@vfc.onap.org:OBF:1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek,admin diff --git a/kubernetes/aai/components/aai-traversal/templates/_helpers.tpl b/kubernetes/aai/components/aai-traversal/templates/_helpers.tpl new file mode 100644 index 0000000000..fa95534a7b --- /dev/null +++ b/kubernetes/aai/components/aai-traversal/templates/_helpers.tpl @@ -0,0 +1,21 @@ +{{- define "aai.waitForSchemaCreation" -}} +- name: wait-for-schema-creation + image: "{{ include "repositoryGenerator.image.curl" . }}" + imagePullPolicy: IfNotPresent + command: ["/bin/sh", "-c"] + args: + - | + URL="{{ required "URL is required" (.Values.schemaInitCheckURL | default "http://aai-graphadmin:8449/isSchemaInitialized") }}" + AUTH="{{ printf "%s:%s" (index .Values.global.auth.users 0).username (index .Values.global.auth.users 0).password }}" + while true; do + RESPONSE=$(curl -u $AUTH -s $URL) + if [ "$RESPONSE" = "true" ]; then + echo "Request successful. Schema is initialized." + exit 0 + else + echo "Request unsuccessful. Schema is not yet initialized. Retrying in 3 seconds..." + sleep 3 + fi + done + {{ include "common.containerSecurityContext" . | indent 2 | trim }} +{{- end -}} diff --git a/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml b/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml new file mode 100644 index 0000000000..966e5663f2 
--- /dev/null +++ b/kubernetes/aai/components/aai-traversal/templates/aai-trav-kafka-user.yml @@ -0,0 +1,32 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.release" . }}-{{ .Values.global.aaiTravKafkaUser }} + labels: {{- include "common.labels" . | nindent 4 }} + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: scram-sha-512 + authorization: + type: simple + acls: + - resource: + type: topic + name: AAI-EVENT + operations: + - All diff --git a/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml b/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/aai/components/aai-traversal/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml b/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml new file mode 100644 index 0000000000..a14a9b5bda --- /dev/null +++ b/kubernetes/aai/components/aai-traversal/templates/autoscaling.yaml @@ -0,0 +1,29 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
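Review bot: in autoscaling.yaml, both entries under `metrics:` are conditional, so with `autoscaling.enabled` set and neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` defined the template renders a bare `metrics:` key with no value. Either fail early with `required` on at least one target, or give the CPU target a default in values.yaml. The authorizationpolicy.yaml template above it is a plain include and needs no comment.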
diff --git a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml index 8f1bd2ddc8..5db7fb117c 100644 --- a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T # Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,36 +18,9 @@ apiVersion: v1 kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/localhost-access-logback.xml").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/janusgraph-realtime.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/janusgraph-cached.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/aaiconfig.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/application-keycloak.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/realm.properties").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-aaf-props - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/aaf/org.osaaf.location.props").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/permissions.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.props").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/cadi.properties").AsConfig . | indent 2 }} 
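Review bot: application.properties and aaiconfig.properties are still rendered through `.AsConfig` into this ConfigMap, and after this patch they contain `aai.basic-auth.users[n].password` and `aai.tools.password` taken straight from `.Values.global.auth.users`. That puts the basic-auth passwords in clear text in an object that is usually readable far more widely than Secrets. Move the credential lines into a Secret (or inject them as environment variables from one, as is done for `JAAS_CONFIG` in deployment.yaml) and keep only non-sensitive settings here.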
diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml index 093277169a..36e1cbea78 100644 --- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml @@ -1,8 +1,9 @@ {{/* -# Copyright (c) 2017 Amdocs, Bell Canada -# Modifications Copyright (c) 2018 AT&T -# Modifications Copyright (c) 2020 Nokia, Orange -# Modifications Copyright (c) 2021 Orange +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2020 Nokia, Orange +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,16 +20,16 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "annotations" .Values.annotations "dot" .) | nindent 2 }} spec: + {{- if or .Values.config.debug.enabled .Values.config.profiling.enabled }} + replicas: 1 + {{- else }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: type: {{ .Values.updateStrategy.type }} 
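Review bot: `replicas: 1` is forced when `config.debug.enabled` or `config.profiling.enabled` is set, but autoscaling.yaml creates the HorizontalPodAutoscaler whenever `autoscaling.enabled` is true, without looking at those flags. With both enabled, the HPA will scale the Deployment back up to `minReplicas` or beyond and the single-replica guarantee for debugging is lost. Gate the HPA template on the same condition, or document that the two options are mutually exclusive.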
@@ -39,134 +40,65 @@ spec: matchLabels: app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - {{- if .Values.global.msbEnabled }} - {{ $values := .Values }} - msb.onap.org/service-info: '[ - {{- range $api_endpoint := $values.aai_enpoints -}} - {{- range $api_version := $values.api_list }} - { - "serviceName": "_{{ $api_endpoint.name }}", - "version": "v{{ $api_version }}", - "url": "/aai/v{{ $api_version }}/{{ $api_endpoint.url }}", - "protocol": "REST", - "port": "8446", - "enable_ssl": true, - "lb_policy":"ip_hash", - "visualRange": "1", - "path": "/aai/v{{ $api_version }}/{{ $api_endpoint.url }}" - }, - { - "serviceName": "{{ $api_endpoint.name }}", - "version": "v{{ $api_version }}", - "url": "/aai/v{{ $api_version }}/{{ $api_endpoint.url }}", - "protocol": "REST", - "port": "8446", - "enable_ssl": true, - "lb_policy":"ip_hash", - "visualRange": "1" - }, - {{- end }} - {{- end }} - { - "serviceName": "_aai-named-query", - "url": "/aai/search", - "protocol": "REST", - "port": "8446", - "enable_ssl": true, - "lb_policy":"ip_hash", - "visualRange": "1", - "path": "/aai/search" - }, - { - "serviceName": "aai-named-query", - "url": "/aai/search", - "protocol": "REST", - "port": "8446", - "enable_ssl": true, - "lb_policy":"ip_hash", - "visualRange": "1" - } - ]' - {{- end }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: hostname: aai-traversal terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - /app/ready.py - args: + initContainers: {{- if .Values.global.jobs.migration.enabled }} - - --job-name - - {{ include "common.release" . 
}}-aai-graphadmin-migration - {{- else }} - {{- if .Values.global.jobs.createSchema.enabled }} - - --job-name - - {{ include "common.release" . }}-aai-graphadmin-create-db-schema - {{- else }} - - --container-name - {{- if .Values.global.cassandra.localCluster }} - - aai-cassandra - {{- else }} - - cassandra - {{- end }} - - --container-name - - aai-schema-service - {{- end }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_migration) | nindent 8 }} + {{- else if .Values.global.jobs.createSchema.enabled }} + {{ include "aai.waitForSchemaCreation" . | nindent 6 }} + {{- else }} + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_cassandra) | nindent 8 }} {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - -c - - | - echo "*** retrieve Truststore and Keystore password" - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - echo "*** actual launch of AAI Resources" - /bin/bash /opt/app/aai-traversal/docker-entrypoint.sh + {{ include "common.containerSecurityContext" . 
| indent 8 | trim }} env: - - name: TRUSTORE_ALL_PASSWORD - value: {{ .Values.certInitializer.truststorePassword }} + {{- if .Values.config.env }} + {{- range $key,$value := .Values.config.env }} + - name: {{ $key | upper | quote}} + value: {{ $value | quote}} + {{- end }} + {{- end }} + {{- if eq .Values.flavor "small" }} + - name: MAX_HEAP_SIZE + value: {{ .Values.small.maxHeapSize | quote }} + {{- else if eq .Values.flavor "large" }} + - name: MAX_HEAP_SIZE + value: {{ .Values.large.maxHeapSize | quote }} + {{- end }} + {{- if .Values.config.profiling.enabled }} + - name: PRE_JVM_ARGS + value: '{{ join " " .Values.config.profiling.args }}' + {{- end }} + {{- if .Values.config.debug.enabled }} + - name: POST_JVM_ARGS + value: {{ .Values.config.debug.args | quote }} + {{- end }} - name: DISABLE_UPDATE_QUERY value: {{ .Values.config.disableUpdateQuery | quote }} - - name: LOCAL_USER_ID - value: {{ .Values.global.config.userId | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.global.config.groupId | quote }} - name: INTERNAL_PORT_1 - value: {{ .Values.service.internalPort | quote }} + value: {{ .Values.service.traversalPort | quote }} - name: INTERNAL_PORT_2 - value: {{ .Values.service.internalPort2 | quote }} + value: {{ .Values.service.debugPort | quote }} - name: INTERNAL_PORT_3 - value: {{ .Values.service.internalPort3 | quote }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + value: {{ .Values.service.metricsPort | quote }} + - name: BOOTSTRAP_SERVERS + value: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 + - name: JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.release" . }}-{{ .Values.global.aaiTravKafkaUser }} + key: sasl.jaas.config + volumeMounts: - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . 
}}-config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-cached.properties - name: {{ include "common.fullname" . }}-config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-traversal/resources/etc/appprops/aaiconfig.properties name: {{ include "common.fullname" . }}-config subPath: aaiconfig.properties 
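Review bot: In the new env block, `BOOTSTRAP_SERVERS` is hardcoded as `{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092`, while this same patch adds `global.kafkaBootstrap: strimzi-kafka-bootstrap` to values.yaml and the deployment never reads it. Build the address from `.Values.global.kafkaBootstrap` so an override in values actually takes effect. Minor: the three `initContainers` branches use different indentation (`nindent 8`, `nindent 6`, `nindent 8`); confirm each one renders at list-item depth.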
@@ -177,37 +109,24 @@ spec: - mountPath: /opt/app/aai-traversal/resources/logback.xml name: {{ include "common.fullname" . }}-config subPath: logback.xml - - mountPath: /opt/app/aai-traversal/resources/localhost-access-logback.xml - name: {{ include "common.fullname" . }}-config - subPath: localhost-access-logback.xml - - mountPath: /opt/app/aai-traversal/resources/etc/auth/realm.properties - name: {{ include "common.fullname" . }}-config - subPath: realm.properties - - mountPath: /opt/app/aai-traversal/resources/aaf/bath_config.csv - name: {{ include "common.fullname" . }}-aaf-certs - subPath: bath_config.csv - - mountPath: /opt/app/aai-traversal/resources/aaf/org.onap.aai.props - name: {{ include "common.fullname" . }}-aaf-properties - subPath: org.onap.aai.props - - mountPath: /opt/app/aai-traversal/resources/aaf/org.osaaf.location.props - name: {{ include "common.fullname" . }}-aaf-properties - subPath: org.osaaf.location.props - - mountPath: /opt/app/aai-traversal/resources/aaf/permissions.properties - name: {{ include "common.fullname" . }}-aaf-properties - subPath: permissions.properties - - mountPath: /opt/app/aai-traversal/resources/cadi.properties - name: {{ include "common.fullname" . }}-aaf-properties - subPath: cadi.properties - mountPath: /opt/app/aai-traversal/resources/application.properties name: {{ include "common.fullname" . }}-config subPath: application.properties - - mountPath: /opt/app/aai-traversal/resources/application-keycloak.properties - name: {{ include "common.fullname" . 
}}-config - subPath: application-keycloak.properties + - mountPath: /tmp + name: tmp ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} + - containerPort: {{ .Values.service.traversalPort }} + name: {{ .Values.service.traversalPortName }} + {{- if .Values.config.debug.enabled }} + - containerPort: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + {{- end }} + - containerPort: {{ .Values.service.metricsPort }} + name: {{ .Values.service.metricsPortName }} + {{- if .Values.config.profiling.enabled }} + - containerPort: {{ .Values.service.profilingPort }} + name: {{ .Values.service.profilingPortName }} + {{- end }} lifecycle: # wait for active requests (long-running tasks) to be finished # Before the SIGTERM is invoked, Kubernetes exposes a preStop hook in the Pod. 
@@ -217,75 +136,53 @@ spec: - sh - -c - | - while (netstat -an | grep ESTABLISHED | grep -e $INTERNAL_PORT_1 -e $INTERNAL_PORT_2) - do sleep 10 + while (netstat -an | grep ESTABLISHED | grep -e $INTERNAL_PORT_1) + do sleep 3 done - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} + # disable liveness probe when + # debugging.enable=true or profiling.enabled=true + {{- if and .Values.liveness.enabled (not (or .Values.config.debug.enabled .Values.config.profiling.enabled)) }} livenessProbe: httpGet: - path: /aai/util/echo?action=checkDB - port: {{ .Values.service.internalPort }} - scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }} - httpHeaders: - - name: X-FromAppId - value: LivenessCheck - - name: X-TransactionId - value: LiveCheck_TID - - name: Accept - value: application/json + port: {{ .Values.service.metricsPort }} + path: {{ .Values.liveness.path }} + {{- if .Values.liveness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} + {{- end }} readinessProbe: httpGet: - path: /aai/util/echo?action=checkDB - port: {{ .Values.service.internalPort }} - scheme: HTTP{{ (eq "true" (include "common.needTLS" .)) | ternary "S" "" }} - httpHeaders: - - name: X-FromAppId - value: ReadinessCheck - - name: X-TransactionId - value: ReadinessCheck_TID - - name: Accept - value: application/json + port: {{ .Values.service.metricsPort }} + path: {{ .Values.readiness.path }} + {{- if .Values.readiness.initialDelaySeconds }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + {{- end }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . 
| nindent 10 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} + nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} {{- end }} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} + affinity: {{ toYaml .Values.affinity | indent 8 }} {{- end }} # side car containers {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: {{ include "common.fullname" . }}-logs-misc - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logmiscSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-aaf-properties - configMap: - name: {{ include "common.fullname" . }}-aaf-props - - name: {{ include "common.fullname" . }}-aaf-certs - secret: - secretName: {{ include "common.fullname" . }}-aaf - - name: aai-common-aai-auth-mount - secret: - secretName: aai-common-aai-auth restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml index ddd325d7a0..2e51fd0a81 100644 --- a/kubernetes/aai/components/aai-traversal/templates/job.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml 
@@ -2,6 +2,7 @@ # Copyright (c) 2017-2018 AT&T # Modifications Copyright (c) 2018 Amdocs, Bell Canada # Modifications Copyright (c) 2020 Nokia, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -23,79 +24,73 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-update-query-data namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{ if .Values.global.jobs.migration.enabled }} - annotations: - "helm.sh/hook": post-upgrade,post-rollback,post-install - "helm.sh/hook-weight": "2" - "helm.sh/hook-delete-policy": before-hook-creation + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} {{ end }} spec: template: metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} + labels: {{- include "common.labels" (dict "labels" .Values.labels "ignoreHelmChart" .Values.ignoreHelmChart "dot" . "suffix" "job") | nindent 8 }} name: {{ include "common.name" . }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --container-name - - aai - {{ if eq .Values.global.aafEnabled true }} - - --container-name - - aaf-locate - {{ end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_traversal) | nindent 6 }} + - name: {{ include "common.name" . }}-wait-for-aai-haproxy image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . 
}}-readiness + securityContext: + runAsUser: 100 + runAsGroup: 65533 + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + command: + - sh + - "-c" + - | + set -x; + + until nc -w10 -z -v aai.{{.Release.Namespace}} 80; do + echo "Retrying to reach aai on port 80"; + sleep 1; + done; + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - - bash + - sh - "-c" - | - set -x - if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; then mkdir -p /opt/aai/logroot/AAI-GQ/misc; fi - {{- if (include "common.needTLS" .) }} - until nc -w10 -z -v aai.{{.Release.Namespace}} 8443; do echo "Retrying to reach aai on port 8443"; done; - bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh - {{- else }} - until nc -w10 -z -v aai.{{.Release.Namespace}} 80; do echo "Retrying to reach aai on port 80"; done; - bash -x /opt/app/aai-traversal/docker-entrypoint.sh install/updateQueryData.sh ; + set -x; + if [ ! -d /opt/aai/logroot/AAI-GQ/misc ]; + then mkdir -p /opt/aai/logroot/AAI-GQ/misc; + fi + + sh -x /opt/app/aai-traversal/bin/install/updateQueryData.sh ; + {{ include "common.serviceMesh.killSidecar" . | indent 11 | trim }} - {{- end }} - env: - - name: LOCAL_USER_ID - value: {{ .Values.global.config.userId | quote }} - - name: LOCAL_GROUP_ID - value: {{ .Values.global.config.groupId | quote }} - resources: -{{ include "common.resources" . }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: {{ include "common.resources" . 
| nindent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-realtime.properties name: {{ include "common.fullname" . }}-config subPath: janusgraph-realtime.properties - - mountPath: /opt/app/aai-traversal/resources/etc/appprops/janusgraph-cached.properties - name: {{ include "common.fullname" . }}-config - subPath: janusgraph-cached.properties - mountPath: /opt/app/aai-traversal/resources/etc/appprops/aaiconfig.properties name: {{ include "common.fullname" . }}-config subPath: aaiconfig.properties @@ -106,27 +101,23 @@ spec: - mountPath: /opt/app/aai-traversal/resources/logback.xml name: {{ include "common.fullname" . }}-config subPath: logback.xml - - mountPath: /opt/app/aai-traversal/resources/localhost-access-logback.xml - name: {{ include "common.fullname" . }}-config - subPath: localhost-access-logback.xml - mountPath: /opt/app/aai-traversal/resources/application.properties name: {{ include "common.fullname" . }}-config subPath: application.properties # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-logs - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} - name: {{ include "common.fullname" . }}-logs-misc - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.logmiscSizeLimit }} {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }} restartPolicy: OnFailure - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} 
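Review bot: The context comment `# disable liveness probe when breakpoints set in debugger` now sits directly above the added `serviceAccountName` line, and this Job defines no probe. Drop the comment so it does not read as documentation for the service account.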
diff --git a/kubernetes/aai/components/aai-traversal/templates/secret.yaml b/kubernetes/aai/components/aai-traversal/templates/secret.yaml deleted file mode 100644 index 8e022fe6b0..0000000000 --- a/kubernetes/aai/components/aai-traversal/templates/secret.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-aaf - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/aai/components/aai-traversal/templates/service.yaml b/kubernetes/aai/components/aai-traversal/templates/service.yaml index daf1758890..60e8efc2ad 100644 --- a/kubernetes/aai/components/aai-traversal/templates/service.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/service.yaml 
@@ -19,34 +19,36 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: type: {{ .Values.service.type }} ports: {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} + - port: {{ .Values.service.traversalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - - port: {{ .Values.service.internalPort2 }} + name: {{ .Values.service.traversalPortName }} + targetPort: {{ .Values.service.traversalPortName }} + - port: {{ .Values.service.debugPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName2 }} - - port: {{ .Values.service.internalPort3 }} + name: {{ .Values.service.debugPortName }} + targetPort: {{ .Values.service.debugPortName }} + - port: {{ .Values.service.metricsPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} - name: {{ .Values.service.portName3 }} + name: {{ .Values.service.metricsPortName }} + targetPort: {{ .Values.service.metricsPortName }} {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - - port: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName2 }} - - port: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName3 }} + - port: {{ .Values.service.traversalPort }} + name: {{ .Values.service.traversalPortName }} + targetPort: {{ 
.Values.service.traversalPortName }} + {{- if .Values.config.debug.enabled }} + - port: {{ .Values.service.debugPort }} + name: {{ .Values.service.debugPortName }} + targetPort: {{ .Values.service.debugPortName }} {{- end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + - port: {{ .Values.service.metricsPort }} + name: {{ .Values.service.metricsPortName }} + targetPort: {{ .Values.service.metricsPortName }} + {{- end }} + selector: {{- include "common.matchLabels" . | nindent 4 }} clusterIP: None sessionAffinity: {{ .Values.service.sessionAffinity }} diff --git a/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml b/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml index c0d9f212b4..dc706029bf 100644 --- a/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/servicemonitor.yaml @@ -1,3 +1,3 @@ {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml index b5d99fdbda..34d07c1b1b 100644 --- a/kubernetes/aai/components/aai-traversal/values.yaml +++ b/kubernetes/aai/components/aai-traversal/values.yaml @@ -1,6 +1,7 @@ # Copyright (c) 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright (c) 2020 Nokia # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,12 +20,20 @@ # Declare variables to be passed into your templates. global: # global defaults nodePortPrefix: 302 - aafEnabled: true - + kafkaBootstrap: strimzi-kafka-bootstrap + aaiTravKafkaUser: aai-trav-kafka-user cassandra: #Service Name of the cassandra cluster to connect to. #Override it to aai-cassandra if localCluster is enabled. serviceName: cassandra + # Cassandra datacenter name + localDataCenter: dc1 + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) # Specifies a list of jobs to be run jobs: @@ -37,7 +46,26 @@ global: # global defaults #migration using helm hooks migration: enabled: false - + # Specifies if basic authorization is enabled + auth: + enabled: true + users: + - username: aai@aai.onap.org + password: demo123456! + - username: AAI + password: AAI + - username: DCAE + password: DCAE + - username: MSO + password: MSO + - username: POLICY + password: POLICY + - username: ASDC + password: ASDC + - username: ModelLoader + password: ModelLoader + - username: AaiUI + password: AaiUI # Common configuration for resources traversal and graphadmin config: # User information for the admin user in container @@ -50,16 +78,9 @@ global: # global defaults cassandra: dynamic: true - # Specifies if the basic authorization is enabled - basic: - auth: - enabled: true - username: AAI - passwd: AAI - # Active spring profiles for the resources microservice profiles: - active: production,dmaap #,aaf-auth ,keycloak + active: production,kafka # Notification event specific properties notification: @@ -70,7 +91,7 @@ global: # global defaults schema: # Specifies if the connection should be one way ssl, two way ssl or no auth service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will make a rest request to schema service translator: list: schema-service 
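Review bot: `client: one-way-ssl` becomes `client: no-auth` for the schema-service connection, and the comment above the key still only lists the three modes without saying what protects this hop now. If transport security is expected from the service mesh (the `serviceMesh.authorizationPolicy` block added later in this file suggests that is the intent), say so in the comment, so operators running without a mesh know the connection is unauthenticated.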
@@ -84,11 +105,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v27 + default: v30 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28,v29,v30 # Specifies from which version related link should appear related: link: v11 
@@ -105,46 +126,14 @@ global: # global defaults # Specifies which clients should always default to realtime graph connection realtime: clients: SDNC,MSO,SO,robot-ete - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-traversal-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: aai-traversal - fqi: aai-traversal@aai-traversal.onap.org - public_fqdn: aai-traversal.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.aai-traversal - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} + jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.aaiTravKafkaUser }}' + someConfig: random # application image -image: onap/aai-traversal:1.11.1 +image: onap/aai-traversal:1.16.0 pullPolicy: Always restartPolicy: Always flavor: small -flavorOverride: small # the minimum number of seconds that a newly created Pod should be ready minReadySeconds: 30 updateStrategy: 
@@ -164,6 +153,16 @@ api_list: - 17 - 18 - 19 + - 20 + - 21 + - 22 + - 23 + - 24 + - 25 + - 26 + - 27 + - 28 + - 29 aai_enpoints: - name: aai-generic-query @@ -175,20 +174,20 @@ aai_enpoints: # application configuration config: - - # configure keycloak according to your environment. - # don't forget to add keycloak in active profiles above (global.config.profiles) - keycloak: - host: keycloak.your.domain - port: 8180 - # Specifies a set of users, credentials, roles, and groups - realm: aai-traversal - # Used by any client application for enabling fine-grained authorization for their protected resources - resource: aai-traversal-app - # If set to true, additional criteria will be added into traversal query to returns all the vertices that match - # the data-owner property with the given role to the user in keycloak - multiTenancy: + janusgraph: + caching: + # enable when running read-heavy workloads + # modifications to graph done by this service/janusgraph instance will immediately invalidate the cache + # modifications to graph done by other services (traversal) will only be visible + # after time specified in db-cache-time enabled: true + # Documentation: https://docs.janusgraph.org/operations/cache/#database-level-caching + dbCacheTime: 180000 # in milliseconds + dbCacheSize: 0.1 # percentage (expressed as a decimal between 0 and 1) of the total heap space available to the JVM running + dbCacheCleanWait: 20 # in milliseconds + # temporarily enable this to update the graph storage version + # see: https://docs.janusgraph.org/changelog/#upgrade-instructions_9 + allowUpgrade: true # Specifies timeout information such as application specific and limits timeout: 
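Review bot: `allowUpgrade: true` is committed as the chart default although its own comment says to "temporarily enable this to update the graph storage version". A temporary switch left on in values.yaml stays on for every install; default it to `false` and have the upgrade procedure set it. Also, the caching comment says changes made by "other services (traversal)" become visible only after db-cache-time, but this is the aai-traversal chart, so the parenthetical looks copied from another component and should name the actual writer.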
@@ -199,6 +198,29 @@ config: # Specifies how long should it wait before timing out the REST request limit: 180000 + # environment variables added to the launch of the image in deployment + env: + MIN_HEAP_SIZE: "512m" + MAX_METASPACE_SIZE: "512m" + # POST_JVM_ARGS: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + + # adds jvm args for remote debugging the application + debug: + enabled: false + args: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" + + # adds jvm args for remote profiling the application + profiling: + enabled: false + args: + - "-Dcom.sun.management.jmxremote" + - "-Dcom.sun.management.jmxremote.ssl=false" + - "-Dcom.sun.management.jmxremote.authenticate=false" + - "-Dcom.sun.management.jmxremote.local.only=false" + - "-Dcom.sun.management.jmxremote.port=9999" + - "-Dcom.sun.management.jmxremote.rmi.port=9999" + - "-Djava.rmi.server.hostname=127.0.0.1" + # Disables the updateQueryData script to run as part of traversal disableUpdateQuery: true @@ -231,11 +253,8 @@ persistence: # default number of instances replicaCount: 1 -minReadySeconds: 10 -updateStrategy: - type: RollingUpdate - maxUnavailable: 0 - maxSurge: 1 +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 nodeSelector: {} 
@@ -243,39 +262,52 @@ affinity: {} # probe configuration parameters liveness: + path: /actuator/health initialDelaySeconds: 60 periodSeconds: 60 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false + enabled: true readiness: + path: /actuator/health/readiness initialDelaySeconds: 10 periodSeconds: 10 +actuator: + echo: + enabled: true + service: type: ClusterIP - portName: http - internalPort: 8446 - portName2: tcp-5005 - internalPort2: 5005 - portName3: aai-traversal-8448 - internalPort3: 8448 - terminationGracePeriodSeconds: 120 + traversalPortName: http + traversalPort: 8446 + debugPortName: tcp-5005 + debugPort: 5005 + metricsPortName: metrics + metricsPort: 8448 + profilingPortName: jmx-9999 + profilingPort: 9999 + terminationGracePeriodSeconds: 30 sessionAffinity: None ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: aai-read + - serviceAccount: consul-read + # To make logback capping values configurable logback: - logToFileEnabled: true + logToFileEnabled: false maxHistory: 7 totalSizeCap: 6GB queueSize: 1000 accessLogback: - logToFileEnabled: true + logToFileEnabled: false + livenessAccessLogEnabled: false # false: do not log kubernetes liveness probes maxHistory: 7 totalSizeCap: 6GB 
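Review bot: `terminationGracePeriodSeconds` drops from 120 to 30, but the deployment's preStop hook still loops until no ESTABLISHED connection remains on the traversal port, and the REST timeout `limit` in this file is 180000 ms. With a 30 second grace period the pod is killed while long-running requests are still in flight, which defeats the hook. Keep the grace period at or above the request timeout, or state why 30 s is acceptable. Separately, `liveness.enabled` flips to `true` and the comment explaining the debugger case is deleted; replace it with one line saying the template now skips the probe when debug or profiling is on.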
@@ -284,25 +316,52 @@ accessLogback: resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} +# define the heap size for the JVM +# according to the resource flavor +small: + maxHeapSize: "2500m" +large: + maxHeapSize: "3g" + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + +tracing: + ignorePatterns: + - /aai/util.* + +endpoints: + enabled: true + health: + enabled: true + info: + enabled: true + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' + metrics: serviceMonitor: - enabled: false + enabled: true targetPort: 8448 - path: /prometheus + path: /actuator/prometheus basicAuth: enabled: false externalSecretName: mysecretname @@ -328,9 +387,9 @@ metrics: ## selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig 
@@ -359,4 +418,54 @@ serviceAccount: #Log configuration log: path: /var/log/onap + level: + root: INFO + base: INFO # base package (org.onap.aai) logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +volumes: + logSizeLimit: 50Mi + logmiscSizeLimit: 50Mi + tmpSizeLimit: 100Mi + +securityContext: + user_id: 1000 + group_id: 1000 + +readinessCheck: + wait_for_migration: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-migration' + wait_for_createSchema: + jobs: + - '{{ include "common.release" . }}-aai-graphadmin-create-db-schema' + wait_for_cassandra: + services: + - '{{ .Values.global.cassandra.serviceName }}' + - aai-schema-service + wait_for_traversal: + services: + - aai-traversal + +jobAnnotations: + "helm.sh/hook": pre-upgrade,pre-rollback,post-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: aai-trav-kafka-user + externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' + type: genericKV + envs: + - name: sasl.jaas.config + value: '{{ .Values.config.someConfig }}' + policy: generate +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: AAI-EVENT + type: topic + operations: [Read, Write] diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg index 03212b9f2d..307260e766 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg +++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
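Review bot: in the `secrets:` entry of the `@@ -359,4 +418,54 @@` hunk, the `sasl.jaas.config` env takes its value from `.Values.config.someConfig`, a key that none of the visible values hunks for this chart define, next to `policy: generate`. If the name is a deliberate placeholder so that the value is always generated or taken from `jaasConfExternalSecret`, say so in a comment above the entry; otherwise point it at the real key.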
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg index 8c2554efea..a953a508bf 100644 --- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg +++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -39,9 +40,6 @@ defaults log global mode http option httplog -{{- if ( include "common.needTLS" .) }} - option ssl-hello-chk -{{- end }} option httpchk http-check send meth GET uri /aai/util/echo ver HTTP/1.1 hdr Host aai hdr X-TransactionId haproxy-0111 hdr X-FromAppId haproxy hdr Accept application/json hdr Authorization 'Basic QUFJOkFBSQ==' default-server init-addr none 
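Review bot: with `option ssl-hello-chk` and its `common.needTLS` guard removed, the `http-check send` line kept just below is the health check that always runs, and it carries a fixed `Authorization 'Basic QUFJOkFBSQ=='` header in a file that configmap.yaml renders into a ConfigMap. Base64 is an encoding, not protection, and the later hunks in this file drop `check-ssl` from the `server-template` lines, so the check no longer uses TLS. Please move the credential to a Secret-backed value, or point the check at an endpoint that needs no credential, rather than leaving it inline.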
@@ -101,50 +99,6 @@ frontend IST_8080 default_backend IST_Default_8447 -{{- if ( include "common.needTLS" .) }} -frontend IST_8443 - mode http - bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem -# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r - log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" - option httplog - log global - option logasap - option forwardfor - capture request header Host len 100 - capture response header Host len 100 - option log-separate-errors - option forwardfor - - http-request set-header X-Forwarded-Proto https - http-request add-header X-Forwarded-Port 8443 - - http-request set-header X-Forwarded-Proto https if { ssl_fc } - http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } - http-request set-header X-AAI-SSL %[ssl_fc] - http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify] - http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn] - http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] - http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn] - http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] - http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] - http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64] - http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)] - http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)] - http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)] - http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)] - http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] -####################################### -## Request blocking configuration ### -####################################### - {{- if eq 
$.Values.haproxy.requestBlocking.enabled true }} - {{- range $custom_config := $.Values.haproxy.requestBlocking.customConfigs }} - {{ $custom_config }} - {{- end }} - {{- end }} - -{{- end }} - ####################### #ACLS FOR PORT 8446#### ####################### @@ -169,11 +123,7 @@ backend IST_Default_8447 stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; -{{- if ( include "common.needTLS" .) }} - server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none -{{- else }} server-template aai-resources.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiResources}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447 -{{- end }} ####################### # BACKEND 8446######### @@ -185,8 +135,4 @@ backend IST_AAI_8446 stick on path http-request set-header X-Forwarded-Port %[src_port] http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; -{{- if ( include "common.needTLS" .) }} - server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none -{{- else }} server-template aai-traversal.{{.Release.Namespace}} {{$.Values.haproxy.replicas.aaiTraversal}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446 -{{- end }} diff --git a/kubernetes/aai/resources/config/haproxy/resolvers.conf b/kubernetes/aai/resources/config/haproxy/resolvers.conf new file mode 100644 index 0000000000..c456e3526a --- /dev/null +++ b/kubernetes/aai/resources/config/haproxy/resolvers.conf 
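Review bot: in `backend IST_AAI_8446` (and the identical edit in `backend IST_Default_8447`), the TLS `server-template` branch is dropped but the context line `http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;` stays. This file also deletes the `ssl` bind in `frontend IST_8443`, so the header now goes out on plain-HTTP responses, where user agents ignore it. Either remove it here, or add a comment that TLS is terminated in front of HAProxy (ingress or mesh) and set the header at that layer.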
@@ -0,0 +1,3 @@ +resolvers kubernetes + nameserver dns1 {{.Values.config.NAME_SERVER}}:53 + hold valid 1s diff --git a/kubernetes/aai/templates/authorizationpolicy.yaml b/kubernetes/aai/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..f48e06eab4 --- /dev/null +++ b/kubernetes/aai/templates/authorizationpolicy.yaml 
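Review bot: `hold valid 1s` is hard-coded in the new resolvers.conf, while the same change adds `config.DNS_REFRESH_INTERVAL: 5` to kubernetes/aai/values.yaml with the comment "hold interval in seconds", and nothing visible consumes that key. Template the value here (`hold valid {{ .Values.config.DNS_REFRESH_INTERVAL }}s`) or drop the unused key, so that the setting an operator edits is the one HAProxy uses.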
@@ -0,0 +1,101 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}} +{{- $authorizedPrincipalsMetrics := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsMetrics -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} + +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . 
}} + action: ALLOW + rules: +{{- if $authorizedPrincipals }} +{{- range $principal := $authorizedPrincipals }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "metrics-authz" "dot" . )}} + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }}-metrics + action: ALLOW + rules: +{{- if $authorizedPrincipalsMetrics }} +{{- range $principal := $authorizedPrincipalsMetrics }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml index dac36d729d..c66af502ac 100644 
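Review bot: both `range` loops in authorizationpolicy.yaml build the principal from `default "onap" $principal.namespace` and add the release prefix only when that namespace equals the literal `onap`, so a release installed into any other namespace renders `.../ns/onap/sa/...` principals that match none of its own callers. Derive the default from `include "common.namespace" .`, which the template already uses for `metadata.namespace`, and compare against that value. Second, when a principals list is empty the `rules:` key is rendered with no entries under `action: ALLOW`, and an ALLOW policy without rules matches no request. kubernetes/aai/values.yaml in this change sets `authorizedPrincipalsMetrics: []`, so please confirm that this is the intended default for the `-metrics` selector and say so in a comment.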
--- a/kubernetes/aai/templates/configmap.yaml +++ b/kubernetes/aai/templates/configmap.yaml @@ -22,12 +22,9 @@ kind: ConfigMap metadata: name: aai-deployment-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: +{{ tpl (.Files.Glob "resources/config/haproxy/resolvers.conf").AsConfig . | indent 2 }} {{ if .Values.global.installSidecarSecurity }} {{ tpl (.Files.Glob "resources/config/haproxy/haproxy-pluggable-security.cfg").AsConfig . | indent 2 }} {{ else }} @@ -40,6 +37,7 @@ kind: Secret metadata: name: aai-fproxy-auth-certs namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/fproxy/auth/*").AsSecrets . | indent 2 }} @@ -49,6 +47,7 @@ kind: Secret metadata: name: aai-rproxy-auth-certs namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/rproxy/auth/*").AsSecrets . | indent 2 }} @@ -58,6 +57,7 @@ kind: Secret metadata: name: aai-rproxy-security-config namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/rproxy/security/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml index f1d10e2c81..160d8cf823 100644 --- a/kubernetes/aai/templates/deployment.yaml +++ b/kubernetes/aai/templates/deployment.yaml 
@@ -1,6 +1,7 @@ {{/* # Copyright (c) 2018 Amdocs, Bell Canada, AT&T # Modifications Copyright (c) 2020 Nokia, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,19 +18,13 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" (dict "annotations" .Values.annotations "dot" .) | nindent 2 }} spec: selector: matchLabels: app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} strategy: type: {{ .Values.updateStrategy.type }} {{- if (eq "RollingUpdate" .Values.updateStrategy.type) }} 
@@ -38,93 +33,68 @@ spec: maxSurge: {{ .Values.updateStrategy.maxSurge }} {{- end }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.release" . }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: terminationGracePeriodSeconds: {{ .Values.service.terminationGracePeriodSeconds }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - /app/ready.py - args: - - --container-name - - aai-resources - - --container-name - - aai-traversal - - --container-name - - aai-graphadmin - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - command: ["/bin/sh","-c"] + args: ['cp -R /usr/local/etc/haproxy /usr/local/etc/haproxy_rw/'] + image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}' imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + name: copy-haproxy-config resources: - requests: - memory: {{ .Values.haproxy.initContainers.resources.memory }} - cpu: {{ .Values.haproxy.initContainers.resources.cpu }} limits: - memory: {{ .Values.haproxy.initContainers.resources.memory }} - cpu: {{ .Values.haproxy.initContainers.resources.cpu }} + cpu: 100m + memory: 200Mi + requests: + cpu: 2m + memory: 100Mi + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /usr/local/etc/haproxy_rw + name: haproxy-etc containers: - name: {{ include "common.name" . 
}} - image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }}" + image: '{{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}' imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - - mountPath: /etc/localtime - name: localtime + - mountPath: /usr/local/etc/haproxy + name: haproxy-etc + - mountPath: /usr/local/etc/haproxy/resolvers.conf + name: haproxy-config + subPath: resolvers.conf readOnly: true - - mountPath: /dev/log - name: aai-service-log - mountPath: /usr/local/etc/haproxy/haproxy.cfg {{ if .Values.global.installSidecarSecurity }} subPath: haproxy-pluggable-security.cfg {{ else }} subPath: haproxy.cfg {{ end }} - name: haproxy-cfg - {{- include "common.certInitializer.volumeMount" . | nindent 8 }} + name: haproxy-config ports: - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPlainPort }} + name: {{ .Values.service.portName }} - containerPort: {{ .Values.metricsService.internalPort }} + name: {{ .Values.metricsService.portName }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + resources: {{ include "common.resources" . 
| nindent 10 }} readinessProbe: - httpGet: - path: /aai/util/echo - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} - #scheme: HTTPS - scheme: {{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }} - httpHeaders: - - name: X-FromAppId - value: OOM_ReadinessCheck - {{ if .Values.global.installSidecarSecurity }} - - name: Authorization - value: Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ== - {{ end }} - - name: X-TransactionId - value: OOM_ReadinessCheck_TID - - name: Accept - value: application/json initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . }} + tcpSocket: + port: {{ .Values.service.internalPort }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -135,15 +105,10 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: aai-service-log - hostPath: - path: "/dev/log" - - name: haproxy-cfg - configMap: - name: aai-deployment-configmap - {{ include "common.certInitializer.volumes" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: haproxy-config + configMap: + name: aai-deployment-configmap + - name: haproxy-etc + emptyDir: + sizeLimit: {{ .Values.volumes.haProxySizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/aai/templates/secret.yaml b/kubernetes/aai/templates/secret.yaml index d868b9582e..1a592a0801 100644 --- a/kubernetes/aai/templates/secret.yaml +++ b/kubernetes/aai/templates/secret.yaml 
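Review bot: in the `@@ -38,93 +33,68 @@` hunk of deployment.yaml, the new `copy-haproxy-config` init container runs `cp -R /usr/local/etc/haproxy /usr/local/etc/haproxy_rw/`. The destination already exists as the `haproxy-etc` mount point, so the tree lands in `/usr/local/etc/haproxy_rw/haproxy/`, one level below where the main container mounts the same volume at `/usr/local/etc/haproxy`. If the aim is to seed the writable directory with the image's files, copy the contents instead (`cp -R /usr/local/etc/haproxy/. /usr/local/etc/haproxy_rw/`). Separately, the readiness probe becomes a `tcpSocket` check, so the pod reports Ready as soon as HAProxy listens, whether or not a backend answers; a comment would help if that is deliberate.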
@@ -19,11 +19,7 @@ kind: Secret metadata: name: aai-common-aai-auth namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }} @@ -33,6 +29,7 @@ kind: Secret metadata: name: aai-common-truststore namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{ tpl (.Files.Glob "resources/config/aai/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/templates/service.yaml b/kubernetes/aai/templates/service.yaml index a8c3c3957e..1509311a2b 100644 --- a/kubernetes/aai/templates/service.yaml +++ b/kubernetes/aai/templates/service.yaml 
@@ -19,23 +19,19 @@ kind: Service metadata: name: {{ include "common.servicename" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: ports: - - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort .Values.service.externalPlainPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + - name: {{ .Values.service.portName }} + port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} {{- if eq .Values.service.type "NodePort" }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} + {{ end }} {{- end }} - type: {{ .Values.service.type }} - selector: - app: {{ include "common.name" . }} - clusterIP: {{ .Values.service.aaiServiceClusterIp }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}{{ .Values.service.type }}{{ end }} + selector: {{- include "common.matchLabels" . | nindent 4 }} sessionAffinity: {{ .Values.service.sessionAffinity }} --- apiVersion: v1 
@@ -43,36 +39,26 @@ kind: Service metadata: name: {{ include "common.servicename" . }}-internal namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: ports: - name: {{ .Values.service.portName }} - port: {{ .Values.service.externalPlainPort }} - targetPort: {{ .Values.service.internalPlainPort }} + port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} type: ClusterIP - selector: - app: {{ include "common.name" . }} + selector: {{- include "common.matchLabels" . | nindent 4 }} --- apiVersion: v1 kind: Service metadata: name: {{ include "common.servicename" . }}-metrics namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-metrics - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} spec: ports: - port: {{ .Values.metricsService.externalPort }} targetPort: {{ .Values.metricsService.internalPort }} name: {{ .Values.metricsService.portName }} type: {{ .Values.metricsService.type }} - selector: - app: {{ include "common.name" . }} - clusterIP: None \ No newline at end of file + selector: {{- include "common.matchLabels" . | nindent 4 }} + clusterIP: None diff --git a/kubernetes/aai/templates/servicemonitor.yaml b/kubernetes/aai/templates/servicemonitor.yaml index c0d9f212b4..dc706029bf 100644 --- a/kubernetes/aai/templates/servicemonitor.yaml +++ b/kubernetes/aai/templates/servicemonitor.yaml @@ -1,3 +1,3 @@ {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} -{{- end }} \ No newline at end of file +{{- end }} 
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml index d382b80ba0..6c8157b84d 100644 --- a/kubernetes/aai/values.yaml +++ b/kubernetes/aai/values.yaml @@ -2,6 +2,7 @@ # Modifications Copyright (c) 2018 AT&T # Modifications Copyright (c) 2020 Nokia, Orange # Modifications Copyright (c) 2021 Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,33 +25,59 @@ global: # global defaults dockerhubRepository: docker.io busyboxImage: busybox - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.1.2 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 restartPolicy: Always - aafEnabled: true - msbEnabled: true - centralizedLoggingEnabled: true + centralizedLoggingEnabled: false + + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) cassandra: #This will instantiate AAI cassandra cluster, default:shared cassandra. localCluster: false + # in case of a local cassandra cluster + # flag to enable the DB creation via k8ssandra-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + #Service Name of the cassandra cluster to connect to. #Override it to aai-cassandra if localCluster is enabled. - serviceName: cassandra + #in case of using k8ssandra-operator in the common cassandra installation + #the service name is: + serviceName: cassandra-dc1-service + #in case of local k8ssandra-operator instance it is + #serviceName: aai-cassandra-dc1-service + #in case the older cassandra installation is used: + #serviceName: cassandra #This should be same as shared cassandra instance or if localCluster is enabled #then it should be same as aai-cassandra replicaCount replicas: 3 - #Cassanara login details + #Cassandra login details username: cassandra password: cassandra + #Cassandra datacenter name + localDataCenter: dc1 + + # The name of Cassandra cluster's partitioner. + # It will be retrieved by client if not provided. + # See storage.cql.partitioner-name in https://docs.janusgraph.org/v0.6/configs/configuration-reference/#storagecql + partitionerName: org.apache.cassandra.dht.Murmur3Partitioner + aai: serviceName: aai babel: 
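Review bot: under `global.cassandra`, the hunk corrects the spelling of the "Cassandra login details" comment but leaves `username: cassandra` and `password: cassandra` as literal chart defaults. Since these lines are being touched anyway, take the credentials from a Secret or an external secret reference and leave the values empty by default. The new comment `set "enableServiceAccount to "false"` is also missing a closing quote.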
@@ -61,10 +88,6 @@ global: # global defaults serviceName: aai-resources sparkyBe: serviceName: aai-sparky-be - dataRouter: - serviceName: aai-data-router - gizmo: - serviceName: aai-gizmo modelloader: serviceName: aai-modelloader searchData: @@ -73,8 +96,6 @@ global: # global defaults serviceName: aai-traversal graphadmin: serviceName: aai-graphadmin - spike: - serviceName: aai-spike initContainers: enabled: true @@ -205,7 +226,7 @@ global: # global defaults # Active spring profiles for the resources microservice # aaf-auth profile will be automatically set if aaf enabled is set to true profiles: - active: production,dmaap #,aaf-auth + active: production,kafka #,aaf-auth # Notification event specific properties notification: @@ -217,7 +238,7 @@ global: # global defaults # Specifies if the connection should be one way ssl, two way ssl or no auth # will be set to no-auth if tls is disabled service: - client: one-way-ssl + client: no-auth # Specifies which translator to use if it has schema-service, then it will make a rest request to schema service translator: list: schema-service @@ -231,11 +252,11 @@ global: # global defaults version: # Current version of the REST API api: - default: v27 + default: v30 # Specifies which version the depth parameter is configurable depth: v11 # List of all the supported versions of the API - list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27 + list: v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23,v24,v25,v26,v27,v28,v29,v30 # Specifies from which version related link should appear related: link: v11 
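Review bot: in the `@@ -217,7 +238,7 @@` hunk, `service.client` changes from `one-way-ssl` to `no-auth`, yet the comment kept above it still presents `no-auth` as what is set "if tls is disabled" rather than as the default. Please update the comment to state that calls to the schema service are now unauthenticated at the application layer and what is expected to protect them instead (for example the AuthorizationPolicy added in this change), so the default does not read as a leftover.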
@@ -277,16 +298,12 @@ global: # global defaults # since when this is enabled, it prints a lot of information to console enabled: false - aaiSdcListenerKafkaUser: aai-sdc-list-user - aai-babel: logConfigMapNamePrefix: '{{ include "common.release" . }}-aai' aai-graphadmin: logConfigMapNamePrefix: '{{ include "common.release" . }}-aai' aai-modelloader: logConfigMapNamePrefix: '{{ include "common.release" . }}-aai' - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.aaiSdcListenerKafkaUser }}' aai-resources: logConfigMapNamePrefix: '{{ include "common.release" . }}-aai' aai-schema-service: 
@@ -296,47 +313,12 @@ aai-sparky-be: aai-traversal: logConfigMapNamePrefix: '{{ include "common.release" . }}-aai' -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: aai-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "aai" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.aai" - fqi: "aai@aai.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \ - -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \ - -alias ca_local_0 \ - -storepass $cadi_truststore_password - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** generating needed file" - cat {{ .Values.credsPath }}/certs/cert.pem \ - {{ .Values.credsPath }}/certs/cacert.pem \ - {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - > {{ .Values.credsPath }}/certs/fullchain.pem; - chown 1001 {{ .Values.credsPath }}/certs/* - # application image dockerhubRepository: registry.hub.docker.com -image: onap/aai-haproxy:1.9.5 +image: onap/aai-haproxy:1.15.2 pullPolicy: Always flavor: small -flavorOverride: small # flag to enable debugging - application support required debugEnabled: false 
@@ -345,13 +327,21 @@ debugEnabled: false config: logstashServiceName: log-ls logstashPort: 5044 + # IP address of name server is needed in nginx configuration. The secure endpoint for logging with Keycloak need the ip address in the config file. + # You can find this ip address in the /etc/resolv.conf This file is generated by k8s. The name server ip address is in all k8s cluster the same. + NAME_SERVER: coredns.kube-system + # hold interval in seconds + DNS_REFRESH_INTERVAL: 5 # default number of instances replicaCount: 1 +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + updateStrategy: type: RollingUpdate - maxUnavailable: 0 + maxUnavailable: 33% maxSurge: 1 nodeSelector: {} @@ -362,14 +352,17 @@ affinity: {} haproxy: initContainers: resources: - memory: 100Mi - cpu: 50m + cpu: "50m" + memory: "500Mi" requestBlocking: enabled: false customConfigs: [] replicas: - aaiResources: 1 - aaiTraversal: 1 + aaiResources: 3 + aaiTraversal: 3 + # stickiness based on path. + # For multiple replicas, requests will not be distributed evenly + stickOnPath: true # probe configuration parameters liveness: @@ -394,6 +387,9 @@ cassandra: persistence: mountSubPath: aai/cassandra enabled: true + k8ssandraOperator: + config: + clusterName: aai-cassandra readiness: initialDelaySeconds: 10 @@ -402,24 +398,20 @@ readiness: service: type: NodePort portName: http - externalPort: 8443 - internalPort: 8443 + externalPort: 80 + internalPort: 8080 nodePort: 33 - externalPlainPort: 80 - internalPlainPort: 8080 - nodeport: 33 - aaiServiceClusterIp: sessionAffinity: None metricsService: type: ClusterIP - portName: prometheus + portName: http-pro externalPort: 8448 internalPort: 8448 metrics: serviceMonitor: - enabled: false + enabled: true targetPort: 8448 path: /metrics basicAuth: 
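Review bot: in the `service:` block of the `@@ -402,24 +398,20 @@` hunk, `type: NodePort` and `nodePort: 33` are kept while `externalPort` and `internalPort` move from 8443 to 80 and 8080, so the default install publishes the AAI API on a node port without TLS unless ingress is enabled (service.yaml forces `ClusterIP` only in that case). Consider defaulting `type` to `ClusterIP`, or state next to the key that NodePort is meant for setups where a mesh or ingress in front terminates TLS.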
@@ -427,9 +419,9 @@ metrics: selector: app: '{{ include "common.name" . }}-metrics' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' relabelings: [] @@ -440,26 +432,53 @@ ingress: service: - baseaddr: "aai-api" name: "aai" - port: 8443 - plain_port: 80 + port: 80 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipalsMetrics: [] + authorizedPrincipals: + - serviceAccount: aai-graphadmin-read + - serviceAccount: aai-modelloader-read + - serviceAccount: aai-resources-read + - serviceAccount: aai-schema-service-read + - serviceAccount: aai-traversal-read + - serviceAccount: cds-blueprints-processor-read + - serviceAccount: consul-read + - serviceAccount: dcae-prh-read + - serviceAccount: dcae-slice-analysis-ms-read + - serviceAccount: dcae-tcagen2 + - serviceAccount: nbi-read + - serviceAccount: sdnc-read + - serviceAccount: so-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-cnf-adapter-read + - serviceAccount: so-nssmf-adapter-read + - serviceAccount: so-etsi-nfvo-ns-lcm-read + - serviceAccount: so-etsi-sol003-adapter-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: so-ve-vnfm-adapter + - serviceAccount: istio-ingress + namespace: istio-ingress + resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "500m" + memory: "1200Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "2400Mi" unlimited: {} #Pods Service Account 
@@ -467,3 +486,13 @@ serviceAccount: nameOverride: aai roles: - read + +securityContext: + user_id: 99 + group_id: 99 + +volumes: + haProxySizeLimit: 20Mi + +podAnnotations: + checksum/config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}' diff --git a/kubernetes/appc/Chart.yaml b/kubernetes/appc/Chart.yaml deleted file mode 100644 index 782a5c6e29..0000000000 --- a/kubernetes/appc/Chart.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Application Controller -name: appc -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: mariadb-galera - version: ~12.x-0 - repository: '@local' - - name: dgbuilder - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: appc-ansible-server - version: ~12.x-0 - repository: 'file://components/appc-ansible-server' - condition: appc-ansible-server.enabled - - name: appc-cdt - version: ~12.x-0 - repository: 'file://components/appc-cdt' - condition: appc-cdt.enabled diff --git a/kubernetes/appc/components/appc-ansible-server/Chart.yaml b/kubernetes/appc/components/appc-ansible-server/Chart.yaml deleted file mode 100644 index 1929d389f2..0000000000 
--- a/kubernetes/appc/components/appc-ansible-server/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP APPC Ansible Server -name: appc-ansible-server -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/appc/components/appc-ansible-server/resources/config/RestServer_config b/kubernetes/appc/components/appc-ansible-server/resources/config/RestServer_config deleted file mode 100644 index 090aa557f5..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/resources/config/RestServer_config +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# Host definition -ip: 0.0.0.0 -port: {{.Values.service.internalPort}} - -# Security (controls use of TLS encrypton and RestServer authentication) -tls: no -auth: no - -# TLS certificates (must be built on application host) -priv: provide_privated_key.pem -pub: provide_public_key.pem - -# Mysql -host: {{.Values.config.mariadbGaleraSVCName}} - -# Playbooks -from_files: yes -ansible_path: /opt/onap/ccsdk/Playbooks -ansible_inv: Ansible_inventory -ansible_temp: PlaybooksTemp -timeout_seconds: 60 - -# Blocking on GetResults -getresults_block: yes diff --git a/kubernetes/appc/components/appc-ansible-server/templates/configmap.yaml b/kubernetes/appc/components/appc-ansible-server/templates/configmap.yaml deleted file mode 100644 index 3bfe84c6e7..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/templates/configmap.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/appc/components/appc-ansible-server/templates/pv.yaml b/kubernetes/appc/components/appc-ansible-server/templates/pv.yaml deleted file mode 100644 index b2acf37393..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/templates/pv.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -{{- range $i, $t := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-playbook-{{$i}} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - storageClassName: "{{ include "common.fullname" $global }}-data" - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/appc/components/appc-ansible-server/templates/service.yaml b/kubernetes/appc/components/appc-ansible-server/templates/service.yaml deleted file mode 100644 index e952357c4c..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/templates/service.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{/* -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} \ No newline at end of file diff --git a/kubernetes/appc/components/appc-ansible-server/templates/statefulset.yaml b/kubernetes/appc/components/appc-ansible-server/templates/statefulset.yaml deleted file mode 100644 index 0e9e60ab5f..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/templates/statefulset.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ include "common.servicename" . }} - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-chown - image: {{ include "repositoryGenerator.image.busybox" . }} - command: ["sh", "-c", "chown -R {{ .Values.config.ansibleUid }}:{{ .Values.config.ansibleGid}} {{ .Values.persistence.playbookPath }}"] - volumeMounts: - - mountPath: {{ .Values.persistence.playbookPath }} - name: {{ include "common.fullname" . }}-playbook - containers: - - name: {{ include "common.name" . }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/ccsdk && ./startAnsibleServer.sh"] - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: {{ .Values.config.configDir }}/RestServer_config - name: config - subPath: RestServer_config - - mountPath: {{ .Values.persistence.playbookPath }} - name: {{ include "common.fullname" . }}-playbook - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: config - configMap: - name: {{ include "common.fullname" . }} - defaultMode: 0644 -{{ if not .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-playbook - emptyDir: {} -{{ else }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-playbook - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . 
}} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{ end }} diff --git a/kubernetes/appc/components/appc-ansible-server/values.yaml b/kubernetes/appc/components/appc-ansible-server/values.yaml deleted file mode 100644 index 076cf6b5f2..0000000000 --- a/kubernetes/appc/components/appc-ansible-server/values.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# -flavor: small - -# application image -image: onap/ccsdk-ansible-server-image:0.4.4 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - ansibleUid: 100 - ansibleGid: 101 - appcChartName: appc - mysqlServiceName: appc-db - configDir: /opt/onap/ccsdk - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 180 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 60 - periodSeconds: 10 - -service: - type: ClusterIP - name: appc-ansible-server - portName: appc-ansible-server - internalPort: 8000 - externalPort: 8000 - nfsprovisionerPrefix: appc - disableNfsProvisioner: true - -## Persist data to a persitent volume -persistence: - enabled: true - 
- ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: appc/ansible - playbookPath: /home/ansible - -ingress: - enabled: false - -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 0.5 - memory: 0.5Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - unlimited: {} diff --git a/kubernetes/appc/components/appc-cdt/Chart.yaml b/kubernetes/appc/components/appc-cdt/Chart.yaml deleted file mode 100644 index 917bfab546..0000000000 --- a/kubernetes/appc/components/appc-cdt/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP APPC Self Service Controller Design Tool -name: appc-cdt -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/appc/components/appc-cdt/resources/entrypoint/startCdt.sh b/kubernetes/appc/components/appc-cdt/resources/entrypoint/startCdt.sh deleted file mode 100755 index b5fa5248fa..0000000000 --- a/kubernetes/appc/components/appc-cdt/resources/entrypoint/startCdt.sh +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/bin/sh - -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2018-2019 AT&T Intellectual Property. All rights reserved. -# Copyright (C) 2021 Orange Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### - -if [ -z "$CDT_PORT" ] -then - CDT_PORT="30232" -fi -echo "Setting CDT port to $CDT_PORT" -sed -i -e "s/30290/$CDT_PORT/" /opt/cdt/main.bundle.js - -CDT_HOME=/opt/cdt; export CDT_HOME -LOG_DIR=/opt/cdt/logs; export LOG_DIR -MaxLogSize=3000000; export MaxLogSize -PORT=18080; export PORT -if [ -z "$HTTPS_KEY_FILE" ] -then - HTTPS_KEY_FILE=/opt/cert/cdt-key.pem - export HTTPS_KEY_FILE -fi -if [ -z "$HTTPS_CERT_FILE" ] -then - HTTPS_CERT_FILE=/opt/cert/cdt-cert.pem - export HTTPS_CERT_FILE -fi -echo "*** cert file: ${HTTPS_CERT_FILE}" -echo "*** key file : ${HTTPS_KEY_FILE}" -node $CDT_HOME/app/ndserver.js \ No newline at end of file diff --git a/kubernetes/appc/components/appc-cdt/templates/NOTES.txt b/kubernetes/appc/components/appc-cdt/templates/NOTES.txt deleted file mode 100644 index 1a7dbc5d13..0000000000 --- a/kubernetes/appc/components/appc-cdt/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.fullname" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/appc/components/appc-cdt/templates/configmap.yaml b/kubernetes/appc/components/appc-cdt/templates/configmap.yaml deleted file mode 100644 index fea0ec2f7a..0000000000 --- a/kubernetes/appc/components/appc-cdt/templates/configmap.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -# Copyright © 2021 Orange. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-entrypoint - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/entrypoint/*").AsConfig . | indent 2 }} diff --git a/kubernetes/appc/components/appc-cdt/templates/deployment.yaml b/kubernetes/appc/components/appc-cdt/templates/deployment.yaml deleted file mode 100644 index fb15897ae1..0000000000 --- a/kubernetes/appc/components/appc-cdt/templates/deployment.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /opt/startCdt.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - # This sets the port that CDT will use to connect to the main appc container. - # The 11 is the node port suffix that is used in the main appc oom templates - # for nodePort3. This value will be configured in appc main chart in appc-cdt section. - - name: CDT_PORT - value: "{{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.nodePort3 }}" - - name: HTTPS_KEY_FILE - value: {{ .Values.certInitializer.credsPath }}/certs/key.pem - - name: HTTPS_CERT_FILE - value: {{ .Values.certInitializer.credsPath }}/certs/cert.pem - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/startCdt.sh - name: entrypoint - subPath: startCdt.sh - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: {{ include "common.certInitializer.volumes" . 
| nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: entrypoint - configMap: - name: {{ include "common.fullname" . }}-entrypoint - defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/appc/components/appc-cdt/templates/service.yaml b/kubernetes/appc/components/appc-cdt/templates/service.yaml deleted file mode 100644 index 54e239ebc5..0000000000 --- a/kubernetes/appc/components/appc-cdt/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/appc/components/appc-cdt/values.yaml b/kubernetes/appc/components/appc-cdt/values.yaml deleted file mode 100644 index 5765d3482d..0000000000 --- a/kubernetes/appc/components/appc-cdt/values.yaml +++ /dev/null 
@@ -1,118 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - - -################################################################# -# AAF part -################################################################# - -# dependency / sub-chart configuration -certInitializer: - nameOverride: appc-cdt-cert-initializer - truststoreMountpath: /opt/onap/appc/data/stores - fqdn: "appc-cdt" - app_ns: "org.osaaf.aaf" - fqi: "appc-cdt@appc-cdt.onap.org" - fqi_namespace: org.onap.appc-cdt - public_fqdn: "appc-cdt.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! 
- cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key file" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - {{ .Values.credsPath }}/certs/key.pem - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - -################################################################# -# Application configuration defaults. -################################################################# - -flavor: small - -# application image -image: onap/appc-cdt-image:1.7.2 -pullPolicy: Always - -# application configuration -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: appc-cdt - externalPort: 18080 - internalPort: 18080 - nodePort: 89 - -ingress: - enabled: false - service: - - baseaddr: appccdt - name: "appc-cdt" - port: 18080 - config: - ssl: "redirect" - -# Configure resource requests and limits -# ref: http://kubernetes.io/docs/user-guide/compute-resources/ -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 0.5 - memory: 500Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - unlimited: {} 
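Review bot: in the removed `certInitializer` block of this file, `aafDeployPass: demo123456!` is a literal password that was committed in values.yaml. Deleting the chart takes it out of the tree but not out of the repository history, so treat the value as disclosed and make sure no deployment still accepts it for `deployer@people.osaaf.org`.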
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh deleted file mode 100755 index 424074aa8c..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/sh -x - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -waiting_bundles=$(/opt/opendaylight/current/bin/client bundle:list | grep Waiting | wc -l) -run_level=$(/opt/opendaylight/current/bin/client system:start-level) - - if [ "$run_level" = "Level 100" ] && [ "$waiting_bundles" -lt "1" ] - then - echo APPC is healthy. - else - echo APPC is not healthy. - exit 1 - fi - -exit 0 diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh deleted file mode 100755 index 830708bb39..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/installAppcDb.sh +++ /dev/null 
@@ -1,59 +0,0 @@ -#!/bin/sh - -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk} -APPC_HOME=${APPC_HOME:-/opt/onap/appc} -MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD} - -APPC_DB_USER=${APPC_DB_USER} -APPC_DB_PASSWD=${APPC_DB_PASSWD} -APPC_DB_DATABASE={{.Values.config.appcdb.dbName}} -SDNC_DB_DATABASE={{.Values.config.sdncdb.dbName}} - - -# Create tablespace and user account -mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END -CREATE DATABASE ${APPC_DB_DATABASE}; -CREATE USER '${APPC_DB_USER}'@'localhost' IDENTIFIED BY '${APPC_DB_PASSWD}'; -CREATE USER '${APPC_DB_USER}'@'%' IDENTIFIED BY '${APPC_DB_PASSWD}'; -GRANT ALL PRIVILEGES ON ${APPC_DB_DATABASE}.* TO '${APPC_DB_USER}'@'localhost' WITH GRANT OPTION; -GRANT ALL PRIVILEGES ON ${APPC_DB_DATABASE}.* TO '${APPC_DB_USER}'@'%' WITH GRANT OPTION; -commit; -END - -if [ -f ${APPC_HOME}/data/appcctl.dump ] -then - mysql -h 
{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} ${APPC_DB_DATABASE} < ${APPC_HOME}/data/appcctl.dump -fi - -if [ -f ${APPC_HOME}/data/sdnctl.dump ] -then - mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} ${SDNC_DB_DATABASE} < ${APPC_HOME}/data/sdnctl.dump -fi - -if [ -f ${APPC_HOME}/data/sqlData.dump ] -then - mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} ${SDNC_DB_DATABASE} < ${APPC_HOME}/data/sqlData.dump -fi diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh deleted file mode 100755 index 789f1b38a1..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh +++ /dev/null 
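Review bot: In installAppcDb.sh every `mysql` call puts the root password on the command line (`-u root -p${MYSQL_PASSWD}`), and the script grants `ALL PRIVILEGES ... WITH GRANT OPTION` to `'${APPC_DB_USER}'@'%'`. This deletion removes the only visible place those accounts are created, so the change description should say whether existing databases need the user and schema dropped. If the bootstrap is moved elsewhere instead of retired, read the password from a client option file (`--defaults-extra-file`) and drop both `WITH GRANT OPTION` and the `'%'` host.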
@@ -1,201 +0,0 @@ -#!/bin/sh -x - -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017-2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-### - -# -# This script takes care of installing the SDNC & APPC platform components -# if not already installed, and starts the APPC Docker Container -# -#set -x -*/}} - -enable_odl_cluster () { - if [ -z $APPC_REPLICAS ]; then - echo "APPC_REPLICAS is not configured in Env field" - exit - fi - - echo "Update cluster information statically" - hm=$(hostname) - echo "Get current Hostname ${hm}" - - node=($(echo ${hm} | sed 's/-[0-9]*$//g')) - node_index=($(echo ${hm} | awk -F"-" '{print $NF}')) - node_list="${node}-0.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}"; - - for i in $(seq 1 $((${APPC_REPLICAS}-1))); - do - node_list="${node_list} ${node}-$i.{{ .Values.service.name }}-cluster.{{.Release.Namespace}}" - done - - /opt/opendaylight/current/bin/configure_cluster.sh $((node_index+1)) ${node_list} -} - -ODL_HOME=${ODL_HOME:-/opt/opendaylight/current} -SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk} -APPC_HOME=${APPC_HOME:-/opt/onap/appc} -SLEEP_TIME=${SLEEP_TIME:-120} -MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD} -ENABLE_ODL_CLUSTER=${ENABLE_ODL_CLUSTER:-false} -ENABLE_AAF=${ENABLE_AAF:-true} -DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim} - -# -# Wait for database to init properly -# -echo "Waiting for mariadbgalera" -until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql >/dev/null 2>&1 -do - printf "." - sleep 1 -done -echo -echo "mariadbgalera ready" - -if [ ! -d ${DBINIT_DIR} ] -then - mkdir -p ${DBINIT_DIR} -fi - -if [ ! 
-f ${DBINIT_DIR}/.installed ] -then - sdnc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END -show databases like 'sdnctl'; -END -) - if [ "${sdnc_db_exists}" = "" ] - then - echo "Installing SDNC database" - ${SDNC_HOME}/bin/installSdncDb.sh - - appc_db_exists=$(mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END -show databases like 'appcctl'; -END -) - if [ "${appc_db_exists}" = "" ] - then - echo "Installing APPC database" - ${APPC_HOME}/bin/installAppcDb.sh - fi - else - sleep 30 - fi - - echo "Installed at `date`" > ${DBINIT_DIR}/.installed -fi - - -if [ ! -f ${SDNC_HOME}/.installed ] -then - echo "Installing ODL Host Key" - ${SDNC_HOME}/bin/installOdlHostKey.sh - -# echo "Copying a working version of the logging configuration into the opendaylight etc folder" -# cp ${APPC_HOME}/data/org.ops4j.pax.logging.cfg ${ODL_HOME}/etc/org.ops4j.pax.logging.cfg - - - echo "Waiting ${SLEEP_TIME} seconds for OpenDaylight to initialize" - sleep ${SLEEP_TIME} - - - if [ -x ${SDNC_HOME}/svclogic/bin/install.sh ] - then - echo "Installing directed graphs" - ${SDNC_HOME}/svclogic/bin/install.sh - fi - - if [ -x ${APPC_HOME}/svclogic/bin/install-converted-dgs.sh ] - then - echo "Installing APPC JSON DGs converted to XML using dg-loader" - ${APPC_HOME}/svclogic/bin/install-converted-dgs.sh - fi - - if $ENABLE_ODL_CLUSTER - then - echo "Enabling Opendaylight cluster features" - enable_odl_cluster - fi - - echo "Copying the aaa shiro configuration into opendaylight" - mkdir -p ${ODL_HOME}/etc/opendaylight/datastore/initial/config - if $ENABLE_AAF - then - cp ${APPC_HOME}/data/properties/aaa-app-config.xml ${ODL_HOME}/etc/opendaylight/datastore/initial/config/aaa-app-config.xml - fi - -fi - -# Move journal and snapshots directory to persistent storage - -hostdir=${ODL_HOME}/daexim/$(hostname -s) -if [ ! 
-d $hostdir ] -then - mkdir -p $hostdir - if [ -d ${ODL_HOME}/journal ] - then - mv ${ODL_HOME}/journal ${hostdir} - else - mkdir ${hostdir}/journal - fi - if [ -d ${ODL_HOME}/snapshots ] - then - mv ${ODL_HOME}/snapshots ${hostdir} - else - mkdir ${hostdir}/snapshots - fi -fi - -ln -s ${hostdir}/journal ${ODL_HOME}/journal -ln -s ${hostdir}/snapshots ${ODL_HOME}/snapshots - -echo "Starting cdt-proxy-service jar, logging to ${APPC_HOME}/cdt-proxy-service/jar.log" -java -jar ${APPC_HOME}/cdt-proxy-service/cdt-proxy-service.jar > ${APPC_HOME}/cdt-proxy-service/jar.log & - -echo "Starting dmaap-event-service jar, logging to ${APPC_HOME}/dmaap-event-service/jar.log" -java -jar -Dorg_onap_appc_bootstrap_path=/opt/onap/appc/data/properties -Dorg_onap_appc_bootstrap_file=appc.properties ${APPC_HOME}/dmaap-event-service/dmaap-event-service.jar > ${APPC_HOME}/dmaap-event-service/jar.log & - -echo "Adding a property system.properties for AAF cadi.properties location" -echo "" >> ${ODL_HOME}/etc/system.properties -echo "cadi_prop_files=${APPC_HOME}/data/properties/cadi.properties" >> ${ODL_HOME}/etc/system.properties -echo "" >> ${ODL_HOME}/etc/system.properties - -echo "Adding a value to property appc.asdc.env in appc.properties for appc-asdc-listener feature" -echo "" >> $APPC_HOME/data/properties/appc.properties -echo "appc.asdc.env=$DMAAP_TOPIC_ENV" >> $APPC_HOME/data/properties/appc.properties -echo "" >> $APPC_HOME/data/properties/appc.properties - -echo "Copying jetty, keystore for https into opendalight" -cp ${APPC_HOME}/data/jetty.xml ${ODL_HOME}/etc/jetty.xml -cp ${APPC_HOME}/data/keystore ${ODL_HOME}/etc/keystore -cp ${APPC_HOME}/data/custom.properties ${ODL_HOME}/etc/custom.properties - -echo "Copying a working version of the logging configuration into the opendaylight etc folder" -cp ${APPC_HOME}/data/org.ops4j.pax.logging.cfg ${ODL_HOME}/etc/org.ops4j.pax.logging.cfg - 
-ODL_BOOT_FEATURES_EXTRA="odl-netconf-connector,odl-restconf-noauth,odl-netconf-clustered-topology,odl-mdsal-clustering" -sed -i -e "\|featuresBoot[^a-zA-Z]|s|$|,${ODL_BOOT_FEATURES_EXTRA}|" $ODL_HOME/etc/org.apache.karaf.features.cfg - -exec ${APPC_HOME}/bin/dockerInstall.sh & -echo "Starting OpenDaylight" -exec ${ODL_HOME}/bin/karaf server diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml deleted file mode 100644 index de6e7e4742..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaa-app-config.xml +++ /dev/null @@ -1,121 +0,0 @@ - - - - - - -
- tokenAuthRealm - - org.onap.aaf.cadi.shiro.AAFRealm -
- - - -
- securityManager.realms - $tokenAuthRealm -
- - -
- authcBasic - org.opendaylight.aaa.shiro.filters.ODLHttpAuthenticationFilter -
- - -
- accountingListener - org.opendaylight.aaa.shiro.filters.AuthenticationListener -
-
- securityManager.authenticator.authenticationListeners - $accountingListener -
- - -
- dynamicAuthorization - org.opendaylight.aaa.shiro.realm.MDSALDynamicAuthorizationFilter -
- - - - - - - /auth/** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/config/aaa-cert-mdsal** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operational/aaa-cert-mdsal** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operations/aaa-cert-rpc** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/config/aaa-authn-model** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operational/aaa-authn-model** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /restconf/operations/cluster-admin** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - - - /** - - authcBasic, roles[org.onap.appc.odl:odl-api:*] - -
- diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaiclient.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaiclient.properties deleted file mode 100644 index 24b10bcb89..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/aaiclient.properties +++ /dev/null 
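Review bot: The Shiro URL rules deleted in aaa-app-config.xml put `authcBasic, roles[org.onap.appc.odl:odl-api:*]` on every pattern including `/**`, yet startODL.sh in this same removal copies that file only under `if $ENABLE_AAF` and unconditionally appends `odl-restconf-noauth` to `featuresBoot`, a feature whose name suggests a RESTCONF endpoint outside this policy. Confirm that nothing still deployed relies on this file for RESTCONF access control, and if the startup script is reused anywhere, remove `odl-restconf-noauth` from `ODL_BOOT_FEATURES_EXTRA`. Note also that startODL.sh runs as `#!/bin/sh -x` while calling `mysql ... -p${MYSQL_PASSWD}`, so the expanded root password is written to the trace output.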
@@ -1,251 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### - -# -# Configuration file for A&AI Client -# - -# -# Certificate keystore and truststore -# -*/}} -org.onap.ccsdk.sli.adaptors.aai.ssl.trust=/opt/onap/appc/data/stores/truststoreONAPall.jks -org.onap.ccsdk.sli.adaptors.aai.ssl.trust.psswd=changeit -org.onap.ccsdk.sli.adaptors.aai.ssl.key=/opt/onap/appc/data/stores/truststoreONAPall.jks -org.onap.ccsdk.sli.adaptors.aai.ssl.key.psswd=changeit - -org.onap.ccsdk.sli.adaptors.aai.client.name=appc@appc.onap.org -org.onap.ccsdk.sli.adaptors.aai.client.psswd=demo123456! 
- -org.onap.ccsdk.sli.adaptors.aai.application=openECOMP -connection.timeout=60000 -read.timeout=60000 - -# -# Configuration file for A&AI Client -# -org.onap.ccsdk.sli.adaptors.aai.uri=https://aai.{{.Release.Namespace}}:8443 - -# query -org.onap.ccsdk.sli.adaptors.aai.path.query=/aai/v14/search/sdn-zone-query -org.onap.ccsdk.sli.adaptors.aai.query.nodes=/aai/v14/search/nodes-query?search-node-type={node-type}&filter={entity-identifier}:EQUALS:{entity-name} -org.onap.ccsdk.sli.adaptors.aai.query.generic=/aai/v14/search/generic-query?key={identifier}:{value}&start-node-type={start-node-type}&include=complex&depth=3 - -# named query -org.onap.ccsdk.sli.adaptors.aai.query.named=/aai/search/named-query - - -#update -org.onap.ccsdk.sli.adaptors.aai.update=/aai/v14/actions/update - -# vce -org.onap.ccsdk.sli.adaptors.aai.path.vce =/aai/v14/network/vces/vce/ -org.onap.ccsdk.sli.adaptors.aai.path.vces=/aai/v14/network/vces/ - -# vpe -org.onap.ccsdk.sli.adaptors.aai.path.vpe =/aai/v14/network/vpes/vpe/ -org.onap.ccsdk.sli.adaptors.aai.path.vpes=/aai/v14/network/vpes/ - -# customer -org.onap.ccsdk.sli.adaptors.aai.path.customer=/aai/v14/business/customers/customer/{customer-id} - -# service subscription -org.onap.ccsdk.sli.adaptors.aai.path.service.subscription=/aai/v14/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type} - -# service instance -org.onap.ccsdk.sli.adaptors.aai.path.svcinst=/aai/v14/business/customers/customer/{customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances -org.onap.ccsdk.sli.adaptors.aai.path.svcinst.query=/aai/v14/search/generic-query?key=service-instance.service-instance-id:{svc-instance-id}&start-node-type=service-instance&include=service-instance 
-org.onap.ccsdk.sli.adaptors.aai.path.service.instance=/aai/v14/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances/service-instance/{service-instance-id} - -# complex -org.onap.ccsdk.sli.adaptors.aai.path.complexes=/aai/v14/cloud-infrastructure/complexes -org.onap.ccsdk.sli.adaptors.aai.path.complex=/aai/v14/cloud-infrastructure/complexes/complex/{physical-location-id} - -# tenant -org.onap.ccsdk.sli.adaptors.aai.path.tenant=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id} -org.onap.ccsdk.sli.adaptors.aai.path.tenant.query=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant?tenant-name={tenant-name} - -# vservers -org.onap.ccsdk.sli.adaptors.aai.path.vservers=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/ -org.onap.ccsdk.sli.adaptors.aai.path.vserver=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id} - -# vpls-pe -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pes=/aai/v14/network/vpls-pes/ -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pe =/aai/v14/network/vpls-pes/vpls-pe/ - -# ctag-pool -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pools=/aai/v14/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pool=/aai/v14/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools/ctag-pool/{target-pe}/{availability-zone-name} - -# -#-------------- 1510 ---------------------- -# - -# pservers -org.onap.ccsdk.sli.adaptors.aai.path.pservers=/aai/v14/cloud-infrastructure/pservers -org.onap.ccsdk.sli.adaptors.aai.path.pserver=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname} - -# generic-vnf 
-org.onap.ccsdk.sli.adaptors.aai.path.generic.vnfs=/aai/v14/network/generic-vnfs -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id} - -# dvs-switch -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitches=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitch=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches/dvs-switch/{switch-name} - -# L3 Networks -org.onap.ccsdk.sli.adaptors.aai.path.l3networks=/aai/v14/network/l3-networks -org.onap.ccsdk.sli.adaptors.aai.path.l3network=/aai/v14/network/l3-networks/l3-network/{network-id} -org.onap.ccsdk.sli.adaptors.aai.path.l3network.query.name=/aai/v14/network/l3-networks/l3-network?network-name={network-name} - -# P-Interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterfaces=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterface=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{interface-name} - -# Physical Link -org.onap.ccsdk.sli.adaptors.aai.path.physical.links=/aai/v14/network/physical-links -org.onap.ccsdk.sli.adaptors.aai.path.physical.link=/aai/v14/network/physical-links/physical-link/{link-name} - -# VPN Bindings -org.onap.ccsdk.sli.adaptors.aai.path.vpn.bindings=/aai/v14/network/vpn-bindings/ -org.onap.ccsdk.sli.adaptors.aai.path.vpn.binding=/aai/v14/network/vpn-bindings/vpn-binding/{vpn-id} - -# VNF IMAGES -org.onap.ccsdk.sli.adaptors.aai.path.vnf.images=/aai/v14/service-design-and-creation/vnf-images -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image=/aai/v14/service-design-and-creation/vnf-images/vnf-image/{att-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image.query=/aai/v14/service-design-and-creation/vnf-images/vnf-image?application={application_model}&application-vendor={application_vendor} - -# UBB Notify 
-org.onap.ccsdk.sli.adaptors.aai.path.notify=/aai/v14/actions/notify -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.fqdn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3SDN-API:services/layer3-service-list/{service-instance-id} -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.avpn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3AVPN-EVC-API:services/service-list/{service-instance-id}/service-data/avpn-logicalchannel-information - -# Service -org.onap.ccsdk.sli.adaptors.aai.path.service=/aai/v14/service-design-and-creation/services/service/{service-id} -org.onap.ccsdk.sli.adaptors.aai.path.services=/aai/v14/service-design-and-creation/services - - -# -#-------------- 1604 ---------------------- -# - -# VNFC -org.onap.ccsdk.sli.adaptors.aai.path.vnfc=/aai/v14/network/vnfcs/vnfc/{vnfc-name} - -# class-of-service -org.onap.ccsdk.sli.adaptors.aai.path.class.of.service=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id}/classes-of-service/class-of-service/{cos-id} - -# site-pair -org.onap.ccsdk.sli.adaptors.aai.path.site.pair=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id} - -# routing-instance -org.onap.ccsdk.sli.adaptors.aai.path.routing.instance=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id} - -# site-pair-set -org.onap.ccsdk.sli.adaptors.aai.path.site.pair.set=/aai/v14/network/site-pair-sets/site-pair-set/{site-pair-set-id} - -# license key resource -org.onap.ccsdk.sli.adaptors.aai.path.license.acquire=/aai/v14/actions/assignment/license-management/assignment-group-uuid/{assignment-group-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.license=/aai/v14/license-management/license-key-resources/license-key-resource/{att-uuid} - -# logical-link 
-org.onap.ccsdk.sli.adaptors.aai.path.logical.link =/aai/v14/network/logical-links/logical-link/{link-name} - -# virtual-data-center -org.onap.ccsdk.sli.adaptors.aai.path.virtual.data.center=/aai/v14/cloud-infrastructure/virtual-data-centers/virtual-data-center/{vdc-id} - -# wan-connector -org.onap.ccsdk.sli.adaptors.aai.path.wan.connector=/aai/v14/business/connectors/connector/{resource-instance-id} - -# l-interface -org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface=/aai/v14/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# l-interface pnf -org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface.pnf=/aai/v14/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface.pnf=/aai/v14/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# subinterface -org.onap.ccsdk.sli.adaptors.aai.path.pnf.lag.interface.subinterface=/aai/v14/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.pnf.p.interface.l.interface=/aai/v14/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# vlans -org.onap.ccsdk.sli.adaptors.aai.path.vlan=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} 
-org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.vlan=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} - -# l3-interface-ipv4-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} -org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# l3-interface-ipv6-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv6.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} -org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv6.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# ipsec-configuration -org.onap.ccsdk.sli.adaptors.aai.path.ipsec.configuration=/aai/v14/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id} - -# vig server -org.onap.ccsdk.sli.adaptors.aai.path.vig.server=/aai/v14/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id}/vig-servers/vig-server/{vig-address-type} - -# l3-network -org.onap.ccsdk.sli.adaptors.aai.path.l3.network=/aai/v14/network/l3-networks/l3-network/{network-id} - -# subnet -org.onap.ccsdk.sli.adaptors.aai.path.subnet=/aai/v14/network/l3-networks/l3-network/{network-id}/subnets/subnet/{subnet-id} - -# multicast-configuration -org.onap.ccsdk.sli.adaptors.aai.path.multicast.configuration=/aai/v14/network/multicast-configurations/multicast-configuration/{multicast-configuration-id} - -# 
org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv4.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.vlan.ipv4.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.vlan.ipv4.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv6.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv6.address.list=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# volume.group -org.onap.ccsdk.sli.adaptors.aai.path.volume.group=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/volume-groups/volume-group/{volume-group-id} - -#cloud region -org.onap.ccsdk.sli.adaptors.aai.path.cloud.region=/aai/v14/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id} - -# vf-module -org.onap.ccsdk.sli.adaptors.aai.path.vf.module=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/vf-modules/vf-module/{vf-module-id} - -# l-interface through generic-vnf -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.linterface=/aai/v14/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name} - -# network-policy -org.onap.ccsdk.sli.adaptors.aai.path.network.policy=/aai/v14/network/network-policies/network-policy/{network-policy-id} - -# pnf -org.onap.ccsdk.sli.adaptors.aai.path.pnf=/aai/v14/network/pnfs/pnf/{pnf-name} - -# -# Formatting -# -org.onap.ccsdk.sli.adaptors.aai.param.format=filter=%s:%s -org.onap.ccsdk.sli.adaptors.aai.param.vnf_type=vnf-type 
-org.onap.ccsdk.sli.adaptors.aai.param.physical.location.id=physical-location-id -org.onap.ccsdk.sli.adaptors.aai.param.service.type=service-type diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties deleted file mode 100644 index 3b7f02d6f7..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/appc.properties +++ /dev/null 
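Review bot: aaiclient.properties hard-codes three secrets in the template itself: `ssl.trust.psswd=changeit`, `ssl.key.psswd=changeit` and `client.psswd=demo123456!` for `appc@appc.onap.org`. `ssl.key` also points at the same `truststoreONAPall.jks` as `ssl.trust`, so the client key store and the trust store were one file. The removal is fine, but the A&AI client password should be treated as exposed and rotated, and any successor configuration should take these values from a Secret instead of literals in a properties template.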
@@ -1,139 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-### -*/}} - -### ### -### Properties for demo ### -### ### -appc.demo.poolMembers=message-router.{{.Release.Namespace}}:3904 -appc.demo.topic.read=APPC-CL -appc.demo.topic.write=APPC-CL -appc.demo.client.name=appcDemoEventListener -appc.demo.threads.queuesize.min=1 -appc.demo.threads.queuesize.max=1000 -appc.demo.threads.poolsize.min=1 -appc.demo.threads.poolsize.max=2 -appc.demo.provider.user={{.Values.config.odlUser}} -appc.demo.provider.pass={{.Values.config.odlPassword}} -appc.demo.provider.url=http://localhost:8181/restconf/operations/appc-provider -appc.provider.vfodl.url=http://{{.Values.config.odlUser|urlquery}}:{{.Values.config.odlPassword|urlquery}}@localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/NODE_NAME/yang-ext:mount/stream-count:stream-count/streams/ - -# The properties right below are needed to properly call the Master DG to serve demo purposes -appc.service.logic.module.name=APPC -appc.topology.dg.method=topology-operation-all -appc.topology.dg.version=2.0.0 - -# TEMP - Properties that might be needed to make the AAI-APPC connection -org.onap.appc.db.url.appcctl=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}:3306/{{.Values.config.appcdb.dbName}} -org.onap.appc.db.user.appcctl=${APPC_DB_USER} -org.onap.appc.db.pass.appcctl=${APPC_DB_PASSWD} - -org.onap.appc.db.url.sdnctl=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.appc.db.user.sdnctl=${SDNC_DB_USER} -org.onap.appc.db.pass.sdnctl=${SDNC_DB_PASSWD} - - -### ### -### OpenStack credentials (these properties also are used in appc-rest-adapter-bundle, appc-chef-adapter-bundle, appc-iaas-adapter-bundle) ### -### ### -provider1.type={{.Values.config.openStackType}} -provider1.name={{.Values.config.openStackName}} -provider1.identity={{.Values.config.openStackKeyStoneUrl}} -provider1.tenant1.name={{.Values.config.openStackServiceTenantName}} 
-provider1.tenant1.domain={{.Values.config.openStackDomain}} -provider1.tenant1.userid={{.Values.config.openStackUserName}} -provider1.tenant1.password={{.Values.config.openStackEncryptedPassword}} - -### ### -### Properties that are not covered or being replaced from default.properties files. Default value for DMaaP IP is 10.0.11.1:3904 ### -### which is what the Master HEAT Template to instantiate OpenECOMP is pointing to (version R1). All other default values are ### -### left there since these are pre-defined as part of APP-C/OpenECOMP default instantiation with Master HEAT Template ### -### ### - - -# Property below is valid in appc-command-executor-core, appc-license-manager-core, appc-lifecycle-management-core, -# appc-request-handler-core, appc-workflow-management-core (all from the appc-dispatcher package). -dmaap.poolMembers=message-router.{{.Release.Namespace}}:3904 - - -# appc-event-listener-bundle properties (only defined in src/test of default.properties) -appc.LCM.poolMembers=message-router.{{.Release.Namespace}}:3904 -appc.LCM.topic.read=APPC-LCM-READ -appc.LCM.topic.write=APPC-LCM-WRITE -appc.LCM.client.name=APPC-EVENT-LISTENER-TEST -appc.LCM.provider.user={{.Values.config.odlUser}} -appc.LCM.provider.pass={{.Values.config.odlPassword}} -appc.LCM.provider.url=http://localhost:8181/restconf/operations/appc-provider-lcm -appc.LCM.scopeOverlap.endpoint=http://localhost:8181/restconf/operations/interfaces-service:execute-service - -# properties from appc-netconf-adapter-bundle, appc-dg-common, appc-dmaap-adapter-bundle -poolMembers=message-router.{{.Release.Namespace}}:3904 -event.pool.members=message-router.{{.Release.Namespace}}:3904 -restconf.user={{.Values.config.odlUser}} -restconf.pass={{.Values.config.odlPassword}} - - -# properties found in appc-rest-adapter-bundle, appc-chef-adapter-bundle, appc-iaas-adapter-bundle) -#Your OpenStack IP -test.ip=10.0.11.100 -# Your OpenStack Platform's Keystone Port (default is 5000) -test.port=5000 
-test.tenantid=test -test.vmid=test -# Port 8774 below is default port for OpenStack's Nova API Service -test.url=http://api.appc.local/vm/9999999/test/99999999-9999-9999-9999-999999999999 -#skips hypervisor check which usually occurs during iaas-adapter-bundle startup -org.onap.appc.iaas.skiphypervisorcheck=true - -# Properties from default.properties in the src/test and src/main paths of appc-asdc-listener-bundle -appc.sdc.host=sdc-be.{{.Release.Namespace}}:8443 -appc.sdc.env=APPC-ASDC-ENV -appc.sdc.user=test -appc.sdc.pass=test -appc.sdc.consumer=APPC-ASDC-CONSUMER -appc.sdc.consumer.id=APPC-ASDC-CONSUMER-ID -appc.sdc.provider.url=http://localhost:8181/restconf/operations/AsdcMessage:configuration-document-request - -# Properties used by EventSenderDmaapImpl.java -DCAE.dmaap.event.topic.write=EventSenderTest -DCAE.dmaap.event.username=test -DCAE.dmaap.event.password=test -DCAE.dmaap.event.poolMembers=message-router.{{.Release.Namespace}}:3904 - -#OAM Listener -appc.OAM.disabled=true -appc.OAM.provider.url=http://localhost:8181/restconf/operations/appc-oam -appc.OAM.poolMembers=message-router.{{.Release.Namespace}}:3904 -appc.OAM.service=ueb -appc.OAM.topic.read=testOAM -appc.OAM.topic.write=testOAM -appc.OAM.client.name=testOAM -appc.OAM.provider.user={{.Values.config.odlUser}} -appc.OAM.provider.pass={{.Values.config.odlPassword}} - -appc.asdc.env={{.Values.config.dmaapTopicEnv}} - -#Properties for communication between appc dmaap microservice and appc -appc.srvcomm.messaging.username={{.Values.config.dmaapServiceUser}} -appc.srvcomm.messaging.password={{.Values.config.dmaapServicePassword}} -appc.srvcomm.messaging.url={{.Values.config.dmaapServiceUrl}} diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/bath_config.csv b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/bath_config.csv deleted file mode 100644 index 24a3dff7e2..0000000000 
--- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/bath_config.csv +++ /dev/null @@ -1,8 +0,0 @@ -# APPC HELM CHART APPC_RESTCONF_UI -> appc@appc.onap.org -Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==,Basic YXBwY0BhcHBjLm9uYXAub3JnOmRlbW8xMjM0NTYh,2050-03-03 -# jolokiaall = demo@people.osaaf.org -Basic am9sb2tpYWFsbDpqb2xva2lhYWxs,Basic ZGVtb0BwZW9wbGUub3NhYWYub3JnOmRlbW8xMjM0NTYh,2050-03-03 -# restall = aaf_admin@people.osaaf.org -Basic cmVzdGFsbDpyZXN0YWxs,Basic YWFmX2FkbWluQHBlb3BsZS5vc2FhZi5vcmc6ZGVtbzEyMzQ1NiE=,2050-03-03 -# odlro = mmmanger@people.osaaf.org -Basic b2Rscm86b2Rscm8=,Basic bW1tYW5nZXJAcGVvcGxlLm9zYWFmLm9yZzpkZW1vMTIzNDU2IQ==,2050-03-03 diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/cadi.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/cadi.properties deleted file mode 100644 index 0592f8b06f..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/cadi.properties +++ /dev/null 
@@ -1,60 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -#hostname=localhost -*/}} - -cadi_loglevel=DEBUG -cadi_bath_convert=/opt/onap/appc/data/properties/bath_config.csv - -############################################################ -# Properties Generated by AT&T Certificate Manager -# @copyright 2016, AT&T -############################################################ -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US -cadi_keyfile=/opt/onap/appc/data/stores/org.onap.appc.keyfile -cadi_keystore=/opt/onap/appc/data/stores/org.onap.appc.p12 -cadi_keystore_password=enc:j5wAY4JjI6Gg8KbPRT3CK55kCaBZcrSq9XMe0vU2Hj3_TWfhln414p_og8-0u4EV -#cadi_key_password=enc: -cadi_alias=appc@appc.onap.org -cadi_truststore=/opt/onap/appc/data/stores/truststoreONAPall.jks -cadi_truststore_password=enc:9WJ6CRlrFmHiQrFlckhHybFXOwPW3tRetofp3AZ5nyt - -## -## org.osaaf.location.props -## -## Localized Machine Information -## -# Almeda California ? 
-cadi_latitude=37.78187 -cadi_longitude=-122.26147 - -# Locate URL (which AAF Env) -aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 - -# AAF URL -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 - -# AAF Environment Designation -aaf_env=DEV - -# OAuth2 Endpoints -aaf_oauth2_token_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.token:2.1/token -aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.introspect:2.1/introspect diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/dblib.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/dblib.properties deleted file mode 100644 index 3c19fb44e3..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/dblib.properties +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -# dblib.properrties -org.onap.ccsdk.sli.dbtype=jdbc - -org.onap.ccsdk.sli.jdbc.hosts=dbhost -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver -org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD} -org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01 -org.onap.ccsdk.sli.jdbc.connection.timeout=50 -org.onap.ccsdk.sli.jdbc.request.timeout=100 -org.onap.ccsdk.sli.jdbc.limit.init=10 -org.onap.ccsdk.sli.jdbc.limit.min=10 -org.onap.ccsdk.sli.jdbc.limit.max=20 -org.onap.dblib.connection.recovery=false 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/svclogic.properties deleted file mode 100644 index 95f672c2e2..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/data/properties/svclogic.properties +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -org.onap.ccsdk.sli.dbtype = dblib -#Note : the next 4 fields are only used if org.onap.ccsdk.sli.dbtype = jdbc -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD} - -org.xml.sax.driver=org.apache.xerces.parsers.SAXParser 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/bin/showActiveGraphs.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/bin/showActiveGraphs.sh deleted file mode 100755 index b6fb2d88a9..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/bin/showActiveGraphs.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh - -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# ECOMP is a trademark and service mark of AT&T Intellectual Property. -### -*/}} - -MYSQL_USER=${SDNC_DB_USER} -MYSQL_PWD=${SDNC_DB_PASSWD} -MYSQL_DB={{.Values.config.sdncdb.dbName}} -MYSQL_HOST=${MYSQL_HOST:-{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}} - -mysql --user=${MYSQL_USER} --password=${MYSQL_PWD} --host=${MYSQL_HOST} ${MYSQL_DB} <<-END -SELECT module, rpc, version, mode from SVC_LOGIC where active='Y'; -END 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/config/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/config/svclogic.properties deleted file mode 100644 index a6f7f50026..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/svclogic/config/svclogic.properties +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# ECOMP is a trademark and service mark of AT&T Intellectual Property. -### -*/}} - -org.onap.ccsdk.sli.dbtype = jdbc -org.onap.ccsdk.sli.jdbc.url = jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.database = {{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user = ${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password = ${SDNC_DB_PASSWD} 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh deleted file mode 100755 index 7257d186e6..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/bin/installSdncDb.sh +++ /dev/null 
@@ -1,49 +0,0 @@ -#!/bin/sh - -{{/* - -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -SDNC_HOME=${SDNC_HOME:-/opt/onap/ccsdk} -MYSQL_PASSWD=${MYSQL_ROOT_PASSWORD} - -SDNC_DB_USER=${SDNC_DB_USER} -SDNC_DB_PASSWD=${SDNC_DB_PASSWD} -SDNC_DB_DATABASE={{.Values.config.sdncdb.dbName}} - - -# Create tablespace and user account -mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql <<-END -CREATE DATABASE ${SDNC_DB_DATABASE}; -CREATE USER '${SDNC_DB_USER}'@'localhost' IDENTIFIED BY '${SDNC_DB_PASSWD}'; -CREATE USER '${SDNC_DB_USER}'@'%' IDENTIFIED BY '${SDNC_DB_PASSWD}'; -GRANT ALL PRIVILEGES ON ${SDNC_DB_DATABASE}.* TO '${SDNC_DB_USER}'@'localhost' WITH GRANT OPTION; -GRANT ALL PRIVILEGES ON ${SDNC_DB_DATABASE}.* TO '${SDNC_DB_USER}'@'%' WITH GRANT OPTION; -commit; -END - -if [ -f ${SDNC_HOME}/data/odlsli.dump ] -then -mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} ${SDNC_DB_DATABASE} < 
${SDNC_HOME}/data/odlsli.dump -fi diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/aaiclient.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/aaiclient.properties deleted file mode 100644 index fb56680a1d..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/aaiclient.properties +++ /dev/null 
@@ -1,251 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# APPC -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -# -# Configuration file for A&AI Client -# - -# -# Certificate keystore and truststore -# -org.onap.ccsdk.sli.adaptors.aai.ssl.trust=/opt/openecomp/appc/data/stores/truststore.openecomp.client.jks -org.onap.ccsdk.sli.adaptors.aai.ssl.trust.psswd=adminadmin -org.onap.ccsdk.sli.adaptors.aai.host.certificate.ignore=true - -org.onap.ccsdk.sli.adaptors.aai.client.name=AAI -org.onap.ccsdk.sli.adaptors.aai.client.psswd=AAI - -org.onap.ccsdk.sli.adaptors.aai.application=openECOMP -#connection.timeout=1000 -#read.timeout=2000 - -# -# Configuration file for A&AI Client -# -org.onap.ccsdk.sli.adaptors.aai.uri=https://aai.{{.Release.Namespace}}:8443 - - -# query -org.onap.ccsdk.sli.adaptors.aai.path.query=/aai/v11/search/sdn-zone-query -org.onap.ccsdk.sli.adaptors.aai.query.nodes=/aai/v11/search/nodes-query?search-node-type={node-type}&filter={entity-identifier}:EQUALS:{entity-name} 
-org.onap.ccsdk.sli.adaptors.aai.query.generic=/aai/v11/search/generic-query?key={identifier}:{value}&start-node-type={start-node-type}&include=complex&depth=3 - -# named query -org.onap.ccsdk.sli.adaptors.aai.query.named=/aai/search/named-query - - -#update -org.onap.ccsdk.sli.adaptors.aai.update=/aai/v11/actions/update - -# vce -org.onap.ccsdk.sli.adaptors.aai.path.vce =/aai/v11/network/vces/vce/ -org.onap.ccsdk.sli.adaptors.aai.path.vces=/aai/v11/network/vces/ - -# vpe -org.onap.ccsdk.sli.adaptors.aai.path.vpe =/aai/v11/network/vpes/vpe/ -org.onap.ccsdk.sli.adaptors.aai.path.vpes=/aai/v11/network/vpes/ - -# customer -org.onap.ccsdk.sli.adaptors.aai.path.customer=/aai/v11/business/customers/customer/{customer-id} - -# service subscription -org.onap.ccsdk.sli.adaptors.aai.path.service.subscription=/aai/v11/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type} - -# service instance -org.onap.ccsdk.sli.adaptors.aai.path.svcinst=/aai/v11/business/customers/customer/{customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances -org.onap.ccsdk.sli.adaptors.aai.path.svcinst.query=/aai/v11/search/generic-query?key=service-instance.service-instance-id:{svc-instance-id}&start-node-type=service-instance&include=service-instance -org.onap.ccsdk.sli.adaptors.aai.path.service.instance=/aai/v11/business/customers/customer/{global-customer-id}/service-subscriptions/service-subscription/{service-type}/service-instances/service-instance/{service-instance-id} - -# complex -org.onap.ccsdk.sli.adaptors.aai.path.complexes=/aai/v11/cloud-infrastructure/complexes -org.onap.ccsdk.sli.adaptors.aai.path.complex=/aai/v11/cloud-infrastructure/complexes/complex/{physical-location-id} - -# tenant -org.onap.ccsdk.sli.adaptors.aai.path.tenant=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id} 
-org.onap.ccsdk.sli.adaptors.aai.path.tenant.query=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant?tenant-name={tenant-name} - -# vservers -org.onap.ccsdk.sli.adaptors.aai.path.vservers=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/ -org.onap.ccsdk.sli.adaptors.aai.path.vserver=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id} - -# vpls-pe -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pes=/aai/v11/network/vpls-pes/ -org.onap.ccsdk.sli.adaptors.aai.path.vpls.pe =/aai/v11/network/vpls-pes/vpls-pe/ - -# ctag-pool -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pools=/aai/v11/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools -org.onap.ccsdk.sli.adaptors.aai.path.ctag.pool=/aai/v11/cloud-infrastructure/complexes/complex/{physical-location-id}/ctag-pools/ctag-pool/{target-pe}/{availability-zone-name} - -# -#-------------- 1510 ---------------------- -# - -# pservers -org.onap.ccsdk.sli.adaptors.aai.path.pservers=/aai/v11/cloud-infrastructure/pservers -org.onap.ccsdk.sli.adaptors.aai.path.pserver=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname} - -# generic-vnf -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnfs=/aai/v11/network/generic-vnfs -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id} - -# dvs-switch -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitches=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches -org.onap.ccsdk.sli.adaptors.aai.path.dvsswitch=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/dvs-switches/dvs-switch/{switch-name} - -# L3 Networks -org.onap.ccsdk.sli.adaptors.aai.path.l3networks=/aai/v11/network/l3-networks 
-org.onap.ccsdk.sli.adaptors.aai.path.l3network=/aai/v11/network/l3-networks/l3-network/{network-id} -org.onap.ccsdk.sli.adaptors.aai.path.l3network.query.name=/aai/v11/network/l3-networks/l3-network?network-name={network-name} - -# P-Interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterfaces=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces -org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterface=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{interface-name} - -# Physical Link -org.onap.ccsdk.sli.adaptors.aai.path.physical.links=/aai/v11/network/physical-links -org.onap.ccsdk.sli.adaptors.aai.path.physical.link=/aai/v11/network/physical-links/physical-link/{link-name} - -# VPN Bindings -org.onap.ccsdk.sli.adaptors.aai.path.vpn.bindings=/aai/v11/network/vpn-bindings/ -org.onap.ccsdk.sli.adaptors.aai.path.vpn.binding=/aai/v11/network/vpn-bindings/vpn-binding/{vpn-id} - -# VNF IMAGES -org.onap.ccsdk.sli.adaptors.aai.path.vnf.images=/aai/v11/service-design-and-creation/vnf-images -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image=/aai/v11/service-design-and-creation/vnf-images/vnf-image/{att-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.vnf.image.query=/aai/v11/service-design-and-creation/vnf-images/vnf-image?application={application_model}&application-vendor={application_vendor} - -# UBB Notify -org.onap.ccsdk.sli.adaptors.aai.path.notify=/aai/v11/actions/notify -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.fqdn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3SDN-API:services/layer3-service-list/{service-instance-id} -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.avpn=https://aai.{{.Release.Namespace}}:8443/restconf/config/L3AVPN-EVC-API:services/service-list/{service-instance-id}/service-data/avpn-logicalchannel-information - -# Service -org.onap.ccsdk.sli.adaptors.aai.path.service=/aai/v11/service-design-and-creation/services/service/{service-id} 
-org.onap.ccsdk.sli.adaptors.aai.path.services=/aai/v11/service-design-and-creation/services - - -# -#-------------- 1604 ---------------------- -# - -# VNFC -org.onap.ccsdk.sli.adaptors.aai.path.vnfc=/aai/v11/network/vnfcs/vnfc/{vnfc-name} - -# class-of-service -org.onap.ccsdk.sli.adaptors.aai.path.class.of.service=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id}/classes-of-service/class-of-service/{cos-id} - -# site-pair -org.onap.ccsdk.sli.adaptors.aai.path.site.pair=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id}/site-pairs/site-pair/{site-pair-id} - -# routing-instance -org.onap.ccsdk.sli.adaptors.aai.path.routing.instance=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id}/routing-instances/routing-instance/{routing-instance-id} - -# site-pair-set -org.onap.ccsdk.sli.adaptors.aai.path.site.pair.set=/aai/v11/network/site-pair-sets/site-pair-set/{site-pair-set-id} - -# license key resource -org.onap.ccsdk.sli.adaptors.aai.path.license.acquire=/aai/v11/actions/assignment/license-management/assignment-group-uuid/{assignment-group-uuid} -org.onap.ccsdk.sli.adaptors.aai.path.license=/aai/v11/license-management/license-key-resources/license-key-resource/{att-uuid} - -# logical-link -org.onap.ccsdk.sli.adaptors.aai.path.logical.link =/aai/v11/network/logical-links/logical-link/{link-name} - -# virtual-data-center -org.onap.ccsdk.sli.adaptors.aai.path.virtual.data.center=/aai/v11/cloud-infrastructure/virtual-data-centers/virtual-data-center/{vdc-id} - -# wan-connector -org.onap.ccsdk.sli.adaptors.aai.path.wan.connector=/aai/v11/business/connectors/connector/{resource-instance-id} - -# l-interface 
-org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface=/aai/v11/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# l-interface pnf -org.onap.ccsdk.sli.adaptors.aai.path.lag.interface.l.interface.pnf=/aai/v11/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.p.interface.l.interface.pnf=/aai/v11/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# subinterface -org.onap.ccsdk.sli.adaptors.aai.path.pnf.lag.interface.subinterface=/aai/v11/network/pnfs/pnf/{pnf-name}/lag-interfaces/lag-interface/{lag-interface.interface-name}/l-interfaces/l-interface/{interface-name} -org.onap.ccsdk.sli.adaptors.aai.path.pnf.p.interface.l.interface=/aai/v11/network/pnfs/pnf/{pnf-name}/p-interfaces/p-interface/{p-interface.interface-name}/l-interfaces/l-interface/{interface-name} - -# vlans -org.onap.ccsdk.sli.adaptors.aai.path.vlan=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/tenants/tenant/{tenant-id}/vservers/vserver/{vserver-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.vlan=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface} - -# l3-interface-ipv4-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} 
-org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# l3-interface-ipv6-address-list -org.onap.ccsdk.sli.adaptors.aai.path.l3.interface.ipv6.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} -org.onap.ccsdk.sli.adaptors.aai.path.vlan.l3.interface.ipv6.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# ipsec-configuration -org.onap.ccsdk.sli.adaptors.aai.path.ipsec.configuration=/aai/v11/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id} - -# vig server -org.onap.ccsdk.sli.adaptors.aai.path.vig.server=/aai/v11/network/ipsec-configurations/ipsec-configuration/{ipsec-configuration-id}/vig-servers/vig-server/{vig-address-type} - -# l3-network -org.onap.ccsdk.sli.adaptors.aai.path.l3.network=/aai/v11/network/l3-networks/l3-network/{network-id} - -# subnet -org.onap.ccsdk.sli.adaptors.aai.path.subnet=/aai/v11/network/l3-networks/l3-network/{network-id}/subnets/subnet/{subnet-id} - -# multicast-configuration -org.onap.ccsdk.sli.adaptors.aai.path.multicast.configuration=/aai/v11/network/multicast-configurations/multicast-configuration/{multicast-configuration-id} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv4.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.vlan.ipv4.address.list 
-org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.vlan.ipv4.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/vlans/vlan/{vlan-interface}/l3-interface-ipv4-address-list/{l3-interface-ipv4-address} - -# org.onap.ccsdk.sli.adaptors.aai.path.l.interface.ipv6.address.list -org.onap.ccsdk.sli.adaptors.aai.path.l3-interface.ipv6.address.list=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name}/l3-interface-ipv6-address-list/{l3-interface-ipv6-address} - -# volume.group -org.onap.ccsdk.sli.adaptors.aai.path.volume.group=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id}/volume-groups/volume-group/{volume-group-id} - -#cloud region -org.onap.ccsdk.sli.adaptors.aai.path.cloud.region=/aai/v11/cloud-infrastructure/cloud-regions/cloud-region/{cloud-owner}/{cloud-region-id} - -# vf-module -org.onap.ccsdk.sli.adaptors.aai.path.vf.module=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/vf-modules/vf-module/{vf-module-id} - -# l-interface through generic-vnf -org.onap.ccsdk.sli.adaptors.aai.path.generic.vnf.linterface=/aai/v11/network/generic-vnfs/generic-vnf/{vnf-id}/l-interfaces/l-interface/{interface-name} - -# network-policy -org.onap.ccsdk.sli.adaptors.aai.path.network.policy=/aai/v11/network/network-policies/network-policy/{network-policy-id} - -# pnf -org.onap.ccsdk.sli.adaptors.aai.path.pnf=/aai/v11/network/pnfs/pnf/{pnf-name} - -# -# Formatting -# -org.onap.ccsdk.sli.adaptors.aai.param.format=filter=%s:%s -org.onap.ccsdk.sli.adaptors.aai.param.vnf_type=vnf-type -org.onap.ccsdk.sli.adaptors.aai.param.physical.location.id=physical-location-id -org.onap.ccsdk.sli.adaptors.aai.param.service.type=service-type 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/dblib.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/dblib.properties deleted file mode 100644 index a46920f001..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/dblib.properties +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -# dblib.properrties -org.onap.ccsdk.sli.dbtype=jdbc - -org.onap.ccsdk.sli.jdbc.hosts=dbhost -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.driver=org.mariadb.jdbc.Driver -org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD} -org.onap.ccsdk.sli.jdbc.connection.name=sdnctldb01 -org.onap.ccsdk.sli.jdbc.connection.timeout=50 -org.onap.ccsdk.sli.jdbc.request.timeout=100 -org.onap.ccsdk.sli.jdbc.limit.init=10 -org.onap.ccsdk.sli.jdbc.limit.min=10 -org.onap.ccsdk.sli.jdbc.limit.max=20 -org.onap.dblib.connection.recovery=false 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/svclogic.properties deleted file mode 100644 index a0df862636..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/data/properties/svclogic.properties +++ /dev/null @@ -1,32 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -org.onap.ccsdk.sli.dbtype = dblib -#Note : the next 4 fields are only used if org.onap.ccsdk.sli.dbtype = jdbc -org.onap.ccsdk.sli.jdbc.url=jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.database={{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user=${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password=${SDNC_DB_PASSWD} - -org.xml.sax.driver=org.apache.xerces.parsers.SAXParser 
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh deleted file mode 100755 index d0e6c3ee71..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/bin/sh - -{{/* -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -MYSQL_USER=${SDNC_DB_USER} -MYSQL_PWD=${SDNC_DB_PASSWD} -MYSQL_DB={{.Values.config.sdncdb.dbName}} -MYSQL_HOST=${MYSQL_HOST:-{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}} - -mysql --user=${MYSQL_USER} --password=${MYSQL_PWD} --host=${MYSQL_HOST} ${MYSQL_DB} <<-END -SELECT module, rpc, version, mode from SVC_LOGIC where active='Y'; -END 
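Review bot: the removed showActiveGraphs.sh hands the database password to the client as an argument (`mysql --user=${MYSQL_USER} --password=${MYSQL_PWD} --host=${MYSQL_HOST} ${MYSQL_DB}`), which the MySQL documentation treats as insecure because the argument can be read from the process list, and none of the expansions are quoted. There is nothing to fix in a deletion, but the "openECOMP : SDN-C" licence header indicates the script was not written for this chart; if a copy of it survives elsewhere in the tree, that copy should supply the password through an exported MYSQL_PWD or a client option file and quote its variables.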
diff --git a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/config/svclogic.properties b/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/config/svclogic.properties deleted file mode 100644 index 5be5b8ddab..0000000000 --- a/kubernetes/appc/resources/config/appc/opt/onap/ccsdk/svclogic/config/svclogic.properties +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -### -# ============LICENSE_START======================================================= -# openECOMP : SDN-C -# ================================================================================ -# Copyright (C) 2017 AT&T Intellectual Property. All rights -# reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -### -*/}} - -org.onap.ccsdk.sli.dbtype = jdbc -org.onap.ccsdk.sli.jdbc.url = jdbc:mysql://{{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}}:3306/{{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.database = {{.Values.config.sdncdb.dbName}} -org.onap.ccsdk.sli.jdbc.user = ${SDNC_DB_USER} -org.onap.ccsdk.sli.jdbc.password = ${SDNC_DB_PASSWD} diff --git a/kubernetes/appc/resources/config/certs/org.onap.appc.keyfile b/kubernetes/appc/resources/config/certs/org.onap.appc.keyfile deleted file mode 100644 index b7dd5ff9e7..0000000000 
--- a/kubernetes/appc/resources/config/certs/org.onap.appc.keyfile +++ /dev/null 
@@ -1,27 +0,0 @@ -EVYIj42lKzRyMicebf8OOUa9CVwvaKie3N7fTGeDT-GjiR6M6AHQCwBD9Bj95VxgVWOyXGAYy7eT -SSfnkVBgcdZWXlRL7HSUocs52DneRTGYcYGIBGz24O6EpmeZQyWluCKBcVCALKClPzqBNsHa2W06 -XwAccZzYPkDV-taGqF5kP10RiYvKe5YoZEQYBfauS3lDqf47AP-Dh1wLUIpvTSAUfBgDW9FBx9Ay -8Wy2geTuAXcPduBtTGIj3law-5ePDFRqwVVkXmSaEmEn34NvJ4z6Ww7VHqzqBxKAvLErV-KCEHEa -L3L1CCqNCXjUUa_D8CReDA-LPAG_v0yrjQxrdqzcYJ76Q0uIlNmEi_85AlAUXx6KGC03TqaGqICW -nNs4ouxM6U4ekiDi9qbFh7RlTEXw6bHhJPCq-G5ID-crWDHSarQ3IUR5qOmgIFIxpkPksBSGmUI4 -OIScgb2TtqG94EAZ3qu3PmzVlJrxbHYHVFlNLEecu7tGtiQJTLUHpJ0Z8O2GOc8bBz6o6NBT72Pv -i068VkLyUyrSNnVo9rNVFWAc3HREFi85KszBdk58kPTr2AQFH9iK2hmrXTdnPMjhmQgRh4xiAn4J -v5Gsb4DL2si3ZjD2E36Fy5XlPhyFFc8gdB6-v-Et1XJTU6mwV5DgKgg5o3WdHTuHZjYgWmcATZiQ -yLOQ6ZdjTF_004yOSkUzHbArOEmS6LIPTuLibvN6CY1Q0u_ucl5iaIbcwo_sVFisnVXQBHYXblBm -MgZZFg0n5ugL-bdUSdJtU7yIU5t79n0aMxnN84QhuREMSvCUioCrBD5c5H22iqbY7UCPO9Yy7lM- -aPVDRPwHAKEVjYqf4Z4k0Jthn7wqWS2iAKVOEi4R1oniAuuIcM9xoha0-LdRe8hWTV-qXDbtCVDz -h6Rw3dqtS5mCGBMC0TCrLJzG5n3Ed_4kGl5Emb3SXHWNqI_BuIalU4uot7seCv464E3QWQgAkv8w -wTk_IEWIFZhKJIcy5Brsw7Fz-XWQWkExEU3xKButC9hFXpdszF0y8CYUI6EPt2mPqaxB6zu3s4Bv -bKrVxFPX97mOeD8TpmxElmF0vpdhJ9Ee8clvBrGtLl1UIP6B80PrAPEZMLNhLV8S-ZJMKL5PTZh0 -_HNpj1EfiXnBz02cbes5Fuq9M8Dk7f16tP8prYzJ1JbnLTNHHcW4Z1quKrN8RIoYw3qzlXuYRm6Y -8rbuPlZ1wTllIxf00omnonJw8Fx9XzArv_UvqTvAYrv22YliUSl-lcFi8cOK58bmM5rBmkWoFObK -DsCMicfyPWhKf3DEwg1Y0j0qKppFqtKcSxnIbQ-VPRCrRv2yTjauEW6iNlq3RQKSJqFjUVmSUn2w -7tYQzeNv0tYgfRtHgSy_CA9q_ANJFFlxDtqtrFTsgrEH4jOlLs2_UN96RNUhVqSu95X5hEukI574 -kQBUMc5gGQvQ2_Xug15O_-cFfhtalI7NBZkGNNPY5K8h7xYZp2aAl-pNPwKHAmrOWAvFwy64A1NT -_RrZxrtVkj-k3f8Mv_p56yChUpujZ_ZDwLgYKWraqDxyEctpXyMMgjOYRy2CZ6oZfuAygrN5Gw4k -zMKBDkz_5LO_rYU2RUa2NRDLlh2Y47Gxt90IEw_i8y7nxn7K6y3nApI11tfsiiotYq8DLk6jYh07 -mJg-D8lb0q9JRYmnJcNkIQNVJ06bmJnaJQZ7GXUz9MF8_zuTdm4D8m_Ly2Ai4KFq_lw5CBVrLM5k -pfJveSw_6_uF5pda_EZoR4bBoWdrFvLNwob3lsdgiIYGTafQx2SFfQiiEB_CwpGuj4_Dv-TkUT2O -Ui2UWI9Gr-HxSITnvUR0UHStrDb5miXEr8E_Znwc4Db2juh30L57aEtl5N0TYwKI925qLNLHbFg0 
-FKEvIt-o7HmvPY6UqajwAtIAdKpxWpWD-hl-eNVNsT4mVzdegIrM2wzzKIcLOvCEEvyWei_E8mIp -nqYw9LoFrQf3dCh8XeamqYkbPE00E8p1zXPNRow5iz9NQ-BNksp1e-ghqF_xr3L4eh7BkEu2 \ No newline at end of file diff --git a/kubernetes/appc/resources/config/certs/org.onap.appc.p12 b/kubernetes/appc/resources/config/certs/org.onap.appc.p12 deleted file mode 100644 index 352c4f562a..0000000000 Binary files a/kubernetes/appc/resources/config/certs/org.onap.appc.p12 and /dev/null differ diff --git a/kubernetes/appc/resources/config/log/filebeat/filebeat.yml b/kubernetes/appc/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 98df709639..0000000000 --- a/kubernetes/appc/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
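Review bot: the deletion of kubernetes/appc/resources/config/certs/org.onap.appc.keyfile and org.onap.appc.p12 in the hunks just above takes the key material out of the working tree only; both files stay retrievable from the repository history, and the secrets.yaml removed further down loaded everything under `resources/config/certs/*` into a Kubernetes Secret via `.AsSecrets`. The change description should state whether this keyfile and keystore were ever used outside throwaway deployments and, if they were, that they have been rotated; any other chart that still carries a committed keyfile or .p12 deserves the same check.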
@@ -1,65 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - - # The below commented properties are for time-based rolling policy. But as the log4j 1.2x does not support time-based rolling these properties are not set - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - #ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - #clean_inactive: 96h - - #Multiline properties for log4j xml log events - multiline.pattern: '' - multiline.negate: true - multiline.match: before - #multiline.max_lines: 500 - #multiline.timeout: 5s - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/appc/resources/config/log/org.ops4j.pax.logging.cfg b/kubernetes/appc/resources/config/log/org.ops4j.pax.logging.cfg deleted file mode 100644 index b74cc995fd..0000000000 --- a/kubernetes/appc/resources/config/log/org.ops4j.pax.logging.cfg +++ /dev/null 
@@ -1,97 +0,0 @@ -{{/* -################################################################################ -# -# ============LICENSE_START======================================================= -# ONAP : APPC -# ================================================================================ -# Copyright (C) 2017-2018 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
-# ============LICENSE_END========================================================= -# -################################################################################ -*/}} - -# Common pattern layout for appenders -log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n - -# Root logger -log4j2.rootLogger.level = INFO -# uncomment to use asynchronous loggers, which require mvn:com.lmax/disruptor/3.3.2 library -#log4j2.rootLogger.type = asyncRoot -#log4j2.rootLogger.includeLocation = false -log4j2.rootLogger.appenderRef.RollingFile.ref = RollingFile -log4j2.rootLogger.appenderRef.PaxOsgi.ref = PaxOsgi -log4j2.rootLogger.appenderRef.Console.ref = Console -log4j2.rootLogger.appenderRef.Console.filter.threshold.type = ThresholdFilter -log4j2.rootLogger.appenderRef.Console.filter.threshold.level = ${karaf.log.console:-OFF} - -# Loggers configuration - -# Spifly logger -log4j2.logger.spifly.name = org.apache.aries.spifly -log4j2.logger.spifly.level = WARN - -# Security audit logger -log4j2.logger.audit.name = org.apache.karaf.jaas.modules.audit -log4j2.logger.audit.level = INFO -log4j2.logger.audit.additivity = false -log4j2.logger.audit.appenderRef.AuditRollingFile.ref = AuditRollingFile - -# Appenders configuration - -# Console appender not used by default (see log4j2.rootLogger.appenderRefs) -log4j2.appender.console.type = Console -log4j2.appender.console.name = Console -log4j2.appender.console.layout.type = PatternLayout -log4j2.appender.console.layout.pattern = ${log4j2.pattern} - -# Rolling file appender -log4j2.appender.rolling.type = RollingRandomAccessFile -log4j2.appender.rolling.name = RollingFile -log4j2.appender.rolling.fileName = ${karaf.data}/log/karaf.log -log4j2.appender.rolling.filePattern = ${karaf.data}/log/karaf.log.%i -# uncomment to not force a disk flush -#log4j2.appender.rolling.immediateFlush = false -log4j2.appender.rolling.append = true -log4j2.appender.rolling.layout.type = 
PatternLayout -log4j2.appender.rolling.layout.pattern = ${log4j2.pattern} -log4j2.appender.rolling.policies.type = Policies -log4j2.appender.rolling.policies.size.type = SizeBasedTriggeringPolicy -log4j2.appender.rolling.policies.size.size = 16MB - -# Audit file appender -log4j2.appender.audit.type = RollingRandomAccessFile -log4j2.appender.audit.name = AuditRollingFile -log4j2.appender.audit.fileName = ${karaf.data}/security/audit.log -log4j2.appender.audit.filePattern = ${karaf.data}/security/audit.log.%i -log4j2.appender.audit.append = true -log4j2.appender.audit.layout.type = PatternLayout -log4j2.appender.audit.layout.pattern = ${log4j2.pattern} -log4j2.appender.audit.policies.type = Policies -log4j2.appender.audit.policies.size.type = SizeBasedTriggeringPolicy -log4j2.appender.audit.policies.size.size = 8MB - -# OSGi appender -log4j2.appender.osgi.type = PaxOsgi -log4j2.appender.osgi.name = PaxOsgi -log4j2.appender.osgi.filter = * - -# help with identification of maven-related problems with pax-url-aether -#log4j2.logger.aether.name = shaded.org.eclipse.aether -#log4j2.logger.aether.level = TRACE -#log4j2.logger.http-headers.name = shaded.org.apache.http.headers -#log4j2.logger.http-headers.level = DEBUG -#log4j2.logger.maven.name = org.ops4j.pax.url.mvn -#log4j2.logger.maven.level = TRACE - diff --git a/kubernetes/appc/templates/NOTES.txt b/kubernetes/appc/templates/NOTES.txt deleted file mode 100644 index 455b030b0a..0000000000 --- a/kubernetes/appc/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/appc/templates/configmap.yaml b/kubernetes/appc/templates/configmap.yaml deleted file mode 100644 index 6ebf0b1026..0000000000 --- a/kubernetes/appc/templates/configmap.yaml +++ /dev/null 
@@ -1,134 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-sdnc-bin - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/bin/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-sdnc-data-properties - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/data/properties/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-bin - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/svclogic/bin/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/ccsdk/svclogic/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-appc-bin - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/bin/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-appc-data-properties - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/data/properties/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-appc-svclogic-bin - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/svclogic/bin/*").AsConfig . 
| indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onap-appc-svclogic-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/appc/opt/onap/appc/svclogic/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-logging-cfg - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/log/*").AsConfig . | indent 2 }} - -{{ include "common.log.configMap" . }} diff --git a/kubernetes/appc/templates/pv.yaml b/kubernetes/appc/templates/pv.yaml deleted file mode 100644 index 0df2dbf378..0000000000 --- a/kubernetes/appc/templates/pv.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -{{- range $i, $t := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{$i}} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - storageClassName: "{{ include "common.fullname" $global }}-data" - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
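Review bot: missing upgrade documentation for the data behind these volumes. The removed pv.yaml created one hostPath PersistentVolume per replica, at `{{ ...persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}{{$i}}`, with the reclaim policy taken from `persistence.volumeReclaimPolicy`. What happens to the contents of those node directories once the chart is gone depends on that policy, so the commit message or release notes should say what operators of an existing deployment need to clean up by hand.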
diff --git a/kubernetes/appc/templates/secrets.yaml b/kubernetes/appc/templates/secrets.yaml deleted file mode 100644 index 3cccd128eb..0000000000 --- a/kubernetes/appc/templates/secrets.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-certs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/certs/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/appc/templates/service.yaml b/kubernetes/appc/templates/service.yaml deleted file mode 100644 index eb95ffc405..0000000000 --- a/kubernetes/appc/templates/service.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "appc", - "version": "v1", - "url": "/", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange":"1", - "path": "/" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: "{{ .Values.service.portName }}-8443" - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: "{{ .Values.service.portName }}-1830" - - port: {{ .Values.service.externalPort3 }} - targetPort: {{ .Values.service.internalPort3 }} - nodePort: {{ .Values.global.nodePortPrefix | default 
.Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} - name: "{{ .Values.service.portName }}-9090" - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}-8443 - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName }}-1830 - - port: {{ .Values.service.externalPort3 }} - targetPort: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName }}-9090 - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-cluster - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - ports: - - name: "{{ .Values.service.portName }}-cluster-port" - port: {{ .Values.service.clusterPort }} - clusterIP: None - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - sessionAffinity: None - type: ClusterIP diff --git a/kubernetes/appc/templates/statefulset.yaml b/kubernetes/appc/templates/statefulset.yaml deleted file mode 100644 index d67e1687ba..0000000000 --- a/kubernetes/appc/templates/statefulset.yaml +++ /dev/null 
@@ -1,292 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: "{{ .Values.service.name }}-cluster" - replicas: {{ .Values.replicaCount }} - podManagementPolicy: Parallel - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; chmod 0755 /config/${PFILE}; done" - env: - - name: APPC_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "login") | indent 10 }} - - name: APPC_DB_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "password") | indent 10 }} - - name: SDNC_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "sdncdb-user-creds" "key" "login") | indent 10 }} - - name: SDNC_DB_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdncdb-user-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input/appc-data-properties - name: onap-appc-data-properties-input - - mountPath: /config-input/appc-svclogic-config - name: onap-appc-svclogic-config-input - - mountPath: /config-input/sdnc-data-properties - name: onap-sdnc-data-properties-input - - mountPath: /config-input/sdnc-svclogic-config - name: onap-sdnc-svclogic-config-input - - mountPath: /config/appc-data-properties - name: onap-appc-data-properties - - mountPath: /config/appc-svclogic-config - name: onap-appc-svclogic-config - - mountPath: /config/sdnc-data-properties - name: onap-sdnc-data-properties - - mountPath: /config/sdnc-svclogic-config - name: onap-sdnc-svclogic-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - {{.Values.config.mariadbGaleraContName}} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - name: {{ include "common.name" . }}-chown - image: {{ include "repositoryGenerator.image.busybox" . }} - command: ["sh", "-c", "chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }}"] - volumeMounts: - - mountPath: {{ .Values.persistence.mdsalPath }} - name: {{ include "common.fullname" . }}-data - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /opt/appc/bin/startODL.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.externalPort2 }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MYSQL_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}} - - name: APPC_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "login") | indent 14 }} - - name: APPC_DB_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "appcdb-user-creds" "key" "password") | indent 14 }} - - name: SDNC_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdncdb-user-creds" "key" "login") | indent 14 }} - - name: SDNC_DB_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "sdncdb-user-creds" "key" "password") | indent 14 }} - - name: SDNC_CONFIG_DIR - value: "{{ .Values.config.configDir }}" - - name: APPC_CONFIG_DIR - value: "{{ .Values.config.configDir }}" - - name: DMAAP_TOPIC_ENV - value: "{{ .Values.config.dmaapTopic }}" - - name: ENABLE_AAF - value: "{{ .Values.config.enableAAF }}" - - name: ENABLE_ODL_CLUSTER - value: "{{ .Values.config.enableClustering }}" - - name: APPC_REPLICAS - value: "{{ .Values.replicaCount }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/onap/appc/data/properties/dblib.properties - name: onap-appc-data-properties - subPath: dblib.properties - - mountPath: /opt/onap/appc/data/properties/svclogic.properties - name: onap-appc-data-properties - subPath: svclogic.properties - - mountPath: /opt/onap/appc/data/properties/appc.properties - name: onap-appc-data-properties - subPath: appc.properties - - mountPath: /opt/onap/appc/data/properties/aaiclient.properties - name: onap-appc-data-properties - subPath: aaiclient.properties - - mountPath: /opt/onap/appc/data/properties/cadi.properties - name: onap-appc-data-properties - subPath: cadi.properties - - mountPath: /opt/onap/appc/data/properties/aaa-app-config.xml - name: onap-appc-data-properties-input - subPath: aaa-app-config.xml - - mountPath: /opt/onap/appc/data/properties/bath_config.csv - name: onap-appc-data-properties - subPath: bath_config.csv - - mountPath: /opt/onap/appc/svclogic/config/svclogic.properties - name: onap-appc-svclogic-config - subPath: svclogic.properties - - mountPath: /opt/onap/appc/svclogic/bin/showActiveGraphs.sh - name: onap-appc-svclogic-bin - subPath: showActiveGraphs.sh - - mountPath: /opt/onap/appc/bin/startODL.sh - name: onap-appc-bin - subPath: startODL.sh - - mountPath: /opt/onap/appc/bin/installAppcDb.sh - name: onap-appc-bin - subPath: installAppcDb.sh - - mountPath: /opt/onap/appc/bin/health_check.sh - name: onap-appc-bin - subPath: health_check.sh - - 
mountPath: /opt/onap/ccsdk/data/properties/dblib.properties - name: onap-sdnc-data-properties - subPath: dblib.properties - - mountPath: /opt/onap/ccsdk/data/properties/svclogic.properties - name: onap-sdnc-data-properties - subPath: svclogic.properties - - mountPath: /opt/onap/ccsdk/data/properties/aaiclient.properties - name: onap-sdnc-data-properties - subPath: aaiclient.properties - - mountPath: /opt/onap/ccsdk/svclogic/config/svclogic.properties - name: onap-sdnc-svclogic-config - subPath: svclogic.properties - - mountPath: /opt/onap/ccsdk/svclogic/bin/showActiveGraphs.sh - name: onap-sdnc-svclogic-bin - subPath: showActiveGraphs.sh - - mountPath: /opt/onap/ccsdk/bin/installSdncDb.sh - name: onap-sdnc-bin - subPath: installSdncDb.sh - - mountPath: {{ .Values.persistence.mdsalPath }} - name: {{ include "common.fullname" . }}-data - - mountPath: {{ .Values.log.path }} - name: logs - - mountPath: /opt/onap/appc/data/org.ops4j.pax.logging.cfg - name: log-config - subPath: org.ops4j.pax.logging.cfg - - mountPath: /opt/onap/appc/data/stores/org.onap.appc.p12 - name: p12-certs - subPath: org.onap.appc.p12 - - mountPath: /opt/onap/appc/data/stores/org.onap.appc.keyfile - name: keyfile-certs - subPath: org.onap.appc.keyfile - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: - - name: keyfile-certs - secret: - secretName: {{ include "common.fullname" . }}-certs - - name: p12-certs - secret: - secretName: {{ include "common.fullname" . }}-certs - - name: localtime - hostPath: - path: /etc/localtime - - name: log-config - configMap: - name: {{ include "common.fullname" . }}-logging-cfg - - name: logs - emptyDir: {} - {{ include "common.log.volumes" . 
| nindent 8 }} - - name: onap-appc-data-properties-input - configMap: - name: {{ include "common.fullname" . }}-onap-appc-data-properties - - name: onap-appc-svclogic-config-input - configMap: - name: {{ include "common.fullname" . }}-onap-appc-svclogic-config - - name: onap-appc-svclogic-bin - configMap: - name: {{ include "common.fullname" . }}-onap-appc-svclogic-bin - defaultMode: 0755 - - name: onap-appc-bin - configMap: - name: {{ include "common.fullname" . }}-onap-appc-bin - defaultMode: 0755 - - name: onap-sdnc-data-properties-input - configMap: - name: {{ include "common.fullname" . }}-onap-sdnc-data-properties - - name: onap-sdnc-svclogic-config-input - configMap: - name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-config - - name: onap-sdnc-svclogic-bin - configMap: - name: {{ include "common.fullname" . }}-onap-sdnc-svclogic-bin - defaultMode: 0755 - - name: onap-sdnc-bin - configMap: - name: {{ include "common.fullname" . }}-onap-sdnc-bin - defaultMode: 0755 - - name: onap-appc-data-properties - emptyDir: - medium: Memory - - name: onap-appc-svclogic-config - emptyDir: - medium: Memory - - name: onap-sdnc-data-properties - emptyDir: - medium: Memory - - name: onap-sdnc-svclogic-config - emptyDir: - medium: Memory -{{ if not .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-data - emptyDir: {} -{{ else }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{ end }} diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml deleted file mode 100644 index d224030db3..0000000000 
--- a/kubernetes/appc/values.yaml +++ /dev/null 
@@ -1,371 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - centralizedLoggingEnabled: false - persistence: - mountPath: /dockerdata-nfs - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: "db-root-pass" - name: '{{ include "common.release" . }}-appc-db-root-pass' - externalSecret: '{{ .Values.config.dbRootPassExternalSecret }}' - type: password - password: '{{ .Values.config.dbRootPass }}' - - uid: 'appcdb-user-creds' - name: '{{ include "common.release" . }}-appcdb-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.appcdb.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.appcdb.userName }}' - password: '{{ .Values.config.appcdb.password }}' - - uid: 'sdncdb-user-creds' - name: '{{ include "common.release" . }}-sdncdb-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.sdncdb.userCredentialsExternalSecret) . 
}}' - login: '{{ .Values.config.sdncdb.userName }}' - password: '{{ .Values.config.sdncdb.password }}' - - -################################################################# -# Application configuration defaults. -################################################################# -flavor: small -# application image -image: onap/appc-image:1.7.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# log configuration -log: - path: /var/log/onap - -# application configuration -config: -# dbRootPassExternalSecret: some secret -# dbRootPass: password - appcdb: - # Warning: changing this config option may not work. - # It seems that the DB name is hardcoded. - dbName: appcctl - userName: appcctl - # password: appcctl - # userCredsExternalSecret: some secret - sdncdb: - # Warning: changing this config option may not work. - # It seems that the DB name is hardcoded. - dbName: sdnctl - userName: sdnctl - # password: gamma - # userCredsExternalSecret: some secret - odlUid: 100 - odlGid: 101 - ansibleServiceName: appc-ansible-server - ansiblePort: 8000 - mariadbGaleraSVCName: &appc-db appc-db - mariadbGaleraContName: *appc-db - enableAAF: true - enableClustering: false - configDir: /opt/onap/appc/data/properties - dmaapTopic: SUCCESS - dmaapTopicEnv: AUTO - logstashServiceName: log-ls - logstashPort: 5044 - odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - openStackType: OpenStackProvider - openStackName: OpenStack - openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html - openStackServiceTenantName: default - openStackDomain: default - openStackUserName: admin - openStackEncryptedPassword: enc:LDEbHEAvTF1R - odlUser: admin - dmaapServiceUrl: http://localhost:8080/publish - dmaapServiceUser: appc - dmaapServicePassword: onapappc - -appc-ansible-server: - enabled: true - service: - name: appc-ansible-server - internalPort: 8000 - config: - mysqlServiceName: *appc-db - -appc-cdt: - enabled: true - 
-mariadb-galera: - nameOverride: *appc-db - rootUser: - externalSecret: '{{ include "common.release" . }}-appc-db-root-pass' - service: - name: *appc-db - nfsprovisionerPrefix: appc - sdnctlPrefix: appc - persistence: - mountSubPath: appc/data - enabled: true - disableNfsProvisioner: true - serviceAccount: - nameOverride: *appc-db - replicaCount: 1 - - mariadbConfiguration: |- - [client] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - plugin_dir=/opt/bitnami/mariadb/plugin - - [mysqld] - lower_case_table_names = 1 - default_storage_engine=InnoDB - basedir=/opt/bitnami/mariadb - datadir=/bitnami/mariadb/data - plugin_dir=/opt/bitnami/mariadb/plugin - tmpdir=/opt/bitnami/mariadb/tmp - socket=/opt/bitnami/mariadb/tmp/mysql.sock - pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid - bind_address=0.0.0.0 - - ## Character set - collation_server=utf8_unicode_ci - init_connect='SET NAMES utf8' - character_set_server=utf8 - - ## MyISAM - key_buffer_size=32M - myisam_recover_options=FORCE,BACKUP - - ## Safety - skip_host_cache - skip_name_resolve - max_allowed_packet=16M - max_connect_errors=1000000 - sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE - sysdate_is_now=1 - - ## Binary Logging - log_bin=mysql-bin - expire_logs_days=14 - # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql - sync_binlog=0 - # Required for Galera - binlog_format=row - - ## Caches and Limits - tmp_table_size=32M - max_heap_table_size=32M - # Re-enabling as now works with Maria 10.1.2 - query_cache_type=1 - query_cache_limit=4M - query_cache_size=256M - max_connections=500 - thread_cache_size=50 - open_files_limit=65535 - table_definition_cache=4096 - table_open_cache=4096 - - ## InnoDB - innodb=FORCE - innodb_strict_mode=1 - # Mandatory per https://github.com/codership/documentation/issues/25 - innodb_autoinc_lock_mode=2 - # Per 
https://www.percona.com/blog/2006/08/04/innodb-double-write/ - innodb_doublewrite=1 - innodb_flush_method=O_DIRECT - innodb_log_files_in_group=2 - innodb_log_file_size=128M - innodb_flush_log_at_trx_commit=1 - innodb_file_per_table=1 - # 80% Memory is default reco. - # Need to re-evaluate when DB size grows - innodb_buffer_pool_size=2G - innodb_file_format=Barracuda - - ## Logging - log_error=/opt/bitnami/mariadb/logs/mysqld.log - slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log - log_queries_not_using_indexes=1 - slow_query_log=1 - - ## SSL - ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem - # ssl_ca=/certs/ca.pem - # ssl_cert=/certs/server-cert.pem - # ssl_key=/certs/server-key.pem - - [galera] - wsrep_on=ON - wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so - wsrep_sst_method=mariabackup - wsrep_slave_threads=4 - wsrep_cluster_address=gcomm:// - wsrep_cluster_name=galera - wsrep_sst_auth="root:" - # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit - innodb_flush_log_at_trx_commit=2 - # MYISAM REPLICATION SUPPORT # - wsrep_replicate_myisam=ON - binlog_format=row - default_storage_engine=InnoDB - innodb_autoinc_lock_mode=2 - transaction-isolation=READ-COMMITTED - wsrep_causal_reads=1 - wsrep_sync_wait=7 - - [mariadb] - plugin_load_add=auth_pam - - ## Data-at-Rest Encryption - ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem - # plugin_load_add=file_key_management - # file_key_management_filename=/encryption/keyfile.enc - # file_key_management_filekey=FILE:/encryption/keyfile.key - # file_key_management_encryption_algorithm=AES_CTR - # encrypt_binlog=ON - # encrypt_tmp_files=ON - - ## InnoDB/XtraDB Encryption - # innodb_encrypt_tables=ON - # innodb_encrypt_temporary_tables=ON - # innodb_encrypt_log=ON - # innodb_encryption_threads=4 - # innodb_encryption_rotate_key_age=1 - - ## Aria Encryption - # aria_encrypt_tables=ON - # 
encrypt_tmp_disk_tables=ON - -dgbuilder: - nameOverride: appc-dgbuilder - certInitializer: - nameOverride: appc-dgbuilder-cert-initializer - config: - db: - rootPasswordExternalSecret: '{{ include "common.release" . }}-appc-db-root-pass' - userCredentialsExternalSecret: '{{ include "common.release" . }}-sdncdb-user-creds' - dbPodName: *appc-db - dbServiceName: *appc-db - service: - name: appc-dgbuilder - serviceAccount: - nameOverride: appc-dgbuilder - ingress: - enabled: false - service: - - baseaddr: "appc-dgbuilder" - name: "appc-dgbuilder" - port: 3000 - config: - ssl: "redirect" - -#passing value to cdt chart. value of nodePort3 will be same as appc.service.nodePort3. -appc-cdt: - nodePort3: 11 -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 300 - periodSeconds: 60 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 300 - periodSeconds: 60 - -service: - type: NodePort - name: appc - portName: appc - - internalPort: 8443 - externalPort: 8443 - nodePort: 30 - - externalPort2: 1830 - nodePort2: 31 - clusterPort: 2550 - - internalPort3: 9191 - externalPort3: 9090 - nodePort3: 11 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: appc/mdsal - mdsalPath: /opt/opendaylight/current/daexim - -ingress: - enabled: false - service: - - baseaddr: "appc-api" - name: "appc" - port: 8443 - plain_port: 1830 - config: - ssl: "redirect" - -# Configure resource requests and limits -# ref: http://kubernetes.io/docs/user-guide/compute-resources/ -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/authentication/.helmignore b/kubernetes/authentication/.helmignore new file mode 100644 index 0000000000..cf02291a2a --- /dev/null +++ b/kubernetes/authentication/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +ci/ +examples/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/authentication/Chart.yaml b/kubernetes/authentication/Chart.yaml new file mode 100644 index 0000000000..6430743bf7 --- /dev/null +++ b/kubernetes/authentication/Chart.yaml 
@@ -0,0 +1,37 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright © 2024 Deutsche Telekom +# ================================================================================ +# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE) +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +apiVersion: v2 +version: 15.0.1 +description: ONAP Realm creation, Oauth2Proxy installation and configuration +name: authentication +sources: +- https://github.com/adorsys/keycloak-config-cli + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: onap-keycloak-config-cli + version: 6.2.1 + repository: 'file://components/keycloak-config-cli' + - name: onap-oauth2-proxy + version: 7.8.0 + repository: 'file://components/oauth2-proxy' diff --git a/kubernetes/authentication/Makefile b/kubernetes/authentication/Makefile new file mode 100644 index 0000000000..f47666e135 --- /dev/null +++ b/kubernetes/authentication/Makefile 
@@ -0,0 +1,60 @@ +# Copyright © 2020 Samsung Electronics +# Modifications Copyright © 2020 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := dist resources templates charts +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: diff --git a/kubernetes/authentication/README.md b/kubernetes/authentication/README.md new file mode 100644 index 0000000000..9144d4b721 
--- /dev/null +++ b/kubernetes/authentication/README.md 
@@ -0,0 +1,349 @@ +# Helm Chart for Authentication Application + +This component delivers: + +- Keycloak Realm creation and import +- (Optionally) creation of AuthenticationPolicies for Ingress to enable + OAuth Authentication and RoleBased access to Ingress APIs and UIs + +## REALM Configuration settings + +- In the configuration section "realmSettings" multiple REALMs can be configured +- Each REALM configuration has the following sections: + - [General REALM settings](#general-realm-settings) + - [CLIENT definitions](#client-definitions) + - (optional) [CLIENT SCOPE definitions](#client-scope-definitions) + - (optional) [Access control definitions](#access-control-definitions) + - (optional) [GROUP definitions](#group-definitions) + - (optional) [USER definitions](#user-definitions) + - (optional) [IDENTITY PROVIDER definitions](#identity-provider-and-mapper-definitions) + - (optional) [SMTP server definitions](#smtp-server-definitions) + +### General REALM settings + +This sections sets the realm general attributes shown in Keycloak + +```yaml +realmSettings: + - name: - unique ID for a realm (e.g. "ONAP") + displayName: - (optional) Keycloak Display Name (e.g. "ONAP Realm") + accessTokenLifespan: - (optional) Access Tolek Lifespan (default: 1900) + registrationAllowed: - (optional) Enable/disable the registration page (default: false) + resetPasswordAllowed: - (optional) Show a link on login page for user to click when they have forgotten their credentials (default: true) + passwordPolicy: - (optional) Set Password policies, e.g. + "length(8) and specialChars(1) and upperCase(1) and lowerCase(1) and digits(1) and notUsername(undefined) + and notEmail(undefined) and notContainsUsername(undefined) and passwordHistory(3)" + sslRequired: - (optional) Is HTTPS required? ('None'|'External'|'All requests' (default: "external") + themes: - (optional) Keycloak Theme settings + login: - (optional) Keycloak Theme for Login UI (e.g. 
"base") + admin: - (optional) Keycloak Theme for Admin UI (e.g. "base") + account: - (optional) Keycloak Theme for Account UI (e.g. "base") + email: - (optional) Keycloak Theme for Email UI (e.g. "base") + attributes: - (optional) + frontendUrl: "" - (optional) External Url for Keycloak access (e.g. "https://keycloak.simpledemo.onap.org") +``` + +### CLIENT definitions + +In this section each realm authentication client is defined e.g. portal-bff, oauth2-proxy, grafana + +- possible "attributes" settings (maybe more): + - id.token.as.detached.signature: "false" + - exclude.session.state.from.auth.response: "false" + - tls.client.certificate.bound.access.tokens: "false" + - saml.allow.ecp.flow: "false" + - saml.assertion.signature: "false" + - saml.force.post.binding: "false" + - saml.multivalued.roles: "false" + - saml.encrypt: "false" + - saml.server.signature: "false" + - saml.server.signature.keyinfo.ext: "false" + - saml.artifact.binding: "false" + - saml_force_name_id_format: "false" + - saml.client.signature: "false" + - saml.authnstatement: "false" + - saml.onetimeuse.condition: "false" + - oidc.ciba.grant.enabled: "false" + - frontchannel.logout.session.required: "true" + - backchannel.logout.session.required: "true" + - backchannel.logout.revoke.offline.tokens: "false" + - client_credentials.use_refresh_token: "false" + - acr.loa.map: "{}" + - require.pushed.authorization.requests: "false" + - oauth2.device.authorization.grant.enabled: "false" + - display.on.consent.screen: "false" + - token.response.type.bearer.lower-case: "false" + - use.refresh.tokens: "true" + - post.logout.redirect.uris: '' + +```yaml + clients: + oauth2_proxy: + clientId: "" - client ID + name: "" - (optional) client name + secret: - (optional) client secret + clientAuthenticatorType: - (optional) auth type (default: client-secret) + protocol: - (optional) auth protocol (default: openid-connect) + description: "" - (optional) client description + baseUrl: "" - (optional) url subpath 
(e.g. /application) + rootUrl: "" - (optional) root url + adminUrl: "" - (optional) admin url + bearerOnly: "" - (optional) bearerOnly (default: false) + consentRequired: "" - (optional) consentRequired (default: false) + standardFlowEnabled: "" - (optional) standardFlowEnabled (default: true) + implicitFlowEnabled: "" - (optional) implicitFlowEnabled (default: false) + directAccessGrantsEnabled: "" - (optional) directAccessGrantsEnabled (default: true) + serviceAccountsEnabled: "" - (optional) serviceAccountsEnabled (default: false) + frontchannelLogout: "" - (optional) frontend channel logout (default: true) + surrogateAuthRequired: "" - (optional) surrogate Auth Required (default: false) + authorizationServicesEnabled: "" - (optional) enable Authorization Services (RBAC) (default: false) + publicClient: "" - (optional) public Client (default: false) + attributes: - (optional) attributes settings (see code) + post.logout.redirect.uris: '' - example + protocolMappers: - (optional) protocol mappers + - name: "Audience for Oauth2Proxy" - examples + protocolMapper: "oidc-audience-mapper" + config: + included.client.audience: "oauth2-proxy-onap" + id.token.claim: "false" + access.token.claim: "true" + included.custom.audience: "oauth2-proxy-onap" + - name: "SDC-User" + protocolMapper: "oidc-usermodel-attribute-mapper" + config: + multivalued: "false" + userinfo.token.claim: "true" + user.attribute: "sdc_user" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "sdc_user" + jsonType.label: "String" + additionalDefaultScopes: + - "onap_roles" + redirectUris: + - "https://portal.simpledemo.onap.org/*" + - "http://localhost/*" + webOrigins: + - "https://argocd.simpledemo.onap.org" + defaultClientScopes: - (optional) definition of default client scopes + - "web-origins" - if used, has to contain the full scope list + - "profile" + - "acr" + - "email" + - "roles" + - "groups" + optionalClientScopes: - (optional) definition of optional client scopes + - ... 
- if used, has to contain the full scope list +``` + +#### Authorization settings within Client section (optional) + +Information about the Keycloak Authorization Services can be found under: + +To enable Authorization the setting shown above needs to be: + - authorizationServicesEnabled: true + +```yaml + authorizationSettings: + allowRemoteResourceManagement: "" - (optional) managed remotely by the resource server? (default: true) + policyEnforcementMode: ""- (optional) dictates how policies are enforced (default: ENFORCING) + decisionStrategy: "" - (optional) dictates how permissions are evaluated (default: UNANIMOUS) + resources: - resources definitions + - name: "" - unique name for this resource + displayName: "" - (optional) user-friendly name for the resource + type: "" - Type can be used to group different resource instances with the same type + ownerManagedAccess: - (optional) access can be managed by the resource owner? (default: false) + attributes: {} - (optional) The attributes associated wth the resource + uris: - Set of URIs which are protected by resource + - "/*" + - ... + scopes: - The scopes associated with this resource + - name: "" + - ... + icon_uri: "" - (optional) A URI pointing to an icon. + - ... + policies: - policy definitions + - name: "" - unique name for this policy + description: "" - (optional) A description for this policy + type: "" - Choose the policy type + logic: "" - dictates how the policy decision should be made + roles: - Specifies the client roles allowed by this policy + - id: "" - points to an existing role + required: - decide, whether role is required + ... + - ... 
+ permissions: - policy definitions + - name: "" - unique name for this permission + description: "" - (optional) A description for this permission + type: "" - Choose the permission type + decisionStrategy: "" - dictates how the policies associated with a given permission are evaluated + resources: - Specifies that this permission must be applied to a specific resource instance + - "" - points to an existing resource + - ... + scopes: - Specifies that this permission must be applied to one or more scopes + - "" - points to an existing scope + - ... + applyPolicies: - Specifies all the policies that must be applied to the scopes defined by this permission + - "" - points to an existing policy + - ... + - ... + scopes: - scope definitions + - name: "" - unique name for this scope + iconUri: "" - (optional) A URI pointing to an icon. + displayName: "" - (optional) user-friendly name for the resource + - ... +``` + +### CLIENT SCOPE definitions + +Here additional scopes besides the default scopes can be defined and set as defaul client scope +default scopes: roles, groups, acr, profile, address, web-origin, phone, email, offline_access, role_list, microprofile-jwt + +```yaml + defaultClientScopes: + - "onap_roles" + additionalClientScopes: + - name: onap_roles + description: OpenID Connect scope for add user onap roles to the access token + protocolMappers: + - name: aud + protocol: openid-connect + protocolMapper: oidc-audience-mapper + consentRequired: false + config: + included.client.audience: oauth2-proxy + id.token.claim: 'false' + access.token.claim: 'true' + - name: client roles + protocol: openid-connect + protocolMapper: oidc-usermodel-client-role-mapper + consentRequired: false + config: + multivalued: 'true' + userinfo.token.claim: 'false' + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: onap_roles + jsonType.label: String + usermodel.clientRoleMapping.clientId: oauth2-proxy +``` + +### Access control definitions + +In this section 
additional roles (assignableRoles) besides the default roles can be set. +default roles: user, admin, offline_access, uma_authorization, default-roles- + +(optional) accessRoles can be defined. +These access roles are used in the Ingress "Auhorization Policy" to restrict the access to certain services +The access role is assigned to a realm client (e.g. oauth2_proxy) + +```yaml + accessControl: + assignableRoles: + - name: onap-operator-read + description: "Allows to perform GET operations for all ONAP components" + associatedAccessRoles: [ "dmaap-bc-api-read", ... ] + accessRoles: + "oauth2_proxy": + - name: dmaap-bc-api-read + methodsAllowed: ["GET"] + servicePrefix: dmaap-bc-api +``` + +### GROUP definitions + +```yaml + groups: - (optional) Group definitions + - name: - Group name + path: /path> - Group URL path + roles: [ ,... ] - (optional) List of Realm roles +``` + +### USER definitions + +```yaml + initialUsers: - (optional) List of initial users + - username: - Name of the User + firstName: - (optional) First Name + lastName: - (optional) Last Name + email: - (optional) Email Address + emailVerified : - (optional)Email verified + credentials: - (optional) credentials + - type: password - (optional) initial password (: encrypted password, : used salt) + secretData: "{\"value\":\"\",\"salt\":\"\"}" + credentialData: "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\"}" + requiredActions: - (optional) action, the user has to execute + - - e.g. "UPDATE_PASSWORD", "UPDATE_PROFILE",... 
+ attributes: - (optional) additional attributes + sdc_user: - example attribute + - "cs0008" + realmRoles: - (optional) assigned realm roles + - + groups: - (optional) group membership + - +``` + +### Identity Provider and Mapper definitions + +```yaml + identityProviders: + - name: "gitlab" + displayName: "gitlab" + config: + userInfoUrl: "https:///oauth/userinfo" + validateSignature: "true" + clientId: "" + tokenUrl: "https:///oauth/token" + jwksUrl: "https:///oauth/discovery/keys" + issuer: "https://" + useJwksUrl: "true" + authorizationUrl: "https:///oauth/authorize" + clientAuthMethod: "client_secret_post" + syncMode: "IMPORT" + clientSecret: "gloas-35267790bf6fb7c4b507aea11db46d80174cb8ef4192e77424803b595eef735e" + defaultScope: "openid read_user email" + identityProviderMappers: + - name: "argo-admins" + identityProviderAlias: "gitlab" + identityProviderMapper: "oidc-advanced-group-idp-mapper" + config: + claims: "[{\"key\":\"groups_direct\",\"value\":\"dt-rc\"}]" + syncMode: "FORCE" + group: "/ArgoCDAdmins" + - name: "ArgoCDRestricted" + identityProviderAlias: "gitlab" + identityProviderMapper: "oidc-advanced-group-idp-mapper" + config: + claims: "[{\"key\":\"groups_direct\",\"value\":\"\"}]" + syncMode: "FORCE" + group: "/ArgoCDRestricted" + - name: "lastName " + identityProviderAlias: "gitlab" + identityProviderMapper: "oidc-user-attribute-idp-mapper" + config: + claim: "nickname" + syncMode: "FORCE" + user.attribute: "lastName" +``` + +### SMTP Server definitions + +```yaml + smtpServer: + password: "" + starttls: "true" + auth: "true" + port: "587" + host: "" + from: "" + fromDisplayName: "onapsupport" + ssl: "false" + user: "onapsupport" +``` + +## Requirements + +authentication needs the following ONAP projects to work: + +- common +- serviceAccount diff --git a/kubernetes/authentication/components/Makefile b/kubernetes/authentication/components/Makefile new file mode 100644 index 0000000000..4ecfbc53cc --- /dev/null 
+++ b/kubernetes/authentication/components/Makefile @@ -0,0 +1,59 @@ +# Copyright © 2020 Samsung Electronics, Orange, Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := dist resources templates charts +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: 
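Review bot: in the authentication README hunk above, the `identityProviders` example sets `clientSecret` to a full `gloas-...` token instead of a placeholder, while the other sensitive fields in the same README (`clientId`, the SMTP `password`, the `secretData` value and salt) are left empty. If that value was ever issued by a real GitLab instance it should be revoked, and the example should use `clientSecret: ""` or an obvious placeholder so that secret scanners and copy-paste deployments do not pick it up.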
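Review bot: in kubernetes/authentication/components/Makefile, the `package-%` recipe runs `$(HELM_BIN) cm-push -f $$PACKAGE_NAME local`, and `-f` forces the upload even when that chart version already exists, so a rebuilt chart can silently replace a published one under the same version; drop `-f` or add a comment explaining why it is required. The `$(HELM_CHARTS)` and `make-%` recipes also invoke `make` directly rather than `$(MAKE)`, which loses jobserver and `-n` handling, and `HELM_VER` and `SECRET_DIR` are assigned but never used in this file.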
diff --git a/kubernetes/authentication/components/keycloak-config-cli/.helmignore b/kubernetes/authentication/components/keycloak-config-cli/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/kubernetes/authentication/components/keycloak-config-cli/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml new file mode 100644 index 0000000000..32514f7867 --- /dev/null +++ b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml 
@@ -0,0 +1,45 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright © adorsys GmbH & Co. KG +# Modifications © 2022 Deutsche Telekom +# ================================================================================ +# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE) +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +apiVersion: v2 +name: onap-keycloak-config-cli +description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak. +home: https://github.com/adorsys/keycloak-config-cli +version: 6.2.1 +appVersion: 6.2.1 +maintainers: + - name: jkroepke + email: joe@adorsys.de + url: https://github.com/jkroepke +keywords: + - keycloak + - config + - import + - json + - continuous-integration + - keycloak-config-cli +sources: + - https://github.com/adorsys/keycloak-config-cli + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/authentication/components/keycloak-config-cli/templates/_helpers.tpl b/kubernetes/authentication/components/keycloak-config-cli/templates/_helpers.tpl new file mode 100644 index 0000000000..cc1ad7ad8d --- /dev/null 
+++ b/kubernetes/authentication/components/keycloak-config-cli/templates/_helpers.tpl 
@@ -0,0 +1,68 @@ +{{/* + # Copyright © adorsys GmbH & Co. KG + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "keycloak-config-cli.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "keycloak-config-cli.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "keycloak-config-cli.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "keycloak-config-cli.labels" -}} +helm.sh/chart: {{ include "keycloak-config-cli.chart" . }} +{{ include "keycloak-config-cli.selectorLabels" . 
}} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "keycloak-config-cli.selectorLabels" -}} +app.kubernetes.io/name: {{ include "keycloak-config-cli.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + diff --git a/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml b/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml new file mode 100644 index 0000000000..5ea4cbd770 --- /dev/null +++ b/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml 
@@ -0,0 +1,111 @@ +{{/* + # Copyright © adorsys GmbH & Co. KG + # Modifications © 2022, Deutsche Telekom + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} +--- +apiVersion: batch/v1 +kind: Job +metadata: + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "keycloak-config-cli.fullname" . }} + labels: + {{- include "keycloak-config-cli.labels" . | nindent 4 }} +spec: + backoffLimit: {{ .Values.backoffLimit }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- . | nindent 8 }} + {{- end }} + labels: + {{- include "keycloak-config-cli.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.image.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: keycloak-config-cli + image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.repository }}:{{ tpl .Values.image.tag $ }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.resources }} + resources: + {{- toYaml . 
| nindent 12 }} + {{- end }} + env: + {{- range $name, $value := .Values.env }} + - name: {{ $name | quote }} + value: {{ tpl $value $ | quote }} + {{- end }} + {{- range $name, $value := .Values.secrets }} + - name: {{ $name | quote }} + valueFrom: + secretKeyRef: + name: "{{ template "keycloak-config-cli.fullname" $ }}" + key: {{ $name | quote }} + {{- end }} + {{- if and .Values.existingSecret .Values.existingSecretKey }} + - name: "KEYCLOAK_PASSWORD" + valueFrom: + secretKeyRef: + name: "{{ tpl .Values.existingSecret . }}" + key: "{{ .Values.existingSecretKey }}" + {{- end }} + {{- if .Values.existingSecrets }} + {{- range .Values.existingSecrets }} + - name: {{ .envVar }} + valueFrom: + secretKeyRef: + name: {{ .name }} + key: {{ .key }} + {{- end }} + {{- end }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: config + mountPath: /config + {{- with .Values.extraVolumeMounts }} + {{- tpl . $ | nindent 12 }} + {{- end }} + volumes: + - name: config + secret: + {{- if .Values.existingConfigSecret }} + secretName: "{{ tpl .Values.existingConfigSecret $ }}" + {{- else }} + secretName: "{{ template "keycloak-config-cli.fullname" . }}-config-realms" + {{- end }} + defaultMode: 0555 + {{- with .Values.extraVolumes }} + {{- tpl . $ | nindent 8 }} + {{- end }} + {{- with .Values.serviceAccount }} + serviceAccountName: "{{ tpl . $ }}" + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/kubernetes/authentication/components/keycloak-config-cli/templates/realms.yaml b/kubernetes/authentication/components/keycloak-config-cli/templates/realms.yaml new file mode 100644 index 0000000000..fa9363e9d0 --- /dev/null +++ b/kubernetes/authentication/components/keycloak-config-cli/templates/realms.yaml 
@@ -0,0 +1,32 @@ +{{/* + # Copyright © adorsys GmbH & Co. KG + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} +{{ if not .Values.existingConfigSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "keycloak-config-cli.fullname" . }}-config-realms + labels: + {{- include "keycloak-config-cli.labels" . | nindent 4 }} +data: + {{- range $name, $config := .Values.config }} + {{- if hasKey $config "file" }} + {{ $name }}.json: "{{ tpl ($.Files.Get $config.file) $ | b64enc }}" + {{- else if hasKey $config "inline" }} + {{ $name }}.json: "{{ tpl (toJson $config.inline) $ | b64enc }}" + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/authentication/components/keycloak-config-cli/templates/secrets.yaml b/kubernetes/authentication/components/keycloak-config-cli/templates/secrets.yaml new file mode 100644 index 0000000000..94505289e6 --- /dev/null +++ b/kubernetes/authentication/components/keycloak-config-cli/templates/secrets.yaml 
@@ -0,0 +1,28 @@ +{{/* + # Copyright © adorsys GmbH & Co. KG + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} +{{ if .Values.secrets }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "keycloak-config-cli.fullname" . }} + labels: + {{- include "keycloak-config-cli.labels" . | nindent 4 }} +data: + {{- range $name, $value := .Values.secrets }} + {{ $name }}: "{{ tpl $value $ | b64enc }}" + {{- end }} + {{- end }} diff --git a/kubernetes/authentication/components/keycloak-config-cli/values.yaml b/kubernetes/authentication/components/keycloak-config-cli/values.yaml new file mode 100644 index 0000000000..ffeeaeb176 --- /dev/null +++ b/kubernetes/authentication/components/keycloak-config-cli/values.yaml 
@@ -0,0 +1,98 @@ +# Copyright © adorsys GmbH & Co. KG +# Modifications © 2022, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +global: + pullPolicy: Always + persistence: {} + dockerHubRepository: docker.io + +fullnameOverride: "" +nameOverride: "" + +image: + repository: adorsys/keycloak-config-cli + tag: "{{ .Chart.AppVersion }}-25.0.6" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + pullSecrets: [] + # - myRegistryKeySecretName + +# Count of re(!)tries. A value of 2 means 3 tries in total. +backoffLimit: 1 + +# annotations of the Job. 
Define helm post hook here +# currently disabled to see the results and to be compliant with ArgoCD +#annotations: +# "helm.sh/hook": "post-install,post-upgrade,post-rollback" +# "helm.sh/hook-delete-policy": "hook-succeeded,before-hook-creation" +# "helm.sh/hook-weight": "5" + +labels: {} + +resources: {} + # limits: + # cpu: "100m" + # memory: "1024Mi" + # requests: + # cpu: "100m" +# memory: "1024Mi" + +env: + KEYCLOAK_URL: http://keycloak:8080 + KEYCLOAK_USER: admin + IMPORT_PATH: /config/ + +secrets: {} +# KEYCLOAK_PASSWORD: + +# Specifies an existing secret to be used for the admin password +existingSecret: "" + +# The key in the existing secret that stores the password +existingSecretKey: password + +securityContext: {} +containerSecurityContext: {} + +## Additional pod labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +podLabels: {} + +## Extra Annotations to be added to pod +podAnnotations: {} +# New section for existing secrets +existingSecrets: +# - name: my-existing-secret +# key: my-secret-key +# envVar: MY_ENV_VAR + +config: {} + # : + # inline: + # realm: + # clients: [] + # : + # file: + +existingConfigSecret: "" + +# Add additional volumes, e.g. for custom secrets +extraVolumes: "" + +# Add additional volumes mounts, e. g. for custom secrets +extraVolumeMounts: "" diff --git a/kubernetes/authentication/components/oauth2-proxy/.helmignore b/kubernetes/authentication/components/oauth2-proxy/.helmignore new file mode 100644 index 0000000000..825c007791 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +OWNERS 
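Review bot: in keycloak-config-cli/templates/job.yaml, the `config` secret volume is mounted with `defaultMode: 0555`, which makes the realm import files readable and executable by every user in the container, although realms.yaml stores them in a Secret and the README shows realm configuration carrying `clientSecret` and credential `secretData`; `0400` or `0440` with a matching `fsGroup` is enough for a read-only import. In the same hunk `podAnnotations` is piped to `nindent 8` without `toYaml`, while values.yaml declares it as a map (`podAnnotations: {}`), so a non-empty map will fail to render.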
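Review bot: in keycloak-config-cli/values.yaml, `securityContext: {}` and `containerSecurityContext: {}` default to empty, so the import Job, which receives `KEYCLOAK_PASSWORD` in its environment, runs with whatever user and privileges the image defaults to; consider shipping defaults such as `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and dropped capabilities. The default `KEYCLOAK_URL: http://keycloak:8080` together with `KEYCLOAK_USER: admin` means the admin login goes over plain HTTP, which deserves a comment stating what protects that hop.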
diff --git a/kubernetes/authentication/components/oauth2-proxy/Chart.yaml b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml new file mode 100644 index 0000000000..300ed0964b --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml @@ -0,0 +1,48 @@ +name: onap-oauth2-proxy +version: 7.8.0 +apiVersion: v2 +appVersion: 7.7.1 +home: https://oauth2-proxy.github.io/oauth2-proxy/ +description: A reverse proxy that provides authentication with Google, Github or other providers +keywords: + - kubernetes + - oauth + - oauth2 + - authentication + - google + - github + - redis +dependencies: + - name: redis + version: 20.3.0 + repository: https://charts.bitnami.com/bitnami + alias: redis + condition: redis.enabled + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + +sources: + - https://github.com/oauth2-proxy/oauth2-proxy + - https://github.com/oauth2-proxy/manifests +maintainers: + - name: desaintmartin + email: cedric@desaintmartin.fr + - name: tlawrie + - name: NickMeves + email: nicholas.meves@gmail.com + - name: JoelSpeed + email: joel.speed@hotmail.co.uk + - name: pierluigilenoci + email: pierluigi.lenoci@gmail.com +kubeVersion: ">=1.16.0-0" +annotations: + artifacthub.io/changes: | + - kind: added + description: allow templates in annotations + links: + - name: Github PR + url: https://github.com/oauth2-proxy/manifests/pull/256 diff --git a/kubernetes/authentication/components/oauth2-proxy/README.md b/kubernetes/authentication/components/oauth2-proxy/README.md new file mode 100644 index 0000000000..0dc6c13962 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/README.md 
@@ -0,0 +1,359 @@ +# oauth2-proxy + +[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by e-mail, domain, or group. + +## TL;DR; + +```console +$ helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests +$ helm install my-release oauth2-proxy/oauth2-proxy +``` + +## Introduction + +This chart bootstraps an oauth2-proxy deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +$ helm install my-release oauth2-proxy/oauth2-proxy +``` + +The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. +The [configuration](#configuration) section lists the parameters that can be configured during installation. + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm uninstall my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Upgrading an existing Release to a new major version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates an incompatible breaking change needing manual actions. + +### To 1.0.0 + +This version upgrades oauth2-proxy to v4.0.0. To upgrade, please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400). + +### To 2.0.0 + +Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by addressing the Deployment object apiVersion `apps/v1beta2` deprecation. +See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information. + +Due to [this issue](https://github.com/helm/helm/issues/6583), errors may occur when performing a `helm upgrade` of this chart from versions earlier than 2.0.0. 
+ +### To 3.0.0 + +Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart. +This is a breaking change since the service account is enabled by default. +To disable this behaviour set `serviceAccount.enabled` to `false` + +### To 4.0.0 + +Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**. +Therefore, the `ingress.extraPaths` parameter must be updated to the new format. +See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information. + +For the same reason `service.port` was renamed to `service.portNumber`. + +### To 5.0.0 + +Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). +This is a breaking change because many labels of all resources need to be updated to stay consistent. + +In order to upgrade, delete the Deployment before upgrading: + +```bash +kubectl delete deployment my-release-oauth2-proxy +``` + +This will introduce a slight downtime. + +For users who don't want downtime, you can perform these actions: + +- Perform a non-cascading removal of the deployment that keeps the pods running +- Add new labels to pods +- Perform `helm upgrade` + +### To 6.0.0 + +Version 6.0.0 bumps the version of the Redis subchart from ~10.6.0 to ~16.4.0. +You probably need to adjust your Redis configuration. +See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions. + +### To 7.0.0 + +Version 7.0.0 introduces a new implementation to support multiple hostAliases. +You probably need to adjust your hostAliases config. +See [here](https://github.com/oauth2-proxy/manifests/pull/164/) for detailed information. 
+ +## Configuration + +The following table lists the configurable parameters of the oauth2-proxy chart and their default values. + +| Parameter | Description | Default | +|-------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------| +| `affinity` | node/pod affinities | None | +| `authenticatedEmailsFile.enabled` | Enables authorize individual e-mail addresses | `false` | +| `authenticatedEmailsFile.persistence` | Defines how the e-mail addresses file will be projected, via a configmap or secret | `configmap` | +| `authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""` | +| `authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the e-mail addresses list | `""` | +| `authenticatedEmailsFile.restricted_access` | [e-mail addresses](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/#email-authentication) list config | `""` | +| `authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil` | +| `config.clientID` | oauth client ID | `""` | +| `config.clientSecret` | oauth client secret | `""` | +| `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""` | +| `config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. 
See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil` | +| `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""` | +| `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil` | +| `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""` | +| `autoscaling.enabled` | Deploy a Horizontal Pod Autoscaler. | `false` | +| `autoscaling.minReplicas` | Minimum replicas for the Horizontal Pod Autoscaler. | `1` | +| `autoscaling.maxReplicas` | Maximum replicas for the Horizontal Pod Autoscaler. | `10` | +| `autoscaling.targetCPUUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `80` | +| `autoscaling.targetMemoryUtilizationPercentage` | Horizontal Pod Autoscaler setting. | `` | +| `autoscaling.annotations` | Horizontal Pod Autoscaler annotations. | `{}` | +| `alphaConfig.enabled` | Flag to toggle any alpha config-related logic | `false` | +| `alphaConfig.annotations` | Configmap annotations | `{}` | +| `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}` | +| `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}` | +| `alphaConfig.configData` | Arbitrary configuration data to append | `{}` | +| `alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""` | +| `alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. 
See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | +| `alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil` | +| `customLabels` | Custom labels to add into metadata | `{}` | +| `config.google.adminEmail` | user impersonated by the Google service account | `""` | +| `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account JSON | `false` | +| `config.google.targetPrincipal` | service account to use/impersonate | `""` | +| `config.google.serviceAccountJson` | Google service account JSON contents | `""` | +| `config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [Google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil` | +| `config.google.groups` | restrict logins to members of these Google groups | `[]` | +| `containerPort` | used to customize port on the deployment | `""` | +| `extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows the same flag to be configured multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). 
| `{}` or `[]` | +| `extraContainers` | List of extra containers to be added to the pod | `[]` | +| `extraEnv` | key:value list of extra environment variables to give the binary | `[]` | +| `extraVolumes` | list of extra volumes | `[]` | +| `extraVolumeMounts` | list of extra volumeMounts | `[]` | +| `hostAliases` | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution. | | +| `htpasswdFile.enabled` | enable htpasswd-file option | `false` | +| `htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#command-line-options) | `{}` | +| `htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""` | +| `httpScheme` | `http` or `https`. `name` used for the port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.command` | Define command to be executed by container at startup | `[]` | +| `image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy` | +| `image.tag` | Image tag | `""` (defaults to appVersion) | +| `imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods) | +| `ingress.enabled` | Enable Ingress | `false` | +| `ingress.className` | name referencing IngressClass | `nil` | +| `ingress.path` | Ingress accepted path | `/` | +| `ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific` | +| `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/annotations/). 
| `[]` | +| `ingress.labels` | Ingress extra labels | `{}` | +| `ingress.annotations` | Ingress annotations | `nil` | +| `ingress.hosts` | Ingress accepted hostnames | `nil` | +| `ingress.tls` | Ingress TLS configuration | `nil` | +| `initContainers.waitForRedis.enabled` | If `redis.enabled` is true, use an init container to wait for the Redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list, and watch the Redis master pod | `true` | +| `initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent` | +| `initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl` | +| `initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")` +| `initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true` | +| `initContainers.waitForRedis.timeout` | number of seconds | 180 | +| `initContainers.waitForRedis.resources` | pod resource requests & limits | `{}` | +| `livenessProbe.enabled` | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. 
See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | +| `livenessProbe.initialDelaySeconds` | number of seconds | 0 | +| `livenessProbe.timeoutSeconds` | number of seconds | 1 | +| `namespaceOverride` | Override the deployment namespace | `""` | +| `nodeSelector` | node labels for pod assignment | `{}` | +| `deploymentAnnotations` | annotations to add to the deployment | `{}` | +| `podAnnotations` | annotations to add to each pod | `{}` | +| `podLabels` | additional labels to add to each pod | `{}` | +| `podDisruptionBudget.enabled` | Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true | +| `podDisruptionBudget.minAvailable` | minAvailable parameter for PodDisruptionBudget | 1 | +| `podSecurityContext` | Kubernetes security context to apply to pod | `{}` | +| `priorityClassName` | priorityClassName | `nil` | +| `readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true` | +| `readinessProbe.initialDelaySeconds` | number of seconds | 0 | +| `readinessProbe.timeoutSeconds` | number of seconds | 5 | +| `readinessProbe.periodSeconds` | number of seconds | 10 | +| `readinessProbe.successThreshold` | number of successes | 1 | +| `replicaCount` | desired number of pods | `1` | +| `resources` | pod resource requests & limits | `{}` | +| `revisionHistoryLimit` | maximum number of revisions maintained | 10 | +| `service.portNumber` | port number for the service | `80` | +| `service.appProtocol` | application protocol on the port of the service | `http` | +| `service.externalTrafficPolicy` | denotes if the service desires to route external traffic to node-local or cluster-wide endpoints | `Cluster` | +| `service.internalTrafficPolicy` | denotes if the service desires to route internal traffic to node-local or cluster-wide endpoints | `Cluster` | +| `service.type` | type of service | `ClusterIP` | +| 
`service.clusterIP` | cluster ip address | `nil` | +| `service.loadBalancerIP` | ip of load balancer | `nil` | +| `service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil` | +| `service.nodePort` | external port number for the service when service.type is `NodePort` | `nil` | +| `serviceAccount.enabled` | create a service account | `true` | +| `serviceAccount.name` | the service account name | `` | +| `serviceAccount.annotations` | (optional) annotations for the service account | `{}` | +| `strategy` | configure deployment strategy | `{}` | +| `tolerations` | list of node taints to tolerate | `[]` | +| `securityContext.enabled` | enable Kubernetes security context on container | `true` | +| `proxyVarsAsSecrets` | Choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true` | +| `sessionStorage.type` | Session storage type which can be one of the following: cookie or Redis | `cookie` | +| `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the Redis & Redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""` | +| `sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from Redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence | `nil` | +| `sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the Redis password value | `redis-password` | +| `sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for the Redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone` | +| `sessionStorage.redis.standalone.connectionUrl` | URL of Redis standalone server for Redis session storage (e.g., `redis://HOST[:PORT]`). Automatically generated if not set. 
| `""` | +| `sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g., `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | +| `sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the Redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""` | +| `sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any Redis node passwords need to use `sessionStorage.redis.password` | `nil` | +| `sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the Redis sentinel password value | `redis-sentinel-password` | +| `sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil` | +| `sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]` | +| `topologySpreadConstraints` | List of pod topology spread constraints | `[]` | +| `redis.enabled` | Enable the Redis subchart deployment | `false` | +| `checkDeprecation` | Enable deprecation checks | `true` | +| `metrics.enabled` | Enable Prometheus metrics endpoint | `true` | +| `metrics.port` | Serve Prometheus metrics on this port | `44180` | +| `metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil` | +| `metrics.service.appProtocol` | application protocol of the metrics port in the service | `http` | +| `metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false` | +| `metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""` | +| `metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default` | +| `metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s` | +| `metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | 
`30s` | +| `metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource | `{}` | +| `metrics.serviceMonitor.scheme` | HTTP scheme for scraping. It can be used with `tlsConfig` for example, if using Istio mTLS. | `""` | +| `metrics.serviceMonitor.tlsConfig` | TLS configuration when scraping the endpoint. For example, if using Istio mTLS. | `{}` | +| `metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file. | `""` | +| `metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster | `{}` | +| `metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion. | `[]` | +| `extraObjects` | Extra K8s manifests to deploy | `[]` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +$ helm install my-release oauth2-proxy/oauth2-proxy \ + --set=image.tag=v0.0.2,resources.limits.cpu=200m +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## TLS Configuration + +See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/configuration/tls/). +Use ```values.yaml``` like: + +```yaml +... +extraArgs: + tls-cert-file: /path/to/cert.pem + tls-key-file: /path/to/cert.key + +extraVolumes: + - name: ssl-cert + secret: + secretName: my-ssl-secret + +extraVolumeMounts: + - mountPath: /path/to/ + name: ssl-cert +... +``` + +With a secret called `my-ssl-secret`: + +```yaml +... 
+data: + cert.pem: AB..== + cert.key: CD..== +``` + +## Extra environment variable templating +The extraEnv value supports the tpl function, which evaluates strings as templates inside the deployment template. +This is useful for passing a template string as a value to the chart's extra environment variables and rendering external configuration environment values. + +```yaml +... +tplValue: "This is a test value for the tpl function" +extraEnv: + - name: TEST_ENV_VAR_1 + value: test_value_1 + - name: TEST_ENV_VAR_2 + value: '{{ .Values.tplValue }}' +``` + +## Custom templates configuration +You can replace the default template files using a Kubernetes `configMap` volume. The default templates are the two files [sign_in.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/sign_in.html) and [error.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/error.html). + +```yaml +config: + configFile: | + ... + custom_templates_dir = "/data/custom-templates" + +extraVolumes: + - name: custom-templates + configMap: + name: oauth2-proxy-custom-templates + +extraVolumeMounts: + - name: custom-templates + mountPath: "/data/custom-templates" + readOnly: true + +extraObjects: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: oauth2-proxy-custom-templates + data: + sign_in.html: | + + + sign_in + + error.html: | + + + +

error

+

{{.StatusCode}}

+ + +``` + +## Multi whitelist-domain configuration +You must use the config.configFile section for a multi-whitelist-domain configuration for one Oauth2-proxy instance. + +It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` [configuration file](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview#config-file). +In this example, Google provider is used, but you can find all other provider configurations here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/configuration/providers/). + +``` +config: + ... + clientID="$YOUR_GOOGLE_CLIENT_ID" + clientSecret="$YOUR_GOOGLE_CLIENT_SECRET" + cookieSecret="$YOUR_COOKIE_SECRET" + configFile: | + ... + email_domains = [ "*" ] + upstreams = [ "file:///dev/null" ] + cookie_secure = "false" + cookie_domains = [ ".domain.com", ".example.io" ] + whitelist_domains = [ ".domain.com", ".example.io"] + provider = "google" +``` diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml new file mode 100644 index 0000000000..fc2ba605ad --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml @@ -0,0 +1 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml new file mode 100644 index 0000000000..92dc451807 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml @@ -0,0 +1,4 @@ +extraArgs: + pass-authorization-header: "true" + request-logging: "true" + allowed-role: client_id:client_role 
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml new file mode 100644 index 0000000000..5f47a5f479 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml @@ -0,0 +1,5 @@ +extraArgs: + - "--pass-authorization-header=true" + - "--request-logging=true" + - --allowed-role=client_id:client_role_A + - --allowed-role=client_id_B:client_role_C diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml new file mode 100644 index 0000000000..357dba9153 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml @@ -0,0 +1,6 @@ +tplValue: "This is a test value for the template function" +extraEnv: + - name: TEST_ENV_VAR_1 + value: test_value_1 + - name: TEST_ENV_VAR_2 + value: '{{ .Values.tplValue }}' diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml new file mode 100644 index 0000000000..fd1a0060fe --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/horizontal-pod-autoscaling-values.yaml @@ -0,0 +1,5 @@ +# Enables Horizontal Pod Autoscaler and removes replica count in deployment +autoscaling: + enabled: true + annotations: + test-annotations/test: "true" diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml new file mode 100644 index 0000000000..e74a393db0 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml 
@@ -0,0 +1,14 @@ +ingress: + enabled: true + path: / + pathType: ImplementationSpecific + hosts: + - chart-example.local + extraPaths: + - path: /* + pathType: ImplementationSpecific + backend: + service: + name: ssl-redirect + port: + name: use-annotation diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml new file mode 100644 index 0000000000..25b16272a7 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml @@ -0,0 +1 @@ +replicaCount: 2 # Enables PodDisruptionBudget which is disabled when replicaCount is 1 diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml new file mode 100644 index 0000000000..b7c8cea546 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml @@ -0,0 +1,4 @@ +# Allocate a FSGroup that owns the pod’s volumes via podSecurityContext +--- +podSecurityContext: + fsGroup: 2000 diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml new file mode 100644 index 0000000000..e58c32cf0c --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml @@ -0,0 +1,15 @@ +sessionStorage: + type: redis + redis: + clientType: "standalone" + password: "foo" +redis: + # provision an instance of the redis sub-chart + enabled: true + architecture: standalone + global: + redis: + password: "foo" +initContainers: + waitForRedis: + enabled: true diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml new file mode 100644 index 0000000000..0c232bf5c1 --- /dev/null 
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml @@ -0,0 +1,18 @@ +metrics: + enabled: true + serviceMonitor: + enabled: true + annotations: + key: value + metricRelabelings: + - action: keep + regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + sourceLabels: [__name__] + + relabelings: + - sourceLabels: [__meta_kubernetes_pod_node_name] + separator: ; + regex: ^(.*)$ + targetLabel: nodename + replacement: $1 + action: replace diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml new file mode 100644 index 0000000000..d217653086 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml 
@@ -0,0 +1,62 @@ +extraEnv: + - name: TEST_ENV_VAR_2 + value: '{{ $.Release.Name }}' +ingress: + enabled: true + hosts: + - "{{ $.Release.Name }}.local" + tls: + - hosts: + - "{{ $.Release.Name }}.local" + annotations: + test-annotations/test: "{{ $.Release.Name }}" +oauth2-proxy: + checkDeprecation: false + config: + clientSecret: '{{ $.Release.Name }}' + configFile: | + oidc_issuer_url = "https://{{ $.Release.Name }}/dex" + +pass_authorization_header: "true" + +extraArgs: + pass-authorization-header: "{{ $.Values.pass_authorization_header }}" + +extraVolumes: + - name: "{{ $.Release.Name }}-secret" + secret: + secretName: "{{ .Release.Name }}-secret" + items: + - key: secret + path: secret + +authenticatedEmailsFile: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +config: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +deploymentAnnotations: + test-annotations/test: "{{ $.Release.Name }}" + +autoscaling: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +alphaConfig: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +service: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +serviceAccount: + annotations: + test-annotations/test: "{{ $.Release.Name }}" + +serviceMonitor: + annotations: + test-annotations/test: "{{ $.Release.Name }}" diff --git a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh new file mode 100755 index 0000000000..62dd9b684f --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh 
@@ -0,0 +1,61 @@ +#!/bin/sh + +RETRY_INTERVAL=5 # Interval between retries in seconds +elapsed=0 # Elapsed time + +check_redis() { + host=$1 + port=$2 + while [ $elapsed -lt $TOTAL_RETRY_TIME ]; do + echo "Checking Redis at $host:$port... Elapsed time: ${elapsed}s" + if nc -z -w1 $TIMEOUT $host $port > /dev/null 2>&1; then + echo "Redis is up at $host:$port!" + return 0 + else + echo "Redis is down at $host:$port. Retrying in $RETRY_INTERVAL seconds." + sleep $RETRY_INTERVAL + elapsed=$((elapsed + RETRY_INTERVAL)) + fi + done + echo "Failed to connect to Redis at $host:$port after $TOTAL_RETRY_TIME seconds." + return 1 +} + +# For parsing and checking connections +parse_and_check() { + url=$1 + + # Strip either redis:// or rediss:// + if [ $url = "rediss://*" ]; then + clean_url=${url#rediss://} + echo "Using secure Rediss connection..." + else + clean_url=${url#redis://} + echo "Using standard Redis connection..." + fi + + host=$(echo $clean_url | cut -d':' -f1) + port=$(echo $clean_url | cut -d':' -f2) + check_redis $host $port +} + +# Main +if [ -n "$OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS" ]; then + echo "Checking Redis in cluster mode..." + echo "$OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS" | tr ',' '\n' | while read -r addr; do + parse_and_check $addr || exit 1 + done +elif [ -n "$OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS" ]; then + echo "Checking Redis in sentinel mode..." + echo "$OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS" | tr ',' '\n' | while read -r addr; do + parse_and_check $addr || exit 1 + done +elif [ -n "$OAUTH2_PROXY_REDIS_CONNECTION_URL" ]; then + echo "Checking standalone Redis..." + parse_and_check "$OAUTH2_PROXY_REDIS_CONNECTION_URL" || exit 1 +else + echo "Redis configuration not specified." + exit 1 +fi + +echo "Redis check completed." 
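Review bot: in `parse_and_check`, the test `[ $url = "rediss://*" ]` is a literal string comparison, not a pattern match, so a `rediss://host:port` URL always takes the `else` branch. There `${url#redis://}` strips nothing, and the `cut` calls yield `rediss` as the host and `//host` as the port. A `case "$url" in rediss://*) ... ;; esac` would match the prefix as intended. Three further points in the same file. In `check_redis`, `nc -z -w1 $TIMEOUT $host $port` passes `$TIMEOUT` as a separate argument after `-w1`, so if it is ever set it shifts the host and port; `-w "$TIMEOUT"` looks like what was meant. `TOTAL_RETRY_TIME` is not assigned anywhere in the script, so it has to arrive through the environment, and when it is unset the `[ $elapsed -lt $TOTAL_RETRY_TIME ]` test errors out; a default such as `${TOTAL_RETRY_TIME:-180}` and a comment naming the expected variables would help. In the cluster and sentinel branches, `parse_and_check $addr || exit 1` runs inside a piped `while read` loop, which most `sh` implementations execute in a subshell, so the `exit 1` only ends the loop and the script still reaches `echo "Redis check completed."` and returns 0; check the pipeline status after `done`, and quote `$addr`, `$host`, `$port` and `$url` throughout.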
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt b/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt new file mode 100644 index 0000000000..36ded35867 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt @@ -0,0 +1,3 @@ +To verify that oauth2-proxy has started, run: + + kubectl --namespace={{ template "oauth2-proxy.namespace" $ }} get pods -l "app={{ template "oauth2-proxy.name" . }}" diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl new file mode 100644 index 0000000000..f959f10e49 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl @@ -0,0 +1,23 @@ +{{/* +Returns the appropriate apiVersion for podDisruptionBudget object. +*/}} +{{- define "capabilities.podDisruptionBudget.apiVersion" -}} +{{- if semverCompare ">=1.21-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} +{{- print "policy/v1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress object. +*/}} +{{- define "capabilities.ingress.apiVersion" -}} +{{- if semverCompare "<1.14-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl new file mode 100644 index 0000000000..6a9bbb320d --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl 
@@ -0,0 +1,161 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "oauth2-proxy.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "oauth2-proxy.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "oauth2-proxy.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Generate basic labels +*/}} +{{- define "oauth2-proxy.labels" }} +helm.sh/chart: {{ include "oauth2-proxy.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/component: authentication-proxy +app.kubernetes.io/part-of: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "oauth2-proxy.selectorLabels" }} +app.kubernetes.io/name: {{ include "oauth2-proxy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Get the secret name. 
+*/}} +{{- define "oauth2-proxy.secretName" -}} +{{- if .Values.config.existingSecret -}} +{{- printf "%s" .Values.config.existingSecret -}} +{{- else -}} +{{- printf "%s" (include "oauth2-proxy.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "oauth2-proxy.serviceAccountName" -}} +{{- if .Values.serviceAccount.enabled -}} + {{ default (include "oauth2-proxy.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "oauth2-proxy.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* +Redis subcharts fullname +*/}} +{{- define "oauth2-proxy.redis.fullname" -}} +{{- if .Values.redis.enabled -}} +{{- include "common.names.fullname" (dict "Chart" (dict "Name" "redis") "Release" .Release "Values" .Values.redis) -}} +{{- else -}} +{{ fail "attempting to use redis subcharts fullname, even though the subchart is not enabled. This will lead to misconfiguration" }} +{{- end -}} +{{- end -}} + +{{/* +Compute the redis url if not set explicitly. +*/}} +{{- define "oauth2-proxy.redis.StandaloneUrl" -}} +{{- if .Values.sessionStorage.redis.standalone.connectionUrl -}} +{{ .Values.sessionStorage.redis.standalone.connectionUrl }} +{{- else if .Values.redis.enabled -}} +{{- printf "redis://%s-master:%.0f" (include "oauth2-proxy.redis.fullname" .) 
.Values.redis.master.service.ports.redis -}} +{{- else -}} +{{ fail "please set sessionStorage.redis.standalone.connectionUrl or enable the redis subchart via redis.enabled" }} +{{- end -}} +{{- end -}} + +{{/* +Returns the version +*/}} +{{- define "oauth2-proxy.version" -}} +{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }} +{{- end -}} + +{{/* +Returns the kubectl version +Workaround for EKS https://github.com/aws/eks-distro/issues/1128 +*/}} +{{- define "kubectl.version" -}} +{{- if .Values.initContainers.waitForRedis.kubectlVersion -}} +{{ .Values.initContainers.waitForRedis.kubectlVersion }} +{{- else -}} +{{- printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "") -}} +{{- end -}} +{{- end -}} + +{{- define "oauth2-proxy.alpha-config" -}} +--- +server: + BindAddress: '0.0.0.0:4180' +{{- if .Values.alphaConfig.serverConfigData }} +{{- toYaml .Values.alphaConfig.serverConfigData | nindent 2 }} +{{- end }} +{{- if .Values.metrics.enabled }} +metricsServer: + BindAddress: '0.0.0.0:44180' +{{- if .Values.alphaConfig.metricsConfigData }} +{{- toYaml .Values.alphaConfig.metricsConfigData | nindent 2 }} +{{- end }} +{{- end }} +{{- if .Values.alphaConfig.configData }} +{{- toYaml .Values.alphaConfig.configData | nindent 0 }} +{{- end }} +{{- if .Values.alphaConfig.configFile }} +{{- tpl .Values.alphaConfig.configFile $ | nindent 0 }} +{{- end }} +{{- end -}} + +{{- define "oauth2-proxy.secrets" -}} +cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }} +client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }} +client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }} +{{- end -}} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl new file mode 100644 index 0000000000..f4a3cad0e4 --- /dev/null 
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl @@ -0,0 +1,46 @@ +{{/* +Returns `true` if the API `ingressClassName` field is supported and `false` otherwise +*/}} +{{- define "ingress.supportsIngressClassName" -}} +{{- if ( semverCompare "<1.18-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) ) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns `true` if the API `pathType` field is supported and `false` otherwise +*/}} +{{- define "ingress.supportsPathType" -}} +{{- if ( semverCompare "<1.18-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) ) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns the appropriate ingress `backend` fields depending on the Kubernetes API version. +e.g.: `{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}` +Where the dict must contain the following entries: +- `serviceName` {String} - Name of an existing service backend +- `servicePort` {String|Number} - Port name or port number of the service. +- `context` {Dict} - (Parent) Context for the template evaluation required for the API version detection. +*/}} +{{- define "ingress.backend" -}} +{{- $apiVersion := ( include "capabilities.ingress.apiVersion" .context ) -}} +{{- if or ( eq $apiVersion "extensions/v1beta1" ) ( eq $apiVersion "networking.k8s.io/v1beta1" ) -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or ( typeIs "int" .servicePort ) ( typeIs "float64" .servicePort ) }} + number: {{ .servicePort }} + {{- end }} +{{- end -}} +{{- end -}} 
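Review bot: the usage example in the comment above `ingress.backend` calls `include "common.ingress.backend"`, but the template defined here is named `ingress.backend`, so anyone copying the example gets a missing-template error; the comment should use the local name. In the same template, when `.servicePort` is neither a string, an int nor a float64, the `port:` key is rendered with no child, which produces an invalid backend; a `fail` in a final `else` would surface that at render time. `ingress.supportsIngressClassName` and `ingress.supportsPathType` also have identical bodies (both test `<1.18-0`), so one could delegate to the other or a shared helper.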
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml new file mode 100644 index 0000000000..68c9d76629 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml @@ -0,0 +1,18 @@ +{{- if .Values.authenticatedEmailsFile.enabled }} +{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} +{{- with .Values.authenticatedEmailsFile.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} +{{- end }} + name: {{ template "oauth2-proxy.fullname" . }}-accesslist + namespace: {{ template "oauth2-proxy.namespace" $ }} +data: + {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml new file mode 100644 index 0000000000..721048d786 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml @@ -0,0 +1,13 @@ +{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis + namespace: {{ template "oauth2-proxy.namespace" $ }} +data: + check-redis.sh: | +{{ .Files.Get "scripts/check-redis.sh" | indent 4 }} +{{- end }} 
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml new file mode 100644 index 0000000000..0f164d230c --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml @@ -0,0 +1,18 @@ +{{- if not .Values.config.existingConfig }} +{{- if .Values.config.configFile }} +apiVersion: v1 +kind: ConfigMap +metadata: +{{- with .Values.config.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} +{{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} +data: + oauth2_proxy.cfg: {{ tpl .Values.config.configFile $ | quote }} +{{- end }} +{{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml new file mode 100644 index 0000000000..bd5c2c923d --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml 
@@ -0,0 +1,418 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + {{- with .Values.deploymentAnnotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} + {{- end }} + name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- with .Values.strategy }} + strategy: + {{ toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} + template: + metadata: + annotations: + {{- if .Values.config.configFile }} + checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }} + {{- end }} + {{- if .Values.alphaConfig.enabled }} + checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }} + {{- end }} + {{- if .Values.authenticatedEmailsFile.enabled }} + checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }} + {{- end }} + checksum/secret: {{ include "oauth2-proxy.secrets" . | sha256sum }} + checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }} + checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} +{{- if .Values.htpasswdFile.enabled }} + checksum/htpasswd: {{ toYaml .Values.htpasswdFile.entries | sha256sum }} +{{- end }} + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} + {{- include "oauth2-proxy.labels" . 
| indent 8 }} + {{- if .Values.podLabels }} +{{ toYaml .Values.podLabels | indent 8 }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: + {{ toYaml .Values.hostAliases | nindent 8}} + {{- end }} + {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} + initContainers: + - name: wait-for-redis + #image: "{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}" + image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}" + imagePullPolicy: {{ .Values.initContainers.waitForRedis.image.pullPolicy }} + command: ["/bin/sh", "-c", "/scripts/check-redis.sh"] + env: + - name: TOTAL_RETRY_TIME + value: "{{ .Values.initContainers.waitForRedis.timeout }}" + {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }} + - name: OAUTH2_PROXY_REDIS_CONNECTION_URL + value: {{ include "oauth2-proxy.redis.StandaloneUrl" . 
}} + {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }} + - name: OAUTH2_PROXY_REDIS_USE_CLUSTER + value: "true" + - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS + value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }} + {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }} + - name: OAUTH2_PROXY_REDIS_USE_SENTINEL + value: "true" + - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS + value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }} + {{- end }} + {{- if .Values.initContainers.waitForRedis.securityContext.enabled }} + {{- $securityContext := unset .Values.initContainers.waitForRedis.securityContext "enabled" }} + securityContext: + {{- toYaml $securityContext | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.initContainers.waitForRedis.resources | nindent 10 }} + volumeMounts: + - name: redis-script + mountPath: /scripts + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" + #image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.image.command }} + command: + {{- range .Values.image.command }} + - {{ . 
| quote }} + {{- end }} + {{- end }} + args: + {{- if .Values.alphaConfig.enabled }} + - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml + {{- else }} + - --http-address=0.0.0.0:4180 + - --https-address=0.0.0.0:4443 + {{- if .Values.metrics.enabled }} + - --metrics-address=0.0.0.0:44180 + {{- end }} + {{- end }} + {{- if .Values.config.cookieName }} + - --cookie-name={{ .Values.config.cookieName }} + {{- end }} + {{- if kindIs "map" .Values.extraArgs }} + {{- range $key, $value := .Values.extraArgs }} + {{- if not (kindIs "invalid" $value) }} + - --{{ $key }}={{ tpl ($value | toString) $ }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- end }} + {{- if kindIs "slice" .Values.extraArgs }} + {{- with .Values.extraArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} + {{- if or .Values.config.existingConfig .Values.config.configFile }} + - --config=/etc/oauth2_proxy/oauth2_proxy.cfg + {{- end }} + {{- if .Values.authenticatedEmailsFile.enabled }} + {{- if .Values.authenticatedEmailsFile.template }} + - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }} + {{- else }} + - --authenticated-emails-file=/etc/oauth2-proxy/{{ template "oauth2-proxy.fullname" . 
}}-accesslist + {{- end }} + {{- end }} + {{- with .Values.config.google }} + {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }} + - --google-admin-email={{ .adminEmail }} + {{- if .useApplicationDefaultCredentials }} + - --google-use-application-default-credentials=true + {{- else }} + - --google-service-account-json=/google/service-account.json + {{- end }} + {{- if .targetPrincipal }} + - --google-target-principal={{ .targetPrincipal }} + {{- end }} + {{- end }} + {{- if .groups }} + {{- range $group := .groups }} + - --google-group={{ $group }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.htpasswdFile.enabled }} + - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt + {{- end }} +{{- if .Values.lifecycle }} + lifecycle: +{{ toYaml .Values.lifecycle | indent 10 }} +{{- end }} + env: + {{- if .Values.proxyVarsAsSecrets }} + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . }} + key: client-id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . }} + key: client-secret + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ template "oauth2-proxy.secretName" . }} + key: cookie-secret + {{- end }} + {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }} + - name: OAUTH2_PROXY_SESSION_STORE_TYPE + value: "redis" + {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}} + - name: OAUTH2_PROXY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + {{- if .Values.sessionStorage.redis.existingSecret }} + name: {{ .Values.sessionStorage.redis.existingSecret }} + {{- else if .Values.sessionStorage.redis.password }} + name: {{ template "oauth2-proxy.fullname" . }}-redis-access + {{- else }} + name: {{ include "oauth2-proxy.redis.fullname" . 
}} + {{- end }} + key: {{ .Values.sessionStorage.redis.passwordKey }} + {{- end }} + {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }} + - name: OAUTH2_PROXY_REDIS_CONNECTION_URL + value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }} + {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }} + - name: OAUTH2_PROXY_REDIS_USE_CLUSTER + value: "true" + - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS + value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }} + {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }} + - name: OAUTH2_PROXY_REDIS_USE_SENTINEL + value: "true" + - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME + value: {{ .Values.sessionStorage.redis.sentinel.masterName }} + - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS + value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }} + {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.sentinel.password }} + - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD + valueFrom: + secretKeyRef: + {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret }} + name: {{ .Values.sessionStorage.redis.sentinel.existingSecret | default .Values.sessionStorage.redis.existingSecret }} + {{- else }} + name: {{ template "oauth2-proxy.fullname" . }}-redis-access + {{- end }} + key: {{ .Values.sessionStorage.redis.sentinel.passwordKey }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.extraEnv }} +{{ tpl (toYaml .Values.extraEnv) . | indent 8 }} + {{- end }} + {{- if .Values.envFrom }} + envFrom: +{{ tpl (toYaml .Values.envFrom) . 
| indent 8 }} + {{- end }} + ports: + {{- if .Values.containerPort }} + - containerPort: {{ .Values.containerPort }} + {{- else if (and (eq .Values.httpScheme "http") (empty .Values.containerPort)) }} + - containerPort: 4180 + {{- else if (and (eq .Values.httpScheme "https") (empty .Values.containerPort)) }} + - containerPort: 4443 + {{- else }} + {{- end}} + name: {{ .Values.httpScheme }} + protocol: TCP +{{- if .Values.metrics.enabled }} + - containerPort: 44180 + protocol: TCP + name: metrics +{{- end }} +{{- if .Values.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /ping + port: {{ .Values.httpScheme }} + scheme: {{ .Values.httpScheme | upper }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} +{{- end }} +{{- if .Values.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: {{ if gt (include "oauth2-proxy.version" .) "7.4.0" }}/ready{{ else }}/ping{{ end }} + port: {{ .Values.httpScheme }} + scheme: {{ .Values.httpScheme | upper }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} +{{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + volumeMounts: +{{- with .Values.config.google }} +{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }} + - name: google-secret + mountPath: /google + readOnly: true +{{- end }} +{{- end }} +{{- if or .Values.config.existingConfig .Values.config.configFile }} + - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg + name: configmain + subPath: oauth2_proxy.cfg +{{- end }} +{{- if .Values.alphaConfig.enabled }} + - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml + name: configalpha + subPath: oauth2_proxy.yml +{{- end }} +{{- if .Values.authenticatedEmailsFile.enabled }} + - mountPath: 
/etc/oauth2-proxy + name: configaccesslist + readOnly: true +{{- end }} +{{- if .Values.htpasswdFile.enabled }} + - mountPath: /etc/oauth2_proxy/htpasswd + name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file + readOnly: true +{{- end }} +{{- if ne (len .Values.extraVolumeMounts) 0 }} +{{ toYaml .Values.extraVolumeMounts | indent 8 }} +{{- end }} +{{- if .Values.securityContext.enabled }} +{{- $securityContext := unset .Values.securityContext "enabled" }} + securityContext: + {{- toYaml $securityContext | nindent 10 }} +{{- end }} +{{- if .Values.extraContainers }} + {{- toYaml .Values.extraContainers | nindent 6 }} +{{- end }} + volumes: +{{- with .Values.config.google }} +{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }} + - name: google-secret + secret: + secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}-google{{ end }} +{{- end }} +{{- end }} + +{{- if .Values.htpasswdFile.enabled }} + - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file + secret: + secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }} +{{- end }} + +{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }} + - name: configaccesslist + secret: + items: + - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }} +{{- if .Values.authenticatedEmailsFile.template }} + path: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + path: {{ template "oauth2-proxy.fullname" . }}-accesslist +{{- end }} +{{- if .Values.authenticatedEmailsFile.template }} + secretName: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + secretName: {{ template "oauth2-proxy.fullname" . 
}}-accesslist +{{- end }} +{{- end }} +{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} + - name: redis-script + configMap: + name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis + defaultMode: 0775 +{{- end }} +{{- if or .Values.config.existingConfig .Values.config.configFile }} + - configMap: + defaultMode: 420 + name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }} + name: configmain +{{- end }} +{{- if .Values.alphaConfig.enabled }} +{{- if .Values.alphaConfig.existingConfig }} + - configMap: + defaultMode: 420 + name: {{ .Values.alphaConfig.existingConfig }} + name: configalpha +{{- else }} + - secret: + defaultMode: 420 + secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }} + name: configalpha +{{- end }} +{{- end }} +{{- if ne (len .Values.extraVolumes) 0 }} +{{ tpl (toYaml .Values.extraVolumes) . | indent 6 }} +{{- end }} +{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }} + - configMap: +{{- if .Values.authenticatedEmailsFile.template }} + name: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + name: {{ template "oauth2-proxy.fullname" . }}-accesslist +{{- end }} + items: + - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }} +{{- if .Values.authenticatedEmailsFile.template }} + path: {{ .Values.authenticatedEmailsFile.template }} +{{- else }} + path: {{ template "oauth2-proxy.fullname" . }}-accesslist +{{- end }} + name: configaccesslist +{{- end }} + + {{- with (.Values.imagePullSecrets | default .Values.global.imagePullSecrets) }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml new file mode 100644 index 0000000000..126d3e7a18 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml @@ -0,0 +1,12 @@ +{{- if .Values.checkDeprecation }} + {{- if .Values.service.port }} + {{ fail "`service.port` does no longer exist. It has been renamed to `service.portNumber`" }} + {{- end }} + {{- if eq ( include "capabilities.ingress.apiVersion" . ) "networking.k8s.io/v1" -}} + {{- range .Values.ingress.extraPaths }} + {{- if or (.backend.serviceName) (.backend.servicePort) }} + {{ fail "Please update the format of your `ingress.extraPaths` to the new ingress apiVersion `networking.k8s.io/v1` format" }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml new file mode 100644 index 0000000000..a9bb3b6ba8 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml new file mode 100644 index 0000000000..30a9ae1bb6 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml 
@@ -0,0 +1,13 @@ +{{- if and .Values.config.google (and (not .Values.config.google.existingSecret) (not .Values.config.google.useApplicationDefaultCredentials)) }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-google + namespace: {{ template "oauth2-proxy.namespace" $ }} +type: Opaque +data: + service-account.json: {{ .Values.config.google.serviceAccountJson | b64enc | quote }} +{{- end -}} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml new file mode 100644 index 0000000000..a6d7461797 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/hpa.yaml @@ -0,0 +1,38 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + {{- with .Values.autoscaling.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 8 }} + {{- end }} + name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "oauth2-proxy.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} 
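Review bot: in templates/deployment.yaml, the readinessProbe path is chosen with `gt (include "oauth2-proxy.version" .) "7.4.0"`, which compares the two strings lexically and not as versions: `7.10.0` sorts below `7.4.0` and would get `/ping`, and a tag with a leading `v` sorts above any digit and always gets `/ready`. Use `semverCompare` on the version, as `_ingress.tpl` already does for the Kubernetes version. In the same hunk, the final `{{- else }}` branch of the `ports:` block is empty, so an `httpScheme` other than `http` or `https` with no `containerPort` renders `name:` and `protocol:` without a `- containerPort:` item; call `fail` there instead.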
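Review bot: in templates/google-secret.yaml, the guard only tests that `config.google` is set and that `existingSecret` and `useApplicationDefaultCredentials` are not, so a values file that sets only `config.google.groups` still reaches `.Values.config.google.serviceAccountJson | b64enc` with no value. deployment.yaml mounts the `google-secret` volume only when `adminEmail` and `serviceAccountJson` (or `existingSecret`) are present; add `.Values.config.google.serviceAccountJson` to the `and` here so the Secret is rendered under the same condition as the mount.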
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml new file mode 100644 index 0000000000..8cc7953ee9 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml @@ -0,0 +1,44 @@ +{{- if .Values.ingress.enabled -}} +{{- $serviceName := include "oauth2-proxy.fullname" . -}} +{{- $servicePort := .Values.service.portNumber -}} +{{- $ingressPath := .Values.ingress.path -}} +{{- $ingressPathType := .Values.ingress.pathType -}} +{{- $extraPaths := .Values.ingress.extraPaths -}} +apiVersion: {{ include "capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} + {{- include "oauth2-proxy.labels" . | indent 4 }} +{{- if .Values.ingress.labels }} +{{ toYaml .Values.ingress.labels | indent 4 }} +{{- end }} + name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} +{{- with .Values.ingress.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} +{{- end }} +spec: + {{- if and .Values.ingress.className ( eq "true" ( include "ingress.supportsIngressClassName" . ) ) }} + ingressClassName: {{ .Values.ingress.className | quote }} + {{- end }} + rules: + {{- range $host := .Values.ingress.hosts }} + - host: {{ tpl $host $ | quote }} + http: + paths: +{{- if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if eq "true" ( include "ingress.supportsPathType" $ ) }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: {{- include "ingress.backend" ( dict "serviceName" $serviceName "servicePort" $servicePort "context" $ ) | nindent 14 }} + {{- end -}} + {{- if .Values.ingress.tls }} + tls: +{{ tpl (toYaml .Values.ingress.tls) $ | indent 4 }} + {{- end -}} +{{- end -}} 
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000000..1fc8ecc005 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.podDisruptionBudget.enabled (gt (.Values.replicaCount | int) 1) }} +apiVersion: {{ include "capabilities.podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} +spec: + selector: + matchLabels: + {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} +{{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml new file mode 100644 index 0000000000..202e9243e3 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml 
@@ -0,0 +1,23 @@ +{{- $name := include "oauth2-proxy.name" . -}} +{{- $fullName := include "oauth2-proxy.fullname" . -}} +{{- $labels := include "oauth2-proxy.labels" . -}} +{{- with .Values.sessionStorage }} +{{- if and (eq .type "redis") (not .redis.existingSecret) (or .redis.password .redis.sentinel.password) }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ $name }} + {{- $labels | indent 4 }} + name: {{ $fullName }}-redis-access + namespace: {{ template "oauth2-proxy.namespace" $ }} +type: Opaque +data: + {{- if and .redis.password (not .redis.existingSecret) }} + {{ .redis.passwordKey }}: {{ .redis.password | b64enc | quote }} + {{- end }} + {{- if and .redis.sentinel.password (not .redis.sentinel.existingSecret) (ne .redis.sentinel.passwordKey .redis.passwordKey) }} + {{ .redis.sentinel.passwordKey }}: {{ .redis.sentinel.password | b64enc | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml new file mode 100644 index 0000000000..ba2c02d5aa --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml @@ -0,0 +1,21 @@ +{{- + if and + .Values.alphaConfig.enabled + (not .Values.alphaConfig.existingConfig) + (not .Values.alphaConfig.existingSecret) +}} +apiVersion: v1 +kind: Secret +metadata: +{{- with .Values.alphaConfig.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} +{{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} + {{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-alpha + namespace: {{ template "oauth2-proxy.namespace" $ }} +data: + oauth2_proxy.yml: {{ include "oauth2-proxy.alpha-config" . | b64enc | quote }} +{{- end }} 
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml new file mode 100644 index 0000000000..9b607dd34a --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml @@ -0,0 +1,19 @@ +{{- if .Values.authenticatedEmailsFile.enabled }} +{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "secret") }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} +{{- with .Values.authenticatedEmailsFile.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} +{{- end }} + name: {{ template "oauth2-proxy.fullname" . }}-accesslist + namespace: {{ template "oauth2-proxy.namespace" $ }} +data: + {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | b64enc }} +{{- end }} +{{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml new file mode 100644 index 0000000000..c5ea330ff7 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml 
@@ -0,0 +1,16 @@ +{{- if and .Values.htpasswdFile.enabled (not .Values.htpasswdFile.existingSecret) }} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file + namespace: {{ template "oauth2-proxy.namespace" $ }} +type: Opaque +stringData: + users.txt: |- + {{- range $entries := .Values.htpasswdFile.entries }} + {{ $entries }} + {{- end -}} +{{- end }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml new file mode 100644 index 0000000000..a041843484 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml @@ -0,0 +1,17 @@ +{{- if and (not .Values.config.existingSecret) (.Values.proxyVarsAsSecrets) }} +apiVersion: v1 +kind: Secret +metadata: +{{- with .Values.config.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} +{{- end }} + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} +type: Opaque +data: +{{- include "oauth2-proxy.secrets" . | nindent 2 }} +{{- end -}} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml new file mode 100644 index 0000000000..e8d02aeba8 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml 
@@ -0,0 +1,61 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} + name: {{ template "oauth2-proxy.fullname" . }} + namespace: {{ template "oauth2-proxy.namespace" $ }} +{{- with .Values.service.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} +{{- end }} +spec: +{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} + type: ClusterIP + {{- if .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{end}} +{{- else if eq .Values.service.type "LoadBalancer" }} + type: {{ .Values.service.type }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} + {{- end -}} +{{- else }} + type: {{ .Values.service.type }} +{{- end }} +{{- if .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} +{{- end }} +{{- if .Values.service.internalTrafficPolicy }} + internalTrafficPolicy: {{ .Values.service.internalTrafficPolicy }} +{{- end }} + ports: + - port: {{ .Values.service.portNumber }} + targetPort: {{ .Values.httpScheme }} + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + protocol: TCP + {{- with .Values.service.appProtocol }} + appProtocol: {{ . }} + {{- end }} + name: {{ .Values.httpScheme }} + {{- if and .Values.metrics.enabled .Values.metrics.port }} + - port: {{ .Values.metrics.port }} + protocol: TCP + {{- with .Values.metrics.service.appProtocol }} + appProtocol: {{ . 
}} + {{- end }} + targetPort: metrics + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.metrics.nodePort))) }} + nodePort: {{ .Values.metrics.nodePort }} + {{- end }} + name: metrics + {{- end }} + selector: + {{- include "oauth2-proxy.selectorLabels" . | indent 4 }} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml new file mode 100644 index 0000000000..e38cd7a7a6 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml 
@@ -0,0 +1,60 @@ +{{- if or .Values.serviceAccount.enabled -}} +{{- $fullName := include "oauth2-proxy.fullname" . -}} +{{- $saName := include "oauth2-proxy.serviceAccountName" . -}} +{{- $name := include "oauth2-proxy.name" . -}} +{{- $namespace := include "oauth2-proxy.namespace" $ -}} +{{- $labels := include "oauth2-proxy.labels" . -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- with .Values.serviceAccount.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} + {{- end }} + labels: + app: {{ $name }} +{{- $labels | indent 4 }} + name: {{ $saName }} + namespace: {{ $namespace }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $fullName }}-watch-redis + namespace: {{ $namespace }} + labels: + app: {{ $name }} + {{- $labels | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + resourceNames: + - "{{ include "oauth2-proxy.redis.fullname" . }}-master-0" + verbs: + - get + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $saName }}-watch-redis + namespace: {{ $namespace }} + labels: + app: {{ $name }} + {{- $labels | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ $saName }} + apiGroup: "" +roleRef: + kind: Role + name: {{ $fullName }}-watch-redis + apiGroup: "" +{{- end -}} +{{- end -}} diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml new file mode 100644 index 0000000000..99d62fd4ad --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml 
@@ -0,0 +1,57 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + {{- with .Values.metrics.serviceMonitor.annotations }} + annotations: +{{ tpl ( toYaml . ) $ | indent 4 }} + {{- end }} + name: {{ template "oauth2-proxy.fullname" . }} +{{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} +{{- else }} + namespace: {{ template "oauth2-proxy.namespace" $ }} +{{- end }} + labels: + prometheus: {{ .Values.metrics.serviceMonitor.prometheusInstance }} + app: {{ template "oauth2-proxy.name" . }} +{{- include "oauth2-proxy.labels" . | indent 4 }} +{{- if .Values.metrics.serviceMonitor.labels }} +{{ toYaml .Values.metrics.serviceMonitor.labels | indent 4}} +{{- end }} +spec: + jobLabel: {{ template "oauth2-proxy.fullname" . }} + selector: + matchLabels: + {{- include "oauth2-proxy.selectorLabels" . | indent 6 }} + namespaceSelector: + matchNames: + - {{ template "oauth2-proxy.namespace" $ }} + endpoints: + - port: metrics + path: "/metrics" + {{- with .Values.metrics.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.bearerTokenFile }} + bearerTokenFile: {{ . }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml .| nindent 6 }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.metrics.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} 
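Review bot: In the `labels:` block of servicemonitor.yaml, `prometheus: {{ .Values.metrics.serviceMonitor.prometheusInstance }}` is rendered unquoted, so an override such as `true` or `1` is parsed as a boolean or number instead of a string label value. Pipe it through `quote`, and do the same for `scheme: {{ . }}` and `bearerTokenFile: {{ . }}` in the endpoint. Minor style point: `toYaml .| nindent 6` under `tlsConfig` is missing the space before the pipe that the other `toYaml . |` calls in this template have.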
diff --git a/kubernetes/authentication/components/oauth2-proxy/values.yaml b/kubernetes/authentication/components/oauth2-proxy/values.yaml new file mode 100644 index 0000000000..7157aa0c72 --- /dev/null +++ b/kubernetes/authentication/components/oauth2-proxy/values.yaml 
@@ -0,0 +1,497 @@ +global: + quayRepository: quay.io + dockerHubRepository: docker.io + # Additions for Redis **************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + + # Workaround to avoid redis restarts with ArgoCD + redis: + password: "32ugd3783rhfjdhow" + # ************************************************* + +## Override the deployment namespace +## +namespaceOverride: "" + +# Force the target Kubernetes version (it uses Helm `.Capabilities` if not set). +# This is especially useful for `helm template` as capabilities are always empty +# due to the fact that it doesn't query an actual cluster +kubeVersion: + +# Oauth client configuration specifics +config: + # Add config annotations + annotations: {} + # OAuth client ID + clientID: "XXXXXXX" + # OAuth client secret + clientSecret: "XXXXXXXX" + # Create a new secret with the following command + # openssl rand -base64 32 | head -c 32 | base64 + # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields) + # Example: + # existingSecret: secret + cookieSecret: "XXXXXXXXXXXXXXXX" + # The name of the cookie that oauth2-proxy will create + # If left empty, it will default to the release name + cookieName: "" + google: {} + # adminEmail: xxxx + # useApplicationDefaultCredentials: true + # targetPrincipal: xxxx + # serviceAccountJson: xxxx + # Alternatively, use an existing secret (see google-secret.yaml for required fields) + # Example: + # existingSecret: google-secret + # groups: [] + # Example: + # - group1@example.com + # - group2@example.com + # Default configuration, to be overridden + configFile: |- + email_domains = [ "*" ] + upstreams = [ "file:///dev/null" ] + # Custom configuration file: oauth2_proxy.cfg + # configFile: |- + # pass_basic_auth = false + # pass_access_token = true + # Use an existing config 
map (see configmap.yaml for required fields) + # Example: + # existingConfig: config + +alphaConfig: + enabled: false + # Add config annotations + annotations: {} + # Arbitrary configuration data to append to the server section + serverConfigData: {} + # Arbitrary configuration data to append to the metrics section + metricsConfigData: {} + # Arbitrary configuration data to append + configData: {} + # Arbitrary configuration to append + # This is treated as a Go template and rendered with the root context + configFile: "" + # Use an existing config map (see secret-alpha.yaml for required fields) + existingConfig: ~ + # Use an existing secret + existingSecret: ~ + +image: + #repository: "quay.io/oauth2-proxy/oauth2-proxy" + repository: "oauth2-proxy/oauth2-proxy" + # appVersion is used by default + tag: "" + pullPolicy: "IfNotPresent" + command: [] + +# Optionally specify an array of imagePullSecrets. +# Secrets must be manually created in the namespace. +# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod +# imagePullSecrets: + # - name: myRegistryKeySecretName + +# Set a custom containerPort if required. +# This will default to 4180 if this value is not set and the httpScheme set to http +# This will default to 4443 if this value is not set and the httpScheme set to https +# containerPort: 4180 + +extraArgs: {} +extraEnv: [] + +envFrom: [] +# Load environment variables from a ConfigMap(s) and/or Secret(s) +# that already exists (created and managed by you). +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables +# +# PS: Changes in these ConfigMaps or Secrets will not be automatically +# detected and you must manually restart the relevant Pods after changes. 
+# +# - configMapRef: +# name: special-config +# - secretRef: +# name: special-config-secret + +# -- Custom labels to add into metadata +customLabels: {} + +# To authorize individual email addresses +# That is part of extraArgs but since this needs special treatment we need to do a separate section +authenticatedEmailsFile: + enabled: false + # Defines how the email addresses file will be projected, via a configmap or secret + persistence: configmap + # template is the name of the configmap what contains the email user list but has been configured without this chart. + # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service. + # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the + # provided value in restrictedUserAccessKey field. + template: "" + # The configmap/secret key under which the list of email access is stored + # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility + restrictedUserAccessKey: "" + # One email per line + # example: + # restricted_access: |- + # name1@domain + # name2@domain + # If you override the config with restricted_access it will configure a user list within this chart what takes care of the + # config map resource. + restricted_access: "" + annotations: {} + # helm.sh/resource-policy: keep + +service: + type: ClusterIP + # when service.type is ClusterIP ... + # clusterIP: 192.0.2.20 + # when service.type is LoadBalancer ... + # loadBalancerIP: 198.51.100.40 + # loadBalancerSourceRanges: 203.0.113.0/24 + # when service.type is NodePort ... 
+ # nodePort: 80 + portNumber: 80 + # Protocol set on the service + appProtocol: http + annotations: {} + # foo.io/bar: "true" + # configure externalTrafficPolicy + externalTrafficPolicy: "" + # configure internalTrafficPolicy + internalTrafficPolicy: "" + +## Create or use ServiceAccount +serviceAccount: + ## Specifies whether a ServiceAccount should be created + enabled: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + name: + automountServiceAccountToken: true + annotations: {} + +ingress: + enabled: false + # className: nginx + path: / + # Only used if API capabilities (networking.k8s.io/v1) allow it + pathType: ImplementationSpecific + # Used to create an Ingress record. + # hosts: + # - chart-example.local + # Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1) + # extraPaths: + # - path: /* + # pathType: ImplementationSpecific + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + labels: {} + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # tls: + # Secrets must be manually created in the namespace. + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # limits: + # cpu: 100m + # memory: 300Mi + # requests: + # cpu: 100m + # memory: 300Mi + +extraVolumes: [] + # - name: ca-bundle-cert + # secret: + # secretName: + +extraVolumeMounts: [] + # - mountPath: /etc/ssl/certs/ + # name: ca-bundle-cert + +# Additional containers to be added to the pod. 
+extraContainers: [] + # - name: my-sidecar + # image: nginx:latest + +priorityClassName: "" + +# hostAliases is a list of aliases to be added to /etc/hosts for network name resolution +hostAliases: [] +# - ip: "10.xxx.xxx.xxx" +# hostnames: +# - "auth.example.com" +# - ip: 127.0.0.1 +# hostnames: +# - chart-example.local +# - example.local + +# [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration. +# Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling +# topologySpreadConstraints: [] + +# Affinity for pod assignment +# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +# affinity: {} + +# Tolerations for pod assignment +# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +# Node labels for pod assignment +# Ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: {} + +# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables +proxyVarsAsSecrets: true + +# Configure Kubernetes liveness and readiness probes. +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +# Disable both when deploying with Istio 1.0 mTLS. 
https://istio.io/help/faq/security/#k8s-health-checks +livenessProbe: + enabled: true + initialDelaySeconds: 0 + timeoutSeconds: 1 + +readinessProbe: + enabled: true + initialDelaySeconds: 0 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + +# Configure Kubernetes security context for container +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +securityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 2000 + runAsGroup: 2000 + seccompProfile: + type: RuntimeDefault + +deploymentAnnotations: {} +podAnnotations: {} +podLabels: {} +replicaCount: 1 +revisionHistoryLimit: 10 +strategy: {} + +## PodDisruptionBudget settings +## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ +podDisruptionBudget: + enabled: true + minAvailable: 1 + +## Horizontal Pod Autoscaling +## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 +# targetMemoryUtilizationPercentage: 80 + annotations: {} + +# Configure Kubernetes security context for pod +# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +podSecurityContext: {} + +# whether to use http or https +httpScheme: http + +initContainers: + # if the redis sub-chart is enabled, wait for it to be ready + # before starting the proxy + # creates a role binding to get, list, watch, the redis master pod + # if service account is enabled + waitForRedis: + enabled: true + image: + repository: "alpine" + tag: "latest" + pullPolicy: "IfNotPresent" + # uses the kubernetes version of the cluster + # the chart is deployed on, if not set + kubectlVersion: "" + securityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 
65534 + runAsGroup: 65534 + seccompProfile: + type: RuntimeDefault + timeout: 180 + resources: {} + # limits: + # cpu: 100m + # memory: 300Mi + # requests: + # cpu: 100m + # memory: 300Mi + +# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption. +# Alternatively supply an existing secret which contains the required information. +htpasswdFile: + enabled: false + existingSecret: "" + entries: [] + # One row for each user + # example: + # entries: + # - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy + +# Configure the session storage type, between cookie and redis +sessionStorage: + # Can be one of the supported session storage cookie|redis + type: cookie + redis: + # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) + existingSecret: "" + # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence + password: "" + # Key of the Kubernetes secret data containing the redis password value + passwordKey: "redis-password" + # Can be one of standalone|cluster|sentinel + clientType: "standalone" + standalone: + # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set + connectionUrl: "" + cluster: + # List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: [] + sentinel: + # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` + existingSecret: "" + # Redis sentinel password. 
Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` + password: "" + # Key of the Kubernetes secret data containing the redis sentinel password value + passwordKey: "redis-sentinel-password" + # Redis sentinel master name + masterName: "" + # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: [] + +# Enables and configure the automatic deployment of the redis subchart +redis: + # provision an instance of the redis sub-chart + enabled: false + # Redis specific helm chart settings, please see: + # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters + # redisPort: 6379 + # architecture: standalone + +# Enables apiVersion deprecation checks +checkDeprecation: true + +# Allows graceful shutdown +# terminationGracePeriodSeconds: 65 +# lifecycle: +# preStop: +# exec: +# command: [ "sh", "-c", "sleep 60" ] + +metrics: + # Enable Prometheus metrics endpoint + enabled: true + # Serve Prometheus metrics on this port + port: 44180 + # when service.type is NodePort ... + # nodePort: 44180 + # Protocol set on the service for the metrics port + service: + appProtocol: http + serviceMonitor: + # Enable Prometheus Operator ServiceMonitor + enabled: false + # Define the namespace where to deploy the ServiceMonitor resource + namespace: "" + # Prometheus Instance definition + prometheusInstance: default + # Prometheus scrape interval + interval: 60s + # Prometheus scrape timeout + scrapeTimeout: 30s + # Add custom labels to the ServiceMonitor resource + labels: {} + + ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. + scheme: "" + + ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. 
+ ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig + tlsConfig: {} + + ## bearerTokenFile: Path to bearer token file. + bearerTokenFile: "" + + ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + annotations: {} + + ## Metric relabel configs to apply to samples before ingestion. + ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## Relabel configs to apply to samples before ingestion. + ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +# Extra K8s manifests to deploy +extraObjects: [] + # - apiVersion: secrets-store.csi.x-k8s.io/v1 + # kind: SecretProviderClass + # metadata: + # name: oauth2-proxy-secrets-store + # spec: + # provider: aws + # parameters: + # objects: | + # - objectName: "oauth2-proxy" + # objectType: "secretsmanager" + # jmesPath: + # - path: "client_id" + # objectAlias: "client-id" + # - path: "client_secret" + # objectAlias: "client-secret" + # - path: "cookie_secret" + # objectAlias: "cookie-secret" + # secretObjects: + # - data: + # - key: client-id + # objectName: client-id + # - key: client-secret + # objectName: client-secret + # - key: cookie-secret + # objectName: cookie-secret + # secretName: oauth2-proxy-secrets-store + # type: Opaque 
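Review bot: `password: "32ugd3783rhfjdhow"` under `global.redis` at the top of values.yaml commits a fixed Redis password as a chart default, so every install that does not override it shares the same credential. The comment describes it as a workaround for Redis restarts with ArgoCD. Prefer requiring the value at install time or pointing at a pre-created secret, which the chart already supports through `sessionStorage.redis.existingSecret`. In the same hunk, `initContainers.waitForRedis.image` uses `repository: "alpine"` with `tag: "latest"`, which is unpinned and should be a fixed tag. `serviceAccount.automountServiceAccountToken: true` also mounts a token by default even though `redis.enabled` is false and the watch-redis Role is then not rendered; default it to false unless the init container is in use.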
diff --git a/kubernetes/authentication/resources/oauth2_proxy.cfg b/kubernetes/authentication/resources/oauth2_proxy.cfg new file mode 100644 index 0000000000..60aaad4b52 --- /dev/null +++ b/kubernetes/authentication/resources/oauth2_proxy.cfg 
@@ -0,0 +1,38 @@ +provider = "oidc" +provider_display_name = "ONAPKeycloakID" +client_id = "{{ index .Values "onap-oauth2-proxy" "config" "clientId" }}" +client_secret = "{{ index .Values "onap-oauth2-proxy" "config" "clientSecret" }}" +oidc_issuer_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap' +oidc_jwks_url = 'http://{{ include "common.namespace" . }}-authentication-keycloakx-http.{{ include "common.namespace" . }}/realms/onap/protocol/openid-connect/certs' +profile_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/userinfo' +validate_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/userinfo' +redeem_url = 'http://{{ include "common.namespace" . }}-authentication-keycloakx-http.{{ include "common.namespace" . }}/realms/onap/protocol/openid-connect/token' +scope = "openid email profile groups onap_roles" +skip_oidc_discovery = true +cookie_secure = false +cookie_secret = "{{ index .Values "onap-oauth2-proxy" "config" "cookieSecret" }}" +email_domains = [ "*" ] +auth_logging = true +request_logging = true +standard_logging = true +show_debug_on_error = true +cookie_domains = ".{{ .Values.global.ingress.virtualhost.baseurl }}" +cookie_samesite = "lax" +whitelist_domains = ".{{ .Values.global.ingress.virtualhost.baseurl }}" +login_url = 'https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/auth' +pass_access_token = true +pass_authorization_header = true +pass_host_header = true +pass_user_headers = true +http_address = "0.0.0.0:4180" +oidc_email_claim = "email" +oidc_groups_claim = "groups" +insecure_oidc_skip_issuer_verification = true +insecure_oidc_allow_unverified_email = true +silence_ping_logging = true +upstreams = "static://200" +set_xauthrequest = true +set_authorization_header = true +skip_provider_button = true +skip_jwt_bearer_tokens = true +cookie_expire = "30m" diff --git a/kubernetes/authentication/templates/_utils.tpl b/kubernetes/authentication/templates/_utils.tpl new file mode 100644 index 0000000000..958d0c78df --- /dev/null +++ b/kubernetes/authentication/templates/_utils.tpl 
@@ -0,0 +1,926 @@ +{{/* +# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* +Renders a value that contains template. +Usage: +{{ include "auth.realm" ( dict "dot" . "realm" .Values.path.to.realm) }} +*/}} +{{- define "auth.realm" -}} +{{- $dot := default . .dot -}} +{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +realm: {{ $realm.name }} +{{ if $realm.displayName }}displayName: {{ $realm.displayName }}{{ end }} +accessTokenLifespan: {{ default "1900" $realm.accessTokenLifespan }} +registrationAllowed: {{ default false $realm.registrationAllowed }} +resetPasswordAllowed: {{ default true $realm.resetPasswordAllowed }} +{{ if $realm.passwordPolicy }}passwordPolicy: {{ $realm.passwordPolicy }}{{ end }} +sslRequired: {{ default "external" $realm.sslRequired }} +enabled: true +{{ if $realm.themes }} +{{ if $realm.themes.login }}loginTheme: {{ $realm.themes.login }}{{ end }} +{{ if $realm.themes.admin }}adminTheme: {{ $realm.themes.admin }}{{ end }} +{{ if $realm.themes.account }}accountTheme: {{ $realm.themes.account }}{{ end }} +{{ if $realm.themes.email }}emailTheme: {{ $realm.themes.email }}{{ end }} +{{- end }} +{{- if $realm.accessControl }} +{{ include "auth._roles" $realm }} +{{- end }} +{{ include "auth._clients" (dict "dot" $dot "realm" $realm) }} +{{ include "auth._clientScopes" $realm }} +{{ include "auth._defaultClientScopes" $realm 
}} +{{ include "auth._groups" $realm }} +{{ include "auth._users" $realm }} +{{ include "auth._identity" $realm }} +{{ include "auth._identityMapper" $realm }} +{{ include "auth._smtpServer" $realm }} +{{ include "auth._attributes" (dict "dot" $dot "realm" $realm) }} +{{- end -}} + +{{/* +Renders the roles section in a realm. +Usage: +{{ include "auth._roles" ( dict "dot" .Values) }} +*/}} +{{- define "auth._roles" -}} +{{- $realm := default . .dot -}} +roles: + realm: + {{- range $index, $role := $realm.accessControl.assignableRoles }} + - name: "{{ $role.name }}" + description: "{{ $role.description }}" + {{- if $role.associatedAccessRoles }} + composite: true + composites: + client: + {{- range $key, $accessRole := $realm.accessControl.accessRoles }} + {{ $client := index $realm.clients $key -}} + {{ $client.clientId }}: + {{- range $index2, $associatedRole := $role.associatedAccessRoles }} + - {{ $associatedRole }} + {{- end }} + {{- end }} + {{- else }} + composite: false + {{- end }} + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + {{- end }} + - name: "user" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "admin" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "offline_access" + description: "${role_offline-access}" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "uma_authorization" + description: "${role_uma_authorization}" + composite: false + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + - name: "default-roles-{{ $realm.name }}" + description: "${role_default-roles}" + composite: true + composites: + realm: + - "offline_access" + - "uma_authorization" + client: + account: + - "view-profile" + - "manage-account" + clientRole: false + containerId: "{{ $realm.name }}" + attributes: {} + {{- if $realm.accessControl.accessRoles }} + client: + {{- range 
$key, $accessRole := $realm.accessControl.accessRoles }} + {{ $client := index $realm.clients $key -}} + {{ $client.clientId }}: + {{- range $index, $role := get $realm.accessControl.accessRoles $key }} + - name: "{{ $role.name }}" + description: "Allows to perform {{ $role.methodsAllowed }} operations for {{ $role.name }} component" + composite: false + clientRole: false + containerId: "{{ $client.clientId }}" + attributes: {} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Renders the clients section in a realm. +Usage: +{{ include "auth._clients" ( dict "dot" . "realm" $realm ) }} +*/}} +{{- define "auth._clients" -}} +{{- $dot := default . .dot -}} +{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}} +clients: + {{- range $index, $client := $realm.clients }} + - clientId: "{{ $client.clientId }}" + {{- if $client.name }} + name: "{{ $client.name }}" + {{- end }} + {{- if $client.description }} + description: "{{ $client.description }}" + {{- end }} + {{- if $client.rootUrl }} + rootUrl: {{ tpl $client.rootUrl $dot }} + {{- end }} + {{- if $client.adminUrl }} + adminUrl: {{ tpl $client.adminUrl $dot }} + {{- end }} + {{- if $client.baseUrl }} + baseUrl: {{ tpl $client.baseUrl $dot }} + {{- end }} + surrogateAuthRequired: {{ default false $client.surrogateAuthRequired }} + authorizationServicesEnabled: {{ default false $client.authorizationServicesEnabled }} + enabled: true + alwaysDisplayInConsole: false + clientAuthenticatorType: {{ default "client-secret" $client.clientAuthenticatorType }} + {{- if $client.secret }} + secret: "{{ $client.secret }}" + {{- end }} + {{- if $client.redirectUris }} + redirectUris: + {{- range $index2, $url := $client.redirectUris }} + - {{ tpl $url $dot }} + {{- end }} + {{- else }} + redirectUris: [] + {{- end }} + {{- if $client.webOrigins }} + webOrigins: + {{- range $index3, $web := $client.webOrigins }} + - {{ $web | quote }} + {{- end }} + {{- else }} + webOrigins: [] + 
{{- end }} + notBefore: 0 + bearerOnly: {{ default false $client.bearerOnly }} + consentRequired: {{ default false $client.consentRequired }} + standardFlowEnabled: {{ default true $client.standardFlowEnabled }} + implicitFlowEnabled: {{ default false $client.implicitFlowEnabled }} + directAccessGrantsEnabled: {{ default true $client.directAccessGrantsEnabled }} + serviceAccountsEnabled: {{ default false $client.serviceAccountsEnabled }} + publicClient: {{ default false $client.publicClient }} + frontchannelLogout: {{ default false $client.frontchannelLogout }} + protocol: "{{ default "openid-connect" $client.protocol }}" + {{- if $client.attributes }} + attributes: + {{- range $key,$value := $client.attributes }} + {{ $key }}: {{ tpl $value $dot }} + {{- end }} + {{- end }} + authenticationFlowBindingOverrides: {} + fullScopeAllowed: true + nodeReRegistrationTimeout: -1 + protocolMappers: + {{- if $client.protocolMappers }} + {{- range $index2, $mapper := $client.protocolMappers }} + - name: {{ $mapper.name }} + protocol: "openid-connect" + protocolMapper: {{ $mapper.protocolMapper }} + consentRequired: false + config: + {{ toYaml $mapper.config | nindent 10 }} + {{- end }} + {{- end }} + {{- if $client.defaultClientScopes }} + defaultClientScopes: + {{- range $index2, $scope := $client.defaultClientScopes }} + - {{ $scope }} + {{- end }} + {{- end }} + {{- if $client.optionalClientScopes }} + optionalClientScopes: + {{- range $index2, $scope := $client.optionalClientScopes }} + - {{ $scope }} + {{- end }} + {{- end }} + {{- if $client.authorizationSettings }} + authorizationSettings: {{ include "auth._authorizationSettings" (dict "dot" $client.authorizationSettings ) | nindent 6 }} + {{- end }} + {{- end }} +{{- end }} + +{{/* +Renders the authorizationSettings in the client section in a realm. +Usage: +{{ include "auth._authorizationSettings" ( dict "dot" .Values) }} +*/}} +{{- define "auth._authorizationSettings" -}} +{{- $dot := default . 
.dot -}} +allowRemoteResourceManagement: "{{ default true $dot.allowRemoteResourceManagement }}" +policyEnforcementMode: "{{ default "ENFORCING" $dot.policyEnforcementMode }}" +decisionStrategy: "{{ default "UNANIMOUS" $dot.decisionStrategy }}" +resources: + {{- range $index, $resource := $dot.resources }} + - name: {{ $resource.name }} + type: {{ (default "" $resource.type) | quote }} + displayName: {{ (default "" $resource.displayName) | quote }} + ownerManagedAccess: {{ default false $resource.ownerManagedAccess }} + {{- if $resource.attributes }} + attributes: + {{- range $key,$value := $resource.attributes }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + {{- if $resource.uris }} + uris: + {{- range $index2, $url := $resource.uris }} + - {{ $url }} + {{- end }} + {{- end }} + {{- if $resource.scopes }} + scopes: + {{- range $index3, $scope := $resource.scopes }} + - {{ $scope | toYaml }} + {{- end }} + {{- end }} + icon_uri: {{ (default "" $resource.icon_uri) | quote }} + {{- end }} +policies: + {{- range $index4, $policy := $dot.policies }} + - name: {{ $policy.name }} + type: {{ (default "" $policy.type) | quote }} + description: {{ (default "" $policy.description) | quote }} + logic: {{ default "POSITIVE" $policy.logic }} + decisionStrategy: {{ default "UNANIMOUS" $dot.decisionStrategy }} + config: + roles: {{ include "auth._policyRoles" (dict "dot" $policy.roles) | toJson }} + {{- end }} + {{- range $index6, $permission := $dot.permissions }} + - name: {{ $permission.name }} + type: {{ (default "" $permission.type) | quote }} + description: {{ (default "" $permission.description) | quote }} + logic: {{ default "POSITIVE" $permission.logic }} + decisionStrategy: {{ default "UNANIMOUS" $permission.decisionStrategy }} + config: + {{- if $permission.resources }} + resources: {{ include "auth._permissionResources" (dict "dot" $permission.resources) | toJson }} + {{- end }} + {{- if $permission.scopes }} + scopes: {{ include "auth._permissionScopes" 
(dict "dot" $permission.scopes) | toJson }} + {{- end }} + {{- if $permission.applyPolicies }} + applyPolicies: {{ include "auth._permissionApplyPolicies" (dict "dot" $permission.applyPolicies) | toJson }} + {{- end }} + {{- end }} +scopes: + {{- range $index, $scope := $dot.scopes }} + - name: {{ $scope.name }} + iconUri: {{ (default "" $scope.icon_uri) | quote }} + displayName: {{ (default "" $scope.displayName) | quote }} + {{- end }} +{{- end }} + +{{/* +Renders the roles in a policy. +Usage: +{{ include "auth._policyRoles" ( dict "dot" .Values) }} +*/}} +{{- define "auth._policyRoles" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$role := $dot }}{"id":"{{ $role.id }}","required":{{ $role.required }}}{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} + +{{/* +Renders the resources in a permission. +Usage: +{{ include "auth._permissionResources" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionResources" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$resource := $dot }}"{{ $resource }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} + +{{/* +Renders the scopes in a permission. +Usage: +{{ include "auth._permissionScopes" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionScopes" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$scope := $dot }}"{{ $scope }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} + +{{/* +Renders the applyPolicies in a permission. +Usage: +{{ include "auth._permissionApplyPolicies" ( dict "dot" .Values) }} +*/}} +{{- define "auth._permissionApplyPolicies" -}} +{{- $dot := default . .dot -}} +[{{- range $index,$policy := $dot }}"{{ $policy }}"{{ if ne $index (sub (len $dot) 1)}},{{ end }}{{- end }}] +{{- end }} +{{/* +Renders the defaultDefaultClientScopes section in a realm. +Usage: +{{ include "auth._defaultClientScopes" ( dict "dot" .Values) }} +*/}} +{{- define "auth._defaultClientScopes" -}} +{{- $dot := default . 
.dot -}} +{{- if $dot.defaultClientScopes }} +defaultDefaultClientScopes: + {{- range $index, $scope := $dot.defaultClientScopes }} + - {{ $scope }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the clientScopes section in a realm. +Usage: +{{ include "auth._clientScopes" ( dict "dot" .Values) }} +*/}} +{{- define "auth._clientScopes" -}} +{{- $dot := default . .dot -}} +clientScopes: +{{- if $dot.additionalClientScopes }} +{{- range $index, $scope := $dot.additionalClientScopes }} +- name: {{ $scope.name }} + description: {{ (default "" $scope.description) | quote }} + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'true' + gui.order: '' + consent.screen.text: "${rolesScopeConsentText}" + {{- if $scope.protocolMappers }} + protocolMappers: + {{- range $index2, $mapper := $scope.protocolMappers }} + - name: {{ $mapper.name }} + protocol: "openid-connect" + protocolMapper: {{ $mapper.protocolMapper }} + consentRequired: false + config: + {{ toYaml $mapper.config | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} +{{- end }} +- name: roles + description: OpenID Connect scope for add user roles to the access token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'true' + consent.screen.text: "${rolesScopeConsentText}" + protocolMappers: + - name: audience resolve + protocol: openid-connect + protocolMapper: oidc-audience-resolve-mapper + consentRequired: false + config: {} + - name: realm roles + protocol: openid-connect + protocolMapper: oidc-usermodel-realm-role-mapper + consentRequired: false + config: + user.attribute: foo + access.token.claim: 'true' + claim.name: realm_access.roles + jsonType.label: String + multivalued: 'true' + - name: client roles + protocol: openid-connect + protocolMapper: oidc-usermodel-client-role-mapper + consentRequired: false + config: + user.attribute: foo + access.token.claim: 'true' + claim.name: 
resource_access.${client_id}.roles + jsonType.label: String + multivalued: 'true' +- name: groups + description: Membership to a group + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + gui.order: '' + consent.screen.text: '' + protocolMappers: + - name: groups + protocol: openid-connect + protocolMapper: oidc-group-membership-mapper + consentRequired: false + config: + full.path: 'false' + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: groups + userinfo.token.claim: 'true' +- name: acr + description: OpenID Connect scope for add acr (authentication context class reference) + to the token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'false' + protocolMappers: + - name: acr loa level + protocol: openid-connect + protocolMapper: oidc-acr-mapper + consentRequired: false + config: + id.token.claim: 'true' + access.token.claim: 'true' +- name: profile + description: 'OpenID Connect built-in scope: profile' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${profileScopeConsentText}" + protocolMappers: + - name: profile + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: profile + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: profile + jsonType.label: String + - name: given name + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: firstName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: given_name + jsonType.label: String + - name: website + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: 
website + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: website + jsonType.label: String + - name: zoneinfo + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: zoneinfo + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: zoneinfo + jsonType.label: String + - name: locale + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: locale + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: locale + jsonType.label: String + - name: gender + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: gender + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: gender + jsonType.label: String + - name: family name + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: lastName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: family_name + jsonType.label: String + - name: username + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: username + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: preferred_username + jsonType.label: String + - name: middle name + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: middleName + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: middle_name + jsonType.label: String + - name: birthdate + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + 
userinfo.token.claim: 'true' + user.attribute: birthdate + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: birthdate + jsonType.label: String + - name: updated at + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: updatedAt + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: updated_at + jsonType.label: long + - name: full name + protocol: openid-connect + protocolMapper: oidc-full-name-mapper + consentRequired: false + config: + id.token.claim: 'true' + access.token.claim: 'true' + userinfo.token.claim: 'true' + - name: nickname + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: nickname + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: nickname + jsonType.label: String + - name: picture + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: picture + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: picture + jsonType.label: String +- name: address + description: 'OpenID Connect built-in scope: address' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${addressScopeConsentText}" + protocolMappers: + - name: address + protocol: openid-connect + protocolMapper: oidc-address-mapper + consentRequired: false + config: + user.attribute.formatted: formatted + user.attribute.country: country + user.attribute.postal_code: postal_code + userinfo.token.claim: 'true' + user.attribute.street: street + id.token.claim: 'true' + user.attribute.region: region + access.token.claim: 'true' + user.attribute.locality: locality +- name: web-origins + description: OpenID Connect scope for add allowed web origins to 
the access token + protocol: openid-connect + attributes: + include.in.token.scope: 'false' + display.on.consent.screen: 'false' + consent.screen.text: '' + protocolMappers: + - name: allowed web origins + protocol: openid-connect + protocolMapper: oidc-allowed-origins-mapper + consentRequired: false + config: {} +- name: phone + description: 'OpenID Connect built-in scope: phone' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${phoneScopeConsentText}" + protocolMappers: + - name: phone number verified + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: phoneNumberVerified + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: phone_number_verified + jsonType.label: boolean + - name: phone number + protocol: openid-connect + protocolMapper: oidc-usermodel-attribute-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: phoneNumber + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: phone_number + jsonType.label: String +- name: offline_access + description: 'OpenID Connect built-in scope: offline_access' + protocol: openid-connect + attributes: + consent.screen.text: "${offlineAccessScopeConsentText}" + display.on.consent.screen: 'true' +- name: role_list + description: SAML role list + protocol: saml + attributes: + consent.screen.text: "${samlRoleListScopeConsentText}" + display.on.consent.screen: 'true' + protocolMappers: + - name: role list + protocol: saml + protocolMapper: saml-role-list-mapper + consentRequired: false + config: + single: 'false' + attribute.nameformat: Basic + attribute.name: Role +- name: microprofile-jwt + description: Microprofile - JWT built-in scope + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'false' + protocolMappers: + - 
name: upn + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: username + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: upn + jsonType.label: String + - name: groups + protocol: openid-connect + protocolMapper: oidc-usermodel-realm-role-mapper + consentRequired: false + config: + multivalued: 'true' + user.attribute: foo + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: groups + jsonType.label: String +- name: email + description: 'OpenID Connect built-in scope: email' + protocol: openid-connect + attributes: + include.in.token.scope: 'true' + display.on.consent.screen: 'true' + consent.screen.text: "${emailScopeConsentText}" + protocolMappers: + - name: email + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: email + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: email + jsonType.label: String + - name: email verified + protocol: openid-connect + protocolMapper: oidc-usermodel-property-mapper + consentRequired: false + config: + userinfo.token.claim: 'true' + user.attribute: emailVerified + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: email_verified + jsonType.label: boolean +{{- end }} + +{{/* +Renders the groups section in a realm. +Usage: +{{ include "auth._groups" ( dict "dot" .Values) }} +*/}} +{{- define "auth._groups" -}} +{{- $dot := default . 
.dot -}} +{{- if $dot.groups }} +groups: +{{- range $index, $group := $dot.groups }} + - name: "{{ $group.name }}" + path: "{{ $group.path }}" + attributes: {} + {{- if $group.roles }} + realmRoles: + {{- range $index2, $groupRole := $group.roles }} + - "{{ $groupRole }}" + {{- end }} + {{- else }} + realmRoles: [] + {{- end }} + clientRoles: {} + subGroups: [] +{{- end }} +{{- else }} +groups: [] +{{- end }} +{{- end }} + +{{/* +Renders the users section in a realm. +Usage: +{{ include "auth._users" ( dict "dot" .Values) }} +*/}} +{{- define "auth._users" -}} +{{- $dot := default . .dot -}} +{{- if $dot.initialUsers }} +users: + {{- range $index, $user := $dot.initialUsers }} + - username: "{{ $user.username }}" + enabled: true + totp: false + email: "{{ default "" $user.email }}" + emailVerified: "{{ default true $user.emailVerified }}" + firstName: "{{ default "" $user.firstName }}" + lastName: "{{ default "" $user.lastName }}" + {{- if $user.attributes }} + attributes: + {{ toYaml $user.attributes | nindent 6 }} + {{- else }} + attributes: {} + {{- end }} + {{- if $user.password }} + credentials: + - type: "password" + temporary: false + value: "{{ $user.password }}" + {{- end }} + {{- if $user.credentials }} + credentials: + {{ toYaml $user.credentials | nindent 6 }} + {{- end }} + disableableCredentialTypes: [] + {{- if $user.requiredActions }} + requiredActions: + {{- range $index2, $action := $user.requiredActions }} + - "{{ $action }}" + {{- end }} + {{- else }} + requiredActions: [] + {{- end }} + {{- if $user.realmRoles }} + realmRoles: + {{- range $index2, $realmRole := $user.realmRoles }} + - "{{ $realmRole }}" + {{- end }} + {{- else }} + realmRoles: [ "default-roles-{{ $dot.name }}" ] + {{- end }} + {{- if $user.clientRoles }} + clientRoles: + {{ toYaml $user.clientRoles | nindent 6 }} + {{- end }} + notBefore: 0 + groups: {{ $user.groups | toJson }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the identityProviders section in a realm. 
+Usage: +{{ include "auth._identity" ( dict "dot" .Values) }} +*/}} +{{- define "auth._identity" -}} +{{- $dot := default . .dot -}} +{{- if $dot.identityProviders }} +identityProviders: +{{- range $index, $provider := $dot.identityProviders }} + - alias: {{ $provider.name }} + displayName: {{ $provider.displayName }} + providerId: oidc + enabled: true + updateProfileFirstLoginMode: "on" + trustEmail: true + storeToken: true + addReadTokenRoleOnCreate: true + authenticateByDefault: false + linkOnly: false + firstBrokerLoginFlowAlias: "first broker login" + config: + {{ toYaml $provider.config | nindent 6 }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the identityProviderMappers section in a realm. +Usage: +{{ include "auth._identityMapper" ( dict "dot" .Values) }} +*/}} +{{- define "auth._identityMapper" -}} +{{- $dot := default . .dot -}} +{{- if $dot.identityProviderMappers }} +identityProviderMappers: +{{- range $index, $mapper := $dot.identityProviderMappers }} + - name: {{ $mapper.name }} + identityProviderAlias: {{ $mapper.identityProviderAlias }} + identityProviderMapper: {{ $mapper.identityProviderMapper }} + config: + {{ toYaml $mapper.config | nindent 6 }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Renders the smtpServer section in a realm. +Usage: +{{ include "auth._smtpServer" ( dict "dot" .Values) }} +*/}} +{{- define "auth._smtpServer" -}} +{{- $dot := default . .dot -}} +{{- if $dot.smtpServer }} +smtpServer: + {{ toYaml $dot.smtpServer | nindent 2 }} +{{- end }} +{{- end }} + +{{/* +Renders the attributes section in a realm. +Usage: +{{ include "auth._attributes" ( dict "dot" . "realm" $realm ) }} +*/}} +{{- define "auth._attributes" -}} +{{- $dot := default . .dot -}} +{{- $realm := (required "'realm' param, set to the specific service, is required." 
.realm) -}} +{{- if $realm.attributes }} +attributes: +{{- if $realm.attributes.frontendUrl }} + frontendUrl: {{ tpl $realm.attributes.frontendUrl $dot }} +{{- end }} + acr.loa.map: "{\"ABC\":\"5\"}" +{{- end }} +{{- end }} diff --git a/kubernetes/authentication/templates/authorizationpolicy.yaml b/kubernetes/authentication/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..abd40725da --- /dev/null +++ b/kubernetes/authentication/templates/authorizationpolicy.yaml 
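Review bot: In the auth._users template of the helper file that ends just above, `emailVerified: "{{ default true $user.emailVerified }}"` can never render false, because Sprig's `default` treats a boolean false as empty and substitutes true; `allowRemoteResourceManagement` earlier in the same file uses the same pattern. Test for the key instead (for example with hasKey) so that an explicit false in values is honoured. In the same template a user that sets both `password` and `credentials` gets two `credentials:` keys in one mapping, so make the second block an else-branch or merge the two lists, and pass `$user.password` through `quote` rather than wrapping it in literal double quotes, since a password containing a quote or backslash breaks the rendered YAML. Also worth a second look: each policy takes `decisionStrategy` from `$dot` while each permission takes it from `$permission`, and auth._identity hard-codes `trustEmail: true` and `storeToken: true` for every provider with no way to override them from values.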
@@ -0,0 +1,90 @@ +{{/* +# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.ingressAuthentication.enabled }} +--- +{{- $dot := . }} +{{- range $index, $realm := .Values.realmSettings }} +{{- range $key, $accessRole := $realm.accessControl.accessRoles }} +{{- range $index, $role := get $realm.accessControl.accessRoles $key }} +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: {{ $key }}-{{ $role.name }}-jwt + namespace: istio-ingress +spec: + action: ALLOW + rules: + - to: + - operation: + hosts: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $role.servicePrefix) }} + methods: + {{- range $role.methodsAllowed }} + - {{ . 
}} + {{- end }} + when: + - key: request.auth.claims[onap_roles] + values: + - {{ $role.name }} + selector: + matchLabels: + istio: ingress +--- +{{- end }} +{{- end }} +{{- end }} +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: {{ .Release.Name }}-custom-action + namespace: istio-ingress +spec: + action: CUSTOM + provider: + name: oauth2-proxy + rules: + - to: + - operation: + notHosts: + {{- if .Values.ingressAuthentication.exceptions }} + {{- range $index, $url := .Values.ingressAuthentication.exceptions }} + - {{ tpl $url $dot }} + {{- end }} + {{- end }} + selector: + matchLabels: + istio: ingress +--- +apiVersion: security.istio.io/v1 +kind: AuthorizationPolicy +metadata: + name: {{ .Release.Name }}-allowed-exceptions + namespace: istio-ingress +spec: + action: ALLOW + rules: + - to: + - operation: + hosts: + {{- if .Values.ingressAuthentication.exceptions }} + {{- range $index, $url := .Values.ingressAuthentication.exceptions }} + - {{ tpl $url $dot }} + {{- end }} + {{- end }} + selector: + matchLabels: + istio: ingress +{{- end }} diff --git a/kubernetes/authentication/templates/configmap.yaml b/kubernetes/authentication/templates/configmap.yaml new file mode 100644 index 0000000000..f373754379 --- /dev/null +++ b/kubernetes/authentication/templates/configmap.yaml 
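Review bot: In authorizationpolicy.yaml the allowed-exceptions policy is rendered even when ingressAuthentication.exceptions is empty or unset, which leaves `hosts:` with no entries; an operation with no hosts set matches any host, so this ALLOW rule would then cover every request and make the per-role onap_roles policies above it meaningless. Wrap the whole policy (not just the list items) in the `if .Values.ingressAuthentication.exceptions` guard, and do the same for `notHosts:` in the CUSTOM policy so an empty key is never emitted. Smaller points: the outer range already binds `$accessRole`, so the inner `get $realm.accessControl.accessRoles $key` is redundant, and a realm without accessControl will fail the render; the policy name `{{ $key }}-{{ $role.name }}-jwt` carries neither the release nor the realm name, so two realms defining the same role collide.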
@@ -0,0 +1,23 @@ +{{/* +# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: oauth2-onap-config + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/oauth2_proxy.cfg").AsConfig . | indent 2 }} diff --git a/kubernetes/authentication/templates/requestauthentication.yaml b/kubernetes/authentication/templates/requestauthentication.yaml new file mode 100644 index 0000000000..92bea9f48e --- /dev/null +++ b/kubernetes/authentication/templates/requestauthentication.yaml 
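Review bot: In configmap.yaml the metadata block has no labels, while secret.yaml in this same change adds `common.labels`; add them here too so the object is selectable with the rest of the release. The name oauth2-onap-config is hard-coded and has to stay identical to `existingConfig` under onap-oauth2-proxy in values.yaml, so either derive both from one value or leave a comment next to each. Since resources/oauth2_proxy.cfg is passed through tpl into a ConfigMap, please confirm it carries no client or cookie secret; anything of that kind belongs in a Secret.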
@@ -0,0 +1,36 @@ +{{/* +# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.ingressAuthentication.enabled }} +--- +apiVersion: security.istio.io/v1beta1 +kind: RequestAuthentication +metadata: + name: {{ .Release.Name }}-request-auth + namespace: istio-ingress +spec: + selector: + matchLabels: + istio: ingress + jwtRules: + {{- $dot := . }} + {{- range $index, $realm := .Values.realmSettings }} + - issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ $dot.Values.keycloak.relativePath }}realms/{{ $realm.name }}" + jwksUri: {{ $dot.Values.keycloak.intURL }}realms/{{ $realm.name }}/protocol/openid-connect/certs + {{- end }} + - issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ .Values.keycloak.relativePath }}realms/master" + jwksUri: {{ .Values.keycloak.intURL }}realms/master/protocol/openid-connect/certs + forwardOriginalToken: true +{{- end }} diff --git a/kubernetes/authentication/templates/secret.yaml b/kubernetes/authentication/templates/secret.yaml new file mode 100644 index 0000000000..812b0ab61d --- /dev/null +++ b/kubernetes/authentication/templates/secret.yaml 
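Review bot: In requestauthentication.yaml the last jwtRules entry trusts the Keycloak master realm at the ingress alongside the realms from realmSettings; the AuthorizationPolicy templates in this change match only on the onap_roles claim and not on the issuer, so a master-realm token carrying that claim is treated the same as one from a configured realm. Drop the master rule unless something needs it, or state the reason in a comment. `forwardOriginalToken: true` follows only the master rule, so the rules generated inside the range do not set it; if backends are meant to receive the token, it has to be added inside the range as well. The file uses security.istio.io/v1beta1 while authorizationpolicy.yaml uses security.istio.io/v1, and jwksUri is built from keycloak.intURL, whose default in values.yaml is a plain http URL.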
@@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: keycloak-config-cli-config-realms + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{- $dot := . }} +{{- range $realm := .Values.realmSettings }} + {{ $realm.name }}: {{ include "auth.realm" (dict "dot" $dot "realm" $realm) | fromYaml | toPrettyJson | indent 2 | b64enc | quote }} +{{- end -}} diff --git a/kubernetes/authentication/values.yaml b/kubernetes/authentication/values.yaml new file mode 100644 index 0000000000..f6d3c08442 --- /dev/null +++ b/kubernetes/authentication/values.yaml 
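Review bot: In secret.yaml the pipeline `include "auth.realm" ... | fromYaml | toPrettyJson` hides template mistakes: when the rendered realm is not valid YAML, Helm's fromYaml returns a map with a single Error key instead of failing, and that map is then encoded into the Secret as the realm definition. Assign the parsed result to a variable and call fail when it has an Error key, so a broken realm stops the install. The `indent 2` ahead of b64enc only adds leading spaces to the JSON that gets encoded and can go. This file also lacks the license header the other new templates carry.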
@@ -0,0 +1,670 @@ +# Copyright © 2024, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + # Global ingress configuration + ingress: + enabled: false + virtualhost: + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + +keycloak: + intURL: "http://keycloak-http.keycloak.svc.cluster.local/" + relativePath: "" +ingressAuthentication: + enabled: false + exceptions: + - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}' + - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ui") }}' + - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "minio-console") }}' + - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "uui-server") }}' + +onap-keycloak-config-cli: + image: + # "edge" is the latest build release and need to be replaced with a new version + # compatible with keycloak 26.x.y + tag: edge + tag: "6.2.1-26.0.5" + pullSecrets: + - name: onap-docker-registry-key + +# annotations: +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. 
+# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# helm.sh/hook: post-install,pre-upgrade,pre-rollback +# helm.sh/hook-weight: "1" +# helm.sh/hook-delete-policy: before-hook-creation + + #existingSecret: "keycloak-keycloakx-admin-creds" + env: + # internal KC URL plus relative path + KEYCLOAK_URL: "http://keycloak-http.keycloak.svc.cluster.local/" + KEYCLOAK_SSLVERIFY: "false" + KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true" + secrets: + KEYCLOAK_PASSWORD: secret + existingConfigSecret: "keycloak-config-cli-config-realms" + securityContext: + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + resources: + limits: + cpu: "1" + memory: 500Mi + requests: + cpu: 100m + memory: 10Mi + +onap-oauth2-proxy: + + # Addition for oauth2-proxy deployment + imagePullSecrets: + - name: '{{ include "common.namespace" . 
}}-docker-registry-key' + + securityContext: + capabilities: + drop: + - ALL + - CAP_NET_RAW + + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 500m + memory: 500Mi + + initContainers: + waitForRedis: + #image: + # repository: "docker.io/alpine" + # tag: "3.20" + securityContext: + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 100m + memory: 300Mi + + # Oauth client configuration specifics + config: + # Create a new secret with the following command + # openssl rand -base64 32 | head -c 32 | base64 + cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA=" + clientID: &clientID "oauth2-proxy-onap" + # To be set in helmfile + clientSecret: &clientSecret "5YSOkJz99WHv8enDZPknzJuGqVSerELp" + # To be set in helmfile + cookieName: "onap-cookie" + # settings see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md + existingConfig: "oauth2-onap-config" + + # Configure the session storage type, between cookie and redis + sessionStorage: + # Can be one of the supported session storage cookie|redis + type: redis + redis: + # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) + existingSecret: "onap-authentication-redis" + # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence + password: "" + # Key of the Kubernetes secret data containing the redis password value + passwordKey: "redis-password" + # Can be one of standalone|cluster|sentinel + clientType: "sentinel" + standalone: + # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set + connectionUrl: "" + cluster: + # List of Redis cluster connection URLs (e.g. 
`["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: [] + sentinel: + # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` + existingSecret: "" + # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` + password: "" + # Key of the Kubernetes secret data containing the redis sentinel password value + passwordKey: "redis-password" + # Redis sentinel master name + masterName: "mymaster" + # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) + connectionUrls: "redis://onap-authentication-redis-node-0.onap-authentication-redis-headless.onap:26379,redis://onap-authentication-redis-node-1.onap-authentication-redis-headless.onap:26379,redis://onap-authentication-redis-node-2.onap-authentication-redis-headless.onap:26379" + + # Enables and configure the automatic deployment of the redis subchart + redis: + # provision an instance of the redis sub-chart + enabled: true + master: + containerSecurityContext: + capabilities: + drop: ["ALL", "CAP_NET_RAW"] + replica: + containerSecurityContext: + capabilities: + drop: ["ALL", "CAP_NET_RAW"] + sentinel: + enabled: true + containerSecurityContext: + capabilities: + drop: ["ALL", "CAP_NET_RAW"] + +serviceAccount: + nameOverride: keycloak-init + roles: + - read + +realmSettings: + - name: onap + displayName: "ONAP Realm" + attributes: + frontendUrl: 'https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" "keycloak-ui") }}/{{ .Values.keycloak.relativePath }}' + themes: + login: "base" + admin: "base" + account: "base" + email: "base" + groups: + - name: admins + path: /admins + roles: [ "platform-all-full" ] + - name: contributors + path: /contributors + roles: [ "platform-all-write" ] + - name: readers + path: /readers + roles: [ "platform-all-read" ] + initialUsers: + - username: "onap-admin" + credentials: + - type: password + secretData: "{\"value\":\"nD4K4x8HEgk6xlWIAgzZOE+EOjdbovJfEa7N3WXwIMCWCfdXpn7Riys7hZhI1NbKcc9QPI9j8LQB/JSuZVcXKA==\",\"salt\":\"T8X9A9tT2cyLvEjHFo+zuQ==\",\"additionalParameters\":{}}" + credentialData : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}" + attributes: + sdc_user: + - "cs0008" + realmRoles: + - default-roles-onap + - portal_admin + groups: [] + - username: "onap-designer" + credentials: [] + attributes: + sdc_user: + - "cs0008" + realmRoles: + - default-roles-onap + - portal_designer + groups: [] + - username: "onap-operator" + credentials: [] + attributes: + sdc_user: + - "cs0008" + realmRoles: + - default-roles-onap + - portal_operator + groups: [] + - username: "service-account-portal-bff" + serviceAccountClientId: "portal-bff" + credentials: [] + clientRoles: + realm-management: + - manage-realm + - manage-users + groups: [] + - username: adminek + password: Adminek + email: "onap-admin@amartus.com" + groups: + - admins + - username: onapadmin + password: ONAPAdmin + email: "onap-admin1@amartus.com" + groups: + - admins + - username: contributor + password: Contributor + email: "onap-contributor@amartus.com" + groups: + - contributors + - username: reader + password: Reader + email: "onap-reader@amartus.com" + groups: + - readers + clients: + oauth2_proxy: + clientId: *clientID + name: "Oauth2 Proxy" + secret: *clientSecret + protocol: openid-connect + protocolMappers: + - name: "Audience for Oauth2Proxy" + protocolMapper: "oidc-audience-mapper" + config: + 
included.client.audience: "oauth2-proxy-onap" + id.token.claim: "false" + access.token.claim: "true" + included.custom.audience: "oauth2-proxy-onap" + - name: "SDC-User" + protocolMapper: "oidc-usermodel-attribute-mapper" + config: + multivalued: "false" + userinfo.token.claim: "true" + user.attribute: "sdc_user" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "sdc_user" + jsonType.label: "String" + additionalDefaultScopes: + - "onap_roles" + portal_app: + clientId: "portal-app" + redirectUris: + - 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ng-ui") }}/*' + - 'http://localhost/*' + protocol: openid-connect + webOrigins: + - "*" + publicClient: "true" + additionalAttributes: + post.logout.redirect.uris: 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ng-ui") }}/*' + protocolMappers: + - name: "User-Roles" + protocolMapper: "oidc-usermodel-attribute-mapper" + config: + userinfo.token.claim: "true" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "roles" + multivalued: "true" + - name: "SDC-User" + protocolMapper: "oidc-usermodel-attribute-mapper" + config: + userinfo.token.claim: "true" + user.attribute: "sdc_user" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "sdc_user" + jsonType.label: "String" + portal_bff: + clientId: "portal-bff" + protocol: openid-connect + secret : pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr + protocolMappers: + - name: "Client Host" + protocolMapper: "oidc-usersessionmodel-note-mapper" + config: + user.session.note: "clientHost" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "clientHost" + jsonType.label: "String" + - name: "Client IP Address" + protocolMapper: "oidc-usersessionmodel-note-mapper" + config: + user.session.note: "clientAddress" + id.token.claim: "true" + access.token.claim: "true" + claim.name: "clientAddress" + jsonType.label: "String" + defaultClientScopes: + - "onap_roles" + 
additionalClientScopes: + - name: onap_roles + description: "OpenID Connect scope for add user onap roles to the access token" + protocolMappers: + - name: aud + protocol: openid-connect + protocolMapper: oidc-audience-mapper + consentRequired: false + config: + included.client.audience: oauth2-proxy + id.token.claim: 'false' + access.token.claim: 'true' + - name: client roles + protocol: openid-connect + protocolMapper: oidc-usermodel-client-role-mapper + consentRequired: false + config: + multivalued: 'true' + userinfo.token.claim: 'false' + id.token.claim: 'true' + access.token.claim: 'true' + claim.name: onap_roles + jsonType.label: String + usermodel.clientRoleMapping.clientId: oauth2-proxy + accessControl: + assignableRoles: + - name: portal_admin + description: "User role for administration tasks in the portal." + - name: portal_designer + description: "User role for designer tasks in the portal." + - name: portal_operator + description: "User role for operator tasks in the portal." 
+ - name: onap-operator-read + description: "Allows to perform GET operations for all ONAP components" + associatedAccessRoles: [ "dmaap-bc-api-read", "dmaap-dr-node-api-read", "dmaap-dr-prov-api-read", "dmaap-mr-api-read", "msb-consul-api-read", "msb-discovery-api-read", "msb-eag-ui-read", "msb-iag-ui-read", "nbi-api-read", "aai-api-read", "aai-babel-api-read", "aai-sparkybe-api-read", "cds-blueprintsprocessor-api-read", "cds-ui-read", "cps-core-api-read", "cps-ncmp-dmi-plugin-api-read", "cps-temporal-api-read", "reaper-dc1-read", "sdc-be-api-read", "sdc-fe-ui-read", "sdc-wfd-be-api-read", "sdc-wfd-fe-ui-read", "so-admin-cockpit-ui-read", "so-api-read", "usecase-ui-read", "uui-server-read" ] + - name: onap-operator-write + description: "Allows to perform GET, POST, PUT, PATCH operations for all ONAP components" + associatedAccessRoles: [ "dmaap-bc-api-write", "dmaap-dr-node-api-write", "dmaap-dr-prov-api-write", "dmaap-mr-api-write", "msb-consul-api-write", "msb-discovery-api-write", "msb-eag-ui-write", "msb-iag-ui-write", "nbi-api-write", "aai-api-write", "aai-babel-api-write", "aai-sparkybe-api-write", "cds-blueprintsprocessor-api-write", "cds-ui-write", "cps-core-api-write", "cps-ncmp-dmi-plugin-api-write", "cps-temporal-api-write", "reaper-dc1-write", "sdc-be-api-write", "sdc-fe-ui-write", "sdc-wfd-be-api-write", "sdc-wfd-fe-ui-write", "so-admin-cockpit-ui-write", "so-api-write", "usecase-ui-write", "uui-server-write" ] + - name: onap-operator-full + description: "Allows to perform GET, POST, PUT, PATCH, DELETE operations for all ONAP components" + associatedAccessRoles: [ "dmaap-bc-api-full", "dmaap-dr-node-api-full", "dmaap-dr-prov-api-full", "dmaap-mr-api-full", "msb-consul-api-full", "msb-discovery-api-full", "msb-eag-ui-full", "msb-iag-ui-full", "nbi-api-full", "aai-api-full", "aai-babel-api-full", "aai-sparkybe-api-full", "cds-blueprintsprocessor-api-full", "cds-ui-full", "cps-core-api-full", "cps-ncmp-dmi-plugin-api-full", "cps-temporal-api-full", 
"reaper-dc1-full", "sdc-be-api-full", "sdc-fe-ui-full", "sdc-wfd-be-api-full", "sdc-wfd-fe-ui-full", "so-admin-cockpit-ui-full", "so-api-full", "usecase-ui-full", "uui-server-full" ] + - name: platform-operator-read + description: "Allows to perform GET operations for all ONAP components" + associatedAccessRoles: [ "grafana-read", "kibana-read" ] + - name: platform-operator-write + description: "Allows to perform GET, POST, PUT, PATCH operations for all ONAP components" + associatedAccessRoles: [ "grafana-write", "kibana-write" ] + - name: platform-operator-full + description: "Allows to perform GET, POST, PUT, PATCH, DELETE operations for all ONAP components" + associatedAccessRoles: [ "grafana-full", "kibana-full" ] + - name: platform-all-read + description: "Allows to perform GET operations for all PLATFORM components" + associatedAccessRoles: [ "dmaap-bc-api-read", "dmaap-dr-node-api-read", "dmaap-dr-prov-api-read", "dmaap-mr-api-read", "msb-consul-api-read", "msb-discovery-api-read", "msb-eag-ui-read", "msb-iag-ui-read", "nbi-api-read", "aai-api-read", "aai-babel-api-read", "aai-sparkybe-api-read", "cds-blueprintsprocessor-api-read", "cds-ui-read", "cps-core-api-read", "cps-ncmp-dmi-plugin-api-read", "cps-temporal-api-read", "grafana-read", "kibana-read", "reaper-dc1-read", "sdc-be-api-read", "sdc-fe-ui-read", "sdc-wfd-be-api-read", "sdc-wfd-fe-ui-read", "so-admin-cockpit-ui-read", "so-api-read", "usecase-ui-read", "uui-server-read" ] + - name: platform-all-write + description: "Allows to perform GET, POST, PUT, PATCH operations for all PLATFORM components" + associatedAccessRoles: [ "dmaap-bc-api-write", "dmaap-dr-node-api-write", "dmaap-dr-prov-api-write", "dmaap-mr-api-write", "msb-consul-api-write", "msb-discovery-api-write", "msb-eag-ui-write", "msb-iag-ui-write", "nbi-api-write", "aai-api-write", "aai-babel-api-write", "aai-sparkybe-api-write", "cds-blueprintsprocessor-api-write", "cds-ui-write", "cps-core-api-write", "cps-ncmp-dmi-plugin-api-write", 
"cps-temporal-api-write", "grafana-write", "kibana-write", "reaper-dc1-write", "sdc-be-api-write", "sdc-fe-ui-write", "sdc-wfd-be-api-write", "sdc-wfd-fe-ui-write", "so-admin-cockpit-ui-write", "so-api-write", "usecase-ui-write", "uui-server-write" ] + - name: platform-all-full + description: "Allows to perform GET, POST, PUT, PATCH, DELETE operations for all PLATFORM components" + associatedAccessRoles: [ "dmaap-bc-api-full", "dmaap-dr-node-api-full", "dmaap-dr-prov-api-full", "dmaap-mr-api-full", "msb-consul-api-full", "msb-discovery-api-full", "msb-eag-ui-full", "msb-iag-ui-full", "nbi-api-full", "aai-api-full", "aai-babel-api-full", "aai-sparkybe-api-full", "cds-blueprintsprocessor-api-full", "cds-ui-full", "cps-core-api-full", "cps-ncmp-dmi-plugin-api-full", "cps-temporal-api-full", "grafana-full", "kibana-full", "reaper-dc1-full", "sdc-be-api-full", "sdc-fe-ui-full", "sdc-wfd-be-api-full", "sdc-wfd-fe-ui-full", "so-admin-cockpit-ui-full", "so-api-full", "usecase-ui-full", "uui-server-full" ] + accessRoles: + "oauth2_proxy": + - name: dmaap-bc-api-read + methodsAllowed: ["GET"] + servicePrefix: dmaap-bc-api + - name: dmaap-bc-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: dmaap-bc-api + - name: dmaap-bc-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: dmaap-bc-api + - name: dmaap-dr-node-api-read + methodsAllowed: ["GET"] + servicePrefix: dmaap-dr-node-api + - name: dmaap-dr-node-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: dmaap-dr-node-api + - name: dmaap-dr-node-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: dmaap-dr-node-api + - name: dmaap-dr-prov-api-read + methodsAllowed: ["GET"] + servicePrefix: dmaap-dr-prov-api + - name: dmaap-dr-prov-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: dmaap-dr-prov-api + - name: dmaap-dr-prov-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", 
"DELETE"] + servicePrefix: dmaap-dr-prov-api + - name: dmaap-mr-api-read + methodsAllowed: ["GET"] + servicePrefix: dmaap-mr-api + - name: dmaap-mr-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: dmaap-mr-api + - name: dmaap-mr-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: dmaap-mr-api + - name: msb-consul-api-read + methodsAllowed: ["GET"] + servicePrefix: msb-consul-api + - name: msb-consul-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: msb-consul-api + - name: msb-consul-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: msb-consul-api + - name: msb-discovery-api-read + methodsAllowed: ["GET"] + servicePrefix: msb-discovery-api + - name: msb-discovery-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: msb-discovery-api + - name: msb-discovery-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: msb-discovery-api + - name: msb-eag-ui-read + methodsAllowed: ["GET"] + servicePrefix: msb-eag-ui + - name: msb-eag-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: msb-eag-ui + - name: msb-eag-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: msb-eag-ui + - name: msb-iag-ui-read + methodsAllowed: ["GET"] + servicePrefix: msb-iag-ui + - name: msb-iag-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: msb-iag-ui + - name: msb-iag-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: msb-iag-ui + - name: nbi-api-read + methodsAllowed: ["GET"] + servicePrefix: nbi-api + - name: nbi-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: nbi-api + - name: nbi-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: nbi-api + - name: aai-api-read + methodsAllowed: ["GET"] + servicePrefix: aai-api + - name: aai-api-write + 
methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: aai-api + - name: aai-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: aai-api + - name: aai-babel-api-read + methodsAllowed: ["GET"] + servicePrefix: aai-babel-api + - name: aai-babel-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: aai-babel-api + - name: aai-babel-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: aai-babel-api + - name: aai-sparkybe-api-read + methodsAllowed: ["GET"] + servicePrefix: aai-sparkybe-api + - name: aai-sparkybe-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: aai-sparkybe-api + - name: aai-sparkybe-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: aai-sparkybe-api + - name: cds-blueprintsprocessor-api-read + methodsAllowed: ["GET"] + servicePrefix: cds-blueprintsprocessor-api + - name: cds-blueprintsprocessor-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: cds-blueprintsprocessor-api + - name: cds-blueprintsprocessor-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: cds-blueprintsprocessor-api + - name: cds-ui-read + methodsAllowed: ["GET"] + servicePrefix: cds-ui + - name: cds-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: cds-ui + - name: cds-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: cds-ui + - name: cps-core-api-read + methodsAllowed: ["GET"] + servicePrefix: cps-core-api + - name: cps-core-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: cps-core-api + - name: cps-core-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: cps-core-api + - name: cps-ncmp-dmi-plugin-api-read + methodsAllowed: ["GET"] + servicePrefix: cps-ncmp-dmi-plugin-api + - name: cps-ncmp-dmi-plugin-api-write + methodsAllowed: ["GET", "POST", 
"PUT", "PATCH"] + servicePrefix: cps-ncmp-dmi-plugin-api + - name: cps-ncmp-dmi-plugin-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: cps-ncmp-dmi-plugin-api + - name: cps-temporal-api-read + methodsAllowed: ["GET"] + servicePrefix: cps-temporal-api + - name: cps-temporal-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: cps-temporal-api + - name: cps-temporal-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: cps-temporal-api + - name: grafana-read + methodsAllowed: ["GET"] + servicePrefix: grafana + - name: grafana-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: grafana + - name: grafana-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: grafana + - name: kibana-read + methodsAllowed: ["GET"] + servicePrefix: kibana + - name: kibana-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: kibana + - name: kibana-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: kibana + - name: minio-read + methodsAllowed: ["GET"] + servicePrefix: minio-console + - name: minio-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: minio-console + - name: minio-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: minio-console + - name: reaper-dc1-read + methodsAllowed: ["GET"] + servicePrefix: reaper-dc1 + - name: reaper-dc1-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: reaper-dc1 + - name: reaper-dc1-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: reaper-dc1 + - name: sdc-be-api-read + methodsAllowed: ["GET"] + servicePrefix: sdc-be-api + - name: sdc-be-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: sdc-be-api + - name: sdc-be-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: sdc-be-api + - name: 
sdc-fe-ui-read + methodsAllowed: ["GET"] + servicePrefix: sdc-fe-ui + - name: sdc-fe-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: sdc-fe-ui + - name: sdc-fe-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: sdc-fe-ui + - name: sdc-wfd-be-api-read + methodsAllowed: ["GET"] + servicePrefix: sdc-wfd-be-api + - name: sdc-wfd-be-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: sdc-wfd-be-api + - name: sdc-wfd-be-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: sdc-wfd-be-api + - name: sdc-wfd-fe-ui-read + methodsAllowed: ["GET"] + servicePrefix: sdc-wfd-fe-ui + - name: sdc-wfd-fe-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: sdc-wfd-fe-ui + - name: sdc-wfd-fe-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: sdc-wfd-fe-ui + - name: so-admin-cockpit-ui-read + methodsAllowed: ["GET"] + servicePrefix: so-admin-cockpit-ui + - name: so-admin-cockpit-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: so-admin-cockpit-ui + - name: so-admin-cockpit-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: so-admin-cockpit-ui + - name: so-api-read + methodsAllowed: ["GET"] + servicePrefix: so-api + - name: so-api-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: so-api + - name: so-api-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: so-api + - name: usecase-ui-read + methodsAllowed: ["GET"] + servicePrefix: usecase-ui + - name: usecase-ui-write + methodsAllowed: ["GET", "POST", "PUT", "PATCH"] + servicePrefix: usecase-ui + - name: usecase-ui-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: usecase-ui + - name: uui-server-read + methodsAllowed: ["GET"] + servicePrefix: uui-server + - name: uui-server-write + methodsAllowed: ["GET", "POST", "PUT", 
"PATCH"] + servicePrefix: uui-server + - name: uui-server-full + methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"] + servicePrefix: uui-server diff --git a/kubernetes/cds/Chart.yaml b/kubernetes/cds/Chart.yaml index 578899f198..1353916813 100644 --- a/kubernetes/cds/Chart.yaml +++ b/kubernetes/cds/Chart.yaml @@ -17,32 +17,33 @@ apiVersion: v2 description: ONAP Controller Design Studio (CDS) name: cds -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~12.x-0 + version: ~16.x-0 repository: '@local' + condition: global.mariadbGalera.localCluster - name: cds-blueprints-processor - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/cds-blueprints-processor' condition: cds-blueprints-processor.enabled - name: cds-command-executor - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/cds-command-executor' condition: cds-command-executor.enabled - name: cds-py-executor - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/cds-py-executor' condition: cds-py-executor.enabled - name: cds-sdc-listener - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/cds-sdc-listener' condition: cds-sdc-listener.enabled - name: cds-ui - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/cds-ui' condition: cds-ui.enabled diff --git a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml index 3ef9519d55..cfe5c7371b 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/Chart.yaml 
@@ -1,6 +1,6 @@ # Copyright (c) 2019 IBM, Bell Canada # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP CDS Blueprints Processor name: cds-blueprints-processor -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: certInitializer - version: ~12.x-0 + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer b/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer deleted file mode 100755 index e9a50d7ea0..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/ONAP_RootCA.cer +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV -BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx -NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK -DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 -XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn -H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM -pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 -NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg -2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY -wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd -ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM -P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 -aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY -PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G -A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ -UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN -BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz -L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 -7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx -c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf -jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 -RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h -PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF -CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ -Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A -cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR -ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX -dYY= ------END CERTIFICATE----- 
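Review bot: the realm values added above (the hunk that ends just before `diff --git a/kubernetes/cds/Chart.yaml`) commit usable credentials in clear text. The `initialUsers` entries `adminek`, `onapadmin`, `contributor` and `reader` each carry a literal `password:` derived from the username, `onap-admin` ships a fixed `secretData` hash and salt, and `portal_bff` has a literal `secret :` value, while `oauth2_proxy` in the same block already takes its secret from the `*clientSecret` anchor. `adminek` and `onapadmin` are in the `admins` group, which this file maps to `platform-all-full`. Suggest taking all of these from a Kubernetes Secret or an install-time values override rather than chart defaults. Also worth a second look in `portal_app`: it is a public client with `webOrigins: "*"` and an `http://localhost/*` redirect URI; restrict both to the portal-ng-ui ingress host unless this is meant for development only, and say so in a comment if it is.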
diff --git a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties index 2818fd99b4..248e5bf4ec 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties +++ b/kubernetes/cds/components/cds-blueprints-processor/resources/config/application.properties @@ -1,6 +1,6 @@ {{/* # -# Copyright (c) 2017-2022 AT&T, IBM, Bell Canada, Nordix Foundation. +# Copyright (c) 2017-2023 AT&T, IBM, Bell Canada, Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -44,7 +44,7 @@ blueprintsprocessor.httpPort=8080 blueprintsprocessor.grpcPort=9111 # db -blueprintsprocessor.db.url=jdbc:mysql://{{.Values.config.cdsDB.dbServer}}:{{.Values.config.cdsDB.dbPort}}/{{.Values.config.cdsDB.dbName}} +blueprintsprocessor.db.url=jdbc:mariadb://{{.Values.config.cdsDB.dbServer}}:{{.Values.config.cdsDB.dbPort}}/{{.Values.config.cdsDB.dbName}} blueprintsprocessor.db.username=${CDS_DB_USERNAME} blueprintsprocessor.db.password=${CDS_DB_PASSWORD} blueprintsprocessor.db.driverClassName=org.mariadb.jdbc.Driver @@ -55,7 +55,7 @@ blueprintsprocessor.db.hibernateDialect=org.hibernate.dialect.MySQL5InnoDBDialec # processor-db endpoint blueprintsprocessor.db.processor-db.type=maria-db -blueprintsprocessor.db.processor-db.url=jdbc:mysql://{{ .Values.config.sdncDB.dbService }}:{{ .Values.config.sdncDB.dbPort }}/{{.Values.config.sdncDB.dbName}} +blueprintsprocessor.db.processor-db.url=jdbc:mariadb://{{ .Values.config.sdncDB.dbService }}:{{ .Values.config.sdncDB.dbPort }}/{{.Values.config.sdncDB.dbName}} blueprintsprocessor.db.processor-db.username=${SDNC_DB_USERNAME} blueprintsprocessor.db.processor-db.password=${SDNC_DB_PASSWORD} 
@@ -101,11 +101,7 @@ blueprintsprocessor.restclient.sdnc.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoG # AAI Data REST Client settings blueprintsprocessor.restclient.aai-data.type=basic-auth -{{ if ( include "common.needTLS" .) }} -blueprintsprocessor.restclient.aai-data.url=https://{{ .Values.global.aaiData.ServiceName }}:8443 -{{- else -}} blueprintsprocessor.restclient.aai-data.url=http://{{ .Values.global.aaiData.ServiceName }}:{{ .Values.global.aaiData.ExternalPlainPort }} -{{- end }} blueprintsprocessor.restclient.aai-data.username=aai@aai.onap.org blueprintsprocessor.restclient.aai-data.password=demo123456! blueprintsprocessor.restclient.aai-data.additionalHeaders.X-TransactionId=cds-transaction-id 
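Review bot: in the AAI Data REST client block, removing the `common.needTLS` branch leaves `aai-data.url` as `http://` unconditionally while the client type stays `basic-auth`, so the `aai-data.username` and `aai-data.password` pair in the context lines is sent without transport encryption unless something outside this template (a service-mesh sidecar, for instance) provides it. Please state in the commit message or a template comment what protects this hop. The literal password in the context line would also be better supplied through a Secret-backed variable, the way `${CDS_DB_PASSWORD}` and `${SDNC_DB_PASSWORD}` are handled earlier in this file.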
@@ -121,70 +117,44 @@ blueprintsprocessor.restclient.cps-data.additionalHeaders.Accept=application/jso blueprintsprocessor.restclient.cps-data.additionalHeaders.Content-Type=application/json # Self Service Request Kafka Message Consumer -blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable={{ .Values.kafkaRequestConsumer.enabled }} -blueprintsprocessor.messageconsumer.self-service-api.type={{ .Values.kafkaRequestConsumer.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageconsumer.self-service-api.kafkaEnable=true +blueprintsprocessor.messageconsumer.self-service-api.type=kafka-scram-plain-text-auth blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageconsumer.self-service-api.bootstrapServers={{ .Values.kafkaRequestConsumer.bootstrapServers }} +{{- with (first .Values.kafkaUser.acls) }} +blueprintsprocessor.messageconsumer.self-service-api.groupId={{ .name }} {{- end }} -blueprintsprocessor.messageconsumer.self-service-api.groupId={{ .Values.kafkaRequestConsumer.groupId }} -blueprintsprocessor.messageconsumer.self-service-api.topic={{ .Values.kafkaRequestConsumer.topic }} -blueprintsprocessor.messageconsumer.self-service-api.clientId={{ .Values.kafkaRequestConsumer.clientId }} -blueprintsprocessor.messageconsumer.self-service-api.pollMillSec={{ .Values.kafkaRequestConsumer.pollMillSec }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageconsumer.self-service-api.scramUsername={{ include "common.release" . 
}}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageconsumer.self-service-api.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageconsumer.self-service-api.topic=cds.blueprint-processor.self-service-api.request +blueprintsprocessor.messageconsumer.self-service-api.clientId=request-receiver-client-id +blueprintsprocessor.messageconsumer.self-service-api.pollMillSec=1000 +blueprintsprocessor.messageconsumer.self-service-api.scramUsername={{ include "common.name" . }}-ku +blueprintsprocessor.messageconsumer.self-service-api.scramPassword=${SASL_JAAS_PASS} # Self Service Response Kafka Message Producer -blueprintsprocessor.messageproducer.self-service-api.type={{ .Values.kafkaRequestProducer.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.bootstrapServers={{ .Values.kafkaRequestProducer.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.clientId={{ .Values.kafkaRequestProducer.clientId }} -blueprintsprocessor.messageproducer.self-service-api.topic={{ .Values.kafkaRequestProducer.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.clientId=request-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.topic=cds.blueprint-processor.self-service-api.response +blueprintsprocessor.messageproducer.self-service-api.scramUsername={{ include "common.name" . 
}}-ku +blueprintsprocessor.messageproducer.self-service-api.scramPassword=${SASL_JAAS_PASS} # AUDIT KAFKA FEATURE CONFIGURATION # Audit feature dumps CDS request to a topic as well as a truncated response message to another topic. ## Audit request -blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable={{ .Values.kafkaAuditRequest.enabled }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.type={{ .Values.kafkaAuditRequest.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.kafkaEnable=true +blueprintsprocessor.messageproducer.self-service-api.audit.request.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.audit.request.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.clientId={{ .Values.kafkaAuditRequest.clientId }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.topic={{ .Values.kafkaAuditRequest.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.audit.request.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.audit.request.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.audit.request.clientId=audit-request-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.audit.request.topic=cds.blueprint-processor.self-service-api.audit.request +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramUsername={{ include "common.name" . 
}}-ku +blueprintsprocessor.messageproducer.self-service-api.audit.request.scramPassword=${SASL_JAAS_PASS} ## Audit response -blueprintsprocessor.messageproducer.self-service-api.audit.response.type={{ .Values.kafkaAuditResponse.type }} -{{ if eq .Values.useStrimziKafka true }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.type=kafka-scram-plain-text-auth blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 -{{- else -}} -blueprintsprocessor.messageproducer.self-service-api.audit.response.bootstrapServers={{ .Values.kafkaAuditRequest.bootstrapServers }} -{{- end }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.clientId={{ .Values.kafkaAuditResponse.clientId }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.topic={{ .Values.kafkaAuditResponse.topic }} -{{ if and (eq .Values.kafkaRequestConsumer.type "kafka-scram-plain-text-auth") (eq .Values.useStrimziKafka true) }} -# SCRAM -blueprintsprocessor.messageproducer.self-service-api.audit.response.scramUsername={{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} -blueprintsprocessor.messageproducer.self-service-api.audit.response.scramPassword=${JAAS_PASS} -{{ end }} +blueprintsprocessor.messageproducer.self-service-api.audit.response.clientId=audit-response-producer-client-id +blueprintsprocessor.messageproducer.self-service-api.audit.response.topic=cds.blueprint-processor.self-service-api.audit.response +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramUsername={{ include "common.name" . }}-ku +blueprintsprocessor.messageproducer.self-service-api.audit.response.scramPassword=${SASL_JAAS_PASS} # Executor Options blueprintsprocessor.resourceResolution.enabled=true 
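Review bot: the consumer `groupId` is now taken from `first .Values.kafkaUser.acls`, which silently depends on the order of that list. If the first ACL entry is not the consumer-group resource, or someone reorders the list, the consumer is configured with the wrong group id, and nothing in the template catches it. Suggest either a dedicated value for the group id or selecting the entry whose type is the group explicitly. Separately, `kafkaEnable=true`, the four `type=` lines, the topic names and the client ids have gone from values to literals, so a deployment can no longer disable the Kafka consumer or the audit producers or rename topics without patching the template; if that is intended, a line in the commit message would help, since the subject only mentions the cnf-adapter update.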
@@ -225,3 +195,15 @@ blueprintprocessor.k8s.plugin.url=http://multicloud-k8s:9015/ #Workflow audit store configuration blueprintsprocessor.workflow.self-service-api.audit.storeEnable={{ .Values.workflow.storeEnabled }} + +#Tracing +spring.sleuth.enabled={{ .Values.global.tracing.enabled }} +spring.zipkin.baseUrl={{ .Values.global.tracing.collector.baseUrl }} +spring.zipkin.checkTimeout=5000 +spring.zipkin.service.name={{ include "common.name" . }} +spring.sleuth.messaging.jms.enabled=false +spring.sleuth.trace-id128=true +spring.sleuth.sampler.probability={{ .Values.global.tracing.sampling.probability }} +spring.sleuth.propagation.type=w3c, b3 +spring.sleuth.supports-join=false +spring.sleuth.web.skip-pattern={{ join "," .Values.tracing.ignorePatterns }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml deleted file mode 100644 index 555f4d4e60..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-topics.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{ if eq .Values.useStrimziKafka true }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaRequestConsumer.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaRequestProducer.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaAuditRequest.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.kafkaAuditResponse.topic }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: 10 - replicas: 2 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 -{{ end }} \ No newline at end of file 
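Review bot: in the `#Tracing` block added to application.properties (the hunk just before the cds-kafka-topics.yaml deletion), `spring.sleuth.web.skip-pattern` is built with `join "," .Values.tracing.ignorePatterns`. Sleuth reads that property as one regular expression, so entries joined with a comma form a pattern containing literal commas rather than an alternation; `join "|"` gives the intended result when the list has more than one entry. The block also mixes `.Values.global.tracing.*` with a chart-local `.Values.tracing.ignorePatterns`; please make sure a default for the latter lands in this chart's values.yaml in the same change.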
diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml deleted file mode 100644 index 65ee1d2a96..0000000000 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/cds-kafka-user.yaml +++ /dev/null @@ -1,49 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{ if eq .Values.useStrimziKafka true }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.cdsKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: scram-sha-512 - authorization: - type: simple - acls: - - resource: - type: group - name: {{ .Values.kafkaRequestConsumer.groupId }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaRequestConsumer.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaRequestProducer.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaAuditRequest.topic }} - operation: All - - resource: - type: topic - name: {{ .Values.kafkaAuditResponse.topic }} - operation: All -{{ end }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml index 1e4f5e10a0..c00d12fe74 100755 
--- a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,38 +18,25 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} strategy: type: RollingUpdate rollingUpdate: - # This allow a new pod to be ready before terminating the old one + # This allows a new pod to be ready before terminating the old one # causing no downtime when replicas is set to 1 maxUnavailable: 0 - # maxSurge to 1 is very important for the hazelcast integration # we only want one pod at a time to restart not multiple # and break the hazelcast cluster. We should not use % maxSurge value # ref : https://hazelcast.com/blog/rolling-upgrade-hazelcast-imdg-on-kubernetes/ maxSurge: 1 template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: 
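Review bot: replacing the literal `matchLabels: app: ...` under `spec.selector` with `common.selectors` changes the Deployment's selector if the helper renders different labels (service.yaml in this same patch moves to `app.kubernetes.io/instance` and `app.kubernetes.io/name`), and `spec.selector` of an apps/v1 Deployment is immutable, so an in-place `helm upgrade` of an existing release would be rejected. Please either confirm that the helper's output matches the old labels or note in the commit message that the Deployment has to be deleted and recreated. Separately, removing only the first line of the `maxSurge` comment leaves the remaining lines ("we only want one pod at a time to restart ...") without their subject.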
@@ -75,21 +62,6 @@ spec: name: {{ include "common.name" . }}-update-config - command: - - /app/ready.py - args: - - --container-name - - cds-db - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - - name: fix-permission - command: - chown - -R - 1000:1000 @@ -99,6 +71,8 @@ spec: volumeMounts: - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints + name: fix-permission + containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -110,8 +84,6 @@ spec: value: {{ if (gt (int (.Values.replicaCount)) 2) }} {{ .Values.cluster.enabled | quote }} {{ else }} "false" {{ end }} - name: CLUSTER_ID value: {{ .Values.cluster.clusterName }} - - name: AAF_CREDSPATH - value: {{ .Values.certInitializer.credsPath }} - name: CLUSTER_NODE_ID valueFrom: fieldRef: @@ -122,10 +94,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "login") | indent 12 }} - name: CPS_PASS_PLAIN {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-creds" "key" "password") | indent 12 }} - {{ if .Values.useStrimziKafka }} - - name: JAAS_PASS - value: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cds-kafka-secret" "key" "password") | indent 12 }} - {{ end }} + - name: SASL_JAAS_PASS + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: password ports: - containerPort: {{ .Values.service.http.internalPort }} - containerPort: {{ .Values.service.grpc.internalPort }} 
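Review bot: `SASL_JAAS_PASS` in the container's env block is now an unconditional `secretKeyRef` to `{{ include "common.name" . }}-ku`, where the `JAAS_PASS` entry it replaces was wrapped in `{{ if .Values.useStrimziKafka }}`. Nothing in this template creates that Secret, so when it is absent the container stays in a config error and never starts. Either mark the reference `optional: true` or document that the KafkaUser from kafkauser.yaml must be reconciled before this Deployment. The variable is also renamed, so any consumer of the old `JAAS_PASS` name needs the same rename; none is visible in these hunks.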
@@ -133,7 +106,7 @@ spec: startupProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.startup.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== @@ -146,7 +119,7 @@ spec: livenessProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.liveness.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== @@ -157,17 +130,14 @@ spec: readinessProbe: httpGet: path: /api/v1/execution-service/health-check - port: {{ .Values.service.http.internalPort }} + port: {{ .Values.readiness.port }} httpHeaders: - name: Authorization value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw== initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + volumeMounts: - mountPath: {{ .Values.config.appConfigDir }}/application.properties name: processed-config subPath: application.properties @@ -180,15 +150,9 @@ spec: - mountPath: {{ .Values.config.appConfigDir }}/hazelcast.yaml name: {{ include "common.fullname" . }}-config subPath: hazelcast.yaml - - - mountPath: {{ .Values.config.appConfigDir }}/ONAP_RootCA.cer - name: {{ include "common.fullname" . }}-config - subPath: ONAP_RootCA.cer - - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
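Review bot: the startupProbe, livenessProbe and readinessProbe hunks above change only `port:` and keep `value: Basic Y2NzZGthcHBzOmNjc2RrYXBwcw==` under `httpHeaders`, so a fixed credential remains baked into the rendered pod spec, readable by anyone allowed to get the Deployment. Probe headers cannot be sourced from a Secret, so while the probes are being reworked it would be worth pointing them at a health path that needs no authentication, or at least taking the header value from values.yaml so it can be changed per installation.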
@@ -198,10 +162,7 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: - name: {{ include "common.fullname" . }}-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -214,13 +175,10 @@ spec: path: logback.xml - key: hazelcast.yaml path: hazelcast.yaml - - key: ONAP_RootCA.cer - path: ONAP_RootCA.cer - name: {{ include "common.fullname" . }}-blueprints persistentVolumeClaim: claimName: {{ include "common.release" . }}-cds-blueprints - name: processed-config emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml new file mode 100644 index 0000000000..d1d21a6dbc --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} 
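Review bot: `{{ include "common.kafkatopic" . }}` replaces cds-kafka-topics.yaml, which pinned `partitions: 10`, `replicas: 2`, `retention.ms: 7200000` and `segment.bytes: 1073741824` on each of the four topics, while the new `kafkaTopic` list in values.yaml carries only `name` entries. Those settings now fall to whatever the common template defaults to. If the two-hour retention or the partition count was intentional, set them explicitly where the common template allows it; otherwise state in the commit message that the defaults are accepted.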
diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml index 153740c553..a841811dd1 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright (c) 2019 IBM, Bell Canada +# Modification Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,19 +25,15 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: spec: type: {{ .Values.service.http.type }} ports: - port: {{ .Values.service.http.externalPort }} targetPort: {{ .Values.service.http.internalPort }} - {{- if eq .Values.service.http.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.http.nodePort }} - {{- end}} - name: {{ .Values.service.http.portName | default "http" }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} + name: {{ .Values.service.http.portName | default "http" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} --- apiVersion: v1 kind: Service @@ -48,7 +45,6 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: spec: type: {{ .Values.service.grpc.type }} ports: @@ -56,8 +52,8 @@ spec: targetPort: {{ .Values.service.grpc.internalPort }} name: {{ .Values.service.grpc.portName | default "grpc" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} --- apiVersion: v1 kind: Service 
@@ -69,16 +65,13 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: spec: type: {{ .Values.service.cluster.type }} + clusterIP: None ports: - port: {{ .Values.service.cluster.externalPort }} targetPort: {{ .Values.service.cluster.internalPort }} - {{- if eq .Values.service.cluster.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.cluster.nodePort }} - {{- end}} name: {{ .Values.service.cluster.portName | default "cluster" }} selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + app.kubernetes.io/name: {{ include "common.name" . }} diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index 87a1b03ada..3a0b320f5c 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml @@ -1,6 +1,6 @@ # Copyright (c) 2019 IBM, Bell Canada # Copyright (c) 2020 Samsung Electronics -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,20 +18,30 @@ # Global configuration defaults. ################################################################# global: - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefixExt: 304 - + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows NBI to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) + localCluster: true + globalCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera # image pull policy pullPolicy: Always - persistence: mountPath: /dockerdata-nfs - # This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 - + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) # This concerns CDS/AAI communication through HTTP when TLS is not being needed # Port value should match the one in aai/values.yml : service.externalPlainPort aaiData: @@ -39,9 +49,6 @@ global: ServiceName: aai # domain # http://aai:80 or https://aai:443 - #AAF is enabled by default - #aafEnabled: true - #enable importCustomCerts to add custom CA to blueprint processor pod #importCustomCertsEnabled: true 
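Review bot: the comment added above `localCluster: true` in the new `mariadbGalera` block reads "This flag allows NBI to instantiate its own mariadb-galera cluster", which names a different component, and its second line ("When changing it to "true", also set "globalCluster: false"") describes a change to values that are already `true` and `false` here. Please reword it for CDS. The second hunk drops the `#aafEnabled` hint but keeps the commented `#importCustomCertsEnabled: true`, although this patch removes the `certInitializer` block that carried the same option.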
@@ -65,13 +72,6 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.sdncDB.dbRootPassExternalSecret) . }}' password: '{{ .Values.config.sdncDB.dbRootPass }}' passwordPolicy: required - - uid: cds-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: password - value: '{{ .Values.config.someConfig }}' - policy: generate - uid: cps-creds type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.cps.cpsUserExternalSecret) . }}' @@ -79,36 +79,11 @@ secrets: password: '{{ .Values.config.cps.cpsPassword }}' passwordPolicy: required -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: cds-blueprints-processor-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: sdnc-cds - fqi: sdnc-cds@sdnc-cds.onap.org - public_fqdn: sdnc-cds.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.sdnc-cds - #enable below if we need custom CA to be added to blueprint processor pod - #importCustomCertsEnabled: true - #truststoreMountpath: /opt/onap/cds - #truststoreOutputFileName: truststoreONAPall.jks - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-blueprintsprocessor:1.4.1 +image: onap/ccsdk-blueprintsprocessor:1.8.1 pullPolicy: Always # flag to enable debugging - application support required 
@@ -132,7 +107,6 @@ config: # dbCredsExternalSecret: # dbRootPassword: password # dbRootPassExternalSecret - someConfig: blah cps: cpsUsername: '' cpsPassword: '' 
@@ -145,46 +119,52 @@ nodeSelector: {} affinity: {} -# If useStrimziKafka is true, the following also applies: -# strimzi will create an associated kafka user and the topics defined for Request and Audit elements below. -# The connection type must be kafka-scram-plain-text-auth -# The bootstrapServers will target the strimzi kafka cluster by default -useStrimziKafka: false -cdsKafkaUser: cds-kafka-user +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: cds-bp-processor + type: group + operations: [Read] + - name: cds.blueprint-processor + type: topic + patternType: prefix + operations: [Read, Write] +# Strimzi KafkaTopic config +kafkaTopic: + - name: cds.blueprint-processor.self-service-api.request + - name: cds.blueprint-processor.self-service-api.response + - name: cds.blueprint-processor.self-service-api.audit.request + - name: cds.blueprint-processor.self-service-api.audit.response + + +containerHttpPort: &svc_http_port 8080 +containerGrpcPort: &svc_grpc_port 9111 +containerTcpPort: &svc_tcp_port 5701 -kafkaRequestConsumer: - enabled: false - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - groupId: cds-consumer - topic: cds.blueprint-processor.self-service-api.request - clientId: request-receiver-client-id - pollMillSec: 1000 -kafkaRequestProducer: - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: request-producer-client-id - topic: cds.blueprint-processor.self-service-api.response - enableIdempotence: false -kafkaAuditRequest: - enabled: false - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: audit-request-producer-client-id - topic: cds.blueprint-processor.self-service-api.audit.request - enableIdempotence: false -kafkaAuditResponse: - type: kafka-scram-plain-text-auth - bootstrapServers: host:port - clientId: audit-response-producer-client-id - topic: cds.blueprint-processor.self-service-api.audit.response - enableIdempotence: false +service: + http: + type: ClusterIP + 
portName: http + internalPort: *svc_http_port + externalPort: *svc_http_port + grpc: + type: ClusterIP + portName: grpc + internalPort: *svc_grpc_port + externalPort: *svc_grpc_port + cluster: + type: ClusterIP + portName: tcp-cluster + internalPort: *svc_tcp_port + externalPort: *svc_tcp_port + port: *svc_http_port # probe configuration parameters startup: initialDelaySeconds: 10 failureThreshold: 30 periodSeconds: 10 + port: *svc_http_port liveness: initialDelaySeconds: 1 @@ -193,28 +173,13 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: false + port: *svc_http_port readiness: initialDelaySeconds: 120 periodSeconds: 10 timeoutSeconds: 20 - -service: - http: - type: ClusterIP - portName: http - internalPort: 8080 - externalPort: 8080 - grpc: - type: ClusterIP - portName: grpc - internalPort: 9111 - externalPort: 9111 - cluster: - type: ClusterIP - portName: tcp-cluster - internalPort: 5701 - externalPort: 5701 + port: *svc_http_port persistence: volumeReclaimPolicy: Retain @@ -227,9 +192,7 @@ persistence: cluster: # Cannot have cluster enabled if the replicaCount is not at least 3 enabled: false - clusterName: cds-cluster - # Defines the number of node to be part of the CP subsystem/raft algorithm. This value should be # between 3 and 7 only. groupSize: 3 @@ -257,20 +220,25 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "1.8Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "1.8Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "3.6Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "3.6Gi" unlimited: {} +readinessCheck: + wait_for: + services: + - '{{ .Values.global.mariadbGalera.service }}' + #Pods Service Account serviceAccount: nameOverride: cds-blueprints-processor 
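Review bot: `service.*.internalPort`, `service.*.externalPort` and the new `startup.port`, `liveness.port` and `readiness.port` are all YAML aliases of `containerHttpPort: &svc_http_port 8080` and its two siblings. Aliases are resolved when this values.yaml is parsed, so overriding `containerHttpPort` from an override file or `--set` changes none of the aliased keys, and overriding `service.http.internalPort` alone leaves the three probes on 8080. A short comment next to the anchors listing the keys that must be overridden together would prevent a mismatch between container port, Service and probes.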
@@ -280,3 +248,7 @@ serviceAccount: # workflow store flag workflow: storeEnabled: false + +tracing: + ignorePatterns: + - .*/execution-service/health-check diff --git a/kubernetes/cds/components/cds-command-executor/Chart.yaml b/kubernetes/cds/components/cds-command-executor/Chart.yaml index d89615984a..eaa1e8de9e 100755 --- a/kubernetes/cds/components/cds-command-executor/Chart.yaml +++ b/kubernetes/cds/components/cds-command-executor/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP CDS Command Executor name: cds-command-executor -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml b/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml index da835162e7..07736cfa1e 100755 --- a/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/deployment.yaml 
@@ -16,31 +16,19 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - command: - /app/ready.py args: - - --container-name - - cds-blueprints-processor + - --service-name + - cds-blueprints-processor-http env: - name: NAMESPACE valueFrom: 
@@ -51,39 +39,41 @@ spec: - name: PROMETHEUS_METRICS_ENABLED value: {{ .Values.metrics.serviceMonitor.enabled | quote }} - name: PROMETHEUS_PORT - value: {{ .Values.service.metrics.internalPort | quote }} + value: {{ .Values.metrics.serviceMonitor.internalPort | quote }} {{ end }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.grpc.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ .Values.service.grpc.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{ end }} readinessProbe: tcpSocket: - port: {{ .Values.service.grpc.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
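Review bot: the `PROMETHEUS_PORT` value changed at the top of this hunk sits in the `env` of the readiness init container (it is followed directly by `image: {{ include "repositoryGenerator.image.readiness" . }}`), and the main container defined further down in the same hunk has no `env` block at all. If the command executor is meant to read `PROMETHEUS_METRICS_ENABLED` and `PROMETHEUS_PORT`, they need to move under `containers:`; if they are unused, drop them from the init container rather than repointing the value.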
@@ -94,9 +84,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" . }}-blueprints {{- if .Values.persistence.enabled }} persistentVolumeClaim: @@ -104,5 +91,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-command-executor/templates/service.yaml b/kubernetes/cds/components/cds-command-executor/templates/service.yaml index 7540728ee9..c131358663 100755 --- a/kubernetes/cds/components/cds-command-executor/templates/service.yaml +++ b/kubernetes/cds/components/cds-command-executor/templates/service.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright (c) 2019 Bell Canada +# Copyright (C) 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,34 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.grpc.externalPort }} - targetPort: {{ .Values.service.grpc.internalPort }} - {{- if eq .Values.service.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end}} - name: {{ .Values.service.grpc.portName | default "grpc" }} - {{- if .Values.metrics.serviceMonitor.enabled }} - - port: {{ .Values.service.metrics.externalPort }} - targetPort: {{ .Values.service.metrics.internalPort }} - {{- if eq .Values.service.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end}} - name: {{ .Values.service.metrics.portName | default "metrics" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} \ No newline at end of file +{{ include "common.service" . }} diff --git a/kubernetes/cds/components/cds-command-executor/values.yaml b/kubernetes/cds/components/cds-command-executor/values.yaml index 75a9915399..36718cf3fa 100755 --- a/kubernetes/cds/components/cds-command-executor/values.yaml +++ b/kubernetes/cds/components/cds-command-executor/values.yaml @@ -32,7 +32,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-commandexecutor:1.4.1 +image: onap/ccsdk-commandexecutor:1.8.1 pullPolicy: Always # application configuration 
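Review bot: the deleted service.yaml exposed the metrics port only inside `{{- if .Values.metrics.serviceMonitor.enabled }}`, whereas the `service.ports` list that replaces it in values.yaml always contains `tcp-metrics` on 10005. If `common.service` renders every entry of that list, the Service advertises the `/actuator/prometheus` port even with `metrics.serviceMonitor.enabled: false` and `basicAuth.enabled: false`, which are the defaults shown. Please keep the port conditional on the serviceMonitor flag, or say in the commit message that exposing it unconditionally is intended.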
@@ -62,14 +62,13 @@ readiness: service: type: ClusterIP - grpc: - portName: grpc - internalPort: 50051 - externalPort: 50051 - metrics: - portName: tcp-metrics - internalPort: 10005 - externalPort: 10005 + name: cds-command-executor + internalPort: 50051 + ports: + - name: grpc + port: 50051 + - name: &metricsPortname tcp-metrics + port: &metricsPort 10005 persistence: enabled: false @@ -82,18 +81,18 @@ ingress: resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "200Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "200Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "400Mi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "400Mi" unlimited: {} #Pods Service Account @@ -105,7 +104,8 @@ serviceAccount: metrics: serviceMonitor: enabled: false - port: tcp-metrics + port: *metricsPortname + internalPort: *metricsPort path: /actuator/prometheus basicAuth: enabled: false diff --git a/kubernetes/cds/components/cds-py-executor/Chart.yaml b/kubernetes/cds/components/cds-py-executor/Chart.yaml index 7fb96f9807..ea1723c31c 100755 --- a/kubernetes/cds/components/cds-py-executor/Chart.yaml +++ b/kubernetes/cds/components/cds-py-executor/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP CDS Py Executor name: cds-py-executor -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml b/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml index 754e0d0f50..1376eb7b37 100755 --- a/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-py-executor/templates/deployment.yaml 
@@ -63,9 +63,6 @@ spec: - name: ARTIFACT_MANAGER_SERVER_LOG_FILE value: {{ .Values.config.artifactManagerLogFile }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints resources: @@ -80,14 +77,10 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime # Py executor shares the blueprintsprocessor storage (for now) to # share uploaded CBA files. In the future it will be deprecated # when all parts of the CDS will make use of Artifact Manager - name: {{ include "common.fullname" . }}-blueprints persistentVolumeClaim: claimName: {{ include "common.release" . }}-cds-blueprints - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-py-executor/values.yaml b/kubernetes/cds/components/cds-py-executor/values.yaml index 96056294e5..5cb6c40e6a 100755 --- a/kubernetes/cds/components/cds-py-executor/values.yaml +++ b/kubernetes/cds/components/cds-py-executor/values.yaml @@ -30,7 +30,7 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-py-executor:1.4.1 +image: onap/ccsdk-py-executor:1.8.1 pullPolicy: Always # default number of instances @@ -97,18 +97,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "200Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "200Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "400Mi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "400Mi" unlimited: {} #Pods Service Account 
diff --git a/kubernetes/cds/components/cds-sdc-listener/Chart.yaml b/kubernetes/cds/components/cds-sdc-listener/Chart.yaml index 39d0e6c1c3..1c35474347 100755 --- a/kubernetes/cds/components/cds-sdc-listener/Chart.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/Chart.yaml @@ -17,15 +17,18 @@ apiVersion: v2 description: ONAP CDS SDC listener microservice name: cds-sdc-listener -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 - repository: '@local' \ No newline at end of file + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml b/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml index 3710f5f510..fe4edc7779 100644 --- a/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/resources/config/application.yaml 
@@ -1,20 +1,19 @@ listenerservice: config: - asdcAddress: sdc-be.{{include "common.namespace" .}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }} #SDC-BE + sdcAddress: sdc-be.{{include "common.namespace" .}}:8080 #SDC-BE messageBusAddress: message-router.{{include "common.namespace" .}} #Message-Router user: cds #SDC-username password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U #SDC-password pollingInterval: 15 pollingTimeout: 60 relevantArtifactTypes: TOSCA_CSAR - consumerGroup: cds + consumerGroup: {{ (first .Values.kafkaUser.acls).name }} + consumerId: {{ (first .Values.kafkaUser.acls).name }}-sdc-listener environmentName: AUTO - consumerId: cds keyStorePassword: keyStorePath: activateServerTLSAuth : false - isUseHttpsWithDmaap: false - isUseHttpsWithSDC: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + isUseHttpsWithSDC: false archivePath: /opt/app/onap/sdc-listener/ grpcAddress: cds-blueprints-processor-grpc grpcPort: 9111 diff --git a/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml b/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml index 3a6d76165b..2b24097a76 100644 --- a/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright (c) 2019 Bell Canada +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
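Review bot: in cds-sdc-listener resources/config/application.yaml the SDC endpoint is now fixed to `sdc-be.<namespace>:8080` with `isUseHttpsWithSDC: false`, replacing the `common.needTLS` switch, while the unchanged `user: cds` and `password:` lines remain literals in this chart resource file. The listener therefore always presents those credentials over plain HTTP at the application layer, and there is no value left to turn TLS back on. Suggest keeping scheme and port configurable through values, or documenting where transport protection is provided instead, and sourcing the SDC password from a Secret in the same way the deployment now reads SASL_JAAS_CONFIG through `secretKeyRef`. Also, `consumerGroup` and `consumerId` come from `(first .Values.kafkaUser.acls).name`, which silently depends on the group entry staying first in the `acls` list; select the entry by `type: group` or add a comment in values.yaml stating the ordering requirement.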
@@ -13,47 +14,17 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - - command: - - /app/ready.py - args: - - --container-name - - sdc-be - - --container-name - - message-router - - --container-name - - cds-blueprints-processor - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
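Review bot: `selector:` changes from the literal `matchLabels: app: ...` to `common.selectors`, and a Deployment's `spec.selector` is immutable. If the helper renders any label other than that single `app` label, an in-place `helm upgrade` of an existing release is rejected by the API server. Please state whether chart version 13.0.0 requires deleting the old Deployment first. Separately, the init container line uses `{{ include "common.readinessCheck.waitFor" . | indent 6 | trim }}` while the other includes in this template use the `{{- include ... | nindent N }}` form; using one form keeps the rendered indentation easier to verify.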
@@ -61,21 +32,24 @@ spec: env: - name: APP_CONFIG_HOME value: {{ .Values.config.appConfigDir }} - ports: - - containerPort: {{ .Values.service.http.internalPort }} - name: {{ .Values.service.http.portName }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + ports: {{- include "common.containerPorts" . | nindent 12 }} {{ if .Values.liveness.enabled }} livenessProbe: httpGet: path: /api/v1/sdclistener/healthcheck - port: {{ .Values.service.http.portName }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{end}} readinessProbe: httpGet: path: /api/v1/sdclistener/healthcheck - port: {{ .Values.service.http.portName }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: @@ -85,8 +59,7 @@ spec: - mountPath: {{ .Values.config.appConfigDir }}/logback.xml name: {{ include "common.fullname" . }}-config subPath: logback.xml - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -105,5 +78,4 @@ spec: path: application.yaml - key: logback.xml path: logback.xml - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-sdc-listener/templates/kafkauser.yaml b/kubernetes/cds/components/cds-sdc-listener/templates/kafkauser.yaml new file mode 100644 index 0000000000..324a068cf0 --- /dev/null +++ b/kubernetes/cds/components/cds-sdc-listener/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml b/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml index 42bd2b33e9..e62653fff2 100644 --- a/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/templates/service.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright (c) 2019 Bell Canada +# Copyright (c) 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
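Review bot: the header hunk of cds-sdc-listener templates/service.yaml replaces `# Copyright (c) 2019 Bell Canada` with `# Copyright (c) 2023 Deutsche Telekom` instead of adding to it. The deployment.yaml and values.yaml hunks of this same chart keep the original notice and append `# Modification Copyright © 2022 Nordix Foundation`. Suggest doing the same here, keeping the Bell Canada line and adding the new one below it.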
@@ -13,25 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.http.externalPort }} - targetPort: {{ .Values.service.http.internalPort }} - {{- if eq .Values.service.type "NodePort"}} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- end}} - name: {{ .Values.service.http.portName | default "http" }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-sdc-listener/values.yaml b/kubernetes/cds/components/cds-sdc-listener/values.yaml index 9ceeec8081..4260965b5c 100644 --- a/kubernetes/cds/components/cds-sdc-listener/values.yaml +++ b/kubernetes/cds/components/cds-sdc-listener/values.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2019 Bell Canada +# Modification Copyright © 2022 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -29,14 +30,23 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/ccsdk-sdclistener:1.4.1 +image: onap/ccsdk-sdclistener:1.8.1 name: sdc-listener pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false -# application configuration +kafkaUser: + acls: + - name: cds + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] + config: appConfigDir: /opt/app/onap/config @@ -61,10 +71,11 @@ readiness: service: type: ClusterIP - http: - portName: http - internalPort: 8080 - externalPort: 8080 + name: cds-sdc-listener + internalPort: 8080 + ports: + - name: http + port: 8080 persistence: enabled: true @@ -86,18 +97,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1500m" + memory: "700Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "0.5" + memory: "700Mi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "1.4Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "1.4Gi" unlimited: {} #Pods Service Account @@ -105,3 +116,10 @@ serviceAccount: nameOverride: cds-sdc-listener roles: - read + +readinessCheck: + wait_for: + timeout: 30 + services: + - sdc-be + - cds-blueprints-processor-http diff --git a/kubernetes/cds/components/cds-ui/Chart.yaml b/kubernetes/cds/components/cds-ui/Chart.yaml index 2bf7c584e0..51485b76e1 100644 --- a/kubernetes/cds/components/cds-ui/Chart.yaml +++ b/kubernetes/cds/components/cds-ui/Chart.yaml 
@@ -17,18 +17,15 @@ apiVersion: v2 description: ONAP CDS UI name: cds-ui -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/cds/components/cds-ui/templates/deployment.yaml b/kubernetes/cds/components/cds-ui/templates/deployment.yaml index 6457ce3736..a58f1d9e29 100644 --- a/kubernetes/cds/components/cds-ui/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-ui/templates/deployment.yaml 
@@ -17,35 +17,18 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.fullname" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{- include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -58,6 +41,8 @@ spec: env: - name: HOST value: 0.0.0.0 + - name: PROTOCOL + value: "{{ .Values.config.env.protocol }}" - name: APP_ACTION_DEPLOY_BLUEPRINT_GRPC_ENABLED value: "{{ .Values.config.app.action.deployBlueprint.grpcEnabled }}" - name: API_BLUEPRINT_CONTROLLER_HTTP_BASE_URL 
@@ -74,23 +59,12 @@ spec: value: "{{ .Values.config.api.processor.grpc.port }}" - name: API_BLUEPRINT_PROCESSOR_GRPC_AUTH_TOKEN value: {{ .Values.config.api.processor.grpc.authToken }} - {{- if .Values.global.aafEnabled }} - - name: KEYSTORE - value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12" - - name: PASSPHRASE - value: "{{ .Values.certInitializer.credsPath }}/mycreds.prop" - {{- end }} readinessProbe: tcpSocket: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -100,9 +74,4 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cds/components/cds-ui/templates/service.yaml b/kubernetes/cds/components/cds-ui/templates/service.yaml index bfc3e30c84..e62653fff2 100644 --- a/kubernetes/cds/components/cds-ui/templates/service.yaml +++ b/kubernetes/cds/components/cds-ui/templates/service.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2017 Amdocs, Bell Canada, Orange +# Copyright (c) 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
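Review bot: in cds-ui templates/deployment.yaml the context line `- name: API_BLUEPRINT_PROCESSOR_GRPC_AUTH_TOKEN` still takes its value directly from `.Values.config.api.processor.grpc.authToken`, so the token appears in clear text in the rendered pod spec. Since this hunk already reworks the env block, suggest moving it to a `secretKeyRef`, as the cds-sdc-listener deployment does for SASL_JAAS_CONFIG. The same hunk removes the KEYSTORE and PASSPHRASE variables and the certInitializer volume mounts, so nothing in this template provides TLS material to the UI any more; please document where TLS for the UI is terminated now. The service.yaml header on this line also swaps the existing `Copyright © 2017 Amdocs, Bell Canada, Orange` notice for a new one rather than appending a modification line.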
@@ -14,28 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}-{{ .Values.service.internalPort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/cds/components/cds-ui/values.yaml b/kubernetes/cds/components/cds-ui/values.yaml index 204e1cc611..dbccd284c0 100644 --- a/kubernetes/cds/components/cds-ui/values.yaml +++ b/kubernetes/cds/components/cds-ui/values.yaml 
@@ -22,33 +22,14 @@ global: subChartsOnly: enabled: true -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: cds-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: sdnc-cds - fqi: sdnc-cds@sdnc-cds.onap.org - public_fqdn: sdnc-cds.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - fqi_namespace: org.onap.sdnc-cds - aaf_add_config: > - /opt/app/aaf_config/bin/agent.sh; - /opt/app/aaf_config/bin/agent.sh local showpass - {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop - # application image -image: onap/ccsdk-cds-ui-server:1.4.1 +image: onap/ccsdk-cds-ui-server:1.8.1 pullPolicy: Always # application configuration config: + env: + protocol: HTTP app: action: deployBlueprint: @@ -94,10 +75,13 @@ readiness: service: type: NodePort - portName: cds-ui name: cds-ui - nodePort: 97 internalPort: 3000 + ports: + - name: http + port: 3000 + nodePort: 97 + useNodePortExt: true ingress: enabled: false @@ -114,18 +98,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "200Mi" requests: - cpu: 10m - memory: 100Mi + cpu: "0.5" + memory: "200Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "200Mi" requests: - cpu: 200m - memory: 200Mi + cpu: "1" + memory: "200Mi" unlimited: {} #Pods Service Account diff --git a/kubernetes/cds/values.yaml b/kubernetes/cds/values.yaml index 58e6b65c6f..ac17183331 100644 --- a/kubernetes/cds/values.yaml +++ b/kubernetes/cds/values.yaml 
@@ -1,7 +1,7 @@ # Copyright © 2020 Samsung Electronics # Copyright © 2019 Orange, Bell Canada # Copyright © 2017 Amdocs, Bell Canada -# Modification Copyright © 2022 Nordix Foundation +# Modification Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +23,26 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - cdsKafkaUser: cds-kafka-user + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + #This flag allows NBI to instantiate its own mariadb-galera cluster + #When changing it to "true", also set "globalCluster: false" + #as the dependency check will not work otherwise (Chart.yaml) + localCluster: true + globalCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + ################################################################# # Secrets metaconfig @@ -42,7 +61,6 @@ secrets: # application images pullPolicy: Always - subChartsOnly: enabled: true 
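Review bot: the comment added under `mariadbGalera` in kubernetes/cds/values.yaml reads "This flag allows NBI to instantiate its own mariadb-galera cluster", which names a different component, and it tells the reader to also set `globalCluster: false` "when changing it to true" although `localCluster: true` and `globalCluster: false` are already the values in this hunk. Please reword it for CDS and describe the actual default. In the new `tracing` block, `sampling.probability: 1.0` means every request is exported as soon as `enabled` is switched on, and `collector.baseUrl` is a plain `http://` URL; a lower default sampling rate and a comment on the expected transport to the collector would help operators who enable it.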
@@ -80,132 +98,15 @@ mariadb-galera: name: &mysqlDbName sdnctl nameOverride: &dbServer cds-db replicaCount: 1 + mariadbOperator: + galera: + enabled: false persistence: enabled: true mountSubPath: cds/data serviceAccount: nameOverride: *dbServer - mariadbConfiguration: |- - [client] - port=3306 - socket=/opt/bitnami/mariadb/tmp/mysql.sock - plugin_dir=/opt/bitnami/mariadb/plugin - - [mysqld] - lower_case_table_names = 1 - default_storage_engine=InnoDB - basedir=/opt/bitnami/mariadb - datadir=/bitnami/mariadb/data - plugin_dir=/opt/bitnami/mariadb/plugin - tmpdir=/opt/bitnami/mariadb/tmp - socket=/opt/bitnami/mariadb/tmp/mysql.sock - pid_file=/opt/bitnami/mariadb/tmp/mysqld.pid - bind_address=0.0.0.0 - - ## Character set - collation_server=utf8_unicode_ci - init_connect='SET NAMES utf8' - character_set_server=utf8 - - ## MyISAM - key_buffer_size=32M - myisam_recover_options=FORCE,BACKUP - - ## Safety - skip_host_cache - skip_name_resolve - max_allowed_packet=16M - max_connect_errors=1000000 - sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY - sysdate_is_now=1 - - ## Binary Logging - log_bin=mysql-bin - expire_logs_days=14 - # Disabling for performance per http://severalnines.com/blog/9-tips-going-production-galera-cluster-mysql - sync_binlog=0 - # Required for Galera - binlog_format=row - - ## Caches and Limits - tmp_table_size=32M - max_heap_table_size=32M - # Re-enabling as now works with Maria 10.1.2 - query_cache_type=1 - query_cache_limit=4M - query_cache_size=256M - max_connections=500 - thread_cache_size=50 - open_files_limit=65535 - table_definition_cache=4096 - table_open_cache=4096 - - ## InnoDB - innodb=FORCE - innodb_strict_mode=1 - # Mandatory per https://github.com/codership/documentation/issues/25 - innodb_autoinc_lock_mode=2 - # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ - innodb_doublewrite=1 - 
innodb_flush_method=O_DIRECT - innodb_log_files_in_group=2 - innodb_log_file_size=128M - innodb_flush_log_at_trx_commit=1 - innodb_file_per_table=1 - # 80% Memory is default reco. - # Need to re-evaluate when DB size grows - innodb_buffer_pool_size=2G - innodb_file_format=Barracuda - - ## Logging - log_error=/opt/bitnami/mariadb/logs/mysqld.log - slow_query_log_file=/opt/bitnami/mariadb/logs/mysqld.log - log_queries_not_using_indexes=1 - slow_query_log=1 - - ## SSL - ## Use extraVolumes and extraVolumeMounts to mount /certs filesystem - # ssl_ca=/certs/ca.pem - # ssl_cert=/certs/server-cert.pem - # ssl_key=/certs/server-key.pem - - [galera] - wsrep_on=ON - wsrep_provider=/opt/bitnami/mariadb/lib/libgalera_smm.so - wsrep_sst_method=mariabackup - wsrep_slave_threads=4 - wsrep_cluster_address=gcomm:// - wsrep_cluster_name=galera - wsrep_sst_auth="root:" - # Enabled for performance per https://mariadb.com/kb/en/innodb-system-variables/#innodb_flush_log_at_trx_commit - innodb_flush_log_at_trx_commit=2 - # MYISAM REPLICATION SUPPORT # - wsrep_replicate_myisam=ON - - [mariadb] - plugin_load_add=auth_pam - - ## Data-at-Rest Encryption - ## Use extraVolumes and extraVolumeMounts to mount /encryption filesystem - # plugin_load_add=file_key_management - # file_key_management_filename=/encryption/keyfile.enc - # file_key_management_filekey=FILE:/encryption/keyfile.key - # file_key_management_encryption_algorithm=AES_CTR - # encrypt_binlog=ON - # encrypt_tmp_files=ON - - ## InnoDB/XtraDB Encryption - # innodb_encrypt_tables=ON - # innodb_encrypt_temporary_tables=ON - # innodb_encrypt_log=ON - # innodb_encryption_threads=4 - # innodb_encryption_rotate_key_age=1 - - ## Aria Encryption - # aria_encrypt_tables=ON - # encrypt_tmp_disk_tables=ON - cds-blueprints-processor: enabled: true config: 
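Review bot: the entire `mariadbConfiguration` override is deleted and the only addition is `mariadbOperator.galera.enabled: false`, so settings the removed block set explicitly, for example `lower_case_table_names = 1`, the strict `sql_mode` list and `max_connections=500`, now fall back to whatever the mariadb-galera chart or the operator supplies. Nothing in this hunk shows that those defaults are equivalent. Please confirm that they match, or carry forward the settings CDS depends on, and record the outcome in a comment next to `mariadbOperator`.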
@@ -214,7 +115,6 @@ cds-blueprints-processor: dbPort: 3306 dbName: *mysqlDbName dbCredsExternalSecret: *dbUserSecretName - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.kafkaUser }}' cds-command-executor: enabled: true @@ -228,24 +128,22 @@ cds-sdc-listener: cds-ui: enabled: true - #Resource Limit flavor -By Default using small flavor: small -#segregation for different envionment (Small and Large) - +#segregation for different environment (Small and Large) resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} diff --git a/kubernetes/cli/Chart.yaml b/kubernetes/cli/Chart.yaml deleted file mode 100644 index 16885d96a3..0000000000 --- a/kubernetes/cli/Chart.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Command Line Interface -name: cli -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/cli/resources/configuration/lighttpd.conf b/kubernetes/cli/resources/configuration/lighttpd.conf deleted file mode 100644 index 0809868b35..0000000000 --- a/kubernetes/cli/resources/configuration/lighttpd.conf +++ /dev/null 
@@ -1,55 +0,0 @@ -{{/* -# Copyright 2018 Huawei Technologies Co., Ltd. -# Copyright 2021 Huawei Technologies Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -server.document-root = "/var/www-data/servers/open-cli/" -server.username = "www-data" -server.groupname = "www-data" -server.port = 443 -ssl.engine = "enable" -ssl.pemfile = "{{ .Values.certInitializer.credsPath }}/certs/fullchain.pem" - -mimetype.assign = ( - ".html" => "text/html", - ".txt" => "text/plain", - ".jpg" => "image/jpeg", - ".png" => "image/png" -) - -index-file.names = ( "index.html" ) -dir-listing.activate = "disable" - - -server.modules = ( - "mod_access", - "mod_proxy", - "mod_alias", - "mod_compress", - "mod_redirect", -# "mod_rewrite", -) - -#server.upload-dirs = ( "/var/cache/lighttpd/uploads" ) -server.errorlog = "/var/log/lighttpd/error.log" -server.pid-file = "/var/run/lighttpd.pid" -#compress.cache-dir = "/var/cache/lighttpd/compress/" -#compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" ) - -# default listening port for IPv6 falls back to the IPv4 port -## Use ipv6 if available -#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port -#include_shell "/usr/share/lighttpd/create-mime.assign.pl" -#include_shell "/usr/share/lighttpd/include-conf-enabled.pl" \ No newline at end of file diff --git a/kubernetes/cli/templates/NOTES.txt b/kubernetes/cli/templates/NOTES.txt deleted file mode 100644 index f3fe9c9d55..0000000000 
--- a/kubernetes/cli/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/cli/templates/configmap.yaml b/kubernetes/cli/templates/configmap.yaml deleted file mode 100644 index ae515a0ec5..0000000000 --- a/kubernetes/cli/templates/configmap.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-lighttpd - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/configuration/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/cli/templates/deployment.yaml b/kubernetes/cli/templates/deployment.yaml deleted file mode 100644 index 0a3f967eee..0000000000 --- a/kubernetes/cli/templates/deployment.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort1 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{- include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: lighttpd - mountPath: "/etc/lighttpd/lighttpd.conf" - subPath: lighttpd.conf - readOnly: true - env: - - name: OPEN_CLI_MODE - value: "{{ .Values.config.climode }}" - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: lighttpd - configMap: - name: {{ include "common.fullname" . }}-lighttpd - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/cli/templates/service.yaml b/kubernetes/cli/templates/service.yaml deleted file mode 100644 index eaa85086b3..0000000000 --- a/kubernetes/cli/templates/service.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort1 }} - targetPort: {{ .Values.service.internalPort1 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort1 }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort1 }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort1 }} - targetPort: {{ .Values.service.internalPort1 }} - name: {{ .Values.service.name }}{{ .Values.service.externalPort1 }} - {{- end}} - selector: - app: {{ include "common.name" . 
}} - release: {{ include "common.release" . }} diff --git a/kubernetes/cli/values.yaml b/kubernetes/cli/values.yaml deleted file mode 100644 index db36661383..0000000000 --- a/kubernetes/cli/values.yaml +++ /dev/null 
@@ -1,134 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################# -# Certificate configuration -################################################################# -certInitializer: - nameOverride: cli-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: "cli" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.cli" - fqi: "cli@cli.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \ - -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \ - -alias ca_local_0 \ - -storepass $cadi_truststore_password - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** generating needed file" - cat {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - {{ .Values.credsPath }}/certs/cert.pem \ - {{ .Values.credsPath }}/certs/cacert.pem \ - > {{ .Values.credsPath }}/certs/fullchain.pem; - cat {{ .Values.credsPath }}/certs/fullchain.pem - echo "*** change ownership of certificates to targeted user" - chown -R 33 {{ .Values.credsPath }} - - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/cli:6.0.1 -pullPolicy: Always -flavor: small - -# application configuration -config: - climode: daemon - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: cli - externalPort: 443 - externalPort1: 9443 - internalPort: "443" - internalPort1: 9443 - nodePort: "60" - nodePort1: "71" - -ingress: - enabled: false - service: - - baseaddr: "cli-api" - name: "cli" - port: 443 - - baseaddr: "cli2-api" - name: cli - port: 9443 - config: - ssl: "redirect" - -# Configure resource requests and limits -# ref: http://kubernetes.io/docs/user-guide/compute-resources/ -resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 10m - memory: 500Mi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: cli - roles: - - read diff --git a/kubernetes/common/Makefile b/kubernetes/common/Makefile index a884d1a329..2fce88fe84 100644 --- a/kubernetes/common/Makefile +++ b/kubernetes/common/Makefile @@ -20,8 +20,8 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets COMMON_CHARTS_DIR := common EXCLUDES := -PROCESSED_LAST := cert-wrapper repository-wrapper -PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount certInitializer cmpv2Config +PROCESSED_LAST := repository-wrapper +PROCESSED_FIRST := repositoryGenerator readinessCheck serviceAccount cmpv2Config TO_FILTER := $(COMMON_CHARTS_DIR) $(PROCESSED_FIRST) $(EXCLUDES) $(PROCESSED_LAST) HELM_BIN := helm 
diff --git a/kubernetes/common/cassandra/.helmignore b/kubernetes/common/cassandra/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/cassandra/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/cassandra/Chart.yaml b/kubernetes/common/cassandra/Chart.yaml index bb4c5b4beb..9c86146bf5 100644 --- a/kubernetes/common/cassandra/Chart.yaml +++ b/kubernetes/common/cassandra/Chart.yaml @@ -18,15 +18,16 @@ apiVersion: v2 description: ONAP cassandra name: cassandra -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../serviceAccount' + condition: global.cassandra.enableServiceAccount diff --git a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh index f9f62739f2..50051b4b44 100644 --- a/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh +++ b/kubernetes/common/cassandra/resources/config/docker-entrypoint.sh @@ -93,4 +93,3 @@ if [ "$1" = 'cassandra' ]; then fi exec "$@" - diff --git a/kubernetes/common/cassandra/resources/exec.py b/kubernetes/common/cassandra/resources/exec.py index a7f297399e..ec2f0b4fc6 100644 
--- a/kubernetes/common/cassandra/resources/exec.py +++ b/kubernetes/common/cassandra/resources/exec.py @@ -118,5 +118,3 @@ def main(argv): if __name__ == "__main__": main(sys.argv[1:]) - - diff --git a/kubernetes/common/cassandra/templates/backup/configmap.yaml b/kubernetes/common/cassandra/templates/backup/configmap.yaml index 9bbc69ba04..2c85a1a01f 100644 --- a/kubernetes/common/cassandra/templates/backup/configmap.yaml +++ b/kubernetes/common/cassandra/templates/backup/configmap.yaml @@ -13,6 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} {{- if .Values.backup.enabled }} apiVersion: v1 kind: ConfigMap @@ -28,3 +29,4 @@ data: {{ tpl (.Files.Glob "resources/restore.sh").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/exec.py").AsConfig . | indent 2 }} {{- end -}} +{{- end -}} diff --git a/kubernetes/common/cassandra/templates/backup/cronjob.yaml b/kubernetes/common/cassandra/templates/backup/cronjob.yaml index 27f3cc690d..263ac28512 100644 --- a/kubernetes/common/cassandra/templates/backup/cronjob.yaml +++ b/kubernetes/common/cassandra/templates/backup/cronjob.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} {{- if .Values.backup.enabled }} +{{- if .Values.global.cassandra.useOperator }} +{{ else }} apiVersion: batch/v1beta1 kind: CronJob metadata: @@ -37,7 +39,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --app-name - {{ include "common.name" . }} env: - name: NAMESPACE 
@@ -48,9 +50,23 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - name: "cassandra-backup-init" image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" command: - /bin/bash - -c @@ -132,9 +148,6 @@ spec: apiVersion: v1 fieldPath: metadata.namespace volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true {{- range $i := until (int .Values.replicaCount)}} - mountPath: /onap-data/cassandra-{{ $i }} name: data-dir-{{ $i }} @@ -223,13 +236,7 @@ spec: volumeMounts: - name: backup-dir mountPath: /backup - - name: localtime - mountPath: /etc/localtime - readOnly: true volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: scripts configMap: name: {{ include "common.fullname" . }}-configmap @@ -243,3 +250,4 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-backup-data {{- end -}} +{{- end -}} diff --git a/kubernetes/common/cassandra/templates/backup/pv.yaml b/kubernetes/common/cassandra/templates/backup/pv.yaml index 10c310077b..e7218fae7d 100644 --- a/kubernetes/common/cassandra/templates/backup/pv.yaml +++ b/kubernetes/common/cassandra/templates/backup/pv.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} {{- if .Values.backup.enabled }} +{{- if .Values.global.cassandra.useOperator }} +{{ else }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} {{- if eq "True" (include "common.needPV" .) -}} --- @@ -39,3 +41,4 @@ spec: {{- end -}} {{- end -}} {{- end -}} +{{- end -}} 
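Review bot: The `+{{- end -}}` appended at the end of backup/pv.yaml closes an `{{- if .Values.global.cassandra.useOperator }}` whose true branch is empty and is followed by `{{ else }}`. The same guard is written as `{{- if not .Values.global.cassandra.useOperator }}` in backup/configmap.yaml and in templates/pv.yaml. Using that form here, and in backup/cronjob.yaml which has the same empty branch, keeps the templates consistent and avoids the extra whitespace that an untrimmed `{{ else }}` emits.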
diff --git a/kubernetes/common/cassandra/templates/backup/pvc.yaml b/kubernetes/common/cassandra/templates/backup/pvc.yaml index 6fd53618bc..56b3ba8b02 100644 --- a/kubernetes/common/cassandra/templates/backup/pvc.yaml +++ b/kubernetes/common/cassandra/templates/backup/pvc.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} {{- if .Values.backup.enabled }} +{{- if .Values.global.cassandra.useOperator }} +{{ else }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} --- kind: PersistentVolumeClaim @@ -39,3 +41,4 @@ spec: storageClassName: {{ include "common.storageClass" . }} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/common/cassandra/templates/cassOp.yaml b/kubernetes/common/cassandra/templates/cassOp.yaml new file mode 100644 index 0000000000..6b7052d10e --- /dev/null +++ b/kubernetes/common/cassandra/templates/cassOp.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.cassandra.useOperator }} +{{ include "common.k8ssandraCluster" . }} +{{- end }} diff --git a/kubernetes/common/cassandra/templates/configmap.yaml b/kubernetes/common/cassandra/templates/configmap.yaml index ab08c82fef..117100a441 100644 --- a/kubernetes/common/cassandra/templates/configmap.yaml +++ b/kubernetes/common/cassandra/templates/configmap.yaml 
@@ -1,3 +1,4 @@ +{{- if not .Values.global.cassandra.useOperator }} {{- if .Values.configOverrides }} apiVersion: v1 kind: ConfigMap @@ -25,3 +26,4 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/docker-entrypoint.sh").AsConfig . | indent 2 }} +{{- end }} diff --git a/kubernetes/common/cassandra/templates/ingress.yaml b/kubernetes/common/cassandra/templates/ingress.yaml new file mode 100644 index 0000000000..97d6155a09 --- /dev/null +++ b/kubernetes/common/cassandra/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/common/cassandra/templates/pv.yaml b/kubernetes/common/cassandra/templates/pv.yaml index a0d998cd07..00e61d3bb5 100644 --- a/kubernetes/common/cassandra/templates/pv.yaml +++ b/kubernetes/common/cassandra/templates/pv.yaml @@ -13,5 +13,6 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} - +{{- if not .Values.global.cassandra.useOperator }} {{ include "common.replicaPV" . }} +{{- end }} diff --git a/kubernetes/common/cassandra/templates/secrets.yaml b/kubernetes/common/cassandra/templates/secrets.yaml new file mode 100644 index 0000000000..181e5f98a7 --- /dev/null +++ b/kubernetes/common/cassandra/templates/secrets.yaml 
@@ -0,0 +1,21 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada +# Copyright © 2019 Samsung Electronics +# Copyright © 2019-2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.cassandra.useOperator }} +{{ include "common.secretFast" . }} +{{- end }} diff --git a/kubernetes/common/cassandra/templates/service.yaml b/kubernetes/common/cassandra/templates/service.yaml index 8934d41c33..6b6f585d2f 100644 --- a/kubernetes/common/cassandra/templates/service.yaml +++ b/kubernetes/common/cassandra/templates/service.yaml @@ -14,4 +14,6 @@ # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} {{ include "common.headlessService" . }} +{{- end }} diff --git a/kubernetes/common/cassandra/templates/servicemonitor.yaml b/kubernetes/common/cassandra/templates/servicemonitor.yaml index 5297e692d2..57f4d3f412 100644 --- a/kubernetes/common/cassandra/templates/servicemonitor.yaml +++ b/kubernetes/common/cassandra/templates/servicemonitor.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} {{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml index 43367ee542..d76dde3454 100644 --- a/kubernetes/common/cassandra/templates/statefulset.yaml 
+++ b/kubernetes/common/cassandra/templates/statefulset.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.cassandra.useOperator }} apiVersion: apps/v1 kind: StatefulSet metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -26,19 +27,9 @@ spec: type: {{ .Values.updateStrategy.type }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} - {{- if or .Values.podAnnotations (and .Values.metrics.serviceMonitor.enabled .Values.metrics.podAnnotations) }} - annotations: - {{- if .Values.podAnnotations }} - {{- include "common.tplValue" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.podAnnotations }} - {{- include "common.tplValue" (dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }} - {{- end }} - {{- end }} spec: hostNetwork: {{ .Values.hostNetwork }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} @@ -47,9 +38,6 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-data mountPath: /var/lib/cassandra - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: cassandra-entrypoint mountPath: /docker-entrypoint.sh subPath: docker-entrypoint.sh @@ -178,9 +166,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "nothing" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime {{- range $key, $value := .Values.configOverrides }} - name: cassandra-config-{{ $key | replace "." "-" }} configMap: @@ -214,3 +199,4 @@ spec: requests: storage: {{ .Values.persistence.size | quote }} {{- end }} +{{- end }} 
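Review bot: The `@@ -26,19 +27,9 @@` hunk of statefulset.yaml drops the whole `annotations:` block that rendered `.Values.podAnnotations` and `.Values.metrics.podAnnotations`, yet values.yaml in this same change still edits `podAnnotations` (the Istio `excludeInboundPorts` and `excludeOutboundPorts` lists). Unless `common.templateMetadata` now renders those values itself, the Istio port exclusions silently stop applying to the pod. Please confirm where the annotations are rendered after this change, or keep the block.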
diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml index 43ff171abb..0cd8545e3a 100644 --- a/kubernetes/common/cassandra/values.yaml +++ b/kubernetes/common/cassandra/values.yaml 
@@ -21,6 +21,81 @@ global: # global defaults mountPath: /dockerdata-nfs backup: mountPath: /dockerdata-nfs/backup + cassandra: + # flag to enable the DB creation via k8ssandra-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + +k8ssandraOperator: + cassandraVersion: 4.1.8 + persistence: + #storageClassName: default + size: 10Gi + config: + clusterName: cassandra + secretName: &secretName cassandra-default-user + superuserName: &superusername cassandra + superuserPassword: &superuserpassword cassandra + casOptions: + authenticator: PasswordAuthenticator + authorizer: AllowAllAuthorizer + read_request_timeout: 15000ms + write_request_timeout: 15000ms + counter_write_request_timeout: 15000ms + request_timeout: 15000ms + auto_snapshot: false + commitlog_segment_size: 128MiB + commitlog_sync_period: 15000ms + concurrent_reads: 16 + concurrent_writes: 16 + counter_cache_size: 16MiB + jvmOptions: + heap_initial_size: 512M + heap_max_size: 4096M + hostNetwork: false + datacenters: + - name: dc1 + size: 3 + resources: + requests: + cpu: 2 + memory: 8Gi + limits: + cpu: 8 + memory: 8Gi + reaper: + enabled: true + tag: 3.8.0 + stargate: + enabled: false + tag: v1.0.77 + size: 1 + jvmOptions: + heapSize: 384Mi + +################################################################# +# Secrets metaconfig +# used to store the default superuser for k8ssandra-operator +################################################################# +secrets: + - uid: *secretName + type: genericKV + externalSecret: '{{ tpl (default "" .Values.k8ssandraOperator.config.userCredentialsExternalSecret) . }}' + envs: + - name: username + value: *superusername + - name: password + value: *superuserpassword + +ingress: + enabled: false + service: + - baseaddr: "reaper-dc1" + path: "/webui" + name: "cassandra-dc1-reaper-service" + port: 8080 # application image image: cassandra:3.11.4 
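Review bot: In the new `k8ssandraOperator.config` block, `superuserName: &superusername cassandra` and `superuserPassword: &superuserpassword cassandra` flow through the YAML anchors into the `secrets` entry, so a default install creates the superuser secret with a well-known username and password. Combined with `authorizer: AllowAllAuthorizer`, any client that authenticates has full access to every keyspace. Suggest requiring the password to be supplied by the deployer or through the external secret instead of shipping a default, adding `userCredentialsExternalSecret` (read by `externalSecret` but not listed under `config`) as a commented key, and considering `CassandraAuthorizer`. The comment `set "enableServiceAccount to "false"` also has an unbalanced quote.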
@@ -101,16 +176,14 @@ service: podAnnotations: # sidecar.istio.io/inject: "false" - traffic.sidecar.istio.io/excludeInboundPorts: "7000,7001" + traffic.sidecar.istio.io/excludeInboundPorts: "7000,7001,7199,50051" traffic.sidecar.istio.io/includeInboundPorts: '*' - traffic.sidecar.istio.io/excludeOutboundPorts: "7000,7001" + traffic.sidecar.istio.io/excludeOutboundPorts: "7000,7001,7199,50051" + podManagementPolicy: OrderedReady updateStrategy: type: RollingUpdate -ingress: - enabled: false - persistence: enabled: true @@ -152,11 +225,11 @@ configOverrides: {} # Minimum memory for production is 4 CPU cores and 8GB memory resources: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "16Gi" requests: - cpu: 0.2 - memory: 2.5Gi + cpu: "0.2" + memory: "2.5Gi" backup: enabled: false cron: "00 00 * * *" diff --git a/kubernetes/common/cert-wrapper/Chart.yaml b/kubernetes/common/cert-wrapper/Chart.yaml deleted file mode 100644 index c42a319d7c..0000000000 --- a/kubernetes/common/cert-wrapper/Chart.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Wrapper chart to allow truststore to be shared among cert-initializer instances -name: cert-wrapper -version: 12.0.0 - -dependencies: - - name: certInitializer - version: ~12.x-0 - repository: 'file://../certInitializer' 
diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh deleted file mode 100755 index 96b0c0c0c8..0000000000 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/bin/sh -{{/* - -# Copyright © 2020-2021 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -CERTS_DIR=${CERTS_DIR:-/certs} -MORE_CERTS_DIR=${MORE_CERTS_DIR:-/more_certs} -WORK_DIR=${WORK_DIR:-/updatedTruststore} -ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks} -JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts} -TRUSTSTORE_OUTPUT_FILENAME=${TRUSTSTORE_OUTPUT_FILENAME:-truststore.jks} -SSL_WORKDIR=${SSL_WORKDIR:-/usr/local/share/ca-certificates} - -mkdir -p $WORK_DIR - -# Decrypt and move relevant files to WORK_DIR -for f in $CERTS_DIR/*; do - export canonical_name_nob64=$(echo $f | sed 's/.*\/\([^\/]*\)/\1/') - export canonical_name_b64=$(echo $f | sed 's/.*\/\([^\/]*\)\(\.b64\)/\1/') - if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_b64" = "$ONAP_TRUSTSTORE" ]; then - # Dont use onap truststore when aaf is disabled - continue - fi - if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_nob64" = "$ONAP_TRUSTSTORE" ]; then - # Dont use onap truststore when aaf is disabled - continue - fi - if echo $f | grep '\.sh$' >/dev/null; then - continue - fi - if echo $f | grep '\.b64$' >/dev/null - then - base64 -d $f > $WORK_DIR/`basename $f .b64` - else - cp $f $WORK_DIR/. - fi -done - -for f in $MORE_CERTS_DIR/*; do - if echo $f | grep '\.pem$' >/dev/null; then - cp $f $WORK_DIR/. 
- fi -done - -# Prepare truststore output file -if [ "$AAF_ENABLED" = "true" ] - then - echo "AAF is enabled, use 'AAF' truststore" - export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE} - else - echo "AAF is disabled, using JRE truststore" - cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -fi - -# Import Custom Certificates -for f in $WORK_DIR/*; do - if echo $f | grep '\.pem$' >/dev/null; then - echo "importing certificate: $f" - keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt - if [ $? != 0 ]; then - echo "failed importing certificate: $f" - exit 1 - fi - fi -done - -# Import certificates to Linux SSL Truststore -cp $CERTS_DIR/*.crt $SSL_WORKDIR/. -cp $MORE_CERTS_DIR/*.crt $SSL_WORKDIR/. -update-ca-certificates -if [ $? != 0 ] - then - echo "failed importing certificates" - exit 1 - else - cp /etc/ssl/certs/ca-certificates.crt $WORK_DIR/. -fi diff --git a/kubernetes/common/cert-wrapper/resources/truststoreONAP.p12.b64 b/kubernetes/common/cert-wrapper/resources/truststoreONAP.p12.b64 deleted file mode 100644 index 71b6782c58..0000000000 --- a/kubernetes/common/cert-wrapper/resources/truststoreONAP.p12.b64 +++ /dev/null 
@@ -1,30 +0,0 @@
diff --git a/kubernetes/common/cert-wrapper/resources/truststoreONAPall.jks.b64 b/kubernetes/common/cert-wrapper/resources/truststoreONAPall.jks.b64 deleted file mode 100644 index 4a92325b19..0000000000 --- a/kubernetes/common/cert-wrapper/resources/truststoreONAPall.jks.b64 +++ /dev/null
@@ -1,2733 +0,0 @@
-cyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDMw -HhcNMDgxMDAxMTAyOTU2WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNV -BAoMIlQtU3lzdGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lz -dGVtcyBUcnVzdCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNz -IDMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9dZPwYiJvJK7genasfb3ZJNW4 -t/zN8ELg63iIVl6bmlQdTQyK9tPPcPRStdiTBONGhnFBSivwKixVA9ZIw+A5OO3yXDw/RLyT -PWGrTs0NvvAgJ1gORH8EGoel15YUNpDQSXuhdfsaa3Ox+M6pCSzyU9XDFES4hqX2iys52qMz -VNn6chr3IhUciJFrf2blw2qAsCTz34ZFiP0Zf3WHHx+xGwpzJFu5ZeAsVMhg02YXP+HMVDNz -kQI6pn97djmiH5a2OK61yJN0HZ65tOVgnS9W0eDrXltMEnAMbEQgqxHY9Bn20pxSN+f6tsIx -O0rUFJmtxxr1XV/6B7h8DR/Wgx6zAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0P -AQH/BAQDAgEGMB0GA1UdDgQWBBS1A/d2O2GCahKqGFPrAyGUv/7OyjANBgkqhkiG9w0BAQsF -AAOCAQEAVj3vlNW92nOyWL6ukK2YJ5f+AbGwUgC4TeQbIXQbfsDuXmkqJa9c1h3a0nnJ85cp -4IaH3gRZD/FZ1GSFS5mvJQQeyUapl96Cshtwn5z2r3Ex3XsFpSzTucpH9sry9uetuUg/vBa3 -wW306gmv7PO15wWeph6KU1HWk4HMdJP2udqmJQV0eVp+QD6CSyYRMG7hP0HHRwA11fXT91Q+ -gT3aSWqas+8QPebrb9HIIkfLzM8BMZLZGOMivgkeGj5asuRrDFR6fUNOuImle9eiPZaGzPIm -NC1qkp2aGtAw4l1OBLBfiyB+d8E9lYLRRpo7PHi4b6HQDWSieB4pTpPDpFQUWwAAAAIAGXQt -dGVsZXNlY2dsb2JhbHJvb3RjbGFzczIAAAF8EFmtSAAFWC41MDkAAAPHMIIDwzCCAqugAwIB -AgIBATANBgkqhkiG9w0BAQsFADCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lzdGVt -cyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVzdCBD -ZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwHhcNMDgxMDAx -MTA0MDE0WhcNMzMxMDAxMjM1OTU5WjCBgjELMAkGA1UEBhMCREUxKzApBgNVBAoMIlQtU3lz -dGVtcyBFbnRlcnByaXNlIFNlcnZpY2VzIEdtYkgxHzAdBgNVBAsMFlQtU3lzdGVtcyBUcnVz -dCBDZW50ZXIxJTAjBgNVBAMMHFQtVGVsZVNlYyBHbG9iYWxSb290IENsYXNzIDIwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqX9obX+hzkeXaXPSi5kfl82hVYAUdAqSzm1nz -HoqvNK38DcLZSBnuaY/JIPwhqgcZ7bBcrGXHX+0CfHt8LRvWurmAwhiCFoT6ZrAIxlQjgeTN -uUk/9k9uN0goOA/FvudocP05l03Sx5iRUKrERLMjfTlH6VJi1hKTXrcxlkIF+3anHqP1wvzp -esVsqXFP6st4vGCvx9702cu+fjOlbpSD8DT6IavqjnKgP6TeMFvvhk1qlVtDRKgQFRzlAVfF 
-mPHmBiiRqiDFt1MmUUOyCxGVWOHAD3bZwI18gfNycJ5v/hqO2V81xrJvNHy+SE/iWjnX2J14 -np+GPgNeGYtEotXHAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG -MB0GA1UdDgQWBBS/WSA2AHmgoCJrjNXyYdK4LMuCSjANBgkqhkiG9w0BAQsFAAOCAQEAMQOi -YQsfdOhyNsZt+U2e+iKo4YFWz827n+qrkRk4r6p8FU3ztqONpfSO9kSpp+ghla0+AGIWiPAC -uvxhI+YzmzB6azZie60EI4RYZeLbK4rnJVM3YlNfvNoBYimipidx5joifsFvHZVwIEoHNN/q -/xWA5brXethbdXwFeilHfkCoMRN3zUA7tFFHei4R40cR3p1m0IvVVGb6g1XqfMIpiRvpb7PO -4gWEyS8+eIVibslfwXhjdFjASBgMmTnrpMwatXlajRWc2BQN9noHV8cigwUtPJslJj0Ys6lD -fMjIq2SPDqO/nBudMNva0Bkuqjzx+zOAduTNrRlPBSeOE6FuwgAAAAIAH2NvbW9kb2VjY2Nl -cnRpZmljYXRpb25hdXRob3JpdHkAAAF8EFmtSAAFWC41MDkAAAKNMIICiTCCAg+gAwIBAgIQ -H0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT -EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RP -IENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkwHhcNMDgwMzA2MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZ -BgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR -Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBFQ0MgQ2VydGlmaWNhdGlvbiBB -dXRob3JpdHkwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQDR3svdcmCFYX7deSRFtSrYpn1PlIL -Bs5BAH+X4QokPB0BBO490o0JlwzgdeT6+3eKKvUDYEs2ixYjFq0JcfRK9ChQtP6IHG4/bC8v -CVlbpVsLM5niwz2J+Wos77LTBumjQjBAMB0GA1UdDgQWBBR1cacZSBm8nZ3qQUfflMRId5nT -eTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjEA -7wNbeqy3eApyt4jf/7VGFAkK+qDmfQjGGoe9GKhzvSbKYAydzpmfz1wPMOG+FDHqAjAU9JM8 -SaczepBGR7NjfRObTrdvGDeAU/7dIOA1mjbRxwG55tzd8/8dLDoWV9mSOdYAAAACABRzd2lz -c3NpZ25zaWx2ZXJjYS1nMgAAAXwQWa1IAAVYLjUwOQAABcEwggW9MIIDpaADAgECAghPG9Qv -VLsvSzANBgkqhkiG9w0BAQUFADBHMQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWdu -IEFHMSEwHwYDVQQDExhTd2lzc1NpZ24gU2lsdmVyIENBIC0gRzIwHhcNMDYxMDI1MDgzMjQ2 -WhcNMzYxMDI1MDgzMjQ2WjBHMQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWduIEFH -MSEwHwYDVQQDExhTd2lzc1NpZ24gU2lsdmVyIENBIC0gRzIwggIiMA0GCSqGSIb3DQEBAQUA -A4ICDwAwggIKAoICAQDE8Yd/03gx9zjJ+MOZQ7zH97w3505xukuPpXMdXG6YrgNXrjg3Qy8X 
-PR/IzmgQwXiuGQMrEPoseYP26LlouVXyBESnOfn8BIse8aJNJ/lhe7q35aITtuthPtBs0eb7 -+l7tHbSeoDVboZLL8EmS/oUKBT7m2QviT7vclTf8kekyNSLRHzpOJ4WdsBWUMtphDUdNYEKu -kkfog1pQWOmKi7ldodzdmUofNme7SOSDtjfrSDqvD2ePFwfoBMrvajGH1MC2+ZRxe2dkuLaR -SkJ7ZS4wagz1kO6V5vLNguzZoUrs9rJL5UWF5m14kwQunIJtNqnEMWQfhoMLKvQ1CnjJVc9B -sEfpMJ+ZvmGoBoS5KHpfONkbqTiwg39zwcM7SCqCDyGbuMyoNcOEG4OzPr6klWkBOokAeATZ -yfSZGatWfluLhjkVkaQQLAkygGCzk8AqthgLnX6NSfIQSn/51UYvGZKjmacmrLuMPOYOvEcH -3HNR8XBkLwj5tEcdMGxE6ik3hZJoZryDOP57OS7TUPAf+15gtqmm+idB8ZsYcvL1hHRKyWfE -VK5IZN+M0W6wHeEHjwgemZxx6UzYpfdHEh900VGehvPCoiNAC3PbS6bncwaMwaDpwVmsRvrm -L/jPcZxGbbnEFY04eQNFSO/EXdcI7oc5IoayDQ9YQ/dxqUgu/erWHwIDAQABo4GsMIGpMA4G -A1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQXoM3B5EG2Ols7y0Wd -vRzCmPqGWDAfBgNVHSMEGDAWgBQXoM3B5EG2Ols7y0WdvRzCmPqGWDBGBgNVHSAEPzA9MDsG -CWCFdAFZAQMBATAuMCwGCCsGAQUFBwIBFiBodHRwOi8vcmVwb3NpdG9yeS5zd2lzc3NpZ24u -Y29tLzANBgkqhkiG9w0BAQUFAAOCAgEAc8aB4CfSLQ/glTDimkF/UCxfX2JhqYZqaRgMdEnW -XYTqQVIYb1itUFYgasa9KGlYkdyRETWpOh28GqVgntgff0WRadl+u3hywQYPKs6PhXBhrKDN -C7g5KVaEMk6Guz3EKtnXH3Lu/lGhIkGxcQJjGoKwYqteVxIf38vddaDAXXmQjBvgUObeMf6Y -e3BfpZDYrfgCtm/TYN1ASyLFPa06ep8aGkeReTO6gtwyaQOWbh9L8HH+42dyoLG/XIvk+pki -x4S5G40jlz/tJeDPZbv1YQTv3R6yWkEiWqGfXSzoW8ltqQwMeKpgxlaPAVoMaLxpGXnEH36X -Bb/F6SRRXtTVS1Pt2SNaNgNlo8EDrUEw80YbhZCvZbXVseQWW3h1HZd6bVmpKo973sOHiRCZ -SXN4yD29UTV0KtXxfmkbKrs7vSW4mlo9cmGQZofuDNZN1BF0C2r+CwP8o1VXif5Ky65bFwXI -8o0jMVM40i1qP4K5jQhq915BdG7DEX4HrClgkT84ylcQDb0wL8el5kGg2q4Fh5qgpGVsTAkM -ibq407nAk4ow+o3lmmsVAU5nqtpiVj6ECGbSxDZ9pz4Q/Ijg1IDlAL2q804Go3pq+WJy4wlP -65sOASPxn7t83NxsEZclsvK0YxTSBipnjIP1zuoH2JpqHuzkCrsqTOsJYDnOymLYLm4AAAAC -AA1jYWRpc2lncm9vdHIyAAABfBBZrUgABVguNTA5AAAFbTCCBWkwggNRoAMCAQICCQCSuIjb -sIrBYzANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJTSzETMBEGA1UEBxMKQnJhdGlzbGF2 -YTETMBEGA1UEChMKRGlzaWcgYS5zLjEZMBcGA1UEAxMQQ0EgRGlzaWcgUm9vdCBSMjAeFw0x -MjA3MTkwOTE1MzBaFw00MjA3MTkwOTE1MzBaMFIxCzAJBgNVBAYTAlNLMRMwEQYDVQQHEwpC -cmF0aXNsYXZhMRMwEQYDVQQKEwpEaXNpZyBhLnMuMRkwFwYDVQQDExBDQSBEaXNpZyBSb290 
-IFIyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoqPEAAnWhV0tbRT2wsNznjXC -cVV+gfurRlDgwXxJeOareVg82v98HJ/YlwJ4PmtBBOlBvb4DLEX2L2TUq12jRz1km+lomsbM -Gz+6vrKLNAIumFUZ/Ixvql/aTM5NAyGj2NI0k1aWy0wMABY8XxrNyMdspq3TMae86OXhZtbS -+wO0QWXJEK4OBWPGgGppMP3S7pDvDSffn5Vz9OEl2mwW3kE4NOqL/NHoBBRhLUF+rMd3TstR -VPtekhgbBFpoxsnE+rcToJi3ESu31lfMfJ4X0csl/oZOJC5WDHhNngESpiunAWVufGIdhITf -6sBrtaUqlYPDUxEMcx0LskaQ0UI6zkBula3/xpStbpeEjn1vnoqADUltc+J7kh7D88Hz6y4F -b9kbzzd2BMi0WuQXp8vddh/QGXboLAWz1pw02JbcYYeRBeRECDPB2rkIZdSusjYN67o4ugzl -m57rjWbdmc/WiUH2BJKKKSltazoc53V9AnEO88DnvcsZ3Z1gssJmYLaxBO7J5oa5mmZAqOcR -7YFFA4v2Z1nowQYRvd3PgAJPZUB4XEdQyJvmH4F75ESoW4Wa4t5a1cf5OkRmS+QyVHzkbJyz -Dj0XorI0EtZ+sqhJu9F6KEC+ohYf3+Q3HxFz+5AKZUOiDXz4BgFVM32wDbj09a6lQld8NhGM -e17EA52MeZ0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD -VR0OBBYEFLWZ+K+wlPXjINYKrc5OVqQubkLtMA0GCSqGSIb3DQEBCwUAA4ICAQAmBl5w52Uz -yIJu2ZwXOht6ZrIB9ng7aV4v6v9O+SjDmCphTLQkEop9bREU95y1yua8nieOTBnIqb16wNc2 -Dm2Fcm6oxqJt9vpzY3+8bnkIHJ2KnxqKU6bYu9k1VbERxakDs1Y7uYSTIl5+wfYSUovqLGe8 -/jZM9bjP0bNJkjvTKQ6ZG5b3Ybg7xCu2eGy0I2/w/dOyXnUfmZWorPba4cUxe/vRRrPSvGe0 -YlS6CfdjsJOimvnpUi6LYBKr/PVgVu8QXIvEGkLcg1tkDsu1vNZPwXw8bo0Tbft76zDQ3E2v -xdW2pUxbccnoMb7oOAZIoRri6tLeEjlYGv+ADoJ15rfJB2wO7/848ZhxxLd/DhXQJWm9Ip0r -7QX2Rkes7cDw1Dvi7O6WW5ATTh5WOuuw75a7liMRuvJDhnRklcgodd8dNbrSN4M4Uzg2O89s -6flrDtD7BOhPd9dlAXiGDHo+IWLxf2NxDMmfRNuoJ6J1vm6BPtfA6xuYD3BcNLKKzMCFGOtu -erP3WqEHv6lCkvNgIpfkFKEHm052wI59/aQlx0ft/x9zrMzDpelvCo6bZcJQhbWjoFMSzFWH -YfOBrhBGYb1EIbjCPXTPfiQ1+hwHDps9IsrvMS+MrBK970Ao/Clnn7ITT2YkxFMZ6R4pFe/m -bbB/LWf982wbdUaj5UoX6aTXCwAAAAIADXNlY3VyZXRydXN0Y2EAAAF8EFmtSAAFWC41MDkA -AAO8MIIDuDCCAqCgAwIBAgIQDPCOXAgWpa1Cf/DrJxhZ0DANBgkqhkiG9w0BAQUFADBIMQsw -CQYDVQQGEwJVUzEgMB4GA1UEChMXU2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xFzAVBgNVBAMT -DlNlY3VyZVRydXN0IENBMB4XDTA2MTEwNzE5MzExOFoXDTI5MTIzMTE5NDA1NVowSDELMAkG -A1UEBhMCVVMxIDAeBgNVBAoTF1NlY3VyZVRydXN0IENvcnBvcmF0aW9uMRcwFQYDVQQDEw5T -ZWN1cmVUcnVzdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKukgeWVzfX2 
-FI7CT8rU4niVWJxB4Q2ZQCQXOZEzZum+4YOvYlyJ0fwkW2Gz4BERQRwdbvC4u/jep4G6pkjG -nx29vo6pQT64lO0pGtSO0gMdA+9tDWccV9cGrcrI9f4Or2YlSASWC12juhbDCE/RRvgUXPLI -XgGZbf2IzIaowW8xQmxSPmjL8xk037uHGFaAJsTQ3MBv396gwpEWoGQRS0S8Hvbn+mPeZqx2 -pHGj7DaUaHp3pLHnDi+BeuK1cobvomuL8A/b01k/unK8RCSc43Oz969XL0Imnal0ugBS8kvN -U3xHCzaFDmapCJcWNFfBZveA4+1wVMeT4C4oFVmHursCAwEAAaOBnTCBmjATBgkrBgEEAYI3 -FAIEBh4EAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUQjK2 -FvoE/f5dS3rD/fdMQB1aQ68wNAYDVR0fBC0wKzApoCegJYYjaHR0cDovL2NybC5zZWN1cmV0 -cnVzdC5jb20vU1RDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQEFBQADggEB -ADDtT0rhWDpSclu1pqNlGKa7UTt36Z3q059c4EVlew3KW+JwULKUBRSuSceNQQcSc5R+DCMh -/bwQf2AQWnL1mA6s7Ll/3XpvXdMc9P+IBWlCqQVxyLesJugutIxq/3HcuLHfmbx8IVQr5Fii -u1cprp6poxkmD5kuCLDv/WnPmRoJjeOnnyvJNjR7JLN4TJUXpAYmHrZkUjZfYGfZnMUFdAvn -ZyPSCPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR3ItH -uuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jEAAAACAAlhY2N2cmFp -ejEAAAF8EFmtSAAFWC41MDkAAAfXMIIH0zCCBbugAwIBAgIIXsO3pkN/pOAwDQYJKoZIhvcN -AQEFBQAwQjESMBAGA1UEAwwJQUNDVlJBSVoxMRAwDgYDVQQLDAdQS0lBQ0NWMQ0wCwYDVQQK -DARBQ0NWMQswCQYDVQQGEwJFUzAeFw0xMTA1MDUwOTM3MzdaFw0zMDEyMzEwOTM3MzdaMEIx -EjAQBgNVBAMMCUFDQ1ZSQUlaMTEQMA4GA1UECwwHUEtJQUNDVjENMAsGA1UECgwEQUNDVjEL -MAkGA1UEBhMCRVMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCbqau/YUqXry+X -Zpp0X9DZlv3P4uRm7x8fRzPCRKPfmt4ftVTdFXxpNRFvu8gMjmoYHtiP2Ra8EEg2XPBjs5Ba -XCQ316PWywlxufEBcoSwfdtNgM3802/J+Nq2DoLSRYWoG2ioPej0RGy9ocLLA76MPhMAhN9K -SMDjIgro6TenGEyxCQ0jVn8ETdkXhBilyNpAlHPrzg5XPAOBOp0KoVdDaaxXbXmQeOW1tDvY -vEyNKKGno6e6Ak4l0Squ7a4DIrhrIA8wKFSVf+DuzgpmndFALW4ir50awQUZ0m/A8p/4e7MC -QvtQqR0tkw8jq8bBD5L/0KIV9VMJcRz/RROE5iZe+OCIHAr8Fraocwa48GOEAqDGWuzndN9w -rqODJerWx5eHk6fGioozl2A3ED6XPm4pFdahD9GILBKfb6qkxkLrQaLjlUPTAYVtjrs78yM2 -x/474KElB0iryYl0/wiPgL/AlmXz7uxLaL2diMMxs0Dx6M/2OLuc5NF/1OVYm3z61PMOm3WR -5LpSLhl+0fXNWhn8ugb2+1KoS5kE3fj5tItQo05iifCHJPqDQsGH+tUtKSpacXpkatcnYGMN -285J9Y0fkIkyF/hzQ7jSWpOGYdbhdQrqeWZ2iE9x6wQl1gpaepPluUsXQA+xtrn13k/c4LOs 
-OxFwYIRKQ26ZIMApcQrAZQIDAQABo4ICyzCCAscwfQYIKwYBBQUHAQEEcTBvMEwGCCsGAQUF -BzAChkBodHRwOi8vd3d3LmFjY3YuZXMvZmlsZWFkbWluL0FyY2hpdm9zL2NlcnRpZmljYWRv -cy9yYWl6YWNjdjEuY3J0MB8GCCsGAQUFBzABhhNodHRwOi8vb2NzcC5hY2N2LmVzMB0GA1Ud -DgQWBBTSh7Tj3zcnk1X2VuqB5TbMjB4/vTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaA -FNKHtOPfNyeTVfZW6oHlNsyMHj+9MIIBcwYDVR0gBIIBajCCAWYwggFiBgRVHSAAMIIBWDCC -ASIGCCsGAQUFBwICMIIBFB6CARAAQQB1AHQAbwByAGkAZABhAGQAIABkAGUAIABDAGUAcgB0 -AGkAZgBpAGMAYQBjAGkA8wBuACAAUgBhAO0AegAgAGQAZQAgAGwAYQAgAEEAQwBDAFYAIAAo -AEEAZwBlAG4AYwBpAGEAIABkAGUAIABUAGUAYwBuAG8AbABvAGcA7QBhACAAeQAgAEMAZQBy -AHQAaQBmAGkAYwBhAGMAaQDzAG4AIABFAGwAZQBjAHQAcgDzAG4AaQBjAGEALAAgAEMASQBG -ACAAUQA0ADYAMAAxADEANQA2AEUAKQAuACAAQwBQAFMAIABlAG4AIABoAHQAdABwADoALwAv -AHcAdwB3AC4AYQBjAGMAdgAuAGUAczAwBggrBgEFBQcCARYkaHR0cDovL3d3dy5hY2N2LmVz -L2xlZ2lzbGFjaW9uX2MuaHRtMFUGA1UdHwROMEwwSqBIoEaGRGh0dHA6Ly93d3cuYWNjdi5l -cy9maWxlYWRtaW4vQXJjaGl2b3MvY2VydGlmaWNhZG9zL3JhaXphY2N2MV9kZXIuY3JsMA4G -A1UdDwEB/wQEAwIBBjAXBgNVHREEEDAOgQxhY2N2QGFjY3YuZXMwDQYJKoZIhvcNAQEFBQAD -ggIBAJcxAp/n/UNnSEQU5CmH7UwoZtCPNdpNYbdKl02125DgBS4OxnnQ8pdpD70ER9m+27Up -2pvZrqmZ1dM8MJP1jaGo/AaNRPTKFpV8M9xii6g3+CfYCS0b78gUJyCpZET/LtZ1qmxNYEAZ -SUNUY9rizLpm5U9EelvZaoErQNV/+QEnWCzI7UiRfD+mAM/EKXMRNt6GGT6d7hmKG9Ww7Y49 -nCrADdg9ZuM8Db3VlFzi4qc1GwQA9j9ajepDvV+JHanBsMyZ4k0ACtrJJ1vnE5Bc5PUzolVt -3OAJTS+xJlsndQAJxGJ3KQhfnlmstn6tn1QwIgPBHnFk/vk4CpYY3QIUrCPLBhwepH2NDd4n -Qeit2hW3sCPdK6jT2iWH7ehVRE2I9DZ+hJp4rPcOVkkO1jMl1oRQQmwgEh0q1b688nCBpHBg -vgW1m54ERL5hI6zppSSMEYCUWqKiuUnSwdzRp+0xESyeGabu4VXhwOrPDYTkF7eifKXeVSUG -7szAh1xA2syVP1XgNce4hL60Xc16gwFy7ofmXx2utYXGJt/mwZrpHgJHnyqobalbz+xFd3+Y -J5oyXSrjhO7FmGYvliAd3djDJ9ew+f7Zfc3Qn48LFFhRny+Lwzgt3uiP1o2HpPVWQxaZLPSk -VrQ0uGE3ycJYgBugl6H8WY3pEfbRD0tVNEYqi4Y7AAAAAgAhZW50cnVzdHJvb3RjZXJ0aWZp -Y2F0aW9uYXV0aG9yaXR5AAABfBBZrUgABVguNTA5AAAElTCCBJEwggN5oAMCAQICBEVrUFQw -DQYJKoZIhvcNAQEFBQAwgbAxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1FbnRydXN0LCBJbmMu -MTkwNwYDVQQLEzB3d3cuZW50cnVzdC5uZXQvQ1BTIGlzIGluY29ycG9yYXRlZCBieSByZWZl 
-cmVuY2UxHzAdBgNVBAsTFihjKSAyMDA2IEVudHJ1c3QsIEluYy4xLTArBgNVBAMTJEVudHJ1 -c3QgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjExMjcyMDIzNDJaFw0yNjEx -MjcyMDUzNDJaMIGwMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjE5MDcG -A1UECxMwd3d3LmVudHJ1c3QubmV0L0NQUyBpcyBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJlbmNl -MR8wHQYDVQQLExYoYykgMjAwNiBFbnRydXN0LCBJbmMuMS0wKwYDVQQDEyRFbnRydXN0IFJv -b3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC2lbZDQvrGbSpvSN+UTDlXBe7DeRFBaDbt7P6aAY+hOCj89xBGZi5NHhqxGk7G0cCV -iLDJ/zGLMwPbt4N7PiCEXu2yViin+OC5QHE3xctHDpcqaMAilWIV20fZ9dAr/4JLya0+3kzb -kIBQPwmKhADsMAo9GM37/SpZmiOVFyxFnh9uQ3ltDFyY/kinxSNHXF79bucetPZoRdGGg1ui -io2x4ymA/iVxiK2+vI+sUpZLqlGN5BMxGehOTZ/brLNq1bw5VHHKenp/kN19HYDZgbtZJsIR -/uaT4veA5GX7NDcOKYBwTa84hi6ef1evnheu6xzLKCFfthzY56IEIvnT2tjLAgMBAAGjgbAw -ga0wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wKwYDVR0QBCQwIoAPMjAwNjEx -MjcyMDIzNDJagQ8yMDI2MTEyNzIwNTM0MlowHwYDVR0jBBgwFoAUaJDkZ6SmU4DHhmak8fdL -Q/uEvW0wHQYDVR0OBBYEFGiQ5GekplOAx4ZmpPH3S0P7hL1tMB0GCSqGSIb2fQdBAAQQMA4b -CFY3LjE6NC4wAwIEkDANBgkqhkiG9w0BAQUFAAOCAQEAk9QwsNcDICrQ+WPokQwFIKlfGcp7 -ck7UsdvQlvtUWhksDAj3sryFqJ1/bTtSsyrb59SEjGP2D8smAZFQbPRfFOKTdMATnjA6UOO0 -YMUc8CJEjXFHrMgayembmgBgE/9wfl8RTUkbsxVSe8lU2r+dla9rmtie6fHkQ43iEUQ6v6+9 -g0JzUouqu6cpz/VkHApN0byqrJ8q0P9/f9p96rHtMCXBhNo00lt4g1bsnDbDJuIR9mdJHZKr -jPvr/3ruhUqnUIDwp1xKlC5fBZk8UkHgzbRjzwFDupyD3I9gO/NatLR7rtoLkDh174EdZtL3 -V3A2s7/8KK9xJYVbE/4ef1q0PAAAAAIAHGlkZW50cnVzdHB1YmxpY3NlY3RvcnJvb3RjYTEA -AAF8EFmtSAAFWC41MDkAAAVqMIIFZjCCA06gAwIBAgIQCgFCgAAAAUUjz0Z8AAAAAjANBgkq -hkiG9w0BAQsFADBNMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MSowKAYDVQQD -EyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwHhcNMTQwMTE2MTc1MzMyWhcN -MzQwMTE2MTc1MzMyWjBNMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MSowKAYD -VQQDEyFJZGVuVHJ1c3QgUHVibGljIFNlY3RvciBSb290IENBIDEwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQC2IpT8pEiv6EdrCvsnduTyP4o7ekosMSqMjbCpwzFrqHd2hCa2 -rIFCDQjrVVi7evi8ZX3yoG2LqEfpYnYeEe4IFNGyRBb06tD6Hi9e28tzQa68ALBKK0CyrOE7 
-S8ItneShm+waOh7wCLPQ5CQ1B5+ctMlSbdsHyo+1W/CD80/HLaXIrcuVIKQxKFdYWuSNG5qr -ng0M8gozOSI5Cpcu81N3uURF/YTLNiCBWS2ab21ISGHKTN9T0a9SvESfqy9rg3LvdYDaBjMb -XcjaY8ZNzaxmMc3R3j6HEDbhuaR672BQssvKplbgN6+rNBM5Jeg5ZuSYeqoSmJxZZoY+rfGw -yj4GD3vwEUs3oERte8uojHH01bWRNszwFcYr3lEXsZdMUD2xlVl8BX0tIdUAvwFnol57plzy -9yLxkA2T26pEUWbMfXYD62qoKjgZl3YNa4ph+bz27nb9cCvdKTz4Ch5bQhyLVi9VGxyhLrXH -Fub4qjySjmm2AcG1hp2JDws4lFTo6tyePSW8Uybt1as5qsVATFSrsrTZ2fjXctscvG29ZV/v -iDUqZi/u9rNl8DONfJhBaUYPQxxp+pu10GFqzcpL2UyQRqsVWaFHVCkugyhfHMKiq3IXAAaO -ReyL4jM9f9oZRORicsPfIsbyVtTdX5Vy7W1f90gDW/3FKqD2cyOEEBsB5wIDAQABo0IwQDAO -BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU43HgntinQtnbcZFr -lJPrw6PRFKMwDQYJKoZIhvcNAQELBQADggIBAEf63QqwEZE4rU1d9+UOl1QZgkiHVIyqZJnY -Wv6IAcVYpZmxI1Qjt2odIFflAWJBF9MJ23XLblSQdf4an4EKwt3X9wnQW3IV5B4Jaj0z8yGa -5hV+rVHVDRDtfULAj+7AmgjVQdZcDiFpboBhDhXAuM/FSRJSzL46zNQuOAXeNf0fb7iAaJg9 -TaDKQGXSc3z1i9kKlT/YPyNtGtEqJBnZhbMX73huqVjRI9PHE+1yJX9dsXNw0H8GlwmEKYBh -Hfpe/3OsoOOJuBxxFcbeMX8S3OFtm6/n6J91eEyrRjuazr8FGF1NFTwWmhlQBJqymm9li1Jf -PFgEKCXAZmExfrngdbkaqIHWchezxQMxNRF4eKLg6TCMf4DfWN88uieW4oA0beOY02QnrEh+ -KHdcxiVhJfiFDGX6xDIvpZgF5PgLZxYWxoK4Mhn5+bl53B/N66+rDt0b20XkeucC4pVd/Gnw -U2lhlXV5C15V5jgclKlZM57IcXR5f1GJtshquDDIajjDbp7hNxbqBWJMWxJH7ae0s1hWx0nz -fxJoCTFx8G34Tkf71oXuxVhAGaQdp/lLQzfcaFpPz+vCZHTetBXZ9FRUGi8c15dxVJCO2SCd -Uyt/q4/i6jC8UDfv8Ue1fXwsBOxonbRJRBD0ckscZOf85muQ3Wl9af0AVqW3rLatt8o+Ae+c -AAAAAgAkZW50cnVzdC5uZXRwcmVtaXVtMjA0OHNlY3VyZXNlcnZlcmNhAAABfBBZrUgABVgu -NTA5AAAELjCCBCowggMSoAMCAQICBDhj3vgwDQYJKoZIhvcNAQEFBQAwgbQxFDASBgNVBAoT -C0VudHJ1c3QubmV0MUAwPgYDVQQLFDd3d3cuZW50cnVzdC5uZXQvQ1BTXzIwNDggaW5jb3Jw -LiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5l -dCBMaW1pdGVkMTMwMQYDVQQDEypFbnRydXN0Lm5ldCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 -eSAoMjA0OCkwHhcNOTkxMjI0MTc1MDUxWhcNMjkwNzI0MTQxNTEyWjCBtDEUMBIGA1UEChML -RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBpbmNvcnAu -IGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5IEVudHJ1c3QubmV0 
-IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRpZmljYXRpb24gQXV0aG9yaXR5 -ICgyMDQ4KTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1NS6kShrLqoyAHFRZk -KitL0b8LSk2O7YB2pWe3eEDAc0LIaMDbUyvdXrh2mDWTixqdfBM6Dh9btx7P5SQUHrGBqY19 -uMxrSwPxAgzcq6VAJAB/dJShnQgps4gL9Yd3nVXN5MN+12pkq4UUhpVblzJQbz3IumYM4/y9 -uEnBdolJGf3AqL2Jo2cvxp+8cRlguC3pLMmQdmZ7lOKveNZlU1081pyyzykD+S+kULLUSM4F -MlWK/bJkTA7kmAd123/fuQhVYIUwKfl7SKRphuM1Px6GXXp6Fb3vAI4VIlQXAJAmk7wOSWiR -v/hH052VQsEOTd9vJs/DGCFiZkNw1tXAB+ECAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8G -A1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFXkgdERgL7YibkIozH5oSQJFrlwMA0GCSqGSIb3 -DQEBBQUAA4IBAQA7m49WmzDnU5l8enmnTZfXGZWQ+wYfyjN8RmOPlmYk+kAbISfK5nJz8k/+ -MZn9yAxMaFPGgIITmPq2rdpdPfHObvYVEZSCDO4/la8Rqw/XL94fA49XLB7Ju5oaRJXrGE+m -H819VxAvmwQJWoS1btgdOuHWntFseV55HBTF49BMkztlPO3fPb6m5ZUaw7UZw71eW7v/I+9o -GcsSkydcAy1vMNAethqs3lr30aqoJ6b+eYHEeZkzV7oSsKngQmyTylbe/m2ECwiLfo3q15gh -xvPnPHkvXpzRTBWN4ewiN8yaQwuX3ICQjbNnm29ICBVWz7/xK3xemnbpWZDFfIM1EWVRAAAA -AgAOc2VjdXJlZ2xvYmFsY2EAAAF8EFmtSAAFWC41MDkAAAPAMIIDvDCCAqSgAwIBAgIQB1Yi -pOjUiolN9BPI8PjqpTANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMX -U2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwHhcN -MDYxMTA3MTk0MjI4WhcNMjkxMjMxMTk1MjA2WjBKMQswCQYDVQQGEwJVUzEgMB4GA1UEChMX -U2VjdXJlVHJ1c3QgQ29ycG9yYXRpb24xGTAXBgNVBAMTEFNlY3VyZSBHbG9iYWwgQ0EwggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvNS7YrGxVaQZx5RNoJLNP2MwhR/jxYDiJ -iQPpvepeRlMJ3Fz1Wuj3RSoC6zFh1ykzTM7HfAo3fg+6MpjhHZevj8fcyTiW89sa/FHtaMbQ -bqR8JNGuQsiWUGMu4P51/pinX0kuleM5M2SOHqRfkNJnPLLZ/kG5VacJjnIFHovdRIWCQtBJ -wB1g8NEXLJXr9qXBkqPFwqcIYA1gBBCWeZ4WNOaptvolRTnIHmX5k/Wq8VLcmZg9pYYaDDUz -+kulBAYVHDGA76oYa8J719rO+TMg1fW9ajMtgQT7sFzUnKPiXB3jqUJ1XnvUd+85VLrJChgb -EplJL4hL/VBi0XPnj3pDAgMBAAGjgZ0wgZowEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P -BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFK9EBMJBfkiD2045AuzshHrmzsmk -MDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc2VjdXJldHJ1c3QuY29tL1NHQ0EuY3Js -MBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQBjGghAfaReUw132HquHw0L 
-URYD7xh8yOOvaliTFGCRsoTciE6+OYo68+aCiV0BN7OrJKQVDpI1WkpEXk5X+nXOH0jOZvQ8 -QCaSmGwb7iRGDBezUqXbpZGRzzfTb+cnCDpOGR86p1hcF895P4vkp9MmI50mD1hp/Ed+stCN -i5O/KU9DaXR2Z0vPB4zmAve14bRDtUstFJ/53CYNv6ZHdAbYiNE6KTCEztI5gGIbqMdXSbxq -VVFnFUq+NQfk1XWYN3kwFNspnWzFacxHVaIw98xcf8LDmBxrThaA63p4ZUWiABqvDA1VZDRI -uJK58bRQKfJPIx/abKwfROHdI3hRW8cWAAAAAgAgbmV0bG9ja2FyYW55KGNsYXNzZ29sZClm -dGFuc3R2bnkAAAF8EFmtSAAFWC41MDkAAAQZMIIEFTCCAv2gAwIBAgIGSUEs5AAQMA0GCSqG -SIb3DQEBCwUAMIGnMQswCQYDVQQGEwJIVTERMA8GA1UEBwwIQnVkYXBlc3QxFTATBgNVBAoM -DE5ldExvY2sgS2Z0LjE3MDUGA1UECwwuVGFuw7pzw610dsOhbnlraWFkw7NrIChDZXJ0aWZp -Y2F0aW9uIFNlcnZpY2VzKTE1MDMGA1UEAwwsTmV0TG9jayBBcmFueSAoQ2xhc3MgR29sZCkg -RsWRdGFuw7pzw610dsOhbnkwHhcNMDgxMjExMTUwODIxWhcNMjgxMjA2MTUwODIxWjCBpzEL -MAkGA1UEBhMCSFUxETAPBgNVBAcMCEJ1ZGFwZXN0MRUwEwYDVQQKDAxOZXRMb2NrIEtmdC4x -NzA1BgNVBAsMLlRhbsO6c8OtdHbDoW55a2lhZMOzayAoQ2VydGlmaWNhdGlvbiBTZXJ2aWNl -cykxNTAzBgNVBAMMLE5ldExvY2sgQXJhbnkgKENsYXNzIEdvbGQpIEbFkXRhbsO6c8OtdHbD -oW55MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCRec75LbRTDofTjl5Bu0jBF -HjzuZ9lk4BqKf8owyoPjIMHj9DrTlF8afFttvzBPhCf2nx9JvMaZCpDyD/V/Q4Q3Y1GLeqVw -/HpYzY6b7cNGbIRwXdrzAZAj/E4wqX7hJ2Pn7WQ8oLjJM2P+FpD/sLj916jAwJRDC7bVWaae -VtAkH3B5r9s5VA1lddkVQZQBr17s9o3x/61k/iCa11zr/qYfCGSji3ZVrR47KGAuhyXoqq8f -xmRGILdwfzzeSNuWU7c5d+Qa4scWhHaXWy+7GRWF+GmF9ZmnqfI0p6m2pgP8b4Y9VHx2BJtr -+UBdADTHLpl1neWIA6pN+APSQnbAGwIDAKiLo0UwQzASBgNVHRMBAf8ECDAGAQH/AgEEMA4G -A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUzPpnk/C2uNClwB7zU/2MU9+D15YwDQYJKoZIhvcN -AQELBQADggEBAKt/7hwWqZw8UQCgwBEIBaeZ5m8BiFRhbvG5GK1Krf6BQCOUL/t1fC8oS2Ik -gYIL9WHxHG64YTjrgfpioTtaYtOUZcTh5m2C+C8lcLIhJsFyUR+MLMOEkMNaj7rP9KdlpeuY -0fsFskZ1FSNqb4VjMIDw1Z4fKRzCbLBQWV2QWzuoDTDPv31/zvGdg73JRm4gpvlhUbohL3u+ -pRVjodSVh/GeufOJ8z2FuLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aUL -NmLazAZfNou2XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7EAAAAC -ABN0ZWxpYXNvbmVyYXJvb3RjYXYxAAABfBBZrUgABVguNTA5AAAFPDCCBTgwggMgoAMCAQIC -EQCVvhag9y5G8Xs5gnL6i82WMA0GCSqGSIb3DQEBBQUAMDcxFDASBgNVBAoMC1RlbGlhU29u 
-ZXJhMR8wHQYDVQQDDBZUZWxpYVNvbmVyYSBSb290IENBIHYxMB4XDTA3MTAxODEyMDA1MFoX -DTMyMTAxODEyMDA1MFowNzEUMBIGA1UECgwLVGVsaWFTb25lcmExHzAdBgNVBAMMFlRlbGlh -U29uZXJhIFJvb3QgQ0EgdjEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDCvusn -8CGj82kmVX6dxVUWkVz97yG/U4B6LdKRjGMx8Owk8MOl0nJ8EG30N7fl5nx56oy1gouuSLas -ANxldewqTV/Bh/UgZSuBqEc+iSOVMBaQf+hXB0jnGa6/RWexNxsGKv7e+ax9g/teuuSPl2e+ -S46NZAdXOFVpNDY9E0jvT+LTZh6kzxq3XjYz1LQGvRgB/XeEUABF9Yxd6CO8fv414e1Qe6kw -jRnTCY5oZ12/PJcYU7spYsXKXnLBx5bU2y2gtB9pA+zq4lDxDDzwrPNTLfAc9e1sOTlzgBbI -UrAjzeA+3N08R6C7NYrimGiLvuW/cu7S+qXtEu38mBipJnbcKEsQIBzTfxZ3Le1vgPdJu1MF -u11ox9TIdRY/iVqL9xdH1Ezx0ol5Pk09mKhh3joe0vheA+DByRyM041N05U2szdfY2ObMxTw -LSZrU3yJjDLCbuw9IQA5yaFo4lCDLrA6K/M2oKwv5G9hwlEJOT6LU7m7Z9rcU7l2WTadQ+Ug -4D0yYIUiUbfHM7vdFS+keKYHe4FGNgSG3Xk1x5UsO7CjFzXlcx+0XFnv2uoQZXt60H+fs7Qq -Nztwi5tbuSu37LJREpdTKVrU8BIQ3E8CuxKSL2LUP2lDfA3W/Fh1AYidWBZL3rqQ/0cBiQZq -9l+ykGqzAqYCiL+zR34q2dX6aHg1TQIDAQABoz8wPTAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud -DwQEAwIBBjAdBgNVHQ4EFgQU8I9ZOACz9Y+algzV6/p7qhfoExIwDQYJKoZIhvcNAQEFBQAD -ggIBAL7kXGJOJPQMCP/w0wxo5JNJIj9EJ2+7bd6DZs6ozA389ZoG5XcUkeudQXuZKoTl//wh -wV3w5B9Xt3WpoV8CJv/Xx/dO3k/49xxGwHpPQCwiNfAZsdBrZyywqODAQDc19oRcXOOvQnj+ -p8kNUOoNhHb2Ue+DU8Z6/w5WSS6PetYM5idU400KYHJizZEH1qW/yJlr7cQZ5qtMETjFbzHi -bknIP3aAJgMmKeA29vYgU+MXcDQXnWNoHmvsw02GuBMwL11GDUdD1RuqWQ65XI0GSK10h1/H -/DFUQRPixyEOnuAeDeHAe0OFkMWKWMZlCnhX8sYjDwHZIEveD/uShXUqXHONbXslkcruRa4G -SwDM07FZUNo6iDspQ0ZelytUzlNvjUrnlvq/cQ5Ci3z9KKDQSMraxIFMu6JzkybI6wzWJoi2 -wCTPu71b63V96QiOhjMseXcJaaWJ/LNwkId2j9Miu0LOvXMLICYq0Js9cB4kbM2HdqkXlrfP -DZL7jhipmEnRnv5gRHIhuRntwvUx8TlIiJAkdVQWrc70+GkUZDn7o7i6cEDHJxy/xFZT+mNl -0PMcDhb1a4ZYTRjU5A2OpZ1bkdx2JFA/xir72bectdbm0NnoGYsVcUitt+rYWYjUkL8Ws9np -rFlhVMgcusrByuG5IEyPOpOJpaDMv9P2daR1lm1WAAAAAgA0YXV0b3JpZGFkZGVjZXJ0aWZp -Y2FjaW9uZmlybWFwcm9mZXNpb25hbGNpZmE2MjYzNDA2OAAAAXwQWa1IAAVYLjUwOQAABhgw -ggYUMIID/KADAgECAghT7Dvu+7JIXzANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJFUzFC -MEAGA1UEAww5QXV0b3JpZGFkIGRlIENlcnRpZmljYWNpb24gRmlybWFwcm9mZXNpb25hbCBD 
-SUYgQTYyNjM0MDY4MB4XDTA5MDUyMDA4MzgxNVoXDTMwMTIzMTA4MzgxNVowUTELMAkGA1UE -BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1hcHJvZmVz -aW9uYWwgQ0lGIEE2MjYzNDA2ODCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMqW -a47q+PvxojXgf0za4MNS1322EMgCXrNDKsRParLKHF0omngRGmlZV6+1IELkiw/m31umA5Iv -9RHkYtcycTjZBAxxqz1Rfg8H32MFXOm/lG/BKYLAtNpRsME8u603SlzK8Us2DiSrv8OEd/2o -UPSx58Yv0i1ZjXoKTpZpUgKqNpjs/PoUgww3H8mSN3/XgS3lxLngPjT+Z/Q+ZtHT9EDPXmI0 -D3AGPiAYWs73chslbJN0FJOjc7EOqocQI1lfIAUZR+1ojpISyl381iuykjwgz+FfryC+oHZ/ -duXsGoZhMz7ne7Q/oA+Oorlqb7mHJm9BbIimUP1qYwv1kxYbGY+y7ZubyZD1AQzfGT0PPjgj -yS+PDNEC/htV1k7QjTyvT6Tz/q8q0wWdeQihy1cxtJzIkLJn9BgWkzr8R9jReJYxH7orDF9d -ma1jiVokIHbY3/2rTqYiqp1e5ieKfWgpo+eKuNoRuxctmZ0TJEb3xeLYn45/x490bVqy6HL1 -rO4kEK0vFNr/LZpGcUe+Qt+7Adv0f9MojzFZW9PJAqa0Uspul/tDxQgmb4r0u/2fKKoN1UXz -Ezod2MB4j0FnPB6UZK57C8Xo2QGIORqXhmRB1TuHDG76D8a9SBS/OU3UnkG2j5YdY5aT2ZUG -eDFonjcGO4CJRWE5I8cbRKMV5Rz4kjC7AgMBAAGjge8wgewwEgYDVR0TAQH/BAgwBgEB/wIB -ATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFGXN66s1HgA+ftV0wBy0c0cOGmQvMIGmBgNV -HSAEgZ4wgZswgZgGBFUdIAAwgY8wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cuZmlybWFwcm9m -ZXNpb25hbC5jb20vY3BzMFwGCCsGAQUFBwICMFAeTgBQAGEAcwBlAG8AIABkAGUAIABsAGEA -IABCAG8AbgBhAG4AbwB2AGEAIAA0ADcAIABCAGEAcgBjAGUAbABvAG4AYQAgADAAOAAwADEA -NzANBgkqhkiG9w0BAQUFAAOCAgEAF32g+bTdxcXrrUsktaECq92liEqyD1VLK1eMO+Ux3f7E -MvHnW2SWNjIY7KUyd9fjRLbAESqAuT1qbnyb0638w9aj5mQpfNHhOB6CK/8nZa/7FhXELnGE -5bX/+qRHvWQyu/YlhKInQvUgsMITEBHNEBW6QpAq0kThlibrMUgS/SrayQbPdB6pS9WHKPl5 -NJI+LkTo9o9PjzU/JbM53GMqkGsgX8RSEk6XLCqsnZfeSPKjZtvC0oOVpmanniUP6QszkWUK -WsPZVBLdr8NODh8mXg3cs43s1YFw3tJPJAXzbE71TElmjdH/0gslQUj+UYTGQq+ABM/QfmRJ -5PLfouyxTMAqHee0sWWixLzxmPSqcAdjtLjaO0z6QCIwWxGm8AUOxgIDSKuGm4Xd293qonaA -c331nATERY3nuRyLnurXddFysd51ROdCfeJXa33cmbw9gyjqgJONxUxlwXCBuDj8QzGy9gM0 -R7Ks+yIGyx7dF0ccX2a50xqi2hGxpLwjyeS+h/+5lLb4XSBK1F/nvWh7ZfIVHtI6qS3p2Gsk -rJdYREetWRjxIWVw3s40YKhA8fM8pMMoI4z+JzNDQKAXPOvqO7BypqO5SkteFkj0srzIjJLF -nZ+scja8NIA0a6mLksC4F+3sdlP1JAGMsyLoS3xVxp36oxS7ZYVubk8Sfgo8nZUAAAACAA5h 
-Y3JhaXpmbm10LXJjbQAAAXwQWa1IAAVYLjUwOQAABYcwggWDMIIDa6ADAgECAg9dk40wZzbI -Bh0ax1SEaQcwDQYJKoZIhvcNAQELBQAwOzELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQt -UkNNMRkwFwYDVQQLDBBBQyBSQUlaIEZOTVQtUkNNMB4XDTA4MTAyOTE1NTk1NloXDTMwMDEw -MTAwMDAwMFowOzELMAkGA1UEBhMCRVMxETAPBgNVBAoMCEZOTVQtUkNNMRkwFwYDVQQLDBBB -QyBSQUlaIEZOTVQtUkNNMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAunGAekyG -bn/IE23Axn0cAJePLAwjuxCaQKkat4eI+JtWavvme46Lko6nJV1ZEds2LrdRFx+pCB8EFyRY -qjdKGN/lOdRX/dfBLJEBkeIi1APAWPx3R+yPPnRDuqw0jU04dmeOsMhvMDNYcVy09Wtu1AFQ -uBN+bEqjSdEgGe68wCkYZafe/u/dCpAh5xpnkkIQmF9PMLw+HEW0ENdoQBTAQPrndxd65guP -ZVs82ZpS27W9nkbPPeuRBQLAlrJ2TE0QljuS+px/D5nfviM1RR4CXP61qJuZJdpe8yLDOfXk -Ki7Txh/EbKrFHGoBBUov0sXBqDQmXWal0gIh+Ri3BvVOmW+oq0xR6M9QGMV3yDkJLEmSMpmo -uxcXebBaxeajxFllRzWDXqnoNQuZu+TNIMabSgY5tWj8IrruVYwrTurzseP8tpma1UL6cU0I -z4ceanF9+dO06aVxgXvCTkeWpfZ2haMoj+mAboFTpW1fuEj5wvk2pi5J/7iWwowHs5uIWPzr -GxzeLXDil5IwoYnjvFWoJ9ZL7ZCti/pjJVktqDXdypczvOXNx53R7O9eDkqQBiZjrbnZNS0H -unZlLKxXj330B5TXgQKWXaMHSdV60Ff5G+dTRnWqsHlCy2hxCOlgvTlpzvSvw1ZAx61Sognk -b4ZHih/rKCddgyCvBMlsVpqLRvUCAwEAAaOBgzCBgDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud -DwEB/wQEAwIBBjAdBgNVHQ4EFgQU933F/cTomht3ZKf1HaDMv4dgmm0wPgYDVR0gBDcwNTAz -BgRVHSAAMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cuY2VydC5mbm10LmVzL2RwY3MvMA0G -CSqGSIb3DQEBCwUAA4ICAQAHkErf8yNO8MOcUWWbnCKiigyF83Mpa03+AeKpDGMBvwRnpZ2Y -X/0BE/rsmmLphv62YtJuTJT7wHVFfGUM+LI3z6wPz41v+Rn3j+we8nCe8Mq477f/djd2W/Zu -iPOvYjIikw06ao4UZgwtU3RXZR7Vst0jgTulZiMnZwmP4XeqQ81lUQjtUVj+5jn5y0eEpBXx -druk7qQ7xF/vsjOWERi3yWW+GOGjpNz6GPnTvBObOXo0utNB+/oyiiq3K4YLaYM4vs2KLgtw -rY0mku4e9QErCtnWl5tu4KgZHDohiwweQK0D591mfvW5IA0D6Jb5gkXUOeCgAF3XmOZ9nmdz -w5oq96uLoToU7zS8Ug6JmJoEQIQdfkVpk1fO6874UHxPHG4EQ5v51jsjGOnqjtFNRo3xO+Rq -yrr7I7eb+pkBKVpYWi3j+dRtDiatwW40vDL4DAX6ZaPbOzeDIunW3HIz/V3yIL12PCPaKPf5 -G+tZZNXcX3J+IPzNibWQZ01iej9OrR3DOf569CgW30H2SIAF1w9ReawQq9TsA2bmarC6MZJC -QGq+OtNy4Wo3VbysHZW3aWHyQ5F05qDTCiRGoQiv1tpFGZbUUx1bhHnwwPdH74uPxQaunUxi -nf9GBPjTybYQJUB1/haqyUpghi+67zB35FTiuISZWICqE4tROk9I9ou2swAAAAIAE2dkY2F0 
-h7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JML -iI+h2IYURpFHmygk71dSTlxCnKr3Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8 -hAs/hCBcNANExdqtvArBAs8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQgu -LvqcAFLTxWYp5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/ -D1Fu1uwJAAAAAgANYW1hem9ucm9vdGNhMQAAAXwQWa1IAAVYLjUwOQAAA0UwggNBMIICKaAD -AgECAhMGbJ/Pmb+MCjni8HiKQ+aWNlvKMA0GCSqGSIb3DQEBCwUAMDkxCzAJBgNVBAYTAlVT -MQ8wDQYDVQQKEwZBbWF6b24xGTAXBgNVBAMTEEFtYXpvbiBSb290IENBIDEwHhcNMTUwNTI2 -MDAwMDAwWhcNMzgwMTE3MDAwMDAwWjA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9u -MRkwFwYDVQQDExBBbWF6b24gUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAsniAccp41eNxr0eAUHR9btjXiHb0mWj3WCFg+XSEAS+sAi2G06BDek6ypNA2ugG+ -jdtIyAcXNkz07ogjxz7rN/W1GfhJaLDe17l2OB1hnqT+gjal5UpW5EXh+f20Fvp02pybNTkv -+rAgUAZsetCAsqb5r+xHGY9QOAfcooc5WPi61an5SGcwlu6UeF5viaNRwDCGZqFFZrpU66PD -kflI3P/R6DAtfS10cDXXiCT3nsRZbrtzhxfyMkYouEP6tx2qyrTynyQOLUv3cVxeaf/qlQLL -OIquUDhv2/stYhvFxx5U4XfgZ8gPnIcj1j9AIH8ggMSATD47JCaOBK5smsiqDQIDAQABo0Iw -QDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUhBjMhTTsvAyU -lC4IWZzHshBOCggwDQYJKoZIhvcNAQELBQADggEBAJjyN1pBkKEaxXZRKCA2Iw6u5ii7qviU -rkikMH8b/CSNS7TIoZf2tvF6cMhTk8wIKOOYJc8jpPneIdN8hQmtTpp1OsILaol4dkRHGGVs -jUGOO3+ay/S1p1DXBSw36ANLrelhoAJu9fLwxbLtW7fc+pRcd54TpX9SrZXy+JM73otcW8pa -UltgrxT3S++j+59AlW0xVPxC08dGHyOt2Q9IcJrZdXhx0XJDNHVuV1nCAlwmYCnPIxkWjohD -pdTkywj7IxFD6EMpcmKhqV1eCNSQrrjYzhTC0FXyhvbEk0N3ZmHAuehB15d4YANuSnKupdF9 -uhCehmwbirlZM/jrxJC+8bkAAAACABR0cnVzdGNvcnJvb3RjZXJ0Y2EtMQAAAXwQWa1IAAVY -LjUwOQAABDQwggQwMIIDGKADAgECAgkA2pvscfMDsBkwDQYJKoZIhvcNAQELBQAwgaQxCzAJ -BgNVBAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQwIgYD -VQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29yIENl -cnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3IgUm9vdENlcnQgQ0EtMTAe -Fw0xNjAyMDQxMjMyMTZaFw0yOTEyMzExNzIzMTZaMIGkMQswCQYDVQQGEwJQQTEPMA0GA1UE -CAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lz 
-dGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3Jp -dHkxHzAdBgNVBAMMFlRydXN0Q29yIFJvb3RDZXJ0IENBLTEwggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQC/jreV4sImEmszGcdAWAqrWaqNAKP8gMdQe47UICa6MhLYI1RJJRAi -mJ1G0sHJnk4bLiwOOPMaJWgcploF5h6LSL+YlnQ+acrptXilBrzVAF4JCvInelL8LdWx6rSJ -YSTzGhPbqc9S7Qwkurme7H4AdPqTrWwpkq5RtLvTV7+z86iNnPQkSyrWmZ70nv7AfkI65wuV -U9q3aA6QTPtwP49KLJTzJt1jaamU2BBOxUcIkJkbF025bG7vYJURjiGAtb2gc9jQsnfERepa -Jvtmdnb4Bh9hbQ9VxYO3EFZyBgel87EaAwVkDp1aitaGcBsk3v4oiivQarD8eqLcsnkOi2UP -AgMBAAGjYzBhMB0GA1UdDgQWBBTua0k8ej8N47EJt4rIqxmfczNQ5zAfBgNVHSMEGDAWgBTu -a0k8ej8N47EJt4rIqxmfczNQ5zAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN -BgkqhkiG9w0BAQsFAAOCAQEAJRjUkY8T7o8eHRFT2i1EKRmgHmsxnk0Onq09XEFvlSskoXmY -Ojg2+7tmnkj/kJDvPdS4m7SHdT8gm85yz6FVwU1kohkGoQczDAsp5fHqq6PstQp0kMd9cvLX -XJ+R75GLt9ztZqLPjmY7vJ86AuAn3RaYwJXUCqTkgZp1lDWckF+INwatWZUKsNFn0xnKiecy -WjYcPoKoWpO+xtBkkbbP2bYYz9t+0mWjpsSOFzHB+35229OF41iyd3p2O2wvUBzn2/ZneR/1 -gpWaB6cUr4/cKCFnCdLWTVocGRyOd1zDlCQ9MmtLftR4lIO+N03OX8ceTjzgiTOVCw+lMtY8 -WnksGQAAAAIAJHNzbC5jb21yb290Y2VydGlmaWNhdGlvbmF1dGhvcml0eWVjYwAAAXwQWa1I -AAVYLjUwOQAAApEwggKNMIICFKADAgECAgh15t/LwWhbqDAKBggqhkjOPQQDAjB8MQswCQYD -VQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0b24xGDAWBgNVBAoMD1NT -TCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNvbSBSb290IENlcnRpZmljYXRpb24gQXV0 -aG9yaXR5IEVDQzAeFw0xNjAyMTIxODE0MDNaFw00MTAyMTIxODE0MDNaMHwxCzAJBgNVBAYT -AlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UECgwPU1NMIENv -cnBvcmF0aW9uMTEwLwYDVQQDDChTU0wuY29tIFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3Jp -dHkgRUNDMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAERW6pUMSmIzaeXyiNF8uWImQ/3HqOHcwI -s6JxJLqOSbkEG0eWWKstlcjtngg1yCfriYxTWOtiiv7wWw9rMVJjQTuJzezsto0Z0zQH3LvG -Bn/CRZXsy3+oI+AJ6YH680fTo2MwYTAdBgNVHQ4EFgQUgtGFczDnNQTTjgKS++Wk0cQh6M0w -DwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBSC0YVzMOc1BNOOApL75aTRxCHozTAOBgNV -HQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDZwAwZAIwb+frWRGkYM9hsJZ77QX5LxOR3O3l/FBr -EUZGsxwhAGK7vsPn6M0HmfkNC11yPsSqAjAfvLoL4jAk+3xtgFUKmT6ADTPlZqOzo7ul1YuP 
-CSymXX7i8AcIaG3SfGluX9/lamUAAAACACRzc2wuY29tcm9vdGNlcnRpZmljYXRpb25hdXRo -b3JpdHlyc2EAAAF8EFmtSAAFWC41MDkAAAXhMIIF3TCCA8WgAwIBAgIIeyyb0xaAMpkwDQYJ -KoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVRleGFzMRAwDgYDVQQHDAdI -b3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9yYXRpb24xMTAvBgNVBAMMKFNTTC5jb20gUm9v -dCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSBSU0EwHhcNMTYwMjEyMTczOTM5WhcNNDEwMjEy -MTczOTM5WjB8MQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVGV4YXMxEDAOBgNVBAcMB0hvdXN0 -b24xGDAWBgNVBAoMD1NTTCBDb3Jwb3JhdGlvbjExMC8GA1UEAwwoU1NMLmNvbSBSb290IENl -cnRpZmljYXRpb24gQXV0aG9yaXR5IFJTQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAPkP3aMrfcvQKv7sZ4Wm5y4bunfh4/WvpOz6Sl2RxFdHaxh3a3by/ZPkPQ/CFp4LZsNW -lJ4Xg4XOVu/yFv0AYvUiCVToZRdOQbngT0aXqhvIuG5iXmmxX9sqAn78bMrzQdjt0Oj8P2FI -7bADFB0QDksZ4LtO7IZl/zbzXmcCC52GVWH9ejjt/uIZALdvoVBidXQ8oPrIJZK0bnoix/ge -oeOy3ZExqysdBP+lSgQ36YWkMyv94tZVNHwZpEpox7Ko07fKoZOI68GXvIz5HdkihCR0xwQ9 -aqkpk8zruFvh/l8lqjRYyMEjVJ0bmBHDOJx+PYZspQ9AhnwC9FwCTyjLrnGfDzrIM/4RJTXq -/LrFYD3ZfBjVsqnTdXgDciLKOsMf7yzlLqn6niy2UUb9rwPW6mBo6oUWNmuF6R7As93EJNyA -KoFBbZQ+yODJgUEAnl6/f8UImKIYLEJAs/lvOCdLToD0PYFH4Ih86hzOtXVcUS4cK38acijn -ALXRdMbX5J+tB5O2UzU1/Dfkw/ZdFr4hc96SCvigY2q8lpJqPvi8ZVWb3vUNiSYE/CUapiVp -y8JtynziWV+XrOvvLsi81xtZPCvM8hnIk2snYxnP/Okm+Mpxm3+T/jRnhE6Z6/yzeAkzcLpm -pnbtG3PrGqUNxCITIJRWCk4sbE6x/c+cCbqiM+2HAgMBAAGjYzBhMB0GA1UdDgQWBBTdBAkH -ovV6fVJTEpKV7jiAJQ2mWTAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFN0ECQei9Xp9 -UlMSkpXuOIAlDaZZMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAIBgRlCn7 -Jp0cHh5wYfGVcpNxJK1ok1iOMq8bs3AD/CUrdIWQPXhq9LmLpZc7tRiRux6n+UBbkflVma8e -EdBcHadm47GUBwwyOabqG7B52B2ccETjit3E+ZUfijhDPwGFpUenPUayvOUiaPd7nNgsPgoh -yC0zrL/FgZkxdMF1ccW+sfAjRfSda/wZY52jvATGGAslu1OJD7OAUN5F7kR/q5R4ZJjT9ijd -h9hwZXT7DrkT66cPYakylszeu+1jTBi7qUD3oFRuIIhxdRjqerQ0cuAjJ3dctpDqhiVAq+8z -D8ufgr6iIPv2tS0a5sKFsXQP+8hlAqRSAUfdSSLBv9jra6x+3uxjMxW3IwiPxg+NQVrdjsW5 -j+VFP3jbutIbQLH+cU0/4IGiul607BXgk90IH37hVZkLId6Tngr75qNJvTYw/ud3sqB1l7Ut -gYgXZSD32pAAn8lSzDLKNXz1PQ/YK9f1JmzJBjSWFupwWRoyeXkLtoh/D1JIPb9s2KJELtFO 
-t3JY04kTlf5Eq/jXixtunLwsoFvVagCvXzfh1foQC5ichucmj87w7G6KVwuA406ywKBjYZC6 -VWg3dGq2ktufoYYitmUnDuy2n0Jg5GfCtdpBC8TTi2EbvPofkSvXRAdeuims2cXp71NIWuuA -8ShYIc2wBlX7Jz9TkHCpBB5XJ7kAAAACABpkLXRydXN0cm9vdGNsYXNzM2NhMmV2MjAwOQAA -AXwQWa1IAAVYLjUwOQAABEcwggRDMIIDK6ADAgECAgMJg/QwDQYJKoZIhvcNAQELBQAwUDEL -MAkGA1UEBhMCREUxFTATBgNVBAoMDEQtVHJ1c3QgR21iSDEqMCgGA1UEAwwhRC1UUlVTVCBS -b290IENsYXNzIDMgQ0EgMiBFViAyMDA5MB4XDTA5MTEwNTA4NTA0NloXDTI5MTEwNTA4NTA0 -NlowUDELMAkGA1UEBhMCREUxFTATBgNVBAoMDEQtVHJ1c3QgR21iSDEqMCgGA1UEAwwhRC1U -UlVTVCBSb290IENsYXNzIDMgQ0EgMiBFViAyMDA5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAmfGENHC6L7cwoI69fATPvmK8mf2Cl9J6CmeWOAn2EE6VInOZjdoVLecF/Blz -IreOmAC8PD2soWz71nklS63wzGTaiD4puA8J0zTdM/Vi0eHNGenuGE9MWK7iHtYMWxVa2Dq4 -xBhkHuMzsrWJd04Mv9mUaxOXbxKj/pmpBMwV7GBoNu0Ie7f1v5PtZjGDjMZxNIdOF+qvi5GN -HFZBriI3XjfyHdnRLQ0vaVGnvmamijoqvccaseEU8L46HbnPW7Fq/rSxRiCi+x47cO+TmH2M -c5byxe+FcK0pJvweBD4coNgPy1KDYnzui1OVkKlXouphBdj5TcQn+m6t7fnXUfdrpQIDAQAB -o4IBJDCCASAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU05SKTGITKhkuzK9yin0215oc -3GcwDgYDVR0PAQH/BAQDAgEGMIHdBgNVHR8EgdUwgdIwgYeggYSggYGGf2xkYXA6Ly9kaXJl -Y3RvcnkuZC10cnVzdC5uZXQvQ049RC1UUlVTVCUyMFJvb3QlMjBDbGFzcyUyMDMlMjBDQSUy -MDIlMjBFViUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NlcnRpZmljYXRlcmV2b2Nh -dGlvbmxpc3QwRqBEoEKGQGh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3Rfcm9v -dF9jbGFzc18zX2NhXzJfZXZfMjAwOS5jcmwwDQYJKoZIhvcNAQELBQADggEBADTte1o8pJSI -7xoRdQcvs/48+h5RJuuH9ine4PHUxiQJ6cHPVRu0MNnOGv4GUaYVpC3vsku/ICglSdGmNnc0 -6GTfUrERx3N6zTmewq2McSHyWmuv3zxOVa+yhGUUibl3yyoxvs+jbc9vSJQyRm/ncYygpoQZ -NwfyA0UJK4Z1fN9faVcA227YpnIiS1DUdZhW37cY/0NDUK56RHvweVHXQz2n04HT8MlPudrG -l4bQgsPkQm3+sOJkTg4m50A0JrUIidcIY2M4J3UeM+puqN2fmU90TYGJgEvdmpcpXC++gUG5 -jP/qfWAGns3XPdMuoxW8qOYm5W/D3LgDIeqfFvEsVLUAAAACACRuZXR3b3Jrc29sdXRpb25z -Y2VydGlmaWNhdGVhdXRob3JpdHkAAAF8EFmtSAAFWC41MDkAAAPqMIID5jCCAs6gAwIBAgIQ -V8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzEhMB8GA1UE -ChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9u 
-cyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5 -WjBiMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAw -LgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0G -CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwzc7ME -L7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPPOCwGJgl6cvf6 -UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rlmGNpSAW+Lv8ztumXWWn4 -Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnFBgrEsEX1QV1uiUV7PTsmjHTC5dLR -fbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7 -azCPL0YCorEMIuDTAgMBAAGjgZcwgZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadM -MA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0 -dHA6Ly9jcmwubmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRo -b3JpdHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc86fRZ -ZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVRDuwduIj/h1AcgsLj4DKA -v6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH/nxxH2szJGoeBfcFaMBq -EssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3HtvwKeI8lN3s2Berq4o2jUsbzRF0ybh -3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHNpGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe -2MPr+8ukYEywVaCge1eyAAAAAgAVYWZmaXJtdHJ1c3RuZXR3b3JraW5nAAABfBBZrUgABVgu -NTA5AAADUDCCA0wwggI0oAMCAQICCHxPBDkc1JktMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV -BAYTAlVTMRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwWQWZmaXJtVHJ1c3QgTmV0 -d29ya2luZzAeFw0xMDAxMjkxNDA4MjRaFw0zMDEyMzExNDA4MjRaMEQxCzAJBgNVBAYTAlVT -MRQwEgYDVQQKDAtBZmZpcm1UcnVzdDEfMB0GA1UEAwwWQWZmaXJtVHJ1c3QgTmV0d29ya2lu -ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSEzDMXLmuUbGthUqDro895lEzl -lICZy1VkRGWPZ2TiBuNcN0n2L5uEhB4t8mCdME7MhIXiLM8env42qzN3NUTYNZYaPTboeg7Y -1UehammL2fy7Oq55WtX01nG7mpAja5q3iHSHDB5fuZ4t+qtTK9y7dj6TTAgIjB6iIxzUaq0i -upkBLm1ly74kZlUkS0BEsRvX4cKFwN4QPz3tuPzx8SNT3L9ll2/Z+UBxjX29ldTOvqBeJyPe -/abQJg4AKes8RvA9YL8/UNLcJkFRnhQ3QgSjcFeoG4ftLfp77owK46lmiRnLQfndRDZhz+J3 -Rsh99vSSgTb92zTxcn7zDBa9tBUCAwEAAaNCMEAwHQYDVR0OBBYEFAcf0uec2sJuokC0sHpQ 
-EFB0xMi9MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUA -A4IBAQCJV7IWeqjC/dbZm5s0wpy0MhRNp6Tf7L6nvvhD25E3zrQyLlBVGjVOdkNxIO+Td04V -cC6Hw8EdbdzLtSfULFbRUlM6RNJzyMQbBWVaYpKc7kGNMdvnNOpZIdUBetdkuGQ5zcntr+1L -A0inoJkBgNxlozauZVlIT4JLyGXxVx3lWS4KP2zY0fXlCbRsVAAK4BVNh3Vtt1iWWt1t0gCg -9JtIvsM3pLo24HyHhZcaFaLeLqJbva8Y+ZBQzXBZ+CdnR8vHoAc6fdEsXWwZOma1ff2Rb4Kx -vgiT2xRH8aI3x0WePMd3r2Sok9/2aYOCYPJJQjTtWgBUhRwWNpIMXPqmrb/bAAAAAgATZ2xv -YmFsc2lnbnJvb3RjYS1yNgAAAXwQWa1IAAVYLjUwOQAABYcwggWDMIIDa6ADAgECAg5F5rsD -gzPDhWVI5v9FUTANBgkqhkiG9w0BAQwFADBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3Qg -Q0EgLSBSNjETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0x -NDEyMTAwMDAwMDBaFw0zNDEyMTAwMDAwMDBaMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9v -dCBDQSAtIFI2MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMIIC -IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAlQfoc8pm+ewUyns89w0I8bRFCyyCtEjG -61s8roO4QZIzFKRvf+kqzMawiGvFtonRxrL/FM5RFCHsSt0bWsbWh+5NOhUG7WRmC5KAykTe -c5RO86eJf094YwjIElBtQmYvTbl5KE1SGooagLcZgQ5+xIq8ZEwhHENo1z08isWyZtWQmrcx -BsW+4m0yBqYe+bnrqqO4v76CY1DQ8BiJ3+QPefXqoh8q0nAue+e8k7ttU+JIfIwQBzj/ZrJ3 -YX7g6ow8qrSk9vOVShIHbf2MsonP0KBhd8hYdLDUIzr3XTrKotudCd5dRC2Q8YHNV5L6frxQ -BGM032uTGL5rNrI55KwkNrfw77YcE1eTtt6y+OKFt3OiuDWqRfLgnTahb1SK8XJWbi6IxVFC -RBWU7qPFOJabTk5aC0fzBjZJdzC8cTflpuwhCHX85mEWP3fV2ZGXhAps1AJNdMAU7f05+4Py -XhShBLAL6f7uj+FuC7IIs2FmCWqxBjplllnA8DX9ydoojRoRh3CBCqiadR2eOoYFAJ7bgNYl -+dwFnidZTHY5W+r5paHYgw/R/98wEfmFzzNI9cptZBQselhP00sIScWVZBpjDnk99bOMylit -nEJFeW4OhxlcVLFltr+Mm9wT6Q1vuC7cZ27JixG1hBSKABlwg3mRl5HUGie/Nx4yB9gUYzwo -TK8CAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE -FK5sBaOTE+Ki5+LXHNbH8H/IZ1OgMB8GA1UdIwQYMBaAFK5sBaOTE+Ki5+LXHNbH8H/IZ1Og -MA0GCSqGSIb3DQEBDAUAA4ICAQCDJe3o0f2VUs2ewASgkWnmXNCE3tytok/oR3jWZZipW6g8 -h3wCitFutxZz5l/AVJjVdL7BzeIRka0jGD3d4XJElrSVXsB7jpl4FkMTVlezorM7tXfcQHKs -o+ubNT6xCCGh58RDN3kyvrXnnCxMvEMpmY4w06wh4OMd+tgHM3ZUACIquU0gLnBo2uVT/INc -053y/0QMRGby0uO9RgAabQK6JV2NoTFR3VRGHE3bmZbvGhwEXKYV73jgef5d2z6qTFX9mhWp 
-b+Gm+99wMOnD7kJG7cKTBYn6fWN7P9BxgXwA6JiuDng0wyX7rwqfIGvdOxOPEoziQRpIenOg -d2nHtlx/gsge/lgbKCuobK1ebcAF0nu364D+JTf+AptorEJdw+71zNzwUHXSNmmc5nsE324G -abbeCglIWYfrexRgemSqaUPvkcdM7BjdbO9TLYyZ4V7ycj7PVMi9Z+ykD0xF/9O5MCMHTI8Q -v4aW2ZlatJlXHKTMuxWJU7osBQ/kxJ4ZsRg01Uyduu33H68klQR4qAO77oHl2l98i0qhkHQl -p7M+S8gsVr3HyO844lyS8Hn3nIS6dC1hASB+ftHyTwdZX4stQ1LrRgyU4fVmR3l31VRbH60k -N8tFWk6gREjI2LCZxRWECfbWSUnAZbjmGnFuoKjxguhFPmzWAtcKZ4MFWsmkEAAAAAIAFmds -b2JhbHNpZ25lY2Nyb290Y2EtcjUAAAF8EFmtSAAFWC41MDkAAAIiMIICHjCCAaSgAwIBAgIR -YFlJ4CYuu1X5CneKcflK2GwwCgYIKoZIzj0EAwMwUDEkMCIGA1UECxMbR2xvYmFsU2lnbiBF -Q0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxT -aWduMB4XDTEyMTExMzAwMDAwMFoXDTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMbR2xvYmFs -U2lnbiBFQ0MgUm9vdCBDQSAtIFI1MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpH -bG9iYWxTaWduMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAER0UOlvt9Xb/pOdEh+J8LttV7HpI6 -SFkc8GIxLcB6KP4ap1yztsyX50XUWPrRd21DosCHZTQKH3rd6zwzocWdTaRvQZU4f8kehOvR -nkmSh5SHDDqFSmafnVmTTZdhBoZKo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw -AwEB/zAdBgNVHQ4EFgQUPeYpSJvqB8ohREom3m7e0oPQn1kwCgYIKoZIzj0EAwMDaAAwZQIx -AOVpEslu28YxuglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg515dTguDnFt2KaAJJiFqYgIwcdK1 -j1zqO+F4CYWodZI7yFz9SO8NdCKoCOJuxUnOxwy8p2Fp8fc74SrL+SvzZpA3AAAAAgAWZ2xv -YmFsc2lnbmVjY3Jvb3RjYS1yNAAAAXwQWa1IAAVYLjUwOQAAAeUwggHhMIIBh6ADAgECAhEq -OKQclgoE3kKyKKUL6DSYAjAKBggqhkjOPQQDAjBQMSQwIgYDVQQLExtHbG9iYWxTaWduIEVD -QyBSb290IENBIC0gUjQxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNp -Z24wHhcNMTIxMTEzMDAwMDAwWhcNMzgwMTE5MDMxNDA3WjBQMSQwIgYDVQQLExtHbG9iYWxT -aWduIEVDQyBSb290IENBIC0gUjQxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkds -b2JhbFNpZ24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS4xnnTj2wlDp8uORkcA6SumuU5 -BwkWymOxuYb4ilfBV85C+nOh92VC/x7BALJucw7/xyHlGKSq2XE/qNS5zowdo0IwQDAOBgNV -HQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVLB7rUW44kB/+wpu+74z -yTyjhNUwCgYIKoZIzj0EAwIDSAAwRQIhANySoaATps8DsObEIZeQ+hRXLQPs7jzTbsqobHa8 -ot67AiAnqIUnNZtWxqPyR9K3bhsCABeqZ6YVkd76lOx7C/ifhAAAAAIADXN6YWZpcnJvb3Rj 
-YTIAAAF8EFmtSAAFWC41MDkAAAN2MIIDcjCCAlqgAwIBAgIUPopdB+xV0jLVt+O2XwHrLdzk -1uQwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCUEwxKDAmBgNVBAoMH0tyYWpvd2EgSXpi -YSBSb3psaWN6ZW5pb3dhIFMuQS4xGDAWBgNVBAMMD1NaQUZJUiBST09UIENBMjAeFw0xNTEw -MTkwNzQzMzBaFw0zNTEwMTkwNzQzMzBaMFExCzAJBgNVBAYTAlBMMSgwJgYDVQQKDB9LcmFq -b3dhIEl6YmEgUm96bGljemVuaW93YSBTLkEuMRgwFgYDVQQDDA9TWkFGSVIgUk9PVCBDQTIw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3vD5QqEvNQLXOYeeWyrSh2gwisPq1 -e3YAd4wLz32ohswmUeQgPYUM1ljj5/QqGJ3a0a4m7utT3PSQ1hNKDJA8w/Ta0o4NkjrcsbH/ -ON7Dui1fgLkCvUqdGw+0w8LBZwPd3BucPbOw3gAeqDRHu5rr/gsUvTaE2g0gv/pby6kWIK05 -YO4vdbbnl5z5Pv1+TW9NL++IDWr63fE9biCloBK0TXC5ztdyO4mTp4CEHCdJckm1/zuVnsHM -yAHs6A6KCpbns6aH5db5BSsNl0BwPLqsdVqc1U2dAgrSS5tmS0YHF2Wtn2yIANwiieDhZNRn -vDF5YTy7ykHNXGoAyDw4jlivAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/ -BAQDAgEGMB0GA1UdDgQWBBQuFqlKGLXLzPVvUPMjX/hd56zwyDANBgkqhkiG9w0BAQsFAAOC -AQEAtXP4A9xZWx126aMqe5Aosk3AM0+qmrHUuOQn/6mWmc5G4G18TKI4pAZw8PRBEew/R40/ -cof5O/2kbytTAOD/OblqBw7rHRz2onKQy4I9EYKL0rufKq8h5mOGnXkZ7/e7DDWQw4rtTw/1 -zBLZpD67oPwglV9PJi8RI4NOdQcPv5vRtB3pEAT+ymCPoky4rc/hkA/NrgrHXXu3UNLUYfrV -FdvXn4dRVOul4+vJhaAlIDf7js4MNIThPIGyd05DpYhfhmehPea0XGG2Ptv+tyjFogeutcrK -jSoS75ftwjCkySp6+/NNIxuZMzSgLvWpCz/UXeHPhJ/iGcJfitYgHuNztwAAAAIAE2dsb2Jh -bHNpZ25yb290Y2EtcjMAAAF8EFmtSAAFWC41MDkAAANjMIIDXzCCAkegAwIBAgILBAAAAAAB -IVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0g -UjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4 -MTAwMDAwWhcNMjkwMzE4MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0Eg -LSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8RgJD -x7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsTgHeMCOFJ0mpi -Lx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmmKPZpO/bLyCiR5Z2KYVc3 -rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zdQQ4gOsC0p6Hpsk+QLjJg6VfLuQSS -aGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZXriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPa 
-bumDk3F2xmmFghcCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w -HQYDVR0OBBYEFI/wS3+oLkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvA -UKr+yAzv95ZURUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25s -bwMpjjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK6fBd -RoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQXmcIfeg7jLQit -Chws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecsMx86OyXShkDOOyyGeMlh -LxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpHWD9fAAAAAgATZ2xvYmFsc2lnbnJv -b3RjYS1yMgAAAXwQWa1IAAVYLjUwOQAAA74wggO6MIICoqADAgECAgsEAAAAAAEPhibmDTAN -BgkqhkiG9w0BAQUFADBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG -A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0wNjEyMTUwODAwMDBa -Fw0yMTEyMTUwODAwMDBaMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIyMRMw -EQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAps8kDr4ubyiZRULEqz4hVJsL03+EcPoSs8u/h1/Gf4bTsjBc -1v2t8Xvc5fhglgmSEPXQU977e35ziKxSiHtKpspJpl6op4xaEbx6guu+jOmzrJYlB5dKmSoH -L7Qed7+KD7UCfBuWuMW5Oiy81hK561l94tAGhl9eSWq1OV6INOy8eAwImIRsqM1LtKB9DHlN -8LgtyyHK1WxbfeGgKYSh+dOUScskYpEgvN0L1dnM+eonCitzkcadG6zIy+jgoPQvkItN+7A2 -G/YZeoXgbfJhE4hcn+CTClGXilrOr6vV96oJqmC93Nlf33KpYBNeAAHJSvo/pOoHAyECjoLK -A8KbjwIDAQABo4GcMIGZMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud -DgQWBBSb4gdXZxwewGoG3lm0mi3f3BmGLjA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3Js -Lmdsb2JhbHNpZ24ubmV0L3Jvb3QtcjIuY3JsMB8GA1UdIwQYMBaAFJviB1dnHB7AagbeWbSa -Ld/cGYYuMA0GCSqGSIb3DQEBBQUAA4IBAQCZgVOHHGiXhpHs4Eq4RAurgawnT9bBuBxDeLMM -mvzqLDxuYRtNSyn1nwUdJsG46YMAYkW2qQiTuakzSxiawviHiE7b3XE0GsFU2kY/4NMqq21U -IvU6Ys0gb7opidfdke7TXKI+oVtB9d/lZEMt6dU5q9Ki37eL0MCAGRxFwC2M6PgtpHRWScUF -tU8V3m5EeDmHqH6783kYkbv0b53B8Iw1jF0B+8Ntue9EbXlGMX4K/qmCwf/vq24gxFDJX51N -mxeMDOUByaBBanNT+qVQtG4lD/tMGPT9UtmOabHoEQ/eiNj7HUn3qt6VzyB4wmAS2yVAjGr8 -fkI4QGQS956B4ZMuAAAAAgAKb25hcHRlc3RjYQAAAXw8eG62AAVYLjUwOQAABUIwggU+MIID -JqADAgECAgkAnq7twKfOtZ0wDQYJKoZIhvcNAQELBQAwLDEOMAwGA1UECwwFT1NBQUYxDTAL 
-BgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTMB4XDTE4MDQwNTE0MTUyOFoXDTM4MDMzMTE0MTUy -OFowLDEOMAwGA1UECwwFT1NBQUYxDTALBgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTMIICIjAN -BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwDmmSBGzs2EYbh7Dkmi6HJhqSBhTIVobXbX7 -+HyptJ23SFVC/nr4QDjVirtcaJ7tFgNAr02YAUXeCu4T7pfvC8mIKGn4LJ3uwUydvrm5aHER -3FZMzYEkWuB/NScfxkLGBoKjdcfg/OUpHLYtBAkQkQLCX9FmZEJeKMy3l72Hxehlj98qQpxl -lSxY0IylOjbrrCO8D0xcuZ2BF5GPT6+sKOs2rL6G3AkPO2iIdaJg+pPqjwS8ZyCM2qOVnHs1 -Q1/wx8sMHKooXr7BFse/UYqOff9WKN3jkW/yuLJFhE6IVqe9tXqMh8GS/w9lteDZUNaxiyCn -w0C8zEr6JXxw74KTeUEjYY49lsISqk9VNhstTPqxzMCUJfBCg/MMhljBhrd5H+BgtjWA/aIR -Uc5FqDdss9qn1lfkTwNmTNM1OOi+8uTwpoKZ9xpQwmwG0N0ClxSK3PXRydHJlzWxfeATV/cO -nNAzq30Lmw5XJGENxKsqqrBv2bRKzThcBL0Wyow/dRZhDKoNdLGVQBhpfz3a7yZXWHGe3aCN -vbZGWhcwzpOi8zexKslLTAf6XWfOd3poVd+1L8bhlUhVn8t9PWKzhK2jI9ZkLDDCXLXPyolD -/OGKnk2BlPFDDiaLvDDfkNg90BA4KhqN9K8WOqyVD9w9GL8xEK7Tv2F5Vvl9CefNW2ekVBEC -AwEAAaNjMGEwHQYDVR0OBBYEFFNVM/JL69BRscF4msEoMXvv6u1JMB8GA1UdIwQYMBaAFFNV -M/JL69BRscF4msEoMXvv6u1JMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0G -CSqGSIb3DQEBCwUAA4ICAQA/H8hor3ifTbA/GmdhPL4tUsjHB2r+RrA13ohuIzMvzvOY0wOY -dwZt+hEKPw6SG6CBf0vHX8KSGleKa5ixk4VCLluWv+76/iYhuyBuaL3uP5xQcM/TMvJy9K/E -oe3LnUvCZpf1rjCQmXnMFTg7Wx38f21ZwSbAnf2W0qgEoHFz3hlzeIybnK1FYaP7SsrMsMBc -RamhnlsTk8slq4DpQMLEMt+zcXCFtLu4OCDFi9+PJIXkUI0RP3ign6byztV4e+hryI8Yq9es -ip13tcMeeokmVUqvub1LR8xvIQHxyLZG05cO33eJ9jW6GgS0TKSfh2oFKnx7O80yfChd1g8O -9N324IAV5YUtWt4EBbF3bmE+wFORkDmGlr+sD6Yq/oB/hUFWJivxzPh1kKwUKG6KhV5t72KC -Gt+MH/+op6kWM8ULKPMo3W7Qkqb/bH85GrGRM40byne4PCgg7KKZRxO1My/jZt9gPzxEpqSp -IVcT0b5nQuVooAGp+Mrj2j+2wCn5zkug2ViWUqGd607dAB2tofB2YLfoGGiCHNHWOlfvnUBx -mfZUfdDhcrKnTVwk0Ikiu5r4D5vHrOHdHJbrMgiRtEJsRP5QP7iavxYhxITea1FlWWeFQM7j -P3/9YoxXPBL1GHz+S6zOsYUjUpCjNcIcutx7dg/pFhl8553v0tdpHBd1hgAAAAIAD2Vtc2ln -bnJvb3RjYS1jMQAAAXwQWa1IAAVYLjUwOQAAA3cwggNzMIICW6ADAgECAgsArs8AusTPMvhD -sjANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzETMBEGA1UECxMKZW1TaWduIFBLSTEU -MBIGA1UEChMLZU11ZGhyYSBJbmMxHDAaBgNVBAMTE2VtU2lnbiBSb290IENBIC0gQzEwHhcN 
-MTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBWMQswCQYDVQQGEwJVUzETMBEGA1UECxMK -ZW1TaWduIFBLSTEUMBIGA1UEChMLZU11ZGhyYSBJbmMxHDAaBgNVBAMTE2VtU2lnbiBSb290 -IENBIC0gQzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP66m58ZkFzNgoIUrz -czRRhFYQ9aBPLBLj+hOaJ9DP+XkadF8deTn8W/hwjuCSUvfkJflUg9kd08hahT9ex7YH7j7A -zpqvrFZCKjklcNa/tXs2raz2c9zN1x2Kg6X7K5AVN2scJkfcOylWk2qzwWo6nT31wZc4WAWL -HBHj5LS4XYUdg/54XwtFaBhIpUZzNDv+D8h2u8cY8wXRhvOF7ee52TKtVYjOpraRsE+sfhUj -lvY/8CA0Ft4KxsQERXl/p/2+0qmlr5zFIyr3PCFsva+PTsU6svM0EvzfgBpJpNSplfeeiV6i -iayUy6hom6+KZSfNie7djLVrKXBDoGkL5LkPAgMBAAGjQjBAMB0GA1UdDgQWBBT+oeBwHioD -OVJaQr5ckYV6GKpNtTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG -9w0BAQsFAAOCAQEAwkpW+hUheyii6eUd+/gtxDmWQUw7JyzEbBgVgMasr0dZLyYL4zaw7zv+ -Q5dJMpkSFVvfESn/q1P4u8F4D6ycU69XvWiMPWkz8KOgI2M7ZGciRK3VcctWKniSo08SMTY2 -4t7+AMSjYA8nraCwirU2elKhvSf0ICdi6E2UJBPkCgTpPKsuyEMJSsZhBOVJNH7TxMj1D8Cq -6bpUXvNjK09PUNT+uXuZjD3ALrwCK9PEQOSKBzEem84mmRP7EeqaIgwRGcdeG4FQMMiWEm7n -y0F/kTuiR7dUgBvcAMyakOrDw1AGYgwwwBVIp6hZfOGuIqLiCnoP+mKrUkzh8d/KvoMNQgAA -AAIAEmVtc2lnbmVjY3Jvb3RjYS1jMwAAAXwQWa1IAAVYLjUwOQAAAi8wggIrMIIBsaADAgEC -Agp7cbaCVrgSfJyoMAoGCCqGSM49BAMDMFoxCzAJBgNVBAYTAlVTMRMwEQYDVQQLEwplbVNp -Z24gUEtJMRQwEgYDVQQKEwtlTXVkaHJhIEluYzEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290 -IENBIC0gQzMwHhcNMTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBaMQswCQYDVQQGEwJV -UzETMBEGA1UECxMKZW1TaWduIFBLSTEUMBIGA1UEChMLZU11ZGhyYSBJbmMxIDAeBgNVBAMT -F2VtU2lnbiBFQ0MgUm9vdCBDQSAtIEMzMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE/aVhrnsm -EB3ptyIwrgb0gbOxQnGVObzTUuOvr/nylzWSNkYOh5WNuTla6bvf0P7IB0E8u1Vvg6Nq+2Kw -gYkCcH1IxUrj6SJUIk2Tu0IMr3ecI6Z912ERzmXH+H/+9fKpo0IwQDAdBgNVHQ4EFgQU+1pI -0IAgQPKo6QAHaRl3p+bD9M8wDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI -KoZIzj0EAwMDaAAwZQIxALTYLwKJ/bZMYrpDThOEcrWu3Rze1rXcVo9YQFot3iBMIoPKk6h+ -7hJAx9aHT/jfhQIwHBRk5HyWgxGcsNFaYUumD0nTAPyh/OSl/3+t1zDQx3d/voEHVTBQIBT1 -VzgKqDFRAAAAAgAPZ2xvYmFsdHJ1c3QyMDIwAAABfBBZrUgABVguNTA5AAAFhjCCBYIwggNq -oAMCAQICC1pLvVr7T4pb+mXlMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNVBAYTAkFUMSMwIQYD 
-VQQKExplLWNvbW1lcmNlIG1vbml0b3JpbmcgR21iSDEZMBcGA1UEAxMQR0xPQkFMVFJVU1Qg -MjAyMDAeFw0yMDAyMTAwMDAwMDBaFw00MDA2MTAwMDAwMDBaME0xCzAJBgNVBAYTAkFUMSMw -IQYDVQQKExplLWNvbW1lcmNlIG1vbml0b3JpbmcgR21iSDEZMBcGA1UEAxMQR0xPQkFMVFJV -U1QgMjAyMDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK4uVq0bHO/2lY+gdxsr -02OPhE1Fog+fW0WrWXtRNPnsi4p4xd1rr73E35NFHr+ROAuuDhbnQXP427vRuFHgy4M7czhu -d4oPWWMmzacqzlT7uOLAfEfOYHw/snPywBm2ipKHNQ2QKKLkFQRjPrqv7nxezKaLULI490Fj -ys7/aY9oDpU25cy5jAnKS90xkJbIzB/9VpY0244c6iy+hS5j3aqpldP9KZUT8MiYk9ktFkeQ -EYOiOiKiKFei6/7AjCigpn3nKkI7goBjpWMfGcx8smaowtNtN2/ifgZR2UWEHxLOJFJkhQtI -gE6HsSIiMKrrrr7gAuBA6LBCgANRqrR+qkTXQ2HzomsWiUmko6QrigLEePRoisHkejaxbxuW -G3dJjdTJBnKPz1Pj3BeFIErcmCfTkSYrRx5pB6/eouTk1GsLs1581CSARylpO27orP1A69jt -cXEr8uhYHetBlyLFH9Q50CePh+MY9OCpRg31dDqCLtBuLJGjMVw7Rup7BBBWXoAd9aVl6IL8 -4geMYkX1IN5GcIahvJPTHnSmbLAs9wMMiAzL1HJThrxgRvOYasLxv0P5cCB3yjdBeVVSY41b -Ep/FaMSInazyMKu3ozGXZ62PFw9sx3PtJJRryIOa0Jo3SQSrsRbIbElJLauh0IyS8kFKeSEl -22PXtpynfkJp+zpjAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEG -MB0GA1UdDgQWBBTcLh/RYTd55KvV1bMScWg9amicIjAfBgNVHSMEGDAWgBTcLh/RYTd55KvV -1bMScWg9amicIjANBgkqhkiG9w0BAQsFAAOCAgEAkfBCAmhA7sNowFQv3+xiw8OeiqAxKKqD -jqRWlhIQhla6l3LSVDB8rRnVHWhv+xRC2I0O87XRpeMCQl7c6EZYBzUCMOC8dErBQyr/2xrQ -sK9sw/3Ls/V/bQMuWVadLS01jLLWQxcskgrLXeiMD0twQ9CC/6jMv6SUwL6HvYrjk3vGj5sW -nSdlvHrFQoJsXAfQqcGIYETpmIUWX/iPygEQziXD+WAboMWXw9MsiDGivTDs0NDAEvHBOePl -9fjWSt00zftvwU/jAItW4pL3KLJCd3IjZ8c/ERWyxAMFvrsRewq/qG7n/1hDz5tnoIAHth3K -rW3qQRF+LXST+8K8vlFExe9oJSeA48ig1BLs2aU3HTd8tJHK2tSxloHvaFx2EEmvfqU3gLEc -Ur0zgUyP+d1l2RTNiiVY9OLFg6UJkNRsFGO1QN/rwPzEWH4NFBaHVCduVuRwhLhsMhJ+gjFD -vtfdfKGtrtarIBLvCsMQjEmWNdwLdV6xT9VPNA4RIAd1Q0XpoxHarKOZwrZ5J+K578ji9jUp -enT6xX+CBWKmCuposnlHBm7yV6gVM8b3eEo9Qntrfv73RurR647viGhb6MHZcX79ZO//Z0eI -WCUvPoYHvfuo5YKorKXTaUPNMYhJhFOSwLE5GzmDATDE8qn60AO9cjdgVh82fL05kfVtDb97 -15IAAAACABNidXlwYXNzY2xhc3Mzcm9vdGNhAAABfBBZrUgABVguNTA5AAAFXTCCBVkwggNB -oAMCAQICAQIwDQYJKoZIhvcNAQELBQAwTjELMAkGA1UEBhMCTk8xHTAbBgNVBAoMFEJ1eXBh 
-c3MgQVMtOTgzMTYzMzI3MSAwHgYDVQQDDBdCdXlwYXNzIENsYXNzIDMgUm9vdCBDQTAeFw0x -MDEwMjYwODI4NThaFw00MDEwMjYwODI4NThaME4xCzAJBgNVBAYTAk5PMR0wGwYDVQQKDBRC -dXlwYXNzIEFTLTk4MzE2MzMyNzEgMB4GA1UEAwwXQnV5cGFzcyBDbGFzcyAzIFJvb3QgQ0Ew -ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCl2gqVFlDjlfJenXYxBjJ6m/EQdrgA -mrVSNs0kR7CfGGS8mvb61XnYkGJMIi/eOD3W4KjpHCzbeBHpjmhRFXLH8zOH5KBdC1zgVwcq -MPXNxDd3KE0Ykea/1VL9cS1wPufGxIrj8CgL9HaYoYuHVbI6E/y3Pic3jiLjqE8q72C7Pbc5 -ww4BR5ldEk/bQ/pXoe35nb4RRyZbE5irXRaKsDccV51F/4iWNr+7ygd7b4dj19AyatZdbAzx -s2454msxLjkAJxTeOMDsGWaGEuidchYTZFLHqTcc/YIw7YQYHfSuXP9wEwDrsfUzekvWVfgF -jUtpsPWzKDZcFMRRc01rC/E0B9sXOdfcKHtr9Z/zLsFPFyoQ88zK6Ov9a6sump8tgm4E1FIB -ky09hvx+/N/vQh2ma++5IMb3vaCnlf2n5okk2MyMNGziIy/ZEhohuVWRbwuReRkMrUCIC3Di -etIO2GhIu4ITORBY6dgqB8YS21jb0jtVEEcFFWdifhhjpkY/CQ5UMl6/DWJ6J++A6NvZSwZa -N1ol0AgSd9RvCVCXPcgdw9+MRTBWxtNkq2bzwF6WnMPE78N8a4s6eX+zSc894omfoDBLhbmc -lCR5j31rqUVoDyvQ8docy2m4yklibcjQY2LdYA9Yqo+hvAWlZqLPG3ayhGSxTDlSwDC68IxL -ArC2twIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRHuM3/5W/u+LLsL04O -+SWwjjxrwzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAAAgI0E1BJDCQGJg -7+I1TNc/rOI0kLihb3b6FhakSDcs6ZDC8jz4Cp/YgeW7W9olLKSnVXEkMvbIC/K8aviTrLIH -wl+f28zIiqq+am/hSRDMMdeAu7vI2KIOZFfqovXCqTEV0iBq7PwiASjPhriAHqnMEaU88haz -R5380oAhxMvQR3BBocqDGQgsbfJdd5yKFBPUNhyS8OUGN9ym5pCbOI9caxtGhkNCXz4BB1NU -XWV994pzoZpUWh8pQxQnwoUPtYh7GjuUtx1gp7Wc5ylpV1qbk3pDMBsD12LIQKaq/GTkSteR -UwGoIIhunF9EuctggTTsb9N92khf67SQvC2pHAusHNWiaCCABNb8sY8vu0oxDUqGHOviNikm -9drYxPJ1Yc9+rnZjSnpAZZOH+B6AjIblhtaPDvxTLGDoFmEaoj5De805YFRq9fKJJgFog0ii -M+jJBJGyETQRPurQQxkfA5OQDP9RPVf0QW7hy6C+68ljzW3M5Pg2qmid7b1dl3BEDbYONdzh -DF27oFGUy34W6xEvo5JFyExx2bzJmVJXRi9Qz701afQ9Fc4GpSwPPvaBupS7w7u/ZXjShnn/ -STsagwzw3njsyPJNTBregin4wVra7e7mJ17oRdCdHFGoaKtE49CLauP4O7vcTddk8lG+5qqr -Wukx7ga8c78TYgqfx7mXAAAAAgAfY29tb2RvcnNhY2VydGlmaWNhdGlvbmF1dGhvcml0eQAA -AXwQWa1IAAVYLjUwOQAABdwwggXYMIIDwKADAgECAhBMqvnK22Nv4B/3TthbA4adMA0GCSqG -SIb3DQEBDAUAMIGFMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVy 
-gKB+oHyGemxkYXA6Ly9kaXJlY3RvcnkuZC10cnVzdC5uZXQvQ049RC1UUlVTVCUyMFJvb3Ql -MjBDbGFzcyUyMDMlMjBDQSUyMDIlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1ERT9jZXJ0 -aWZpY2F0ZXJldm9jYXRpb25saXN0MEOgQaA/hj1odHRwOi8vd3d3LmQtdHJ1c3QubmV0L2Ny -bC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yXzIwMDkuY3JsMA0GCSqGSIb3DQEBCwUAA4IB -AQB/l9swyN+knH0heoBwzhQSaYgUlWBEAayy6TBPm1DCZth+jTC1cDHp4mnH83DbIBWG0A3w -vqwBdYTOfp9Nv7dgO5zzyh3iXmjYo52X5UBg0jYh/tC0uBfadKN/1N+wmAKsb2trLCUkcqFl -7iVa5eYy5/Lfq0n685BpI9sE2edcWPxl1Je+zPwuCswlKjUE+GCRFXU9Qf8jHxnIbOuCUwSm -5EwiTY2Mus5bc+xkVFBt0ZxV+2nDNsOMvDyFpmsKJg3gk5hgrn7GJJeKYV+RjmaSCYc2zYub -LT72UdRQ1FkovYPyzCh7U4Zt2CaIcNfqkc0+ucrAkG5axl50Zddc/qPiAAAAAgAsc3RhcmZp -ZWxkc2VydmljZXNyb290Y2VydGlmaWNhdGVhdXRob3JpdHktZzIAAAF8EFmtSAAFWC41MDkA -AAPzMIID7zCCAtegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UEBhMCVVMxEDAO -BgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoTHFN0YXJmaWVs -ZCBUZWNobm9sb2dpZXMsIEluYy4xOzA5BgNVBAMTMlN0YXJmaWVsZCBTZXJ2aWNlcyBSb290 -IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTA5MDkwMTAwMDAwMFoXDTM3MTIzMTIz -NTk1OVowgZgxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290 -dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTswOQYDVQQD -EzJTdGFyZmllbGQgU2VydmljZXMgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANUMOsQq+U7i9b4Zl1+OiFOxHz/Lz58g -E20pOsgPfTz3a3Y4Y9k2YKibXlwAgLIvWX/2h/klQ4bnaRtSmpDhcePYLQ1Ob/bISdm28xpW -riu2dBTrz/sm4xq6HZYuajtYlIlHVv8loJNwU4PahHQUw2eeBGg6345AWh1KTs9DkTvnVtYA -cMtS7nt9rjrnvDH5RfbCYM8TWQIrgMw0R9+53pBlbQLPLJGmpufehRhJfGZOozptqbXuNC66 -DQO4M99H67FrjSXZm86B0UVGMpZwh94CDklDhbZsc7tk6mFBrMnUVN+HL8cisibMn1lUaJ/8 -viovxFUcdUBgF4UCVTmLfwUCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E -BAMCAQYwHQYDVR0OBBYEFJxfAN+qAdcwKziIorhtSpzyEZGDMA0GCSqGSIb3DQEBCwUAA4IB -AQBLNqaEd2ndOxmfZyMIbw5hyf2E3F/YNoHN2BtBLZ9g3ccaaNnRbobhiCPPE95Dz+I0swSd -HynVv/heyNXBve6SbzJ08pGCL72CQnqtKrcgfU28elUSwhXqvfdqlS5sdJ/PHLTyxQGjhdBy -Pq1zqwubdQxtRbeOlKyWN7Wg0I8VRw7j6IPdj/3vQQF3zCepYoUz8jcI73HPdwbeyBkdiEDP 
-fUYd/x7H4c7/I9vG+o1VTqkC50cRRj70/b17KSa7qWFiNyi2LSr2EIZkyXCn0q23KXB56jza -YyWf/Wi3MOxw+3WKt21gZ7IeyLnp2KhvAotnDU0mV3HaIPzBSlCNsSi6AAAAAgAOY2VydGln -bmFyb290Y2EAAAF8EFmtSAAFWC41MDkAAAZfMIIGWzCCBEOgAwIBAgIRAMrpG4nxVQMNo+ZB -bcTjpuEwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURoaW15b3Rp -czEcMBoGA1UECwwTMDAwMiA0ODE0NjMwODEwMDAzNjEZMBcGA1UEAwwQQ2VydGlnbmEgUm9v -dCBDQTAeFw0xMzEwMDEwODMyMjdaFw0zMzEwMDEwODMyMjdaMFoxCzAJBgNVBAYTAkZSMRIw -EAYDVQQKDAlEaGlteW90aXMxHDAaBgNVBAsMEzAwMDIgNDgxNDYzMDgxMDAwMzYxGTAXBgNV -BAMMEENlcnRpZ25hIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDN -GDllGlmx6mQWDoyUJJV8g9PFOSbcDO8WV43X2KyjQn+Cyu3NW9sOty3tRQgXstmzy9YXUnIo -245Onoq2C/mehJpNdt4iKVzSs9IGPjA5qXSjklYcoW9MCiBtnyN6tMbaLOQdLNyzKNAT8kxO -AkmhVECe5uUFoC2EyP+YbNDrihqECB63aCPuI9Vwzm1RaRDuoXrC0SIxwoKF0vJVdlB8JXrJ -hFwLrN1CTivngqIkicuQstDuI7pmTLtipPlTWmR7fJj6o0ieD5Wupxj0auwuA0Wv8HT4Ks16 -XdG+RCYyKfHx9WzMfgIhC59vpD++nVPiz32pLHxYGpfhPTc3GGYo0kDFUYqMwy3OU4gkWGQw -FsWq4NYKpkDfePb1BHxpE4S80dGnBs8B92jAqFe7OmGtBIyT46388NtEbVncSVmurJqZNjBB -e3YzIoejwpKGbvlw7q6Hh5UbxHq9MfPU0uWZ/75I7HX1eBYdpnDBfzwboZL7z8g81sWTCo/1 -VTp2lc5ZmIoJlXcymoO6LAQ6l73UL77XbJuiyn1tJslV1c/DeVIICZkHJC1kJWumIWmbat10 -TWuXekG9qxf5kBdIjzb5LdXF2+6qhUVB+s06RbFo5jZMm5BX7CO5hwjCxAnxl4YqKE3idMDa -xIzb3+KhF1nOJFl0Mdp//TBt2dzhauH8XwIDAQABo4IBGjCCARYwDwYDVR0TAQH/BAUwAwEB -/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFBiHVuBud+4kNTxOc5of1uHieX4rMB8GA1Ud -IwQYMBaAFBiHVuBud+4kNTxOc5of1uHieX4rMEQGA1UdIAQ9MDswOQYEVR0gADAxMC8GCCsG -AQUFBwIBFiNodHRwczovL3d3d3cuY2VydGlnbmEuZnIvYXV0b3JpdGVzLzBtBgNVHR8EZjBk -MC+gLaArhilodHRwOi8vY3JsLmNlcnRpZ25hLmZyL2NlcnRpZ25hcm9vdGNhLmNybDAxoC+g -LYYraHR0cDovL2NybC5kaGlteW90aXMuY29tL2NlcnRpZ25hcm9vdGNhLmNybDANBgkqhkiG -9w0BAQsFAAOCAgEAlLieT/DjlQgi581oQfccVdV8AOItOoldaDgvUSILSo3L6btdPrtcPbEo -/uRTVRPPoZAbAh1fZkYJMyjhDSSXcNMQH+pkV5a7XdrnxIxPTGRGHVyH41neQtGbqH6mid2P -HMkwgu07nM3A6RngatgCdTer9zQoKJHyBApPNeNgJgH60BGM+RFq7q89w1DTj18zeTyGqHNF -kIwgtnJzFyO+B2XleJINugHA64wcZr+shncBlA2c5uk5jR+mUYyZDDl34bSb+hxnV29qao6p 
-K0xXeXpXIs/NX2NGjVxZOob4Mkdio2cNGJHc+6Zr9UhhcyNZjgKnvETq9Emd8VRY+WCv2hik -LyhF3HqgiIZd8zvn/yk1gPxkQ5Tm4xxvvq0OKmOZK8l+hfZx6AYDlf7ej0gcWtSS6Cvu5zHb -ugRqh5jnxV/vfaci9wHYTfmJ0A6aBVmknpjZbyvKcL5kwlWj9Omvw5Ip3IgWJJk8jSaYtlu3 -zM63Nwf9JtmYhST/WSMDmu2dnajkXjjO11INb9I/bbEFa0nOipFGc/T2L/Coc3cOZayhjWZS -aX5LaAzHHjcng6WMxwLkFM1JAbBzs/3GkDpv0mztO+7skb6iQ12LAEpmJURw3kAP+HwV96LO -PNdeE4yBFxgX0b3xdxA61GU5wSesVywlVP+i2k+KYTlerj1KjL0AAAACABNhdG9zdHJ1c3Rl -ZHJvb3QyMDExAAABfBBZrUgABVguNTA5AAADezCCA3cwggJfoAMCAQICCFwzy2IsX7MyMA0G -CSqGSIb3DQEBCwUAMDwxHjAcBgNVBAMMFUF0b3MgVHJ1c3RlZFJvb3QgMjAxMTENMAsGA1UE -CgwEQXRvczELMAkGA1UEBhMCREUwHhcNMTEwNzA3MTQ1ODMwWhcNMzAxMjMxMjM1OTU5WjA8 -MR4wHAYDVQQDDBVBdG9zIFRydXN0ZWRSb290IDIwMTExDTALBgNVBAoMBEF0b3MxCzAJBgNV -BAYTAkRFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlYU7l28qOy47z6bzKTW+ -zxisPqrZ+E2gPhpHubya3/L+zD5H6HqWwiSONfSpDPyC/W3BcmInvepr6+eKzFQ+kFDPgNSV -++i1gtQUxbapVSVX27FQ9rBgZFl6ac8Dt28Nvso+b3Ry6qowKnNivkmRYcgR/g4DKvdqINwC -FQ1eFWr844LBtcWdZAlso1mYByfHG5YrYXRxbEPx9zWJEOCe7FWhNyKihwQFLEd9tBy5Yilm -KMq34ZP1pJQDmblwhbXmSOqNUPzZ3sxvBw7dC3KdgDAWB5U/KA79xXVPU9Z0mrQkLo4Ckc92 -xZseVXSceCGx8C3xC5/C1ZYYH/BUInqMBwIDAQABo30wezAdBgNVHQ4EFgQUp6UGsSymCWDu -0ZfpcK68Oxls2yEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBSnpQaxLKYJYO7Rl+lw -rrw7GWzbITAYBgNVHSAEETAPMA0GCysGAQQBsC0DBAEBMA4GA1UdDwEB/wQEAwIBhjANBgkq -hkiG9w0BAQsFAAOCAQEAJnc025RIhipBnSw+BpBgxIysC1S4H7l70wc55Po+e7I9Tu2fI72X -82tc7+79QKbfoZOhCoas7yDQeQG9ePcZ2CQxNAQBproVmsMn3NhPD8wYY/+ZDw6Ra3UW4SH8 -2CbHR7emz1hycX664U2VRzvJr22htMHsifa0Dzi14mTcJc+m2+uaXJmhxQje/eba1dZaRQzE -t8K1FO+0Ef8OFbX19dvGvetap/BWIqk8ZVTGFai9hp7Ng5ZoenGBieEL4eoRG2gIzGme7J5B -nkQyJnrihwpxPevkWqTS28XNxt5gf7nzT0SS7yq3GD6nGdkLfbE3QUKwumAd8v4JEbDwh3un -nQAAAAIAE2NlcnR1bXRydXN0ZWRyb290Y2EAAAF8EFmtSAAFWC41MDkAAAXEMIIFwDCCA6ig -AwIBAgIQHr9ZULjJgDdMBvfrVU+17TANBgkqhkiG9w0BAQ0FADB6MQswCQYDVQQGEwJQTDEh -MB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2Vy -dGlmaWNhdGlvbiBBdXRob3JpdHkxHzAdBgNVBAMTFkNlcnR1bSBUcnVzdGVkIFJvb3QgQ0Ew 
-HhcNMTgwMzE2MTIxMDEzWhcNNDMwMzE2MTIxMDEzWjB6MQswCQYDVQQGEwJQTDEhMB8GA1UE -ChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNh -dGlvbiBBdXRob3JpdHkxHzAdBgNVBAMTFkNlcnR1bSBUcnVzdGVkIFJvb3QgQ0EwggIiMA0G -CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDRLY67tzbqbTeRn06TpwXkKQMlzhyC93yZn0EG -ze2jusDbCSzBfN8pfktlL5On1AFrAygYo9idBcEq2EXxkd7fO9CAAozPOA/qp1x4EaTByIVc -JdPTsuclzxFUl6s1wB52HO8AU5853BSlLCIls3Jy/I2z5T4IHhQqNwuIPMqw9MjCoa68wb4p -Z1Xi/K1ZXP69VyywkI3C7Te2fJmItdUDmj0VDT06qKhF8JVOJVkdzZhpu9PMMsmN74H+rX2J -u7pgE8pllWeg8xn2A1bUatMn4qGtg/BKEiJ3HAVz4hlxQsDsdUaakFjgao4rpUYwBI4Zshfj -vqm6f1bxJAPXsiEodg42MEx51UGamqi4NboMOvJEGyCI98Ul1z3G4z5D3Yf+xOr1Uz5MZf87 -Sst4WmsXXw3Hw09Omiqi7VdNIuJGmj8PkTQkfVXjjJU30xrwCSss0smNtA0Aq2cpKNgB9RkE -th2+dv5yXMSFytKAQd8FqKPVhJBPC/PgP5sZ0jeJP/J7UhyM9uH3PAeXjA6iWYEMspA90+NZ -Ru0PqafegGtaqge2Gcu8V/OXIXoMsSt0Puvap2ctTMSYnjYJdmZm/Bo/6khUHL4wvYBQv3y1 -zgD2DGHZ5yQD4OMBgQ692IU0iL2yNqh7XAjlRICMb/gv1SHKHRzQ+8S1h9E6Tsd2tTVItQID -AQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSM+xx1vALTn04uSNn5YFSqxLNP -+jAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQENBQADggIBAEii1QALLtA/vBzVtVRJHlpr -9OTy4EA34MwUe7nJ+jW1dReTagVphZzNTxl4WxmB82M+w85bj/UvXgF2Ez8sALnNllI5SW0E -TsXpD4YN4fqzX4IS8TrOZgYkNCvozMrnadyHncI013nR03e4qllY/p0m+jiGPp2Kh2RX5Rc6 -4vmNueMzeMGQ2Ljdt4NR5MTMI9UGfOZR0800McD2RrsLrfw9EAUqO0qRJe6M1ISHgCq8CYyq -OhNf6DR5UMEQGfnTKB7U0VEwKbOukGfWHwpjscWpxkIxYxeU72nLL/qMFH3EQxiJ2fAyQOaA -4kZf5ePBAFmo+eggvIksDkc0C+pXwlM2/KfUrzHN/gLldfq5Jwn58/U7yn2fqSLLiMmq0Uc9 -NneoWWRrJ8/vJ8HjJLWG965+Mk2weWjROeiQWMODvA8s1pfrzgzhIMfatz7DP78v3DSk+ysh -zWePS/Tj6tQ/50+6uaWTRRxmHyH6ZF5v4HaUMst19W7l9o/HuKTMqJZ9ZPskWkoDbGs4xugD -Q5r3V7mzKWmTOPQD8rv7gmsHINFSH5pkAnuYZttcTVoP0ISVoDwUQwbKytu4QTbaakRnh6+v -40URFWkIsr4WOZckbxJF0WddCajJFdr60qZfE2Efv4WstK2tBZQIgx51F9NxO5NQI1mg7TyR -VJ12AMXDuDjbAAAAAgAaaWRlbnRydXN0Y29tbWVyY2lhbHJvb3RjYTEAAAF8EFmtSAAFWC41 -MDkAAAVkMIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK -MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3Qg 
-Q29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQwMTE2MTgxMjIzWjBK -MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVuVHJ1c3Qg -Q29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCn -UBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZsh -q0PirK1ehm7zCYofWjK9ouuU+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN -2WIrvyQfYo3fw7gpS0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9 -t++uP0D1bVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi -T0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCLvYf5jysj -CiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjKVsk9+w8YfYs7wRPC -TY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZKdHzVWYfCP04MXFL0PfdSgvHq -o6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHTc+XvvqDtMwt0viAgxGds8AgDelWAf0ZO -lqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hvl7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6 -aMN7/zHwcz09lCqxC0EOoP5NiGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD -VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcN -AQELBQADggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH -6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwtLRvM7Kqa -s6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93nAbowacYXVKV7cnd -JZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3+wYQ+nVZZjFHKdp2mhzpgq7v -mrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRKW2XviQzdFKcgyxilJbQN+QHwotL0AMh0 -jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pTAwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpC -dNTDd1lzzY9GvlU47/rokTLql1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyq -orkqG5w2gXjtw+hG4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0 -K+l+J6fZmUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A -7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6HAAAAAgAbc3RhYXRkZXJuZWRl -cmxhbmRlbmV2cm9vdGNhAAABfBBZrUgABVguNTA5AAAFdDCCBXAwggNYoAMCAQICBACYlo0w -DQYJKoZIhvcNAQELBQAwWDELMAkGA1UEBhMCTkwxHjAcBgNVBAoMFVN0YWF0IGRlciBOZWRl -cmxhbmRlbjEpMCcGA1UEAwwgU3RhYXQgZGVyIE5lZGVybGFuZGVuIEVWIFJvb3QgQ0EwHhcN 
-MTAxMjA4MTExOTI5WhcNMjIxMjA4MTExMDI4WjBYMQswCQYDVQQGEwJOTDEeMBwGA1UECgwV -U3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFhdCBkZXIgTmVkZXJsYW5kZW4g -RVYgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOPHfon5JEs60jOD -NSxp7NwJpONRqCUrebgIPeCRuoSFxoWkyubJLlOkySQe/VVmcV0sxWBoBLfZwlImOIik1jtA -psLNP82Yk7NUFFiWVdVQ/oatpGN/XIf2juYnkmcXkgIDLNzWZnTt3Wf/wWGNY08Pm20XMCbv -q9IfEKD5xX8WaYEDR+0eaI1yoU2yJsa6bF9t1q/RsROOqa3zXml1Jhg+QSshf+6LXQcGnUPE -KQor/Co+hss8gzr5yQ3axZnivHhBM3bhvy9d5aSYUAwV3eD6nH84aNCypnqn0TG9fopYJ0Oz -ujOR06eYFVya5tMPddn8QZiXPqol24+SLrB7DF/xY6k3+Zt1aUwoJiXa1fIScEVV499zXjf1 -IWyQjjVaydMj69PAvnisQihYZqVGbXAC1xD5S1T8XYZKh89/ykWsEVq1IFGNL4hHlznAz7rA -QgFAmUghC2un0v2W1dG+Rp1J4AumoCJOONDBPDC8cI8sdczQxYxROz2UCGQmYX25w2WPFJwh -0Kr9F3IDj72bjOZeU565ne+Cu+G84nJBWyGU00U3lNHfCTld5yOqmh3KbagKhoWKgr5CB9by -OIJz2odb5TzTnj6nO570A7P58X0TdAL/u6Hl+gB5HKZmQYhcYFemLgnEuv2az6cfQMO7zFoK -VUs7OHZRuGOLhJQW5lbzAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD -AgEGMB0GA1UdDgQWBBT+qwCQmJ4k/KnMGor7J7i/MG6oOzANBgkqhkiG9w0BAQsFAAOCAgEA -z3csbla+TrO2hACUq0fJDdJ2x4afHQfTtrS7CHivadILSd4zxaytwogCfQa3NQLBYMm/xOiU -3tTTqRMlWv5uoq59Bdx982zwfqaN7tnXzlgX6KkprnNIh+ebym4poWRfGRP3rgYQ/1HGm01V -JU+TmRABU3XxE87HpkFB0r+IpX9F/Ky4pbUzDILE+wf2auUlhF8GysGGORHbWM13OyzCTA9e -muPwqz5hG1AkwsD08RnwESm2pRgCm9djTHCMR6MDQ1y5XUagDW//WY6+3Z9yw1sr34xbzuUM -RmySsgqjTFRCGBUSGL3a/Lp0bv/BtqBk2KlfVa6fXGp2lthzZ4f7TX9c7mnKcxD7iqn9nr02 -OElJh/QOFPDph7g/p096Wo551JPku2hShKxs6fOYcFVyMvk0qytJtc0gYuQ6emdjq5bcba6X -7PyfdlaILmbPW7bJpLDXBbrhJy+TuyYqopOwG/OOvh1Ao7k2jz6CGhpeiOpQ+Fnig0YpC+NE -XOGVtmmQmhRvl66Bz2jvmZq+tefhf/j6E0cWTMxtCEDni3hvUIJEUD9mBoqrQ4RWSg8gLYYO -9dLb0nqKS82l6E7xXiYlAVkjoH7S9n4hV9cnvBVXTKRGweCDHgxMTR9PBhni+aj0OoKhsnlD -edatb3onkAOk6iSHP9m92enyX1BJHO7s1y4AAAACACV0dWJpdGFra2FtdXNtc3Nsa29rc2Vy -dGlmaWthc2ktc3VydW0xAAABfBBZrUgABVguNTA5AAAEZzCCBGMwggNLoAMCAQICAQEwDQYJ -KoZIhvcNAQELBQAwgdIxCzAJBgNVBAYTAlRSMRgwFgYDVQQHEw9HZWJ6ZSAtIEtvY2FlbGkx -QjBABgNVBAoTOVR1cmtpeWUgQmlsaW1zZWwgdmUgVGVrbm9sb2ppayBBcmFzdGlybWEgS3Vy 
-dW11IC0gVFVCSVRBSzEtMCsGA1UECxMkS2FtdSBTZXJ0aWZpa2FzeW9uIE1lcmtlemkgLSBL -YW11IFNNMTYwNAYDVQQDEy1UVUJJVEFLIEthbXUgU00gU1NMIEtvayBTZXJ0aWZpa2FzaSAt -IFN1cnVtIDEwHhcNMTMxMTI1MDgyNTU1WhcNNDMxMDI1MDgyNTU1WjCB0jELMAkGA1UEBhMC -VFIxGDAWBgNVBAcTD0dlYnplIC0gS29jYWVsaTFCMEAGA1UEChM5VHVya2l5ZSBCaWxpbXNl -bCB2ZSBUZWtub2xvamlrIEFyYXN0aXJtYSBLdXJ1bXUgLSBUVUJJVEFLMS0wKwYDVQQLEyRL -YW11IFNlcnRpZmlrYXN5b24gTWVya2V6aSAtIEthbXUgU00xNjA0BgNVBAMTLVRVQklUQUsg -S2FtdSBTTSBTU0wgS29rIFNlcnRpZmlrYXNpIC0gU3VydW0gMTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAK91MDOqu2vTmSwSN4TZjXuXgNNu5/+bUJU+kJVWQtcZfCaEjZL6 -AR06D+JkOLeMvOiI+Yskqy6j9TfkQI4YJXmDdR87/2yoxcZW+LTtikSjq2xM/B3Q3O9ovc/k -qs7wVfeiNNSDazd8HML+tQPsV868tLXF7QAPUzcqTfRPDIP7hs/L/oxOvYf5p4shV5x63wNn -iSydl2GnELhVkH8OLSc4dN/n/dpOEuNNFSICyODg/A+titfJVFDMOw/KFoCE0FFWw45Wf4ki -My/mhQq9pagbNt7T3CxtO8cTvVkjLOblpPfYC+3qkEBEqJW7k9XQgDS2RngOHwCTRuHu6fns -TxcCAwEAAaNCMEAwHQYDVR0OBBYEFGU/x4qGxjzdPFRcNfg67VIMR1fIMA4GA1UdDwEB/wQE -AwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqP+HxMo6u4ZhcS17P -ax5qCdIiqRLHXld9c1ZkgIR6k+QJuRDNnyon4QB3vkjINaiBn+S4LMl/DrDSSzdd6rnVC140 -vfRzKcPtJhWcfghTiliN0Eso38Gz3yDz+ePjOt/MnJTYTk/Daxe393LorWYztSVTq+D4TKmd -/fINuq652arGa/mTu66ruJc8Axq6Q8aWuUVyOLOnoZY9kXt+wCFTTIft8gtUlVGT1SKlDYrx -kw4+VA6w2MlO3PIxMlbqZPnqtZ0WZkJy83/TsTFD/KSOF/FtI6uUZvit+w8IbiYtfxcHCbKM -+1DAn5aNz7b9AJ1aFJq/AkT1wcKfIl6iD6HjAAAAAgANdHJ1c3Rjb3JlY2EtMQAAAXwQWa1I -AAVYLjUwOQAABCQwggQgMIIDCKADAgECAgkAhIIsXxxi0EAwDQYJKoZIhvcNAQELBQAwgZwx -CzAJBgNVBAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw -IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29y -IENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3IgRUNBLTEwHhcNMTYw -MjA0MTIzMjMzWhcNMjkxMjMxMTcyODA3WjCBnDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBh -bmFtYTEUMBIGA1UEBwwLUGFuYW1hIENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMg -Uy4gZGUgUi5MLjEnMCUGA1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRcw -FQYDVQQDDA5UcnVzdENvciBFQ0EtMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB 
-AM+P4BG1n6h2dtvfD1Tvc2Mpgq1HxqNr7f5fM/hDUekaM5ExF6B0xNSnAeaykj5qne0O+XSY -QNM/A4AGgkDoseKnUacdgyZrq976F5Er2MasHrGeGQHVl6bqDbfEVR8nfNII1XYfKRWHQDnd -OEURddCapzTgv83IUh25R34NuLvGDPZzVxZafkORH1U6xm1EBKqcqZynTIkXg66jBF5SgIse -EiURGdcMfX0xREHq26+wHO+B0CzFmiGbPe1CO1Am8uzOcWEGYiFUTn/BnT5/IIyAyyrYl2LI -gzORfbCiWg9X6DvM8iWy1Hwv7E3GoToVeue2XTX19khKNkVm1LqYWMECAwEAAaNjMGEwHQYD -VR0OBBYEFESeSPXMbUjUoEt//lkkL4OXmZqGMB8GA1UdIwQYMBaAFESeSPXMbUjUoEt//lkk -L4OXmZqGMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUA -A4IBAQAFPjVcFXCbycdzYW9yK9TCj/JDXQLOxJS5lBGDZ13iZ2x1dr+7DKo2xq1Hk2PcHn7W -3i7+6RkyOAN/FPYAcyxZsSEG4fusGJUMo/+ZlvcrJ5vVJMwd3cE64JhEsMTkPnexc6lkLPYc -AXw/XUWFwIXnJY+V3BfzPJ8abrDK4x0q6Uxj+iRhYtbafrYcbPUCHdQq3VWQ6yoRRzwuXnSy -giKlfVMfRewnkX3nIhbowGg22MbxT4BEMvnh0dEdqt6oq5wEr60gDmSYTaVrwEhYlmlN3AeM -UZOi358PPYtgtIKNqghOYkXg+QvS4OA8W95ccSclwuYDgYsQU+PHVaK0n9fmAAAAAgAPZW1z -aWducm9vdGNhLWcxAAABfBBZrUgABVguNTA5AAADmDCCA5QwggJ8oAMCAQICCjH15GIMbFjt -1tgwDQYJKoZIhvcNAQELBQAwZzELMAkGA1UEBhMCSU4xEzARBgNVBAsTCmVtU2lnbiBQS0kx -JTAjBgNVBAoTHGVNdWRocmEgVGVjaG5vbG9naWVzIExpbWl0ZWQxHDAaBgNVBAMTE2VtU2ln -biBSb290IENBIC0gRzEwHhcNMTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBnMQswCQYD -VQQGEwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNobm9s -b2dpZXMgTGltaXRlZDEcMBoGA1UEAxMTZW1TaWduIFJvb3QgQ0EgLSBHMTCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAJNLu+lmiu6dW9U0k9AbHsPnnrhkM39jeGi0zS5xddeb -IMZNKby2aGCK9yGaVjVa83a92M2a/5NWS6VZBqGTNCndFjR1TvKBtMeWTq0ZFVJK/jxwdXDN -ryurFZozPKqzi6rNQ/316nD/7c8RO5TOTjIW0yNAKnezrzwBLGztmSyL2U5pmLL3j0GwMnhh -1g1fw/qiQJIdXBfmcD4156K3wmLiq6Q4TLU5NW/qA2n6OlRohW3W8i9DVR6RDQ7Y1WqkltET -PCx4UOg6ktIXVuU1GkAcPo0s7TnfQuCDQXTfo83ChmBIaONpC1QAi+R2aSENeU40CF4Uwsyx -t63XfHCKx4UCAwEAAaNCMEAwHQYDVR0OBBYEFPvvDYaesOPdqbnxIRd/PvzwdysaMA4GA1Ud -DwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBZ//KM9Yd9 -cT2jnxtb0dr405xrNr2bqWHr3hYsdD2e5nXa17qnvEIX5z2R6+V93T6c8c+SrGxIzMIiP2k7 -xbYVL6M1xmgqHFevOe+N0DXDGAx7AFYczYsZdN6+DxLg0KqhPwI0sXDOnRjWCAMJRu5g4H62 
-xEkEUX1wYLyqsv95cnqmHT1fKvjK4v05t0e5637fBCOv+pwGB+n7Y5OAQLXGbAoxKM4Mn8+z -IzWAQY1sxDd7gS+AoUBChenZOI3ooVPNAb9p6FoG8kULkPqu4b+d8q5XPKWuslb0i2VA6f0x -gSz0OQnY7muntKYdFaWY9wGB2IV981FccYjeuswfgH5KAAAAAgAPdWNhZ2xvYmFsZzJyb290 -AAABfBBZrUgABVguNTA5AAAFSjCCBUYwggMuoAMCAQICEF3fsdpao+1dvlplIGUDkO8wDQYJ -KoZIhvcNAQELBQAwPTELMAkGA1UEBhMCQ04xETAPBgNVBAoMCFVuaVRydXN0MRswGQYDVQQD -DBJVQ0EgR2xvYmFsIEcyIFJvb3QwHhcNMTYwMzExMDAwMDAwWhcNNDAxMjMxMDAwMDAwWjA9 -MQswCQYDVQQGEwJDTjERMA8GA1UECgwIVW5pVHJ1c3QxGzAZBgNVBAMMElVDQSBHbG9iYWwg -RzIgUm9vdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMXmK2987yYFJ6OBJNpv -ywH5mZqpMsIih2FBkTvLw2gbBsVMqSvBZxciHSvt+SmJk6J4vZJroKMNon7Kk7Om0Yw11XX5 -F/bPRcXleux3k6CPI64OGgN/vtTQ7S57q0YjW/8s5lR6lMAqFfDJjbB6OyTh12jiMTwGM0a2 -VBGmpS8iVCpYDQEC8foVUWdswPrXtht/0VaILxo6jTu7ghHgRwDQUoer+4Z+DyRrQJ00Z7yN -xy2Gb3k+jqk8F0t/sJnjsHFg3Av1ZMPOQ7xtcbnS3idbiujYxq7hWX3PKC01uJVWGvGyWEu3 -EjfIfLPtS4DhjfoyI7Zvt0iVCLFEToWMOgJUIC/fv1dPOzqQIdfBJjVUIOzHP0fs71q/S3rB -rTsXUFxi2A9LStwr+m68c5LN7MdQ6EGW16l+bdjpHY+KtblYkrpKkisMVv2A6wjwXiluGxwM -r4+Tia3bvaOeIcqJGezftcMa6xb+eDZM1m7QPhcckBdrJrr7ei+/ERwYDi1zA4+g5TWgWuJM -dR1x4Tk4U3hAzIOT1wqenVuPiuTl4EjkSLJHzU4qdSp78iL2yb4JkZZXeoiIrO5wrPncKeMM -HDsSTkTWp06wJsjz2RqXkWjq741GBtJWRViaPAwPg7gFJcM5zzukNIm3eRIvR8XnqZdp/KZ3 -Z7Xfe/F6ZRXkYVZlAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/ -MB0GA1UdDgQWBBSBxIzM9eQw/6UMCF+MFWchdAHf3zANBgkqhkiG9w0BAQsFAAOCAgEAE2Ui -9Y4rrUTky/+5aObDgEg9BHv6Iy967Tbass5t9uae5V9Yj8s3MqHIZbauOD01Gz68O7YE0Lz5 -SfWb94XFNrbLvPjIOdXkXwe9FVSXdMrK7U+6umR2n4G4hEVJTI1vouuxzNHDlNpEwubi6hjo -oh8nBbrX5dapzd3vdpiNAA7NG/oDt46AWA4nP1L7lKLKXmXJ1oTauTVx8ybAT3fmgSfSdzua -FG959PbQ4dOUutBXUb0nBQ3B/cgSMO5vjRErCJ3U1L+ARRSaiETaMOq0p+Pu71uC1T7WrXiS -21w889it+rhrf8Q2KLYCFYpULJywF3OO0DejFDyYlQAMKQVbnklJsV/H48vPJ2WONRe3V8gw -2UFbuRS26MIPlDGnlJjMauu14Sf1EKgB6I4SYuiIzLV/RpfAmxBmOBo2Rl8iaD3fycYTJ6tT -BqyiPIYGZW+xfrEpRJqjuklpKGmP1+VfrQSGZG8aoAzFCGLOgKPQ8+xo3r4zxxdbf4DETEyx -poSKwzu4Cc0UgboY41RXNv7bL3xHoTozyPlYO0RPscoCiQSWKGjFS7gmibvWMy9Q1f6aiboY 
-MpJUxlvgnfle5Q0im/ba4sghsmIhqoZAsi5k01/I434RZ0UfBf7jou+zqLPzfY/4DB8iHy1w -tLgBNHYwAOUjeKdW11AfivsG9cIZ8NAAAAACABJlbXNpZ25lY2Nyb290Y2EtZzMAAAF8EFmt -SAAFWC41MDkAAAJSMIICTjCCAdOgAwIBAgIKPPYHqWhwDtqLhDAKBggqhkjOPQQDAzBrMQsw -CQYDVQQGEwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNo -bm9sb2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0gRzMwHhcN -MTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBrMQswCQYDVQQGEwJJTjETMBEGA1UECxMK -ZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNobm9sb2dpZXMgTGltaXRlZDEgMB4G -A1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0gRzMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQj -pQy4LRL1KPOxst3iAhKAnjlfSU2fySU0WXTsuwYc58Byr+iuL+FBVIcUqEqy6HyC5ltqtdyz -dc6LBtCGI79G1Y4PPwT01xySfvalY8L1X44uT6EYGQIrMgqCZH0Wk9GjQjBAMB0GA1UdDgQW -BBR8XQKEE9TMipuBzhccLikenEhjQjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB -/zAKBggqhkjOPQQDAwNpADBmAjEAvvNhzwIQHWSVB7gYboiFBS+DCBeQyh+KTOgNG3qxrdWB -CUfvO6wIBHxcmbHtRwfSAjEAnbpV/KlK6O3t5nYBQnvI+GDZjVGLVTv7jHvrZQnD+JbNR6iC -8hZVdyR+EhCVBCyjAAAAAgAbc2VjdXJpdHljb21tdW5pY2F0aW9ucm9vdGNhAAABfBBZrUgA -BVguNTA5AAADXjCCA1owggJCoAMCAQICAQAwDQYJKoZIhvcNAQEFBQAwUDELMAkGA1UEBhMC -SlAxGDAWBgNVBAoTD1NFQ09NIFRydXN0Lm5ldDEnMCUGA1UECxMeU2VjdXJpdHkgQ29tbXVu -aWNhdGlvbiBSb290Q0ExMB4XDTAzMDkzMDA0MjA0OVoXDTIzMDkzMDA0MjA0OVowUDELMAkG -A1UEBhMCSlAxGDAWBgNVBAoTD1NFQ09NIFRydXN0Lm5ldDEnMCUGA1UECxMeU2VjdXJpdHkg -Q29tbXVuaWNhdGlvbiBSb290Q0ExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -s7P+f9Ntse8WfFelDG12ii9Lv2T7TO6K8PMpfPX/7irg6em6W2QimppvLDomaVEFmSbc1Rxq -ccaafR6d3XxsxoxnZ0o++HGwGSepCQymlb9LjAz6VZg72OgioUtxOHmsl5Jps4l+6iFoBpgU -lofSYTa8bSdWnlfuwMBW/TLPpNmOwiPXjajz2CWsl+RwOPS2OrSdO5cmQ6OhvElZckwjMIcB -WPZOvhxoVmavzUFdyLNNKlVGqx/aHuJAPdvNfbmSgJw33QyWZJ3cIvdki99h3hWUUhWgfVLJ -S6ghycax7cvDlWDRD/CrcPjfy01+7Nb6q9m9f1Typel5+tnWdiQocwIDAQABoz8wPTAdBgNV -HQ4EFgQUoHNJmWjchVtl45soL1efvTO8B0gwCwYDVR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMB -Af8wDQYJKoZIhvcNAQEFBQADggEBAGhAqai75E9debMFtRezYBPrxpJd4NHTav77vpttv8cF -bVkgxBzwt9qEWAJj+kgW70+lC/dKmPI/nhutR2tjzghH61I/eJyvTa741U/PmpgqEEE5UsTd 
-2ZsO75MBrrIuymhCJEJssLM6Ps3p2kjEFcvp+QcPklBJit0xl1/J6TeqO1lll5QyybOfPjpi -WMVJrWIOcaUyqi/GiXZDQBMTZz2iVCUQy/E68tn620lWu6b+p0E1w+CIYcmIx982ECKYWeqw -SvtWFnNurE33IqFPrR16LUUn5TDBXvLaE8slQlGVRwOMbCHMdELtU/8zi48PVwEWL8+m7slw -IhS9/b5sCwMAAAACABxjb21vZG9jZXJ0aWZpY2F0aW9uYXV0aG9yaXR5AAABfBBZrUgABVgu -NTA5AAAEITCCBB0wggMFoAMCAQICEE6BLYqCZeALAu4+NQJG5T0wDQYJKoZIhvcNAQEFBQAw -gYExCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcT -B1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMScwJQYDVQQDEx5DT01PRE8g -Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5 -WjCBgTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE -BxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxJzAlBgNVBAMTHkNPTU9E -TyBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBANBAi4ty45Eb91HBG1QEmNOpv8Hmil07h/u7iM4N4y8/BpbwoilQma7bO6FXsHRRcc3t -QpFNQf6pyNhqhndEu1lml1BetNQscETP2jeVQmk8MMRxs1LwIU2h2Lo5fByeoySd8oMWmKoW -fEObFVu3rjSR/tRiJhhGmj/rwfnxkFfrrHoNi9tyMGpm1eBGo3DcaNn/BEiJd9616ftnbUHp -vDm9MtliAvGxqD1uN5ziL+LToiaLxrhVQ4jhIz6l0iQ5akerANShs6kl/g0/px2601HBC6Ta -rDjvVVAkBWVGkzRPLY2txtQhGdKOygVhcQdzR+WKGRK9BE3OTpylSKy7JvcCAwEAAaOBjjCB -izAdBgNVHQ4EFgQUC1jli8ZMFTekQKkwqSG+RzZaVv8wDgYDVR0PAQH/BAQDAgEGMA8GA1Ud -EwEB/wQFMAMBAf8wSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5jb21vZG9jYS5jb20v -Q09NT0RPQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwDQYJKoZIhvcNAQEFBQADggEBAD6Y -npv2G+nXObd4rh1yGEnTh+RDgus/yar1qLXvVXwhUmX51Q3hbPQ+jJNzkS4CxE4HcW/Ajzhh -CKgegQrALyAvQYuR3EhFvPHG3rp2azPIAC0xRkzt553PiJT/M8BW6CSGJrjYODjfKmvdEszH -P0cXTKLCBpYJ1tv+PzxGQd9Y4lYPPDvBHJM12ThSrO7I7C4wTpQ1tCQfS3hp2vICOMyVUpPw -cCVZnCBnxO75i1dh9JJ2fT+EjVW36OWs1fH1GVamWvuQHK+T6+Uc1GeXXQQOvguDpheDuTAS -oMUzFQW5DfvHBXbj2EqN/DQXo8YhKL4wRTEex3i+WGE4rDviAWUAAAACABF4cmFtcGdsb2Jh -bGNhcm9vdAAAAXwQWa1IAAVYLjUwOQAABDQwggQwMIIDGKADAgECAhBQlGzsGOrVnE3Vl+91 -j6CtMA0GCSqGSIb3DQEBBQUAMIGCMQswCQYDVQQGEwJVUzEeMBwGA1UECxMVd3d3LnhyYW1w -c2VjdXJpdHkuY29tMSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMxLTAr 
-BgNVBAMTJFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNDExMDEx -NzE0MDRaFw0zNTAxMDEwNTM3MTlaMIGCMQswCQYDVQQGEwJVUzEeMBwGA1UECxMVd3d3Lnhy -YW1wc2VjdXJpdHkuY29tMSQwIgYDVQQKExtYUmFtcCBTZWN1cml0eSBTZXJ2aWNlcyBJbmMx -LTArBgNVBAMTJFhSYW1wIEdsb2JhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJ -KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJgkHr0VtLrfx4ylJ7Y4C2nztk6oLC4hHVxE3yFd -fiN0/l5+tEq3pq0fruAGFuKbW9lndGtdgI8pnYYb2ZwNmG12EChY5GWwf0qYeZ/gwzF+gCu1 -jMBAOxGG0MuihjZgpNUwgm3ZbtAPEgQzl19PYVrw5PmRq+cdO7zoz/RrLTR84khhHI7zYUTM -b6BKqZSwTdrnqTR6cjioQcw8lBF968imjLeGy8ozO9k9N4v7ej6GLOdz1wpXrGSbGev0DwQI -iqwDFxlk9FolIo00LLL2aB0SbdOKHhTaxI+m4iOF1XoNvWrg6ezsF7tCG2eqJe1FgyH8wcl8 -1WI++vLFLdP91GUCAwEAAaOBnzCBnDATBgkrBgEEAYI3FAIEBh4EAEMAQTALBgNVHQ8EBAMC -AYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUxk+iPQZjhAmczmLkBKyNXLXpthswNgYD -VR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC54cmFtcHNlY3VyaXR5LmNvbS9YR0NBLmNybDAQ -BgkrBgEEAYI3FQEEAwIBATANBgkqhkiG9w0BAQUFAAOCAQEAkRU5AwEbZ/tKHPkKYFuh2k2X -YvkkUyfXgmROkC7DSRsrmtz8qHhnNfEd8BG9t0jjEPYN3z/SybaqVaRIugLb3lkuFVs7nRZ9 -R9c36l9NdhI2ux/XoYEERiCjLG2pngF+PynOAJPf/cmSc4mJZJ7nK+QckSzSuc59zm8xmdPm -vtIekPAJFHlcI6tN0tohH02ZeZ3hzyefEJsciA2wimRBMbgObJAkpJtccY+6u34cG9tqgA8h -vOnbprdA9LKLqbHk75oa0D1pme6oKKPhPLPwshGcz3xA5t3nQ32i2Dq1qY3yNJnE1BDhBv0J -hBA77sRM9OwnfELCdHyCignJtAMlvAAAAAIAEXF1b3ZhZGlzcm9vdGNhM2czAAABfBBZrUgA -BVguNTA5AAAFZDCCBWAwggNIoAMCAQICFC71mwIop9t6/9Wjqe69A6DPEmodMA0GCSqGSIb3 -DQEBCwUAMEgxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMR4wHAYD -VQQDExVRdW9WYWRpcyBSb290IENBIDMgRzMwHhcNMTIwMTEyMjAyNjMyWhcNNDIwMTEyMjAy -NjMyWjBIMQswCQYDVQQGEwJCTTEZMBcGA1UEChMQUXVvVmFkaXMgTGltaXRlZDEeMBwGA1UE -AxMVUXVvVmFkaXMgUm9vdCBDQSAzIEczMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC -AgEAs8sOEGeO6hSXpzIqClY2f2hMx7NvOiMUkf8Zf6XKrO6zdp166Ysbq2sx2/oLU0yvxaUa -eTyKTP+s3yXeTtmCMgtE3srbjKyjbhaDO6ZkSzKJ+xYWOH7rQ+LTdErCYgpzCt1Js1fSsAqF -nXE83qPLwDLzATkgQxs10VOzse7Fk2mCPha1KEah3uqJCe1DuAVGiob1WUe+G28BIRC5/anS -KMoQOQnKEzbPnK2tQHR5KwI/NP/6IGl90+5h9bqz5zDQNyOGcmFFKUhZaG93pi6BvgdNb6/O 
-xEUTkRRwBo8fn/iHabEO78OJGevqHGH8emyK3NYDC54muhLd1FQ5qyajM+p1gdotzQ9P5APR -7xWXG2uQxQKQk2YCIbFH3ouaSoC5VY+1oi/A1jNn2n7Ep7QEROtH++ZYufcM8HsrscBwKcNA -Yi07SGncIzxI63sJealt2qgwmM+AcgOIpltGrnJ5fAgDIWWut+EcpbEqojHeZgT3wHTocd7/ -PVnMliYSi4WVVxqra3ULRD0RKDx7Ybfij2dP5ew8TGCAaVc4HgFbjVXox9/AzHcjNEl1fPaY -Eest3u1BLhQFAn/g/iDrNecRrCLOVz3eyTBtEAOFzfH/jBa1wbI+iGxgf5BPlff2La0BOQcE -+nWAfb9JUO3vycR8HOuAftu20N0T/snTnNeyl6kCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB -/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMYX0Lyo6gJD8hsGmV0rkCC515zkMA0GCSqG -SIb3DQEBCwUAA4ICAQA0YdlWtRKHVU3dozUxRrukB3K8X2Fi6KX7CzexPLaz+imdfwL1pMmo -k7d6cShpj3PhUpDa1b465bd2alaAId9d5uk6nuU+9qJpxyoKsBhH3CBwfVKjPll8wbrJyBVA -Ycpy1nCs0rfwHOSGKfDO72hj0LUgihVhmn6GmLTJwnb7zLowFsyjYcZ0E+Vr76MV6gP+E4tk -5NPB0uiE+0nREE15Zuuq/fSNMR5wFK3c3mcTTIEVYby32ZF3cRmBYLvwWKW1nAv3jyJVJ8BL -AW07mQ3UHZtjZy/Q7g3KZryUT6at7fzuY6xXP2Ulz7KGj9AI/7h2FG7e5Sfsq3i1U7m2P+gg -+dKovmFGyoeMhPP58aBomyIegSabEASRccAGH9yg07lWp+OYLX+Dnd+MK5wyjjKU8AE8Iiqf -Q8Iuw5g5Bzh7/F4AQh/zMiZ5g4T25fDBURLACx4EIwxUpUwvScVK0bZuYA1r/GuLhSRkt4kO -qyVHWzzPfkm9x+kKxtr3fg4XCNNIl9BxkvAPOT40ahx92PIirrtp9DO0pkhV0Q8OJujstgst -p4U1zf1ZyJ/RzT5aKTS5PYTOsWXUWZGRVnUhwXee+XrhYJ3TrQQY9HzrXpOPU0oiKfhIKz5N -hqxbf8sGmVlg2FhllY1E0fd/fid/fa6A9QdMtj6ccVSZBEv9WPmY9AAAAAIAEnNlY3VyZXNp -Z25yb290Y2ExMQAAAXwQWa1IAAVYLjUwOQAAA3EwggNtMIICVaADAgECAgEBMA0GCSqGSIb3 -DQEBBQUAMFgxCzAJBgNVBAYTAkpQMSswKQYDVQQKEyJKYXBhbiBDZXJ0aWZpY2F0aW9uIFNl -cnZpY2VzLCBJbmMuMRwwGgYDVQQDExNTZWN1cmVTaWduIFJvb3RDQTExMB4XDTA5MDQwODA0 -NTY0N1oXDTI5MDQwODA0NTY0N1owWDELMAkGA1UEBhMCSlAxKzApBgNVBAoTIkphcGFuIENl -cnRpZmljYXRpb24gU2VydmljZXMsIEluYy4xHDAaBgNVBAMTE1NlY3VyZVNpZ24gUm9vdENB -MTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD9d6qlHJAFO8tMmzOLWhRFpOeQ -FtHfV9IhEKQX/d+s1h+n5Nt89+zfuAPalFj9XXJ8jD9fAWd0FZbjAjyH267LAY7C82bGhUX0 -AsY6tWKyr/qcv6Tm1IAwmPMNtpOPqdTYNvKw/IrKLKEVM5Ux2sAb8u5imYZjP7/dkyqDqHa5 -Ex+3zk5ChY8i5y4a8pUJsgW1RE53oSC9qfJOCn1QrfUFDUVPRnH9KD5T+wTYLddlHUob+s87 -sDGaNW7IiwbTAJHylAhlTLE0BgB6ieLwxwNZz9XW6Kcys+aYQIbFzScSi8x7zrcRPGJgByM+ 
diff --git a/kubernetes/common/cert-wrapper/templates/configmap.yaml b/kubernetes/common/cert-wrapper/templates/configmap.yaml deleted file mode 100644 index 117a4ab718..0000000000 --- a/kubernetes/common/cert-wrapper/templates/configmap.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -{{- $suffix := "certs" }} -metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . ) | nindent 2 }} -data: -{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/cert-wrapper/values.yaml b/kubernetes/common/cert-wrapper/values.yaml deleted file mode 100644 index fcece0e3f5..0000000000 --- a/kubernetes/common/cert-wrapper/values.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -certInitializer: - nameOverride: cert-initializer - createCertsCM: true diff --git a/kubernetes/common/certInitializer/Chart.yaml b/kubernetes/common/certInitializer/Chart.yaml deleted file mode 100644 index 6b4e0dfdce..0000000000 --- a/kubernetes/common/certInitializer/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Template used to obtain certificates in onap -name: certInitializer -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: 'file://../common' - - name: readinessCheck - version: ~12.x-0 - repository: 'file://../readinessCheck' - - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' 
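Review bot: Deleting `certInitializer/Chart.yaml` (together with the cert-wrapper `values.yaml` above it, which sets `certInitializer.createCertsCM: true`) removes a chart that is consumed through local `file://` dependencies, the same way this one pulled in `common`, `readinessCheck` and `repositoryGenerator`, so any chart in the tree that still lists `certInitializer` or `cert-wrapper` under `dependencies:` will only fail when `helm dependency` is run, not in review. Before merging, search the remaining `Chart.yaml` files and templates for both names and drop or replace those references. The cert-wrapper ConfigMap built from `resources/*` goes away in the same change, so the description should also say where workloads that mounted those certificates now get their CA bundle and TLS material.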
diff --git a/kubernetes/common/certInitializer/resources/ingress/onboard.sh b/kubernetes/common/certInitializer/resources/ingress/onboard.sh deleted file mode 100644 index 9cc5ec580e..0000000000 --- a/kubernetes/common/certInitializer/resources/ingress/onboard.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/ -}} - -echo "*** retrieving certificates and keys" -export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0) -export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0) -export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0) -echo "*** creating tls secret" -cat </config/${PFILE}; done - env: - {{- range $cred := $dot.Values.credentials }} - - name: {{ $cred.name }} - {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" $cred.uid "key" $cred.key) | nindent 4 }} - {{- end }} - volumeMounts: - - mountPath: /opt/app/config/cache - name: dbc-response-cache - - mountPath: /config-input - name: app-config-input - - mountPath: /config - name: app-config - resources: - limits: - cpu: 200m - memory: 250Mi - requests: - cpu: 100m - memory: 200Mi + resources: {{ include "common.resources" $dot | nindent 4 }} +{{- end -}} {{- end -}} -{{- end -}} \ No newline at end of file diff --git a/kubernetes/common/common/templates/_images.tpl b/kubernetes/common/common/templates/_images.tpl new file mode 100644 index 0000000000..3bbaabc006 
--- /dev/null +++ b/kubernetes/common/common/templates/_images.tpl 
@@ -0,0 +1,121 @@ +{{/* +# Copyright © Original (https://github.com/bitnami/charts) VMware, Inc. +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the proper Docker Image Registry Secret Names +Original, if common way of image definition: +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.tls.image) "context" $) -}} +*/}} +{{- define "common.imagePullSecrets" -}} +{{- $images := list }} +{{- if .Values.image }} + {{- if kindIs "map" .Values.image -}} + {{- $images = append $images ".Values.image" -}} + {{- end -}} +{{- end -}} +{{- if .Values.metrics }} + {{- if .Values.metrics.image }} + {{- if kindIs "map" .Values.metrics.image -}} + {{- $images = append $images ".Values.metrics.image" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- include "common.images._renderPullSecrets" (dict "images" $images "context" $) -}} +{{- end -}} + +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global ) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = 
.global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images._renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + {{- $images := .images }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues._render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues._render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- range $image := $images -}} + {{- if contains "pullSecret" $image -}} + {{- range $pullSecret := $image.pullSecrets -}} + {{- if kindIs "map" $pullSecret -}} + {{- $pullSecrets = append $pullSecrets $pullSecret.name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets $pullSecret -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . 
}} + {{- end }} + {{- else -}} +imagePullSecrets: [] + {{- end }} +{{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images._version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index d8a944712a..4d762c72f5 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl 
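Review bot: In _images.tpl, common.imagePullSecrets appends the quoted strings ".Values.image" and ".Values.metrics.image" to $images instead of the maps themselves, so in common.images._renderPullSecrets the test `contains "pullSecret" $image` is a substring check on those literals and never matches; per-image pullSecrets are never rendered and only global.imagePullSecrets take effect. Append the values (`append $images .Values.image`) and test with `hasKey $image "pullSecrets"`. The usage comments also still name common.images.renderPullSecrets and common.images.version while the defines are _renderPullSecrets and _version, and "ingores" should read "ignores".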
@@ -14,6 +14,186 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} +{{/* + Helper function to check, if Ingress is globally enabled +*/}} +{{- define "common.ingressEnabled" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.ingress -}} +{{- if $dot.Values.global.ingress -}} +{{- if (default false $dot.Values.global.ingress.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to check, if Ingress is enabled +*/}} +{{- define "common.ingress._enabled" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.ingress -}} +{{- if $dot.Values.global.ingress -}} +{{- if (default false $dot.Values.global.ingress.enabled) -}} +{{- if (default false $dot.Values.global.ingress.enable_all) -}} +true +{{- else -}} +{{- if $dot.Values.ingress.enabled -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to check, if TLS redirect is enabled +*/}} +{{- define "common.ingress._tlsRedirect" -}} +{{- $dot := default . .dot -}} +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.ssl }} +{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Provider (default is "ingress") +*/}} +{{- define "common.ingress._provider" -}} +{{- $dot := default . .dot -}} +{{- $provider := "ingress" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.provider -}} +{{- if ne $dot.Values.global.ingress.provider "" -}} +{{ $provider = $dot.Values.global.ingress.provider }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $provider -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Class (default is "nginx") +*/}} +{{- define "common.ingress._class" -}} +{{- $dot := default . 
.dot -}} +{{- $class := "nginx" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.ingressClass -}} +{{- if ne $dot.Values.global.ingress.ingressClass "" -}} +{{ $class = $dot.Values.global.ingress.ingressClass }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $class -}} +{{- end -}} + +{{/* + Helper function to get the Ingress Selector (default is "ingress") +*/}} +{{- define "common.ingress._selector" -}} +{{- $dot := default . .dot -}} +{{- $selector := "ingress" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.ingressSelector -}} +{{- if ne $dot.Values.global.ingress.ingressSelector "" -}} +{{ $selector = $dot.Values.global.ingress.ingressSelector }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $selector -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway, if exists +*/}} +{{- define "common.ingress._commonGateway" -}} +{{- $dot := default . .dot -}} +{{- $gateway := "-" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $gateway = $dot.Values.global.ingress.commonGateway.name }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $gateway -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway HTTP Listener name, if exists +*/}} +{{- define "common.ingress._gatewayHTTPListener" -}} +{{- $dot := default . .dot -}} +{{- $listener := "http-80" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $listener = $dot.Values.global.ingress.commonGateway.httpListener }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $listener -}} +{{- end -}} + +{{/* + Helper function to get the common Gateway HTTPS Listener name, if exists +*/}} +{{- define "common.ingress._gatewayHTTPSListener" -}} +{{- $dot := default . 
.dot -}} +{{- $listener := "https-443" -}} +{{- if $dot.Values.global.ingress -}} +{{- if $dot.Values.global.ingress.commonGateway -}} +{{- if $dot.Values.global.ingress.commonGateway.name -}} +{{ $listener = $dot.Values.global.ingress.commonGateway.httpsListener }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $listener -}} +{{- end -}} + +{{/* + Helper function to check the existance of an override value +*/}} +{{- define "common.ingress._overrideIfDefined" -}} + {{- $currValue := .currVal }} + {{- $parent := .parent }} + {{- $var := .var }} + {{- if $parent -}} + {{- if hasKey $parent $var }} + {{- default "" (index $parent $var) }} + {{- else -}} + {{- default "" $currValue -}} + {{- end -}} + {{- else -}} + {{- default "" $currValue }} + {{- end -}} +{{- end -}} + +{{/* + Helper function to get the protocol of the service +*/}} +{{- define "common.ingress._protocol" -}} +{{- $dot := default . .dot -}} +{{- $protocol := "http" -}} +{{- if $dot.tcpRoutes }} +{{- $protocol = "tcp" -}} +{{- end -}} +{{- if $dot.udpRoutes }} +{{- $protocol = "tcp" -}} +{{- end -}} +{{- if $dot.protocol }} +{{- $protocol = (lower $dot.protocol) -}} +{{- end -}} +{{- $protocol -}} +{{- end -}} + {{/* Create the hostname as concatination . - baseaddr: from component values: ingress.service.baseaddr 
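Review bot: In common.ingress._protocol the udpRoutes branch sets $protocol to "tcp", the same value as the tcpRoutes branch; it should be "udp", otherwise a UDP-only service is reported as TCP to every caller. In _gatewayHTTPListener and _gatewayHTTPSListener the guard tests commonGateway.name but then assigns commonGateway.httpListener / httpsListener, so a common gateway that sets only a name replaces the "http-80" / "https-443" defaults with an empty value; guard on the listener key itself. common.ingress._tlsRedirect also reads $dot.Values.global.ingress.config without first checking global.ingress, unlike the helpers around it.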
@@ -23,50 +203,109 @@ {{- define "ingress.config.host" -}} {{- $dot := default . .dot -}} {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $preaddr := default "" $dot.Values.global.ingress.virtualhost.preaddr -}} +{{- $preaddr := include "common.ingress._overrideIfDefined" (dict "currVal" $preaddr "parent" (default (dict) $dot.Values.ingress) "var" "preaddrOverride") -}} +{{- $postaddr := default "" $dot.Values.global.ingress.virtualhost.postaddr -}} +{{- $postaddr := include "common.ingress._overrideIfDefined" (dict "currVal" $postaddr "parent" (default (dict) $dot.Values.ingress) "var" "postaddrOverride") -}} {{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}} {{- $burl := include "common.ingress._overrideIfDefined" (dict "currVal" $burl "parent" (default (dict) $dot.Values.ingress) "var" "baseurlOverride") -}} -{{ printf "%s.%s" $baseaddr $burl }} +{{ printf "%s%s%s.%s" $preaddr $baseaddr $postaddr $burl }} {{- end -}} {{/* - Helper function to add the tls route + Istio Helper function to add the tls route */}} -{{- define "ingress.config.tls" -}} +{{- define "istio.config.tls_simple" -}} {{- $dot := default . .dot -}} -{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} + tls: {{- if $dot.Values.global.ingress.config }} -{{- if $dot.Values.global.ingress.config.ssl }} -{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }} +{{- if $dot.Values.global.ingress.config.tls }} + credentialName: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }} +{{- else }} + credentialName: "ingress-tls-secret" +{{- end }} +{{- else }} + credentialName: "ingress-tls-secret" +{{- end }} + mode: SIMPLE +{{- end -}} + +{{/* + Istio Helper function to add the tls route +*/}} +{{- define "istio.config.tls" -}} +{{- $dot := default . 
.dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- if $service.exposedPort }} +{{- if $service.exposedProtocol }} +{{- if eq $service.exposedProtocol "TLS" }} + {{ include "istio.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- else }} +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.ssl }} +{{- if eq $dot.Values.global.ingress.config.ssl "redirect" }} tls: httpsRedirect: true - port: number: 443 name: https protocol: HTTPS - tls: -{{- if $dot.Values.global.ingress.config }} -{{- if $dot.Values.global.ingress.config.tls }} - credentialName: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }} -{{- else }} - credentialName: "ingress-tls-secret" -{{- end }} -{{- else }} - credentialName: "ingress-tls-secret" -{{- end }} - mode: SIMPLE + {{ include "istio.config.tls_simple" (dict "dot" $dot ) }} hosts: - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} +{{- end }} {{- end }} {{- end }} {{- end }} {{- end -}} +{{/* + Istio Helper function to add the external port of the service +*/}} +{{- define "istio.config.port" -}} +{{- $dot := default . .dot -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the name of the port, is required." 
.protocol) -}} +{{- if $dot.exposedPort }} + number: {{ $dot.exposedPort }} +{{- if $dot.exposedProtocol }} + name: {{ $protocol }}-{{ $dot.exposedPort }} + protocol: {{ $dot.exposedProtocol }} +{{- else }} + name: {{ $protocol }} + protocol: HTTP +{{- end -}} +{{- else }} + number: 80 + name: {{ $protocol }} + protocol: HTTP +{{- end -}} +{{- end -}} + +{{/* + Create Port entry in the Gateway resource +*/}} +{{- define "istio.config.gatewayPort" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} + - port: + {{- include "istio.config.port" (dict "dot" $service "baseaddr" $baseaddr "protocol" $protocol) }} + hosts: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{- include "istio.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }} +{{- end -}} + {{/* Helper function to add the route to the service */}} {{- define "ingress.config.port" -}} {{- $dot := default . .dot -}} -{{ range .Values.ingress.service }} +{{ range $dot.Values.ingress.service }} {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} http: 
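Review bot: In istio.config.tls, once a service sets exposedPort the global ingress.config.ssl setting is no longer consulted, and a tls block is emitted only when exposedProtocol is exactly "TLS"; a port exposed as HTTPS, or as "tls" in lower case, gets no credentialName. Compare case-insensitively and decide explicitly what HTTPS on an exposed port should render. istio.config.port marks baseaddr as required but never uses it, and istio.config.tls_simple repeats the "ingress-tls-secret" fallback in three branches where one default on a guarded lookup would do.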
@@ -88,44 +327,67 @@ {{- end -}} {{/* - Helper function to add the route to the service + Istio Helper function to add the route to the service */}} {{- define "istio.config.route" -}} -{{- $dot := default . .dot -}} - http: +{{- $dot := default . .dot -}} +{{- $protocol := (required "'protocol' param, is required." .protocol) -}} +{{- if eq $protocol "tcp" }} + - match: + - port: {{ $dot.exposedPort }} + route: + - destination: + port: + {{- if $dot.plain_port }} + {{- if kindIs "string" $dot.plain_port }} + name: {{ $dot.plain_port }} + {{- else }} + number: {{ $dot.plain_port }} + {{- end }} + {{- else }} + {{- if kindIs "string" $dot.port }} + name: {{ $dot.port }} + {{- else }} + number: {{ $dot.port }} + {{- end }} + {{- end }} + host: {{ $dot.name }} +{{- else if eq $protocol "http" }} - route: - destination: port: - {{- if .plain_port }} - {{- if kindIs "string" .plain_port }} - name: {{ .plain_port }} + {{- if $dot.plain_port }} + {{- if kindIs "string" $dot.plain_port }} + name: {{ $dot.plain_port }} {{- else }} - number: {{ .plain_port }} + number: {{ $dot.plain_port }} {{- end }} {{- else }} - {{- if kindIs "string" .port }} - name: {{ .port }} + {{- if kindIs "string" $dot.port }} + name: {{ $dot.port }} {{- else }} - number: {{ .port }} + number: {{ $dot.port }} {{- end }} {{- end }} - host: {{ .name }} + host: {{ $dot.name }} +{{- end -}} {{- end -}} {{/* Helper function to add ssl annotations */}} {{- define "ingress.config.annotations.ssl" -}} +{{- $class := include "common.ingress._class" (dict "dot" .) 
}} {{- if .Values.ingress.config -}} {{- if .Values.ingress.config.ssl -}} {{- if eq .Values.ingress.config.ssl "redirect" -}} -kubernetes.io/ingress.class: nginx -nginx.ingress.kubernetes.io/ssl-passthrough: "true" -nginx.ingress.kubernetes.io/ssl-redirect: "true" +kubernetes.io/ingress.class: {{ $class }} +{{ $class }}.ingress.kubernetes.io/ssl-passthrough: "true" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "true" {{- else if eq .Values.ingress.config.ssl "native" -}} -nginx.ingress.kubernetes.io/ssl-redirect: "true" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "true" {{- else if eq .Values.ingress.config.ssl "none" -}} -nginx.ingress.kubernetes.io/ssl-redirect: "false" +{{ $class }}.ingress.kubernetes.io/ssl-redirect: "false" {{- end -}} {{- end -}} {{- end -}} 
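Review bot: In istio.config.route only the literal values "tcp" and "http" are handled and there is no else branch, so any other protocol string, including "HTTP" or "udp", renders an empty route without an error; lower-case the argument and fail on unknown values. In ingress.config.annotations.ssl the annotation keys are now built as `{{ $class }}.ingress.kubernetes.io/...`, which assumes every ingress class uses its own name as the annotation prefix; a non-nginx class would get keys its controller may not read, so either keep the nginx prefix for the nginx class only or document the assumption.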
@@ -144,51 +406,17 @@ nginx.ingress.kubernetes.io/ssl-redirect: "false" {{ include "ingress.config.annotations.ssl" . | indent 4 | trim }} {{- end -}} -{{/* - Helper function to check the existance of an override value -*/}} -{{- define "common.ingress._overrideIfDefined" -}} - {{- $currValue := .currVal }} - {{- $parent := .parent }} - {{- $var := .var }} - {{- if $parent -}} - {{- if hasKey $parent $var }} - {{- default "" (index $parent $var) }} - {{- else -}} - {{- default "" $currValue -}} - {{- end -}} - {{- else -}} - {{- default "" $currValue }} - {{- end -}} -{{- end -}} - -{{/* - Helper function to check, if Ingress is enabled -*/}} -{{- define "common.ingress._enabled" -}} -{{- $dot := default . .dot -}} -{{- if $dot.Values.ingress -}} -{{- if $dot.Values.global.ingress -}} -{{- if (default false $dot.Values.global.ingress.enabled) -}} -{{- if (default false $dot.Values.global.ingress.enable_all) -}} -true -{{- else -}} -{{- if $dot.Values.ingress.enabled -}} -true -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} - {{/* Create Istio Ingress resources per defined service */}} {{- define "common.istioIngress" -}} -{{- $dot := default . .dot -}} -{{ range $dot.Values.ingress.service }} -{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- $dot := default . .dot -}} +{{- $selector := include "common.ingress._selector" (dict "dot" $dot) }} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) }} +{{ range $dot.Values.ingress.service }} +{{ if or ( eq (include "common.ingress._protocol" (dict "dot" .)) "http" ) ( eq (include "common.ingress._protocol" (dict "dot" .)) "tcp" )}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- if eq $gateway "-" }} --- apiVersion: networking.istio.io/v1beta1 kind: Gateway 
@@ -196,15 +424,20 @@ metadata: name: {{ $baseaddr }}-gateway spec: selector: - istio: ingressgateway # use Istio default gateway implementation + istio: {{ $selector }} servers: - - port: - number: 80 - name: http - protocol: HTTP - hosts: - - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{ include "ingress.config.tls" (dict "dot" $dot "baseaddr" $baseaddr) }} +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{ end -}} +{{- else }} + {{- if .protocol }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" .protocol) | trim }} + {{- else }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} + {{ end }} +{{ end }} +{{ end }} --- apiVersion: networking.istio.io/v1beta1 kind: VirtualService 
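Review bot: The Gateway selector changes from the fixed `istio: ingressgateway` to `istio: {{ $selector }}`, and common.ingress._selector defaults to "ingress", so installations that do not set global.ingress.ingressSelector silently start targeting a different gateway workload label after upgrade. Default the helper to "ingressgateway" or call out the change in the release notes. The `.protocol` value is also passed to istio.config.gatewayPort without `lower`, although common.ingress._protocol lower-cases it for the filter above.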
@@ -214,9 +447,287 @@ spec: hosts: - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} gateways: +{{- if eq $gateway "-" }} - {{ $baseaddr }}-gateway - {{ include "istio.config.route" . | trim }} -{{- end -}} +{{- else }} + - {{ $gateway }} +{{- end }} +{{- if .tcpRoutes }} + tcp: +{{ range .tcpRoutes }} + {{ include "istio.config.route" (dict "dot" . "protocol" "tcp") | trim }} +{{ end -}} +{{- else }} + {{- if .protocol }} + {{ .protocol }}: + {{ include "istio.config.route" (dict "dot" . "protocol" .protocol) | trim }} + {{- else }} + http: + {{ include "istio.config.route" (dict "dot" . "protocol" "http") | trim }} + {{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + GW-API Helper function to add the tls route +*/}} +{{- define "gwapi.config.tls_simple" -}} +{{- $dot := default . .dot -}} + tls: +{{- if $dot.Values.global.ingress.config }} +{{- if $dot.Values.global.ingress.config.tls }} + certificateRefs: + - kind: Secret + group: "" + name: {{ default "ingress-tls-secret" $dot.Values.global.ingress.config.tls.secret }} +{{- else }} + certificateRefs: + - kind: Secret + group: "" + name: "ingress-tls-secret" +{{- end }} +{{- else }} + certificateRefs: + - kind: Secret + group: "" + name: "ingress-tls-secret" +{{- end }} + mode: Terminate +{{- end -}} + +{{/* + GW-API Helper function to add the tls route +*/}} +{{- define "gwapi.config.tls" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." 
.baseaddr) -}} +{{- if $service.exposedPort }} +{{- if $service.exposedProtocol }} +{{- if eq $service.exposedProtocol "TLS" }} + {{ include "gwapi.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- else }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} + - name: HTTPS-443 + port: 443 + protocol: HTTPS + hostname: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{ include "gwapi.config.tls_simple" (dict "dot" $dot ) }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Create Listener entry in the Gateway resource +*/}} +{{- define "gwapi.config.listener" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} +{{- $port := default 80 $service.exposedPort -}} + - name: {{ $protocol }}-{{ $port }} + port: {{ $port }} +{{- if $service.exposedProtocol }} + protocol: {{ upper $service.exposedProtocol }} +{{- else }} + protocol: HTTP +{{- end }} + hostname: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + allowedRoutes: + namespaces: + from: All +{{- if eq $service.protocol "tcp" }} + kinds: + - kind: TCPRoute +{{- else if eq $service.protocol "tcp" }} + kinds: + - kind: UDPRoute +{{- end }} + {{- include "gwapi.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }} +{{- end -}} + +{{/* + Create *Route entry for the Gateway-API +*/}} +{{- define "gwapi.config.route" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." 
.baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) -}} +{{- $namespace := default "istio-ingress" $dot.Values.global.ingress.namespace -}} +{{- $path := default "/" $service.path -}} +{{- if eq $protocol "udp" -}} +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: UDPRoute +metadata: + name: {{ $baseaddr }}-{{ $service.exposedPort }}-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: udp-{{ $service.exposedPort }} + rules: + - backendRefs: + - group: '' + kind: Service + name: {{ $service.name }} + port: {{ $service.port }} + weight: 1 +{{- else if eq $protocol "tcp" }} +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TCPRoute +metadata: + name: {{ $baseaddr }}-{{ $service.exposedPort }}-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: tcp-{{ $service.exposedPort }} + rules: + - backendRefs: + - group: '' + kind: Service + name: {{ $service.name }} + port: {{ $service.port }} + weight: 1 +{{- else if eq $protocol "http" }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: {{ $baseaddr }}-http-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} + sectionName: {{ include "common.ingress._gatewayHTTPSListener" (dict "dot" $dot) }} +{{- else }} + sectionName: {{ include 
"common.ingress._gatewayHTTPListener" (dict "dot" $dot) }} +{{- end }} + hostnames: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + rules: + - backendRefs: + - group: '' + kind: Service + name: {{ $service.name }} + port: {{ $service.port }} + weight: 1 + matches: + - path: + type: PathPrefix + value: {{ $path }} +{{- if (include "common.ingress._tlsRedirect" (dict "dot" $dot)) }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: HTTPRoute +metadata: + name: {{ $baseaddr }}-redirect-route +spec: + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway +{{- if eq $gateway "-" }} + name: {{ $baseaddr }}-gateway +{{- else }} + name: {{ $gateway }} +{{- end }} + namespace: {{ $namespace }} + sectionName: {{ include "common.ingress._gatewayHTTPListener" (dict "dot" $dot) }} + hostnames: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + port: 443 + matches: + - path: + type: PathPrefix + value: {{ $path }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Create GW-API Ingress resources per defined service +*/}} +{{- define "common.gwapiIngress" -}} +{{- $dot := default . .dot -}} +{{- $selector := include "common.ingress._selector" (dict "dot" $dot) }} +{{- $gateway := include "common.ingress._commonGateway" (dict "dot" $dot) }} +{{ range $dot.Values.ingress.service }} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- if eq $gateway "-" }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: Gateway +metadata: + name: {{ $baseaddr }}-gateway +spec: + gatewayClassName: {{ $dot.Values.global.serviceMesh.engine }} + listeners: +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . 
"baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{- end -}} +{{- else if .udpRoutes }} +{{ range .udpRoutes }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "udp") | trim }} +{{- end -}} +{{- else }} +{{- if .protocol }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" (lower .protocol)) | trim }} +{{- else }} + {{ include "gwapi.config.listener" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} +{{- end }} +{{- end }} +{{- end }} +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{- end -}} +{{- else if .udpRoutes }} +{{ range .udpRoutes }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "udp") | trim }} +{{- end -}} +{{- else }} +{{- if .protocol }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" (lower .protocol)) | trim }} +{{- else }} +{{ include "gwapi.config.route" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} +{{- end }} +{{- end }} +{{- end }} {{- end -}} {{/* 
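Review bot: In gwapi.config.listener both branches of the allowedRoutes kinds test compare $service.protocol with "tcp", so the UDPRoute branch can never be reached; the second condition should test "udp", and using the required $protocol argument instead of $service.protocol would also cover tcpRoutes/udpRoutes entries that carry no protocol key. The redirect listener in gwapi.config.tls is named HTTPS-443 while the HTTPRoute sectionName comes from _gatewayHTTPSListener, whose default is "https-443", so the names do not match on a per-service gateway. `allowedRoutes.namespaces.from: All` lets routes from any namespace attach to these listeners; prefer Same or a namespace selector unless cross-namespace attachment is intended.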
@@ -224,34 +735,33 @@ spec: */}} {{- define "common.nginxIngress" -}} {{- $dot := default . .dot -}} +{{ range $dot.Values.ingress.service }} +{{ if eq (include "common.ingress._protocol" (dict "dot" $dot)) "http" }} +{{ $baseaddr := required "baseaddr" .baseaddr }} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: {{ include "common.fullname" $dot }}-ingress annotations: {{ include "ingress.config.annotations" $dot }} - labels: - app: {{ $dot.Chart.Name }} - chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }} - release: {{ include "common.release" $dot }} - heritage: {{ $dot.Release.Service }} + labels: {{- include "common.labels" $dot | nindent 4 }} spec: rules: {{ include "ingress.config.port" $dot | trim }} -{{- if $dot.Values.ingress.tls }} +{{- if $dot.Values.ingress.tls }} tls: {{ toYaml $dot.Values.ingress.tls | indent 4 }} -{{- end -}} -{{- if $dot.Values.ingress.config -}} -{{- if $dot.Values.ingress.config.tls -}} +{{- end -}} +{{- if $dot.Values.ingress.config -}} +{{- if $dot.Values.ingress.config.tls }} tls: - hosts: - {{- range $dot.Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- end }} secretName: {{ required "secret" (tpl (default "" $dot.Values.ingress.config.tls.secret) $dot) }} -{{- end -}} -{{- end -}} +{{- end }} +{{- end }} +{{- end }} +{{- end }} {{- end -}} {{/* 
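Review bot: In common.nginxIngress the new `range $dot.Values.ingress.service` wraps the whole Ingress, but metadata.name is still `{{ include "common.fullname" $dot }}-ingress` and no `---` separator is emitted, so a chart with more than one service renders several documents with the same name run together; ingress.config.port already ranges over all services inside each copy. Keep a single Ingress outside the loop, or give each one a per-service name and a separator. The protocol filter calls common.ingress._protocol with (dict "dot" $dot), the chart root, rather than the current service, so a service's protocol or tcpRoutes never influence it.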
@@ -268,22 +778,29 @@ spec: | true | true | any | ingress | | true | false | true | ingress | - If ServiceMesh (Istio) is enabled the respective resources are created: - - Gateway + If ServiceMesh (Ingress-Provider: Istio) is enabled the respective resources + are created: + - Gateway (optional) - VirtualService + If ServiceMesh (Ingress-Provider: GatewayAPI) is enabled the respective resources + are created: + - Gateway (optional) + - HTTPRoute, TCPRoute, UDPRoute (depending) + If ServiceMesh is disabled the standard Ingress resource is creates: - Ingress */}} {{- define "common.ingress" -}} {{- $dot := default . .dot -}} +{{- $provider := include "common.ingress._provider" (dict "dot" $dot) -}} {{- if (include "common.ingress._enabled" (dict "dot" $dot)) }} -{{- if (include "common.onServiceMesh" .) }} -{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} -{{ include "common.istioIngress" (dict "dot" $dot) }} -{{- end -}} -{{- else -}} +{{- if eq $provider "ingress" -}} {{ include "common.nginxIngress" (dict "dot" $dot) }} +{{- else if eq $provider "istio" -}} +{{ include "common.istioIngress" (dict "dot" $dot) }} +{{- else if eq $provider "gw-api" -}} +{{ include "common.gwapiIngress" (dict "dot" $dot) }} {{- end -}} {{- end -}} {{- end -}} diff --git a/kubernetes/common/common/templates/_labels.tpl b/kubernetes/common/common/templates/_labels.tpl index 993fb7dfac..97e2e7f123 100644 --- a/kubernetes/common/common/templates/_labels.tpl +++ b/kubernetes/common/common/templates/_labels.tpl @@ -1,6 +1,7 @@ {{/* # Copyright © 2019 Orange -# Modifications Copyright (C) 2022 Bell Canada +# Modifications Copyright © 2022 Bell Canada +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -22,10 +23,20 @@ Common labels The function takes several arguments (inside a dictionary): - .dot : environment (.) - .labels : labels to add (dict) + - .suffix : name suffix + - .prefix : name prefix */}} {{- define "common.labels" -}} {{- $dot := default . .dot -}} -app.kubernetes.io/name: {{ include "common.name" $dot }} +{{- $suffix := default "" .suffix -}} +{{- $prefix := default "" .prefix -}} +app.kubernetes.io/name: {{ include "common.name" (dict "dot" $dot "suffix" $suffix "prefix" $prefix) }} +app: {{ include "common.name" (dict "dot" $dot "suffix" $suffix "prefix" $prefix) }} +{{- if $dot.Chart.AppVersion }} +version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" +{{- else }} +version: "{{ $dot.Chart.Version | replace "+" "_" }}" +{{- end }} {{ if not .ignoreHelmChart }} helm.sh/chart: {{ include "common.chart" $dot }} {{- end }} @@ -68,7 +79,12 @@ app.kubernetes.io/instance: {{ include "common.release" $dot }} {{- $suffix := default "" .suffix -}} {{- $labels := default (dict) .labels -}} {{- $annotations := default (dict) .annotations -}} +{{- $includeFullname := default "true" .includeFullname -}} +{{- if eq ($includeFullname | lower) "true" -}} name: {{ include "common.fullname" (dict "suffix" $suffix "dot" $dot )}} +{{- else -}} +name: {{ include "common.name" (dict "suffix" $suffix "dot" $dot )}} +{{- end }} namespace: {{ include "common.namespace" $dot }} labels: {{- include "common.labels" (dict "labels" $labels "ignoreHelmChart" .ignoreHelmChart "dot" $dot ) | nindent 2 }} {{- if $annotations }} 
@@ -93,13 +109,16 @@ matchLabels: {{- include "common.matchLabels" (dict "matchLabels" $matchLabels " The function takes several arguments (inside a dictionary) - .dot : environment (.) - .labels: labels to add (dict) + - .annotations: annotation to add (dict) */}} {{- define "common.templateMetadata" -}} {{- $dot := default . .dot -}} {{- $labels := default (dict) .labels -}} -{{- if $dot.Values.podAnnotations }} -annotations: {{- include "common.tplValue" (dict "value" $dot.Values.podAnnotations "context" $dot) | nindent 2 }} +{{- $suffix := default "" .suffix -}} +{{- $annotations := default $dot.Values.podAnnotations .annotations -}} +{{- if $annotations}} +annotations: {{- include "common.tplValue" (dict "value" $annotations "context" $dot) | nindent 2 }} {{- end }} labels: {{- include "common.labels" (dict "labels" $labels "ignoreHelmChart" .ignoreHelmChart "dot" $dot) | nindent 2 }} -name: {{ include "common.name" $dot }} +name: {{ include "common.name" (dict "suffix" $suffix "dot" $dot )}} {{- end -}} diff --git a/kubernetes/common/common/templates/_log.tpl b/kubernetes/common/common/templates/_log.tpl index 369c25b254..ca5eb11992 100644 --- a/kubernetes/common/common/templates/_log.tpl +++ b/kubernetes/common/common/templates/_log.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modification Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,17 +24,17 @@ - name: filebeat-conf mountPath: /usr/share/filebeat/filebeat.yml subPath: filebeat.yml - - name: logs + - name: sidecar-logs mountPath: {{ .Values.log.path }} - name: filebeat-data mountPath: /usr/share/filebeat/data resources: requests: - memory: "5Mi" cpu: "10m" + memory: "5Mi" limits: - memory: "20Mi" cpu: "100m" + memory: "20Mi" {{- end -}} {{- end -}} 
@@ -45,7 +46,11 @@ configMap: name: {{ $configMapName }} - name: filebeat-data - emptyDir: {} + emptyDir: + sizeLimit: {{ $dot.Values.log.dataSizeLimit }} +- name: sidecar-logs + emptyDir: + sizeLimit: {{ $dot.Values.log.sizeLimit }} {{- end -}} {{- end -}} @@ -59,4 +64,3 @@ data: {{ tpl (.Files.Glob "resources/config/log/filebeat/*").AsConfig . | indent 2 }} {{- end }} {{- end -}} - diff --git a/kubernetes/common/common/templates/_mariadb.tpl b/kubernetes/common/common/templates/_mariadb.tpl index 5021c500b0..f2a4a0c09e 100644 --- a/kubernetes/common/common/templates/_mariadb.tpl +++ b/kubernetes/common/common/templates/_mariadb.tpl @@ -1,5 +1,6 @@ {{/* # Copyright © 2019 Orange +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -58,12 +59,27 @@ {{- include "common.mariadb.secret._secretName" (set . "uidTemplate" "common.mariadb.secret.userCredentialsUID") }} {{- end -}} +{{/* + Choose the name of the mariadb app label to use. +*/}} +{{- define "common.mariadbAppName" -}} + {{- if .Values.global.mariadbGalera.localCluster -}} + {{- index .Values "mariadb-galera" "nameOverride" -}} + {{- else -}} + {{- .Values.global.mariadbGalera.nameOverride -}} + {{- end -}} +{{- end -}} + {{/* Choose the name of the mariadb service to use. */}} {{- define "common.mariadbService" -}} {{- if .Values.global.mariadbGalera.localCluster -}} + {{- if and .Values.global.mariadbGalera.useOperator (index .Values "mariadb-galera" "mariadbOperator" "galera" "enabled") }} + {{- printf "%s-primary" (index .Values "mariadb-galera" "nameOverride") -}} + {{- else }} {{- index .Values "mariadb-galera" "nameOverride" -}} + {{- end }} {{- else -}} {{- .Values.global.mariadbGalera.service -}} {{- end -}} 
@@ -97,3 +113,339 @@ {{- define "common.mariadbSecretParam" -}} {{ printf "password" -}} {{- end -}} + +{{/* + Create MariaDB Database via mariadb-operator +*/}} +{{- define "common.mariadbOpDatabase" -}} +{{- $dot := default . .dot -}} +{{- $dbname := (required "'dbame' param, is required." .dbname) -}} +{{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Database +metadata: + name: {{ $dbinst }}-{{ $dbname }} +spec: + name: {{ $dbname }} + mariaDbRef: + name: {{ $dbinst }} + characterSet: utf8 + collate: utf8_general_ci + retryInterval: 5s +{{- end -}} + +{{/* + Create MariaDB User via mariadb-operator +*/}} +{{- define "common.mariadbOpUser" -}} +{{- $dot := default . .dot -}} +{{- $dbuser := (required "'dbuser' param, is required." .dbuser) -}} +{{- $dbinst := (required "'dbinst' param, is required." .dbinst) -}} +{{- $dbsecret := (required "'dbsecret' param, is required." .dbsecret) -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: User +metadata: + name: {{ $dbinst }}-{{ $dbuser }} +spec: + name: {{ $dbuser }} + mariaDbRef: + name: {{ $dbinst }} + waitForIt: true + passwordSecretKeyRef: + name: {{ $dbsecret }} + key: password + # This field is immutable and defaults to 10 + maxUserConnections: 100 + retryInterval: 5s +{{- end -}} + +{{/* + Grant rights to a MariaDB User via mariadb-operator +*/}} +{{- define "common.mariadbOpGrants" -}} +{{- $dot := default . .dot -}} +{{- $dbuser := (required "'dbuser' param, is required." .dbuser) -}} +{{- $dbname := (required "'dbame' param, is required." .dbname) -}} +{{- $dbinst := (required "'dbinst' param, is required." 
.dbinst) -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Grant +metadata: + name: {{ $dbuser }}-{{ $dbname }}-{{ $dbinst }} +spec: + mariaDbRef: + name: {{ $dbinst }} + waitForIt: true + privileges: + - "ALL" + database: {{ $dbname }} + table: "*" + username: {{ $dbuser }} + retryInterval: 5s + grantOption: true +{{- end -}} + +{{/* + MariaDB Backup via mariadb-operator +*/}} +{{- define "common.mariadbOpBackup" -}} +{{- $dot := default . .dot -}} +{{- $dbinst := include "common.name" $dot -}} +{{- $name := default $dbinst $dot.Values.backup.nameOverride -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: Backup +metadata: + name: {{ $name }} +spec: + inheritMetadata: + labels: + sidecar.istio.io/inject: 'false' + backoffLimit: 5 + logLevel: info + mariaDbRef: + name: {{ $dbinst }} + waitForIt: true + schedule: + cron: {{ $dot.Values.backup.cron }} + suspend: false + maxRetention: {{ $dot.Values.backup.maxRetention }} + storage: + {{- if eq $dot.Values.backup.storageType "PVC" }} + persistentVolumeClaim: + resources: + requests: + storage: {{ $dot.Values.backup.persistence.size }} + {{- if $dot.Values.mariadbOperator.storageClassName }} + storageClassName: {{ $dot.Values.mariadbOperator.storageClassName }} + {{- end }} + accessModes: + - {{ $dot.Values.backup.persistence.accessMode }} + {{- end }} + {{- if eq $dot.Values.backup.storageType "S3" }} + s3: {{- include "common.tplValue" ( dict "value" .Values.backup.s3 "context" $) | nindent 6 }} + {{- end }} + {{- if eq $dot.Values.backup.storageType "volume" }} + volume: {{- include "common.tplValue" ( dict "value" .Values.backup.volume "context" $) | nindent 6 }} + {{- end }} + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + cpu: "300m" + memory: "500Mi" +{{- end -}} + +{{/* + Create a MariaDB instance via mariadb-operator +*/}} +{{- define "common.mariadbOpInstance" -}} +{{- $dot := default . 
.dot -}} +{{- $global := $dot.Values.global -}} +{{- $dbinst := include "common.name" $dot -}} +{{- $dbrootsecret := tpl (default (include "common.mariadb.secret.rootPassSecretName" (dict "dot" $dot "chartName" "")) $dot.Values.rootUser.externalSecret) $dot -}} +{{- $dbusersecret := tpl (default (include "common.mariadb.secret.userCredentialsSecretName" (dict "dot" $dot "chartName" "")) $dot.Values.db.externalSecret) $dot -}} +--- +apiVersion: k8s.mariadb.com/v1alpha1 +kind: MariaDB +metadata: + name: {{ $dbinst }} +spec: + resources: {{ include "common.resources" . | nindent 4 }} + podSecurityContext: + runAsUser: 10001 + runAsGroup: 10001 + fsGroup: 10001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + volumes: + - name: run + emptyDir: + sizeLimit: 64Mi + - name: tmp + emptyDir: + sizeLimit: 64Mi + volumeMounts: + - name: run + mountPath: /run/mysqld + - name: tmp + mountPath: /tmp + inheritMetadata: + {{ if .Values.podAnnotations -}} + annotations: {{ toYaml .Values.podAnnotations | nindent 6 }} + {{- end }} + labels: + # temporarily test mariaDB without sidecar (fix initial Job, Backup and Metrics) + # will be obsolete with "native-sidecars" feature in K8S and Istio + sidecar.istio.io/inject: "false" + app: {{ $dbinst }} + version: {{ .Values.mariadbOperator.appVersion }} + rootPasswordSecretKeyRef: + name: {{ $dbrootsecret }} + key: password + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadbOperator.image }}:{{ $dot.Values.mariadbOperator.appVersion }} + imagePullPolicy: IfNotPresent + {{- include "common.imagePullSecrets" . 
| nindent 2 }} + port: 3306 + replicas: {{ $dot.Values.replicaCount }} + {{- if $dot.Values.mariadbOperator.galera.enabled }} + galera: + enabled: true + sst: mariabackup + replicaThreads: 1 + agent: + image: {{ include "repositoryGenerator.mariadbContainerRegistry" . }}/{{ .Values.mariadbOperator.galera.agentImage }}:{{ $dot.Values.mariadbOperator.galera.agentVersion }} + imagePullPolicy: IfNotPresent + port: 5555 + kubernetesAuth: + enabled: true + authDelegatorRoleName: {{ $dbinst }}-auth + gracefulShutdownTimeout: 5s + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + privileged: false + runAsNonRoot: true + runAsUser: 10001 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + primary: + automaticFailover: true + recovery: + enabled: true + clusterHealthyTimeout: 30s + clusterBootstrapTimeout: 10m0s + minClusterSize: 50% + podRecoveryTimeout: 3m0s + podSyncTimeout: 3m0s + initContainer: + image: {{ include "repositoryGenerator.mariadbContainerRegistry" . 
}}/{{ $dot.Values.mariadbOperator.galera.initImage }}:{{ $dot.Values.mariadbOperator.galera.initVersion }} + imagePullPolicy: IfNotPresent + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + privileged: false + runAsNonRoot: true + runAsUser: 10001 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + config: + reuseStorageVolume: false + volumeClaimTemplate: + {{- if .Values.mariadbOperator.persistence.storageClassName }} + storageClassName: {{ .Values.mariadbOperator.persistence.storageClassName }} + {{- end }} + resources: + requests: + storage: 50Mi + accessModes: + - ReadWriteOnce + {{- end }} + livenessProbe: + exec: + command: + - bash + - '-c' + - mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;" + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - bash + - '-c' + - mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;" + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + {{- if default false $dot.Values.global.metrics.enabled }} + metrics: + enabled: true + exporter: + image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/prom/mysqld-exporter:v0.15.1 + port: 9104 + podSecurityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsUser: 10001 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + securityContext: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + {{- end }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + tolerations: + - key: k8s.mariadb.com/ha + operator: Exists + effect: NoSchedule + podDisruptionBudget: + maxUnavailable: 50% + updateStrategy: + type: RollingUpdate + + myCnfConfigMapKeyRef: + key: my.cnf + name: {{ printf "%s-configuration" (include "common.fullname" $dot) }} + resources: {{ include "common.resources" . | nindent 4 }} + storage: + {{- if $dot.Values.mariadbOperator.persistence.storageClassName }} + storageClassName: {{ $dot.Values.mariadbOperator.persistence.storageClassName }} + {{- end }} + size: {{ $dot.Values.mariadbOperator.persistence.size | quote }} +{{- if $dot.Values.db.user }} +{{ include "common.mariadbOpUser" (dict "dot" . "dbuser" $dot.Values.db.user "dbinst" $dbinst "dbsecret" $dbusersecret) }} +{{- end }} +{{- if $dot.Values.db.name }} +{{ include "common.mariadbOpDatabase" (dict "dot" . "dbname" $dot.Values.db.name "dbinst" $dbinst) }} +{{- end }} +{{- if and $dot.Values.db.user $dot.Values.db.name }} +{{ include "common.mariadbOpGrants" (dict "dot" . "dbuser" $dot.Values.db.user "dbname" $dot.Values.db.name "dbinst" $dbinst) }} +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_mongodb.tpl b/kubernetes/common/common/templates/_mongodb.tpl new file mode 100644 index 0000000000..80d8d72194 --- /dev/null +++ b/kubernetes/common/common/templates/_mongodb.tpl 
@@ -0,0 +1,165 @@ +{{/* +# Copyright © 2019 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{/* + UID of mongodb root password +*/}} +{{- define "common.mongodb.secret.rootPassUID" -}} + {{- printf "db-root-password" }} +{{- end -}} + +{{/* + Name of mongodb secret +*/}} +{{- define "common.mongodb.secret._secretName" -}} + {{- $global := .dot }} + {{- $chartName := tpl .chartName $global -}} + {{- include "common.secret.genName" (dict "global" $global "uid" (include .uidTemplate $global) "chartName" $chartName) }} +{{- end -}} + +{{/* + Name of mongodb root password secret +*/}} +{{- define "common.mongodb.secret.rootPassSecretName" -}} + {{- include "common.mongodb.secret._secretName" (set . "uidTemplate" "common.mongodb.secret.rootPassUID") }} +{{- end -}} + +{{/* + UID of mongodb user credentials +*/}} +{{- define "common.mongodb.secret.userCredentialsUID" -}} + {{- printf "db-user-credentials" }} +{{- end -}} + +{{/* + Name of mongodb user credentials secret +*/}} +{{- define "common.mongodb.secret.userCredentialsSecretName" -}} + {{- include "common.mongodb.secret._secretName" (set . 
"uidTemplate" "common.mongodb.secret.userCredentialsUID") }} +{{- end -}} + +{{/* + UID of mongodb primary password +*/}} +{{- define "common.mongodb.secret.primaryPasswordUID" -}} + {{- printf "primary-password" }} +{{- end -}} + +{{/* + Name of mongodb user credentials secret +*/}} +{{- define "common.mongodb.secret.primaryPasswordSecretName" -}} + {{- include "common.mongodb.secret._secretName" (set . "uidTemplate" "common.mongodb.secret.primaryPasswordUID") }} +{{- end -}} + +{{/* + Choose the name of the mongodb app label to use. +*/}} +{{- define "common.mongodbAppName" -}} + {{- if .Values.global.mongodb.localCluster -}} + {{- index .Values "mongodb" "nameOverride" -}} + {{- else -}} + {{- .Values.global.mongodb.nameOverride -}} + {{- end -}} +{{- end -}} + +#Not edited yet +{{/* + Create mongodb cluster via mongodb percona-operator +*/}} +{{- define "common.mongodbOpInstance" -}} +{{- $dot := default . .dot -}} +{{- $global := $dot.Values.global -}} +{{- $dbinst := include "common.name" $dot -}} +--- + +apiVersion: psmdb.percona.com/v1 +kind: PerconaServerMongoDB +metadata: + name: {{ $dbinst }} + labels: + app: {{ $dbinst }} + version: "5.5" +spec: + metadata: + labels: + app: {{ $dbinst }} + version: "5.5" + {{- if .Values.mongodbOperator.imageMongo }} + image: {{ .Values.mongodbOperator.imageMongo | quote }} + {{- end }} + imagePullSecrets: + - name: {{ include "common.namespace" . 
}}-docker-registry-key + mongodbVersion: {{ $dot.Values.mongodbOperator.mongodbVersion }} + instances: + - name: {{ default "instance1" .Values.mongodbOperator.instanceName | quote }} + replicas: {{ default 2 .Values.mongodbOperator.instanceReplicas }} + dataVolumeClaimSpec: + {{- if .Values.instanceStorageClassName }} + storageClassName: {{ .Values.mongodbOperator.instanceStorageClassName | quote }} + {{- end }} + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: {{ default "1Gi" .Values.mongodbOperator.instanceSize | quote }} + {{- if or .Values.instanceMemory .Values.mongodbOperator.instanceCPU }} + resources: + limits: + cpu: {{ default "" .Values.mongodbOperator.instanceCPU | quote }} + memory: {{ default "" .Values.mongodbOperator.instanceMemory | quote }} + {{- end }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + mongodb-operator.crunchydata.com/cluster: {{ $dbinst }} + mongodb-operator.crunchydata.com/instance-set: {{ default "instance1" .Values.mongodbOperator.instanceName | quote }} + proxy: + pgBouncer: + metadata: + labels: + app: {{ $dbinst }} + version: "5.5" + {{- if .Values.mongodbOperator.imagePgBouncer }} + image: {{ .Values.mongodbOperator.imagePgBouncer | quote }} + {{- end }} + replicas: {{ default 2 .Values.mongodbOperator.bouncerReplicas }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + mongodb-operator.crunchydata.com/cluster: {{ $dbinst }} + mongodb-operator.crunchydata.com/role: pgbouncer + {{- if .Values.mongodbOperator.monitoring }} + monitoring: + pgmonitor: + exporter: + image: {{ default "" .Values.mongodbOperator.imageExporter | quote }} + {{- if .Values.mongodbOperator.monitoringConfig }} +{{ toYaml .Values.monitoringConfig | indent 8 }} 
+ {{- end }} + {{- end }} + users: + - name: mongodb +{{- end -}} diff --git a/kubernetes/common/common/templates/_name.tpl b/kubernetes/common/common/templates/_name.tpl index 793fb3e07b..39f50bc728 100644 --- a/kubernetes/common/common/templates/_name.tpl +++ b/kubernetes/common/common/templates/_name.tpl @@ -23,7 +23,8 @@ {{- define "common.name" -}} {{- $dot := default . .dot -}} {{- $suffix := .suffix -}} - {{- default $dot.Chart.Name $dot.Values.nameOverride | trunc 63 | trimSuffix "-" -}}{{ if $suffix }}{{ print "-" $suffix }}{{ end }} + {{- $prefix := .prefix -}} + {{ if $prefix }}{{ print $prefix "-" }}{{ end }}{{- default $dot.Chart.Name $dot.Values.nameOverride | trunc 63 | trimSuffix "-" -}}{{ if $suffix }}{{ print "-" $suffix }}{{ end }} {{- end -}} {{/* @@ -34,7 +35,8 @@ {{- $dot := .dot }} {{- $name := .chartName }} {{- $suffix := default "" .suffix -}} - {{- printf "%s-%s-%s" (include "common.release" $dot) $name $suffix | trunc 63 | trimSuffix "-" | trimSuffix "-" -}} + {{- $prefix := default "" .prefix -}} + {{- printf "%s-%s-%s-%s" $prefix (include "common.release" $dot) $name $suffix | trunc 63 | trimSuffix "-" | trimSuffix "-" | trimPrefix "-" -}} {{- end -}} {{/* 
@@ -42,21 +44,23 @@ Truncated at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). Usage: include "common.fullname" . - include "common.fullname" (dict "suffix" "mySuffix" "dot" .) + include "common.fullname" (dict "suffix" "mySuffix" "prefix" "myPrefix" "dot" .) The function takes from one to two arguments: - .dot : environment (.) - .suffix : add a suffix to the fullname + - .prefix : add a prefix to the fullname */}} {{- define "common.fullname" -}} -{{- $dot := default . .dot -}} -{{- $suffix := default "" .suffix -}} + {{- $dot := default . .dot -}} + {{- $suffix := default "" .suffix -}} + {{- $prefix := default "" .prefix -}} {{- $name := default $dot.Chart.Name $dot.Values.nameOverride -}} {{/* when linted, the name must be lower cased. When used from a component, name should be overriden in order to avoid collision so no need to do it */}} {{- if eq (printf "%s/templates" $name) $dot.Template.BasePath -}} {{- $name = lower $name -}} {{- end -}} - {{- include "common.fullnameExplicit" (dict "dot" $dot "chartName" $name "suffix" $suffix) }} + {{- include "common.fullnameExplicit" (dict "dot" $dot "chartName" $name "suffix" $suffix "prefix" $prefix) }} {{- end -}} {{/* diff --git a/kubernetes/common/common/templates/_pod.tpl b/kubernetes/common/common/templates/_pod.tpl index b38a7f1105..6feb91bd0c 100644 --- a/kubernetes/common/common/templates/_pod.tpl +++ b/kubernetes/common/common/templates/_pod.tpl 
@@ -45,25 +45,68 @@ - containerPort: {{ default $port.plain_port $port.internal_plain_port }} name: {{ $port.name }}-plain {{- end }} +{{- if $port.l4_protocol }} + protocol: {{ $port.l4_protocol }} +{{- end }} {{- end }} {{- end -}} {{/* Generate securityContext for pod + required variables: user_id, group_id + optional variables: fsgroup_id, runAsNonRoot, seccompProfileType + Example in values.yaml + securityContext: + user_id: 70 + group_id: 70 + # fsgroup_id: 70 + # runAsNonRoot: true + # seccompProfileType: "RuntimeDefault" */}} {{- define "common.podSecurityContext" -}} securityContext: runAsUser: {{ .Values.securityContext.user_id }} runAsGroup: {{ .Values.securityContext.group_id }} - fsGroup: {{ .Values.securityContext.group_id }} + fsGroup: {{ default .Values.securityContext.group_id .Values.securityContext.fsgroup_id }} + runAsNonRoot: {{ hasKey .Values.securityContext "runAsNonRoot" | ternary .Values.securityContext.runAsNonRoot true }} + seccompProfile: + type: {{ default "RuntimeDefault" .Values.securityContext.seccompProfileType }} {{- end }} {{/* - Generate securityContext for container + Generate securityContext for container (optional) + predefined variables: capabilities.drop + optional variables: readOnlyRootFilesystem, privileged, allowPrivilegeEscalation + Example in values.yaml + containerSecurityContext: + capabilities: + privileged: false + runAsUser: 1337 + runAsGroup: 1337 + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false */}} {{- define "common.containerSecurityContext" -}} securityContext: +{{- if not .Values.containerSecurityContext }} readOnlyRootFilesystem: true privileged: false allowPrivilegeEscalation: false +{{- else }} + readOnlyRootFilesystem: {{ hasKey .Values.containerSecurityContext "readOnlyRootFilesystem" | ternary .Values.containerSecurityContext.readOnlyRootFilesystem false }} + privileged: {{ hasKey .Values.containerSecurityContext "privileged" | ternary 
.Values.containerSecurityContext.privileged false }} + allowPrivilegeEscalation: {{ hasKey .Values.containerSecurityContext "allowPrivilegeEscalation" | ternary .Values.containerSecurityContext.allowPrivilegeEscalation false }} + runAsNonRoot: {{ hasKey .Values.containerSecurityContext "runAsNonRoot" | ternary .Values.containerSecurityContext.runAsNonRoot true }} +{{- if hasKey .Values.containerSecurityContext "runAsUser" }} + runAsUser: {{ .Values.containerSecurityContext.runAsUser }} +{{- end }} +{{- if hasKey .Values.containerSecurityContext "runAsGroup" }} + runAsGroup: {{ .Values.containerSecurityContext.runAsGroup }} +{{- end }} +{{- end }} + capabilities: + drop: + - ALL + - CAP_NET_RAW {{- end }} diff --git a/kubernetes/common/common/templates/_postgres.tpl b/kubernetes/common/common/templates/_postgres.tpl index 45d903e574..dcd17c0312 100644 --- a/kubernetes/common/common/templates/_postgres.tpl +++ b/kubernetes/common/common/templates/_postgres.tpl 
@@ -63,3 +63,89 @@ {{- define "common.postgres.secret.primaryPasswordSecretName" -}} {{- include "common.postgres.secret._secretName" (set . "uidTemplate" "common.postgres.secret.primaryPasswordUID") }} {{- end -}} + +{{/* + Create postgres cluster via postgres crunchydata-operator +*/}} +{{- define "common.postgresOpInstance" -}} +{{- $dot := default . .dot -}} +{{- $global := $dot.Values.global -}} +{{- $dbinst := include "common.name" $dot -}} +--- +apiVersion: postgres-operator.crunchydata.com/v1beta1 +kind: PostgresCluster +metadata: + name: {{ $dbinst }} + labels: + app: {{ $dbinst }} + version: "5.5" +spec: + metadata: + labels: + app: {{ $dbinst }} + version: "5.5" + {{- if .Values.postgresOperator.imagePostgres }} + image: {{ .Values.postgresOperator.imagePostgres | quote }} + {{- end }} + {{- include "common.imagePullSecrets" . | nindent 2 }} + postgresVersion: {{ $dot.Values.postgresOperator.postgresVersion }} + instances: + - name: {{ default "instance1" .Values.postgresOperator.instanceName | quote }} + replicas: {{ default 2 .Values.postgresOperator.instanceReplicas }} + dataVolumeClaimSpec: + {{- if .Values.instanceStorageClassName }} + storageClassName: {{ .Values.postgresOperator.instanceStorageClassName | quote }} + {{- end }} + accessModes: + - "ReadWriteOnce" + resources: + requests: + storage: {{ default "1Gi" .Values.postgresOperator.instanceSize | quote }} + {{- if or .Values.instanceMemory .Values.postgresOperator.instanceCPU }} + resources: + limits: + cpu: {{ default "" .Values.postgresOperator.instanceCPU | quote }} + memory: {{ default "" .Values.postgresOperator.instanceMemory | quote }} + {{- end }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: {{ $dbinst }} + postgres-operator.crunchydata.com/instance-set: {{ default "instance1" 
.Values.postgresOperator.instanceName | quote }} + proxy: + pgBouncer: + metadata: + labels: + app: {{ $dbinst }} + version: "5.5" + {{- if .Values.postgresOperator.imagePgBouncer }} + image: {{ .Values.postgresOperator.imagePgBouncer | quote }} + {{- end }} + replicas: {{ default 2 .Values.postgresOperator.bouncerReplicas }} + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + topologyKey: kubernetes.io/hostname + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: {{ $dbinst }} + postgres-operator.crunchydata.com/role: pgbouncer + {{- if .Values.postgresOperator.monitoring }} + monitoring: + pgmonitor: + exporter: + image: {{ default "" .Values.postgresOperator.imageExporter | quote }} + {{- if .Values.postgresOperator.monitoringConfig }} +{{ toYaml .Values.monitoringConfig | indent 8 }} + {{- end }} + {{- end }} + users: + - name: postgres +{{- end -}} diff --git a/kubernetes/common/common/templates/_resources.tpl b/kubernetes/common/common/templates/_resources.tpl index fae77435a3..11177c76fb 100644 --- a/kubernetes/common/common/templates/_resources.tpl +++ b/kubernetes/common/common/templates/_resources.tpl @@ -39,21 +39,21 @@ e.g: resources: small: limits: - cpu: 200m - memory: 4Gi + cpu: "200m" + memory: "4Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "100m" + memory: "1Gi" large: limits: - cpu: 400m - memory: 8Gi + cpu: "400m" + memory: "8Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "200m" + memory: "2Gi" unlimited: {} */ -}} {{- define "common.resources" -}} {{- $flavor := include "common.flavor" . -}} -{{- toYaml (pluck $flavor .Values.resources | first) | indent 12 -}} +{{- toYaml (pluck $flavor .Values.resources | first) -}} {{- end -}} diff --git a/kubernetes/common/common/templates/_secret.tpl b/kubernetes/common/common/templates/_secret.tpl index 9d284de500..9eb47d7093 100644 --- a/kubernetes/common/common/templates/_secret.tpl 
+++ b/kubernetes/common/common/templates/_secret.tpl @@ -19,7 +19,7 @@ Generates a secret header with given name and desired labels. - The template takes two arguments: + The template takes three arguments: - .global: environment (.) - .name: name of the secret - .annotations: annotations which should be used @@ -29,17 +29,14 @@ */}} {{- define "common.secret._header" -}} {{- $global := .global }} + {{- $name := .name }} apiVersion: v1 kind: Secret metadata: name: {{ $name }} namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.name" $global }} - chart: {{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }} - release: {{ include "common.release" $global }} - heritage: {{ $global.Release.Service }} + labels: {{- include "common.labels" $global | nindent 4 }} {{- if .annotations }} annotations: {{- include "common.tplValue" (dict "value" .annotations "context" $global) | nindent 4 }} {{- end }} diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index 7b88af02aa..3db01396ca 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -126,14 +126,14 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- else }} protocol: TCP {{- end }} +{{- if $port.app_protocol }} + appProtocol: {{ $port.app_protocol }} +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%ss-%s" $port.port_protocol $port.name }} {{- else }} name: {{ $port.name }} {{- end }} -{{- if (eq $serviceType "NodePort") }} - nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "useNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} -{{- end }} {{- else }} - port: {{ default $port.port $port.plain_port }} targetPort: {{ $port.name }} 
@@ -142,20 +142,29 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent {{- else }} protocol: {{ default "TCP" $port.l4_protocol }} {{- end }} +{{- if $port.app_protocol }} + appProtocol: {{ $port.app_protocol }} +{{- end }} {{- if $port.port_protocol }} name: {{ printf "%s-%s" $port.port_protocol $port.name }} {{- else }} name: {{ $port.name }} {{- end }} {{- end }} +{{- if (eq $serviceType "NodePort") }} + nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "useNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} +{{- end }} {{- if (and (and (include "common.needTLS" $dot) $add_plain_port) $port.plain_port) }} {{- if (eq $serviceType "ClusterIP") }} - port: {{ $port.plain_port }} targetPort: {{ $port.name }}-plain -{{- if $port.plain_l4_port_protocol }} +{{- if $port.plain_l4_port_protocol }} protocol: {{ $port.plain_port_l4_protocol }} -{{- else }} +{{- else }} protocol: {{ default "TCP" $port.l4_protocol }} +{{- end }} +{{- if $port.app_protocol }} + appProtocol: {{ $port.app_protocol }} {{- end }} {{- if $port.port_protocol }} name: {{ printf "%s-%s" $port.port_protocol $port.name }} @@ -241,7 +250,7 @@ spec: {{- $both_tls_and_plain:= default false $dot.Values.service.both_tls_and_plain }} {{- $labels := default (dict) .labels -}} {{- $matchLabels := default (dict) .matchLabels -}} -{{- if and (include "common.onServiceMesh" $dot) (eq $serviceType "NodePort") }} +{{- if and (include "common.ingressEnabled" $dot) (eq $serviceType "NodePort") -}} {{- $serviceType = "ClusterIP" }} {{- end }} diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index a685a73627..638db8cab1 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl 
@@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Amdocs, Bell Canada, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,15 +26,28 @@ true {{- end -}} {{- end -}} +{{/* + Calculate if we require a sidecar killer. +*/}} +{{- define "common.requireSidecarKiller" -}} +{{- if (include "common.onServiceMesh" .) }} +{{- if eq .Values.global.serviceMesh.engine "istio" }} +{{- if not (default false .Values.global.serviceMesh.nativeSidecars) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + {{/* Kills the sidecar proxy associated with a pod. */}} {{- define "common.serviceMesh.killSidecar" -}} -{{- if (include "common.onServiceMesh" .) }} +{{- if (include "common.requireSidecarKiller" .) }} RCODE="$?"; echo "*** script finished with exit code $RCODE" ; echo "*** killing service mesh sidecar" ; -curl -sf -X POST http://127.0.0.1:15020/quitquitquit ; +wget --quiet --post-data '' --output-document=- http://127.0.0.1:15020/quitquitquit || exit $? ; echo "" ; echo "*** exiting with script exit code" ; exit "$RCODE" @@ -46,7 +60,7 @@ exit "$RCODE" {{- define "common.waitForJobContainer" -}} {{- $dot := default . .dot -}} {{- $wait_for_job_container := default $dot.Values.wait_for_job_container .wait_for_job_container -}} -{{- if (include "common.onServiceMesh" .) }} +{{- if (include "common.requireSidecarKiller" .) }} - name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $wait_for_job_container.name) (empty $wait_for_job_container.name) }}-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" $dot }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} 
@@ -64,5 +78,100 @@ exit "$RCODE" fieldRef: apiVersion: v1 fieldPath: metadata.namespace + securityContext: + capabilities: + drop: + - ALL + - CAP_NET_RAW + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsUser: 100 + runAsGroup: 65533 + resources: + limits: + cpu: 100m + memory: 500Mi + requests: + cpu: 10m + memory: 10Mi {{- end }} {{- end }} + +{{/* + Use Authorization Policies or not. +*/}} +{{- define "common.useAuthorizationPolicies" -}} +{{- if (include "common.onServiceMesh" .) }} +{{- if .Values.global.authorizationPolicies -}} +{{- if (default false .Values.global.authorizationPolicies.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Create Authorization Policy template. + If common.useAuthorizationPolicies returns true: + Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals + in the format: + authorizedPrincipals: + - serviceAccount: (Mandatory) + namespace: (Optional, will default to onap) + allowedOperationMethods: ("app" corresponds to a key defined in "common.labels", which is included in "common.service") + + If common.useAuthorizationPolicies returns false: + Will not create an authorization policy +*/}} +{{- define "common.authorizationPolicy" -}} +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ include "common.name" . }} + action: ALLOW + rules: +{{- if $authorizedPrincipals }} +{{- range $principal := $authorizedPrincipals }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_serviceMonitor.tpl b/kubernetes/common/common/templates/_serviceMonitor.tpl index 907d9c6a9c..ccb1fbb1e3 100644 --- a/kubernetes/common/common/templates/_serviceMonitor.tpl +++ b/kubernetes/common/common/templates/_serviceMonitor.tpl @@ -52,11 +52,7 @@ ## ServiceMonitor selector labels ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration ## - selector: - app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + selector: {{- include "common.matchLabels" . | nindent 4 }} ## RelabelConfigs to apply to samples before scraping ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig 
@@ -182,6 +178,6 @@ spec: {{- if $dot.Values.metrics.serviceMonitor.selector }} matchLabels: {{- include "common.tplValue" ( dict "value" $dot.Values.metrics.serviceMonitor.selector "context" $dot) | nindent 6 }} {{- else }} - matchLabels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent 6 }} + matchLabels: {{- include "common.matchLabels" (dict "labels" $labels "dot" $dot) | nindent 6 }} {{- end }} {{- end -}} diff --git a/kubernetes/common/common/templates/_strimzikafka.tpl b/kubernetes/common/common/templates/_strimzikafka.tpl new file mode 100644 index 0000000000..c3c4cc7d92 --- /dev/null +++ b/kubernetes/common/common/templates/_strimzikafka.tpl 
@@ -0,0 +1,137 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* + Create a Strimzi KafkaUser. + Usage: + include "common.kafkauser" . + + Strimzi kafka provides cluster access via its custom resource definition KafkaUser + which is deployed using its User Operator component. + See more info here - https://github.com/strimzi/strimzi-kafka-operator/blob/main/helm-charts/helm3/strimzi-kafka-operator/crds/044-Crd-kafkauser.yaml + This allows fine grained access control per user towards the kafka cluster. + See more info here - https://strimzi.io/docs/operators/latest/configuring.html#proc-configuring-kafka-user-str + + The kafka user definition is defined as part of .Values per component. + For general use by OOM components, the following list of acl types should suffice: + type: group (Used by the client app to be added to a particular kafka consumer group) + type: topic (1 or more kafka topics that the client needs to access. Commonly [Read,Write]) + + Note: The template will use the following default values. + + spec.authentication.type: scram-sha-512 (dictated by the available broker listeners on the kafka cluster) + spec.authorization.type: simple (Only type supported by strimzi at present) + spec.authorization.acls.resource.patternType: literal + + Example: + + kafkaUser: + acls: + - name: sdc (mandatory) + suffix: mysuffix (optional. Will be appended (with a hyphen) to the "name" entry. 
ie "sdc-mysuffix") + type: group (mandatory. Type "group" is used by the client as it's kafka consumer group) + operations: [Read] (mandatory. List of at least 1) + - name: SDC-DISTR + type: topic + patternType: prefix (optional. In this example, the user will be provided Read and Write access to all topics named "SDC-DISTR*") + operations: [Read, Write] +*/}} +{{- define "common.kafkauser" -}} +{{- $global := .global }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaUser +metadata: + name: {{ include "common.name" . }}-ku + labels: + {{- include "common.labels" $ | nindent 4 }} + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + authentication: + type: {{ .Values.kafkaUser.authenticationType | default "scram-sha-512" }} + authorization: + type: {{ .Values.kafkaUser.authorizationType | default "simple" }} + acls: + {{- range $acl := .Values.kafkaUser.acls }} + - resource: + type: {{ $acl.type }} + patternType: {{ $acl.patternType | default "literal" }} + name: {{ ternary (printf "%s-%s" $acl.name $acl.suffix) $acl.name (hasKey $acl "suffix") }} + operations: + {{- range $operation := $acl.operations }} + - {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* + Create a Strimzi KafkaTopic. + Usage: + include "common.kafkatopic" . + + Strimzi kafka provides kafka topic management via its custom resource definition KafkaTopic + which is deployed using its Topic Operator component. + See more info here - https://github.com/strimzi/strimzi-kafka-operator/blob/main/helm-charts/helm3/strimzi-kafka-operator/crds/043-Crd-kafkatopic.yaml + + Note: KafkaTopic names should adhere to kubernetes object naming conventions - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/ + maximum length of 253 characters and consist of lower case alphanumeric characters, -, and . + + Note: The template will use the following default values. 
+ + spec.config.retention.ms: 7200000 (defaults to 2 hrs retention for kafka topic logs) + spec.config.segment.bytes: 1073741824 (defaults to 1gb) + spec.partitions: 6 (defaults to (2 * (default.replication.factor)) defined by the strimzi broker conf) + spec.replicas: 3 (defaults to default.replication.factor defined by the strimzi broker conf. Must be > 0 and <= (num of broker replicas)) + + The kafka topic definition is defined as part of .Values per component. + + Example: + + kafkaTopic: + - name: my-new-topic (mandatory) + retentionMs: 7200000 (optional. Defaults to 2hrs) + segmentBytes: 1073741824 (optional. Defaults to 1gb) + suffix: my-suffix (optional. Will be appended (with a hyphen) to the "name" value. ie "my-new-topic-my-suffix") + - name: my.other.topic + suffix: some.other-suffix +*/}} +{{- define "common.kafkatopic" -}} +{{- $global := .global }} +{{- range $topic := .Values.kafkaTopic }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + {{- if (hasKey $topic "strimziTopicName") }} + name: {{ ($topic.strimziTopicName) }}-kt + {{- else }} + name: {{ ($topic.name) | lower }}-kt + {{- end }} + labels: + {{- include "common.labels" $ | nindent 4 }} + strimzi.io/cluster: {{ include "common.release" $ }}-strimzi +spec: + {{- if (hasKey $topic "partitions") }} + partitions: {{ $topic.partitions }} + {{- end }} + {{- if (hasKey $topic "replicas") }} + replicas: {{ $topic.replicas }} + {{- end }} + topicName: {{ ternary (printf "%s-%s" $topic.name $topic.suffix) $topic.name (hasKey $topic "suffix") }} + config: + retention.ms: {{ $topic.retentionMs | default "7200000" }} + segment.bytes: {{ $topic.segmentBytes | default "1073741824"}} +--- +{{- end }} +{{- end -}} diff --git a/kubernetes/common/common/templates/_tplvalues.tpl b/kubernetes/common/common/templates/_tplvalues.tpl new file mode 100644 index 0000000000..0c6dbec859 --- /dev/null +++ b/kubernetes/common/common/templates/_tplvalues.tpl 
@@ -0,0 +1,49 @@ +{{/* +# Copyright © Original (https://github.com/bitnami/charts) VMware, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template perhaps with scope if the scope is present. +Usage: +{{ include "common.tplvalues._render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues._render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} +*/}} +{{- define "common.tplvalues._render" -}} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues._merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues._merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues._render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} 
diff --git a/kubernetes/common/dgbuilder/Chart.yaml b/kubernetes/common/dgbuilder/Chart.yaml deleted file mode 100644 index 5884211147..0000000000 --- a/kubernetes/common/dgbuilder/Chart.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: D.G. Builder application -name: dgbuilder -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: 'file://../common' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' - - name: serviceAccount - version: ~12.x-0 - repository: 'file://../serviceAccount' diff --git a/kubernetes/common/dgbuilder/resources/config/customSettings.js b/kubernetes/common/dgbuilder/resources/config/customSettings.js deleted file mode 100644 index b6a1a8636a..0000000000 --- a/kubernetes/common/dgbuilder/resources/config/customSettings.js +++ /dev/null 
@@ -1,61 +0,0 @@ -/* Copyright © 2017 AT&T, Amdocs, Bell Canada -* -* Licensed under the Apache License, Version 2.0 (the "License"); -* you may not use this file except in compliance with the License. -* You may obtain a copy of the License at -* -* http://www.apache.org/licenses/LICENSE-2.0 -* -* Unless required by applicable law or agreed to in writing, software -* distributed under the License is distributed on an "AS IS" BASIS, -* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -* See the License for the specific language governing permissions and -* limitations under the License. -*/ - -module.exports={ - "name": "Release sdnc1.0", - "emailAddress": "dguser@onap.org", - "uiPort": 3100, - "mqttReconnectTime": 15000, - "serialReconnectTime": 15000, - "debugMaxLength": 1000, - "htmlPath": "releases/sdnc1.0/html/", - "xmlPath": "releases/sdnc1.0/xml/", - "flowFile": "releases/sdnc1.0/flows/flows.json", - "sharedDir": "releases/sdnc1.0/flows/shared", - "userDir": "releases/sdnc1.0", - "httpAuth": { - "user": "${HTTP_USER}", - "pass": "${HTTP_PASSWORD}" - }, - "dbHost": "{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}", - "dbPort": "3306", - "dbName": "{{.Values.config.db.dbName}}", - "dbUser": "${DB_USER}", - "dbPassword": "${DB_PASSWORD}", - "gitLocalRepository": "", - "restConfUrl": "http://localhost:8181/restconf/operations/SLI-API:execute-graph", - "restConfUser": "${REST_CONF_USER}", - "restConfPassword": "${REST_CONF_PASSWORD}", - "formatXML": "Y", - "formatJSON": "Y", - "httpRoot": "/", - "disableEditor": false, - "httpAdminRoot": "/", - "httpAdminAuth": { - "user": "${HTTP_ADMIN_USER}", - "pass": "${HTTP_ADMIN_PASSWORD}" - }, - "httpNodeRoot": "/", - "httpNodeAuth": { - "user": "${HTTP_NODE_USER}", - "pass": "${HTTP_NODE_PASSWORD}" - }, - "uiHost": "0.0.0.0", - "version": "0.9.1", - {{ if .Values.global.aafEnabled }} - "enableHttps" : true, - {{ end }} - "performGitPull": "N" -} 
diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml deleted file mode 100644 index 6538ad0836..0000000000 --- a/kubernetes/common/dgbuilder/templates/deployment.yaml +++ /dev/null 
@@ -1,144 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} - - name: DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} - - name: HTTP_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "login") | indent 10 }} - - name: HTTP_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "http-user-creds" "key" "password") | indent 10 }} - - name: HTTP_ADMIN_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "admin-creds" "key" "login") | indent 10 }} - - name: HTTP_ADMIN_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "admin-creds" "key" "password") | indent 10 }} - - name: HTTP_NODE_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "login") | indent 10 }} - - name: HTTP_NODE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "password") | indent 10 }} - - name: REST_CONF_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }} - - name: REST_CONF_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: config-input - - mountPath: /config - name: config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} - - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.config.dbPodName }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && {{ if .Values.global.aafEnabled}} cp /opt/app/osaaf/local/node-*.pem certs && {{end}}./start.sh sdnc1.0 && wait"] - ports: - - containerPort: {{ .Values.service.internalPort }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: SDNC_CONFIG_DIR - value: /opt/onap/sdnc/data/properties - volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: config - mountPath: /opt/app/application.properties - subPath: application.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/conf/svclogic.properties - subPath: svclogic.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/svclogic/svclogic.properties - subPath: svclogic.properties - - name: config - mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/customSettings.js - subPath: customSettings.js - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: -{{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: config-input - configMap: - name: {{ include "common.fullname" . }}-config - - name: config - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/common/dgbuilder/templates/service.yaml b/kubernetes/common/dgbuilder/templates/service.yaml deleted file mode 100644 index bfe8b0aeb5..0000000000 --- a/kubernetes/common/dgbuilder/templates/service.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml deleted file mode 100644 index b295026ae9..0000000000 
--- a/kubernetes/common/dgbuilder/values.yaml +++ /dev/null 
@@ -1,193 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefix: 302 - - # image pull policy - pullPolicy: Always - - # default mount path root directory referenced - # by persistent volumes and log files - persistence: - mountPath: /dockerdata-nfs - - # flag to enable debugging - application support required - debugEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: 'db-root-password' - type: password - externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' - password: '{{ .Values.config.db.rootPassword }}' - - uid: 'db-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: 'http-user-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . 
}}' - login: '{{ .Values.config.httpUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'admin-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.adminCredsExternalSecret) . }}' - login: '{{ .Values.config.adminUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'node-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.nodeCredsExternalSecret) . }}' - login: '{{ .Values.config.nodeUser }}' - password: '{{ .Values.config.dgUserPassword }}' - - uid: 'restconf-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.restconfCredsExternalSecret) . }}' - login: '{{ .Values.config.restconfUser }}' - password: '{{ .Values.config.restconfPassword }}' - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/ccsdk-dgbuilder-image:1.4.1 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - db: - dbName: sdnctl - # unused for now to preserve the API - rootPassword: openECOMP1.0 - # rootPasswordExternalSecret: some secret - userName: sdnctl - # unused for now to preserve the API - userPassword: gamma - # userCredentialsExternalSecret: some secret - httpUser: dguser - # unused for now to preserve the API - httpPassword: cc03e747a6afbbcbf8be7668acfebee5 - # httpCredsExternalSecret: some secret - adminUser: dguser - # unused for now to preserve the API - adminPassword: cc03e747a6afbbcbf8be7668acfebee5 - # adminCredsExternalSecret: some secret - nodeUser: dguser - # unused for now to preserve the API - nodePassword: cc03e747a6afbbcbf8be7668acfebee5 - # nodeCredsExternalSecret: some secret - restconfUser: admin - # unused for now to preserve the API - restconfPassword: admin - # restconfCredsExternalSecret: some secret - - dbPodName: 
mysql-db - dbServiceName: sdnc-dbhost - # MD5 hash of dguser password ( default: test123 ) - dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: dgbuilder - portName: http - externalPort: 3000 - internalPort: 3100 - nodePort: 28 - -ingress: - enabled: false - service: - - baseaddr: "dgbuilder" - name: "dgbuilder" - port: 3000 - config: - ssl: "redirect" - - # dependency / sub-chart configuration -certInitializer: - nameOverride: dgbuilder-cert-initializer - truststoreMountpath: /opt/onap/ccsdk/dgbuilder/certs - fqdn: "sdnc" - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqi_namespace: org.onap.sdnc - public_fqdn: "dgbuilder.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - cd /opt/app/osaaf/local; - /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1 ; - cp {{ .Values.fqi_namespace }}.crt node-cert.pem; - cp {{ .Values.fqi_namespace }}.key node-key.pem; - chmod go+r node-*.pem - -#Resource Limit flavor -By Default using small -flavor: small -#segregation for different envionment (Small and Large) - -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dgbuilder - roles: - - read 
diff --git a/kubernetes/common/elasticsearch/.helmignore b/kubernetes/common/elasticsearch/.helmignore index 68ffb32406..569baddc3a 100644 --- a/kubernetes/common/elasticsearch/.helmignore +++ b/kubernetes/common/elasticsearch/.helmignore @@ -1 +1,40 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store + +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ + +# Common backup files +*.swp +*.bak +*.tmp +*~ + +# Various IDEs +.project +.idea/ +.vscode/ +*.tmproj + +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.gitignore +.dockerignore + +# Helm build files +.helmignore +.cache/ +.config/ +.local/ + +# OOM specific dirs components/ diff --git a/kubernetes/common/elasticsearch/Chart.yaml b/kubernetes/common/elasticsearch/Chart.yaml index cc0271165d..cb43539ba2 100644 --- a/kubernetes/common/elasticsearch/Chart.yaml +++ b/kubernetes/common/elasticsearch/Chart.yaml @@ -18,26 +18,23 @@ apiVersion: v2 description: ONAP elasticsearch name: elasticsearch -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 - repository: 'file://../common' + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' - name: master - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/master' - name: data - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/data' condition: elasticsearch.data.enabled,data.enabled - name: curator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/curator' condition: elasticsearch.curator.enabled,curator.enabled - - name: certInitializer - version: ~12.x-0 - repository: 'file://../certInitializer' - - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' 
diff --git a/kubernetes/common/elasticsearch/components/curator/Chart.yaml b/kubernetes/common/elasticsearch/components/curator/Chart.yaml index 96f75a1c5d..85bbd67a77 100644 --- a/kubernetes/common/elasticsearch/components/curator/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/curator/Chart.yaml @@ -18,12 +18,12 @@ apiVersion: v2 description: ONAP elasticsearch curator name: curator -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 - repository: 'file://../../../common' + version: ~13.x-0 + repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../../../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/elasticsearch/components/curator/templates/cronjob.yaml b/kubernetes/common/elasticsearch/components/curator/templates/cronjob.yaml index ff63cf00b1..a27fbb39ca 100644 --- a/kubernetes/common/elasticsearch/components/curator/templates/cronjob.yaml +++ b/kubernetes/common/elasticsearch/components/curator/templates/cronjob.yaml @@ -51,7 +51,8 @@ spec: {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName | quote }} {{- end }} -{{- include "elasticsearch.imagePullSecrets" . | indent 10 }} + {{- include "elasticsearch.imagePullSecrets" . | indent 10 }} + {{ include "common.podSecurityContext" . | indent 10 | trim }} {{- if .Values.extraInitContainers }} initContainers: {{- range $key, $value := .Values.extraInitContainers }} 
@@ -71,13 +72,11 @@ spec: {{- if .Values.tolerations }} tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 12 }} {{- end }} - {{- if .Values.securityContext }} - securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - {{- end }} containers: - name: {{ template "common.fullname" . }}-curator image: {{printf "%s/%s" (include "repositoryGenerator.repository" .) .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 14 | trim }} volumeMounts: - name: config-volume mountPath: /etc/es-curator diff --git a/kubernetes/common/elasticsearch/components/curator/values.yaml b/kubernetes/common/elasticsearch/components/curator/values.yaml index 62964ff973..40078be0df 100644 --- a/kubernetes/common/elasticsearch/components/curator/values.yaml +++ b/kubernetes/common/elasticsearch/components/curator/values.yaml @@ -123,11 +123,11 @@ resources: # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" requests: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" priorityClassName: "" # extraVolumes and extraVolumeMounts allows you to mount other volumes # Example Use Case: mount ssl certificates when elasticsearch has tls enabled @@ -175,4 +175,6 @@ extraInitContainers: {} # "storage_class": "${S3_STORAGE_CLASS}" # } # } - +securityContext: + user_id: 1000 + group_id: 1000 diff --git a/kubernetes/common/elasticsearch/components/data/Chart.yaml b/kubernetes/common/elasticsearch/components/data/Chart.yaml index 1b42a19078..82858cedb9 100644 --- a/kubernetes/common/elasticsearch/components/data/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/data/Chart.yaml 
@@ -18,12 +18,12 @@ apiVersion: v2 description: ONAP elasticsearch data name: data -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 - repository: 'file://../../../common' + version: ~13.x-0 + repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../../../repositoryGenerator' + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml b/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml index a7278ba104..dc8562b8fc 100644 --- a/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml +++ b/kubernetes/common/elasticsearch/components/data/templates/statefulset.yaml @@ -34,8 +34,7 @@ spec: template: metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.affinity }} affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- end }} 
@@ -45,17 +44,21 @@ spec: {{- if .Values.tolerations }} tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 8 }} {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - {{- end }} - {{- if or .Values.sysctlImage.enabled (and .Values.volumePermissions.enabled .Values.persistence.enabled) }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: {{- if .Values.sysctlImage.enabled }} ## Image that performs the sysctl operation to modify Kernel settings (needed sometimes to avoid boot errors) - name: sysctl image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: + limits: + cpu: 20m + memory: 50Mi + requests: + cpu: 5m + memory: 20Mi command: - /bin/sh - -c 
@@ -63,37 +66,35 @@ spec: set -o errexit set -o pipefail set -o nounset - sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536 - securityContext: - privileged: true + volumeMounts: + - mountPath: /etc/sysctl.conf + name: config + subPath: sysctl.conf {{- end }} - {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - - name: volume-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} + - name: {{ include "common.name" . }}-config-copy + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: + limits: + cpu: 20m + memory: 50Mi + requests: + cpu: 5m + memory: 20Mi command: - /bin/sh - -c - | - chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //bitnami/elasticsearch/data - securityContext: - runAsUser: 0 - {{- if .Values.volumePermissions.resource }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- end }} + cp -R /opt/bitnami/elasticsearch/config/. /opt/bitnami/elasticsearch/config_rw volumeMounts: - - name: data - mountPath: "/bitnami/elasticsearch/data" - {{- end }} - {{- end }} + - mountPath: /opt/bitnami/elasticsearch/config_rw + name: bitnami-config containers: - name: {{ include "common.name" . }}-data - image: {{ printf "%s/%s" (include "repositoryGenerator.dockerHubRepository" .) .Values.image }} + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} env: - name: BITNAMI_DEBUG value: {{ ternary "true" "false" .Values.debug | quote }} 
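Review bot: in the sysctl init container of data/templates/statefulset.yaml, the script body is now only the three `set -o` lines, so the container exits without doing anything, and nothing in this hunk reads the /etc/sysctl.conf that is mounted into it. vm.max_map_count and fs.file-max are kernel settings of the node; placing a sysctl.conf file inside an unprivileged container does not apply them. Either remove the init container together with the sysctlImage.enabled toggle and document vm.max_map_count=262144 as a node prerequisite, or add a comment naming the component that is expected to apply the file.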
@@ -144,28 +145,52 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} {{- end }} volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /opt/bitnami/elasticsearch/logs + name: bitnami-logs + - mountPath: /opt/bitnami/elasticsearch/tmp + name: bitnami-tmp + - mountPath: /opt/bitnami/elasticsearch/config + name: bitnami-config {{- if .Values.config }} - mountPath: /opt/bitnami/elasticsearch/config/elasticsearch.yml name: "config" subPath: elasticsearch.yml {{- end }} + {{- if .Values.sysctlImage.enabled }} + - mountPath: /etc/sysctl.conf + name: config + subPath: sysctl.conf + {{- end }} - name: "data" mountPath: "/bitnami/elasticsearch/data" {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 12 }} {{- end }} volumes: - {{- if .Values.config }} - name: "config" configMap: name: {{ template "common.fullname" . }} - {{- end }} + - emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + name: tmp + - emptyDir: + sizeLimit: {{ .Values.volumes.bitnamiLogsSizeLimit }} + name: bitnami-logs + - emptyDir: + sizeLimit: {{ .Values.volumes.bitnamiTmpSizeLimit }} + name: bitnami-tmp + - emptyDir: + sizeLimit: {{ .Values.volumes.bitnamiConfigSizeLimit }} + name: bitnami-config {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 8 }} {{- end }} {{- if not .Values.persistence.enabled }} - name: "data" - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.dataSizeLimit }} {{- else }} volumeClaimTemplates: - metadata: diff --git a/kubernetes/common/elasticsearch/components/data/values.yaml b/kubernetes/common/elasticsearch/components/data/values.yaml index 1dc9ab8588..25dc7e7911 100644 --- a/kubernetes/common/elasticsearch/components/data/values.yaml +++ b/kubernetes/common/elasticsearch/components/data/values.yaml 
@@ -82,9 +82,8 @@ podAnnotations: {} ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 + user_id: 1001 + group_id: 1001 ## Affinity for pod assignment. ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## @@ -105,11 +104,11 @@ resources: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. limits: {} - # cpu: 100m - # memory: 128Mi + # cpu: "100m" + # memory: "100Mi" requests: - cpu: 25m - memory: 1152Mi + cpu: "25m" + memory: "1.1Gi" ## Elasticsearch data container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## @@ -170,3 +169,9 @@ serviceAccount: ## If not set and create is true, a name is generated using the fullname template ## # name: +volumes: + logSizeLimit: 300Mi + tmpSizeLimit: 100Mi + bitnamiLogsSizeLimit: 200Mi + bitnamiTmpSizeLimit: 100Mi + bitnamiConfigSizeLimit: 50Mi diff --git a/kubernetes/common/elasticsearch/components/master/Chart.yaml b/kubernetes/common/elasticsearch/components/master/Chart.yaml index 5ff277d12b..30802dafbf 100644 --- a/kubernetes/common/elasticsearch/components/master/Chart.yaml +++ b/kubernetes/common/elasticsearch/components/master/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP elasticsearch master name: master -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 - repository: 'file://../../../common' + version: ~13.x-0 + repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../../../repositoryGenerator' + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml b/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml index 85ea2bbc54..54b427c80d 100644 
--- a/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml +++ b/kubernetes/common/elasticsearch/components/master/templates/statefulset.yaml @@ -32,8 +32,7 @@ spec: template: metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.affinity }} affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- end }} @@ -43,17 +42,21 @@ spec: {{- if .Values.tolerations }} tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 8 }} {{- end }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - {{- end }} - {{- if or .Values.sysctlImage.enabled (and .Values.volumePermissions.enabled .Values.persistence.enabled) }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: {{- if .Values.sysctlImage.enabled }} ## Image that performs the sysctl operation to modify Kernel settings (needed sometimes to avoid boot errors) - name: sysctl image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: + limits: + cpu: 20m + memory: 50Mi + requests: + cpu: 5m + memory: 20Mi command: - /bin/sh - -c 
@@ -61,37 +64,35 @@ spec: set -o errexit set -o pipefail set -o nounset - sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536 - securityContext: - privileged: true + volumeMounts: + - mountPath: /etc/sysctl.conf + name: config + subPath: sysctl.conf {{- end }} - {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - - name: volume-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} + - name: {{ include "common.name" . }}-config-copy + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: + limits: + cpu: 20m + memory: 50Mi + requests: + cpu: 5m + memory: 20Mi command: - /bin/sh - -c - | - chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //bitnami/elasticsearch/data - securityContext: - runAsUser: 0 - {{- if .Values.volumePermissions.resource }} - resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} - {{- end }} + cp -R /opt/bitnami/elasticsearch/config/. /opt/bitnami/elasticsearch/config_rw volumeMounts: - - name: data - mountPath: "/bitnami/elasticsearch/data" - {{- end }} - {{- end }} + - mountPath: /opt/bitnami/elasticsearch/config_rw + name: bitnami-config containers: - name: {{ include "common.name" . }}-master - image: {{ printf "%s/%s" (include "repositoryGenerator.dockerHubRepository" .) .Values.image }} + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.securityContext.enabled }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} env: - name: BITNAMI_DEBUG value: {{ ternary "true" "false" .Values.debug | quote }} 
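Review bot: with the volume-permissions init container and its `chown -R ... //bitnami/elasticsearch/data` removed from master/templates/statefulset.yaml, and the explicit `fsGroup: {{ .Values.securityContext.fsGroup }}` removed in the previous hunk, write access to the data volume depends entirely on what common.podSecurityContext renders from securityContext.user_id and group_id. Please confirm that helper sets fsGroup to group_id, and say so in the values.yaml comment above securityContext. Any volumePermissions.* keys still present in values.yaml are no longer read by this template and should be removed in the same change.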
@@ -148,6 +149,14 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} {{- end }} volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /opt/bitnami/elasticsearch/logs + name: bitnami-logs + - mountPath: /opt/bitnami/elasticsearch/tmp + name: bitnami-tmp + - mountPath: /opt/bitnami/elasticsearch/config + name: bitnami-config {{- if .Values.config }} - mountPath: /opt/bitnami/elasticsearch/config/elasticsearch.yml name: config @@ -159,17 +168,28 @@ spec: {{- toYaml .Values.extraVolumeMounts | nindent 12 }} {{- end }} volumes: - {{- if .Values.config }} - name: config configMap: name: {{ include "common.fullname" . }} - {{- end }} + - emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + name: tmp + - emptyDir: + sizeLimit: {{ .Values.volumes.bitnamiLogsSizeLimit }} + name: bitnami-logs + - emptyDir: + sizeLimit: {{ .Values.volumes.bitnamiTmpSizeLimit }} + name: bitnami-tmp + - emptyDir: + sizeLimit: {{ .Values.volumes.bitnamiConfigSizeLimit }} + name: bitnami-config {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 8 }} {{- end }} {{- if not .Values.persistence.enabled }} - name: "data" - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.dataSizeLimit }} {{- else }} volumeClaimTemplates: - metadata: diff --git a/kubernetes/common/elasticsearch/components/master/values.yaml b/kubernetes/common/elasticsearch/components/master/values.yaml index a2ec7b92db..0837132db4 100644 --- a/kubernetes/common/elasticsearch/components/master/values.yaml +++ b/kubernetes/common/elasticsearch/components/master/values.yaml @@ -85,9 +85,8 @@ podAnnotations: {} ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 + user_id: 1001 + group_id: 1001 ## Affinity for pod assignment. ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## 
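Review bot: in master/templates/statefulset.yaml (@@ -159,17 +168,28 @@) the non-persistent data volume is rendered with `sizeLimit: {{ .Values.volumes.dataSizeLimit }}`, but the volumes block this patch adds to master/values.yaml defines only logSizeLimit, tmpSizeLimit, bitnamiLogsSizeLimit, bitnamiTmpSizeLimit and bitnamiConfigSizeLimit. dataSizeLimit is set only in the parent elasticsearch/values.yaml (200Mi), which a subchart does not see unless the value is passed under the subchart's key, so sizeLimit renders empty when persistence.enabled is false. The data statefulset and data/values.yaml have the same gap. Add dataSizeLimit to both subchart values files, and drop logSizeLimit, which none of the elasticsearch template hunks reference.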
@@ -108,13 +107,13 @@ resources: ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. limits: - cpu: 250m - memory: 1536Mi - # cpu: 100m - # memory: 128Mi + cpu: "250m" + memory: "1.5Gi" + # cpu: "100m" + # memory: "100Mi" requests: - cpu: 5m - memory: 310Mi + cpu: "5m" + memory: "300Mi" ## Elasticsearch master-eligible container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## @@ -202,3 +201,10 @@ serviceAccount: ## Elasticsearch cluster name ## clusterName: elastic-cluster + +volumes: + logSizeLimit: 300Mi + tmpSizeLimit: 100Mi + bitnamiLogsSizeLimit: 200Mi + bitnamiTmpSizeLimit: 100Mi + bitnamiConfigSizeLimit: 50Mi diff --git a/kubernetes/common/elasticsearch/templates/_helpers.tpl b/kubernetes/common/elasticsearch/templates/_helpers.tpl index 1de2599af9..34663e14f1 100644 --- a/kubernetes/common/elasticsearch/templates/_helpers.tpl +++ b/kubernetes/common/elasticsearch/templates/_helpers.tpl @@ -69,5 +69,3 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{ default "default" .Values.serviceAccount.name }} {{- end -}} {{- end -}} - - diff --git a/kubernetes/common/elasticsearch/templates/configmap-es.yaml b/kubernetes/common/elasticsearch/templates/configmap-es.yaml index 7138e4e094..d844d08240 100644 --- a/kubernetes/common/elasticsearch/templates/configmap-es.yaml +++ b/kubernetes/common/elasticsearch/templates/configmap-es.yaml @@ -13,10 +13,11 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.config }} apiVersion: v1 kind: ConfigMap metadata: {{- include "common.resourceMetadata" . | nindent 2 }} data: + {{- if .Values.config }} elasticsearch.yml: |- {{- toYaml .Values.config | nindent 4 }} -{{- end }} + {{- end }} + sysctl.conf: |- {{- toYaml .Values.sysctl_conf | nindent 4 }} 
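Review bot: in configmap-es.yaml, `sysctl.conf: |- {{- toYaml .Values.sysctl_conf | nindent 4 }}` passes a string through toYaml. values.yaml defines sysctl_conf as a multi-line block scalar, and toYaml serialises a multi-line string with its own `|-` indicator and an extra level of indentation, so the rendered sysctl.conf would start with a literal `|-` line instead of `vm.max_map_count=262144`. Use `{{- .Values.sysctl_conf | nindent 4 }}` for this key and check the result with helm template.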
diff --git a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml index 49ce0ef76a..e7520aeed6 100644 --- a/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml +++ b/kubernetes/common/elasticsearch/templates/configmap-server-block.yaml @@ -21,11 +21,5 @@ kind: ConfigMap metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} data: server-block.conf: |- -{{ if .Values.global.aafEnabled }} -{{ .Values.nginx.serverBlock.https | indent 4 }} -{{ else }} {{ .Values.nginx.serverBlock.http | indent 4 }} - - -{{ end }} {{- end -}} diff --git a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml index 05e09cb696..08c93031fb 100644 --- a/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml +++ b/kubernetes/common/elasticsearch/templates/coordinating-deploy.yaml @@ -30,8 +30,7 @@ spec: template: metadata: {{- include "common.templateMetadata" (dict "labels" $labels "dot" .) | nindent 6 }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.affinity }} affinity: {{- include "common.tplValue" (dict "value" .Values.affinity "context" $) | nindent 8 }} {{- end }} 
@@ -42,17 +41,22 @@ spec: tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" $) | nindent 8 }} {{- end }} serviceAccountName: {{ template "elasticsearch.serviceAccountName" . }} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - {{- end }} - + {{ include "common.podSecurityContext" . | indent 6 | trim }} ## Image that performs the sysctl operation to modify Kernel settings (needed sometimes to avoid boot errors) initContainers: - {{- if .Values.sysctlImage.enabled }} + {{- if .Values.sysctlImage.enabled }} + ## Image that performs the sysctl operation to modify Kernel settings (needed sometimes to avoid boot errors) - name: sysctl image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: + limits: + cpu: 20m + memory: 50Mi + requests: + cpu: 5m + memory: 20Mi command: - /bin/sh - -c 
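Review bot: style nit in coordinating-deploy.yaml: the comment `## Image that performs the sysctl operation to modify Kernel settings ...` is added inside the `if .Values.sysctlImage.enabled` block while the identical comment above `initContainers:` stays as context, so it now appears twice in a row. Keep the inner copy and remove the outer one.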
@@ -60,12 +64,52 @@ spec: set -o errexit set -o pipefail set -o nounset - sysctl -w vm.max_map_count=262144 && sysctl -w fs.file-max=65536 - securityContext: - privileged: true - {{- end }} - {{ include "common.certInitializer.initContainer" . | nindent 8 }} - + volumeMounts: + - mountPath: /etc/sysctl.conf + name: config + subPath: sysctl.conf + {{- end }} + - name: {{ include "common.name" . }}-config-copy + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: + limits: + cpu: 20m + memory: 50Mi + requests: + cpu: 5m + memory: 20Mi + command: + - /bin/sh + - -c + - | + cp -R /opt/bitnami/elasticsearch/config/. /opt/bitnami/elasticsearch/config_rw + volumeMounts: + - mountPath: /opt/bitnami/elasticsearch/config_rw + name: bitnami-config + - name: {{ include "common.name" . }}-nginx-config-copy + image: {{ include "repositoryGenerator.image.nginx" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.nginx.pullPolicy | quote }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: + limits: + cpu: 20m + memory: 50Mi + requests: + cpu: 5m + memory: 20Mi + command: + - /bin/sh + - -c + - | + cp -R /opt/bitnami/nginx/conf/. /opt/bitnami/nginx/conf_rw; + cp -R /opt/bitnami/nginx/logs/. /opt/bitnami/nginx/logs_rw + volumeMounts: + - mountPath: /opt/bitnami/nginx/conf_rw + name: nginx-config + - mountPath: /opt/bitnami/nginx/logs_rw + name: nginx-logs containers: - name: {{ include "common.name" . }}-nginx image: {{ include "repositoryGenerator.image.nginx" . }} 
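Review bot: the three init containers in this hunk (sysctl, config-copy, nginx-config-copy) each hard-code the same resources block (limits 20m / 50Mi, requests 5m / 20Mi), and the master and data statefulsets repeat it for their own init containers. Move it to one values key and render it with toYaml, the way the main containers already do with `resources: {{- toYaml .Values.resources | nindent 12 }}`, so operators can tune init-container limits without patching templates.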
@@ -80,20 +124,23 @@ spec: {{- if .Values.nginx.resources }} resources: {{- toYaml .Values.nginx.resources | nindent 12 }} {{- end }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} volumeMounts: + - mountPath: /opt/bitnami/nginx/conf + name: nginx-config + - mountPath: /opt/bitnami/nginx/tmp + name: nginx-tmp + - mountPath: /opt/bitnami/nginx/logs + name: nginx-logs {{- if .Values.nginx.serverBlock }} - name: nginx-server-block mountPath: /opt/bitnami/nginx/conf/server_blocks {{- end }} - {{- include "common.certInitializer.volumeMount" . | nindent 10 }} - name: {{ include "common.name" . }}-elasticsearch image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - {{- if .Values.securityContext.enabled }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} env: - name: BITNAMI_DEBUG value: {{ ternary "true" "false" .Values.debug | quote }} @@ -146,6 +193,14 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} {{- end}} volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /opt/bitnami/elasticsearch/logs + name: bitnami-logs + - mountPath: /opt/bitnami/elasticsearch/tmp + name: bitnami-tmp + - mountPath: /opt/bitnami/elasticsearch/config + name: bitnami-config {{- if .Values.config }} - mountPath: /opt/bitnami/elasticsearch/config/elasticsearch.yml name: config 
@@ -157,13 +212,33 @@ spec: {{- toYaml .Values.extraVolumeMounts | nindent 12 }} {{- end }} volumes: - {{- if .Values.config }} - name: config configMap: name: {{ include "common.fullname" . }} - {{- end }} + - emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + name: tmp + - emptyDir: + sizeLimit: {{ .Values.volumes.bitnamiLogsSizeLimit }} + name: bitnami-logs + - emptyDir: + sizeLimit: {{ .Values.volumes.bitnamiTmpSizeLimit }} + name: bitnami-tmp + - emptyDir: + sizeLimit: {{ .Values.volumes.bitnamiConfigSizeLimit }} + name: bitnami-config + - emptyDir: + sizeLimit: {{ .Values.volumes.nginxLogsSizeLimit }} + name: nginx-logs + - emptyDir: + sizeLimit: {{ .Values.volumes.nginxTmpSizeLimit }} + name: nginx-tmp + - emptyDir: + sizeLimit: {{ .Values.volumes.nginxConfigSizeLimit }} + name: nginx-config - name: data - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.dataSizeLimit }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 8 }} {{- end }} @@ -172,4 +247,3 @@ spec: configMap: name: {{ include "common.fullname" . }}-nginx-server-block {{- end }} - {{ include "common.certInitializer.volumes" . | nindent 8 }} diff --git a/kubernetes/common/elasticsearch/values.yaml b/kubernetes/common/elasticsearch/values.yaml index 6c46f32c96..569adb0c91 100644 --- a/kubernetes/common/elasticsearch/values.yaml +++ b/kubernetes/common/elasticsearch/values.yaml @@ -17,7 +17,6 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true nodePortPrefix: 302 clusterName: cluster.local @@ -72,9 +71,9 @@ podAnnotations: {} ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## securityContext: - enabled: true - fsGroup: 1001 - runAsUser: 1001 + user_id: 1001 + group_id: 1001 + ## Affinity for pod assignment. ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## 
@@ -94,12 +93,24 @@ resources: ## We usually recommend not to specify default resources and to leave this as a conscious ## choice for the user. This also increases chances charts run on environments with little ## resources, such as Minikube. - limits: {} - # cpu: 100m - # memory: 128Mi + limits: + cpu: "500m" + memory: 4Gi requests: - cpu: 25m - memory: 256Mi + cpu: "25m" + memory: "200Mi" + +volumes: + dataSizeLimit: 200Mi + logSizeLimit: 300Mi + tmpSizeLimit: 100Mi + bitnamiLogsSizeLimit: 200Mi + bitnamiTmpSizeLimit: 100Mi + bitnamiConfigSizeLimit: 50Mi + nginxLogsSizeLimit: 200Mi + nginxTmpSizeLimit: 100Mi + nginxConfigSizeLimit: 50Mi + ## Elasticsearch coordinating-only container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## @@ -145,6 +156,13 @@ sysctlImage: # nginx image nginx: pullPolicy: IfNotPresent + resources: + limits: + cpu: "500m" + memory: "400Mi" + requests: + cpu: "25m" + memory: "50Mi" service: name: nginx ports: 
@@ -261,28 +279,11 @@ service: ## ################################################################# -# Certificate configuration +# system ctl configuration ################################################################# -certInitializer: - nameOverride: elasticsearch-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: "elastic" - app_ns: "org.osaaf.aaf" - fqi_namespace: "org.onap.elastic" - fqi: "elastic@elastic.onap.org" - public_fqdn: "aaf.osaaf.org" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - cd {{ .Values.credsPath }}; - mkdir -p certs; - keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password; - openssl pkcs12 -in {{ .Values.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12; - cp {{ .Values.fqi_namespace }}.key certs/key.pem; - chmod -R 755 certs; +sysctl_conf: |- + vm.max_map_count=262144 + fs.file-max=65536 ################################################################# # subcharts configuration defaults. diff --git a/kubernetes/common/etcd-init/Chart.yaml b/kubernetes/common/etcd-init/Chart.yaml index a76d534d59..0ce9c4fc46 100644 --- a/kubernetes/common/etcd-init/Chart.yaml +++ b/kubernetes/common/etcd-init/Chart.yaml @@ -17,12 +17,15 @@ apiVersion: v2 description: Chart for etcd init job name: etcd-init -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file 
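Review bot: in etcd-init/Chart.yaml the new serviceAccount dependency uses `repository: '@local'` while common and repositoryGenerator in the same list stay on `file://../common` and `file://../repositoryGenerator`; the elasticsearch charts in this patch move those two to '@local'. Use one repository scheme for all three entries so the chart resolves its dependencies the same way as its siblings. The file also still ends without a trailing newline, which the .readthedocs.yaml hunk of this same patch fixes for that file.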
diff --git a/kubernetes/common/etcd-init/templates/job.yaml b/kubernetes/common/etcd-init/templates/job.yaml index 9d7dcc26da..30e37ea43e 100644 --- a/kubernetes/common/etcd-init/templates/job.yaml +++ b/kubernetes/common/etcd-init/templates/job.yaml @@ -23,10 +23,19 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: {{ .Values.backoffLimit }} template: metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" labels: app: {{ include "common.name" . }} release: {{ include "common.release" . }} @@ -37,8 +46,8 @@ spec: command: - /app/ready.py args: - - --container-name - - {{ .Values.etcd.containerName }} + - --service-name + - {{ .Values.etcd.serviceName }} env: - name: NAMESPACE valueFrom: @@ -47,6 +56,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} 
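Review bot: the readiness init container in etcd-init/templates/job.yaml (@@ -37,8 +46,8 @@) now passes `--service-name {{ .Values.etcd.serviceName }}`, but the etcd-init/values.yaml hunks in this patch add only jobAnnotations, quoted resource values and serviceAccount, not etcd.serviceName. If the defaults still carry only etcd.containerName, the argument renders empty and the readiness check has nothing to wait for; add a default for etcd.serviceName or wrap it in `required`. In the new annotation comment, "Workarround" should read "Workaround".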
@@ -86,11 +102,7 @@ spec: value: "{{ .Values.config.appRole }}" - name: KEY_PREFIX value: "{{ .Values.config.keyPrefix }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} @@ -98,10 +110,6 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/etcd-init/values.yaml b/kubernetes/common/etcd-init/values.yaml index 6ccfb3e5d7..2af39ed573 100644 --- a/kubernetes/common/etcd-init/values.yaml +++ b/kubernetes/common/etcd-init/values.yaml 
@@ -55,24 +55,45 @@ config: appRole: role keyPrefix: key +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" + flavor: small resources: small: limits: - cpu: 100m - memory: 500Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 10m - memory: 10Mi + cpu: "10m" + memory: "10Mi" large: limits: - cpu: 200m - memory: 500Mi + cpu: "200m" + memory: "500Mi" requests: - cpu: 20m - memory: 20Mi + cpu: "20m" + memory: "20Mi" unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: etcd-init + roles: + - read + wait_for_job_container: containers: - '{{ include "common.name" . }}' diff --git a/kubernetes/common/etcd/.helmignore b/kubernetes/common/etcd/.helmignore index f0c1319444..0bab41b6b1 100644 --- a/kubernetes/common/etcd/.helmignore +++ b/kubernetes/common/etcd/.helmignore @@ -19,3 +19,14 @@ .project .idea/ *.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/etcd/Chart.yaml b/kubernetes/common/etcd/Chart.yaml index e038e26a48..72e1ba68e9 100644 --- a/kubernetes/common/etcd/Chart.yaml +++ b/kubernetes/common/etcd/Chart.yaml 
@@ -1,6 +1,7 @@ # Copyright © 2019 Intel Corporation # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,7 +18,7 @@ apiVersion: v2 name: etcd home: https://github.com/coreos/etcd -version: 12.0.0 +version: 13.0.2 appVersion: 2.2.5 description: Distributed reliable key-value store for the most critical data of a distributed system. @@ -27,8 +28,8 @@ sources: dependencies: - name: common - version: ~12.x-0 - repository: 'file://../common' + version: ~13.x-0 + repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/etcd/templates/pv.yaml b/kubernetes/common/etcd/templates/pv.yaml index ac5b7b975d..a54850dad3 100644 --- a/kubernetes/common/etcd/templates/pv.yaml +++ b/kubernetes/common/etcd/templates/pv.yaml @@ -24,11 +24,7 @@ kind: PersistentVolume metadata: name: {{ include "common.fullname" $global }}-data-{{ $i }} namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" + labels: {{- include "common.labels" $global | nindent 4 }} name: {{ include "common.fullname" $global }} spec: capacity: diff --git a/kubernetes/common/etcd/templates/service.yaml b/kubernetes/common/etcd/templates/service.yaml index 04fc93af00..c5993934fd 100644 --- a/kubernetes/common/etcd/templates/service.yaml +++ b/kubernetes/common/etcd/templates/service.yaml 
@@ -19,13 +19,8 @@ kind: Service metadata: annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -metadata: name: {{ include "common.servicename" . }} - labels: - heritage: "{{ .Release.Service }}" - release: "{{ include "common.release" . }}" - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: {{ include "common.name" . }} + labels: {{- include "common.labels" . | nindent 4 }} spec: ports: - name: {{ .Values.service.peerPortName }} @@ -33,7 +28,4 @@ spec: - name: {{ .Values.service.clientPortName }} port: {{ .Values.service.clientInternalPort }} clusterIP: None - selector: - app: {{ include "common.name" . }} - release: "{{ include "common.release" . }}" - + selector: {{- include "common.matchLabels" . | nindent 4 }} diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml index ff11da309a..f2e04c992d 100644 --- a/kubernetes/common/etcd/templates/statefulset.yaml +++ b/kubernetes/common/etcd/templates/statefulset.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2019 Intel Corporation Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -15,26 +16,13 @@ */}} apiVersion: apps/v1 kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - labels: - heritage: "{{ .Release.Service }}" - release: "{{ include "common.release" . }}" - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: {{ include "common.name" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - serviceName: {{ include "common.servicename" .}} + selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - heritage: "{{ .Release.Service }}" - release: "{{ include "common.release" . }}" - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{- if .Values.affinity }} affinity: @@ -48,12 +36,13 @@ spec: tolerations: {{ toYaml .Values.tolerations | indent 8 }} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.googleK8sRepository" . }}/{{ .Values.image }} imagePullPolicy: "{{ .Values.pullPolicy }}" + {{ include "common.containerSecurityContext" . | indent 10 | trim }} ports: - containerPort: {{ .Values.service.peerInternalPort }} name: {{ .Values.service.peerPortName }} @@ -67,8 +56,7 @@ spec: periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{ end -}} - resources: -{{ include "common.resources" . | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: INITIAL_CLUSTER_SIZE value: {{ .Values.replicaCount | quote }} 
@@ -224,11 +212,7 @@ spec: volumeClaimTemplates: - metadata: name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 8 }} spec: accessModes: - "{{ .Values.persistence.accessMode }}" diff --git a/kubernetes/common/etcd/values.yaml b/kubernetes/common/etcd/values.yaml index e2334eadfe..69d533c728 100644 --- a/kubernetes/common/etcd/values.yaml +++ b/kubernetes/common/etcd/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2019 Intel Corporation, Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,6 +36,10 @@ nodeSelector: {} affinity: {} +securityContext: + user_id: 1000 + group_id: 1000 + # probe configuration parameters liveness: initialDelaySeconds: 90 diff --git a/kubernetes/common/logConfiguration/.helmignore b/kubernetes/common/logConfiguration/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/logConfiguration/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/logConfiguration/Chart.yaml b/kubernetes/common/logConfiguration/Chart.yaml index 8207803af3..7908bfa405 100644 --- a/kubernetes/common/logConfiguration/Chart.yaml 
+++ b/kubernetes/common/logConfiguration/Chart.yaml @@ -17,9 +17,9 @@ apiVersion: v2 description: Template used to create same STDOUT log configuration name: logConfiguration -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: 'file://../common' + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/mariadb-galera/.helmignore b/kubernetes/common/mariadb-galera/.helmignore index f0c1319444..0bab41b6b1 100644 --- a/kubernetes/common/mariadb-galera/.helmignore +++ b/kubernetes/common/mariadb-galera/.helmignore @@ -19,3 +19,14 @@ .project .idea/ *.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/mariadb-galera/Chart.yaml b/kubernetes/common/mariadb-galera/Chart.yaml index 587fa38302..5efb36b81b 100644 --- a/kubernetes/common/mariadb-galera/Chart.yaml +++ b/kubernetes/common/mariadb-galera/Chart.yaml @@ -18,7 +18,7 @@ apiVersion: v2 description: Chart for MariaDB Galera cluster name: mariadb-galera -version: 12.0.0 +version: 16.0.0 keywords: - mariadb - mysql @@ -29,14 +29,15 @@ keywords: dependencies: - name: common - version: ~12.x-0 - repository: 'file://../common' + version: ~13.x-0 + repository: '@local' - name: readinessCheck - version: ~12.x-0 - repository: 'file://../readinessCheck' + version: ~13.x-0 + repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' + version: ~13.x-0 + repository: '@local' - name: serviceAccount - version: ~12.x-0 - repository: 'file://../serviceAccount' \ No newline at end of file + version: ~13.x-0 + repository: '@local' + condition: global.mariadbGalera.enableServiceAccount \ No newline at end of file 
diff --git a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml index 4248cfe85c..ddff6cddc1 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/cronjob.yaml @@ -15,6 +15,9 @@ # limitations under the License. */}} +{{- if and .Values.backup.enabled .Values.global.mariadbGalera.useOperator }} +{{ include "common.mariadbOpBackup" . }} +{{ else }} {{- if and .Values.backup.enabled .Values.persistence.enabled }} apiVersion: batch/v1beta1 kind: CronJob @@ -29,6 +32,13 @@ spec: jobTemplate: spec: template: + metadata: + annotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} {{ include "common.podSecurityContext" . | indent 10 | trim}} @@ -77,7 +87,7 @@ spec: env: - name: DB_PASS {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mariadb.secret.rootPassUID" .) "key" "password") | indent 18 }} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 16 }} volumeMounts: - name: backup-dir mountPath: /backup 
@@ -148,23 +158,16 @@ spec: ls -tr | grep backup | head -$filestoDelete | xargs rm -rf fi fi - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 16 }} volumeMounts: - mountPath: /bitnami/mariadb/data name: tmp-data - mountPath: /opt/bitnami/mariadb/tmp name: tmp - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: backup-dir mountPath: /backup - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 10 }} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: data persistentVolumeClaim: {{- if .Values.persistence.existingClaim }} @@ -176,7 +179,10 @@ spec: persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-backup-data - name: tmp-data - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.tmpDataSizeLimit }} - name: tmp - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} +{{- end }} {{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/backup/pv.yaml b/kubernetes/common/mariadb-galera/templates/backup/pv.yaml index 30eb74b059..d5e26109e7 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/pv.yaml +++ b/kubernetes/common/mariadb-galera/templates/backup/pv.yaml @@ -14,6 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} + +{{- if not .Values.global.mariadbGalera.useOperator }} {{- if .Values.backup.enabled }} {{- if and .Values.backup.persistence.enabled (not .Values.backup.persistence.existingClaim) -}} {{- if eq "True" (include "common.needPV" .) -}} @@ -41,3 +43,4 @@ spec: {{- end -}} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml b/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml index 5dd8a3f52f..05aafb5cc9 100644 --- a/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml 
+++ b/kubernetes/common/mariadb-galera/templates/backup/pvc.yaml @@ -14,6 +14,8 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} + +{{- if not .Values.global.mariadbGalera.useOperator }} {{- if .Values.backup.enabled }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} --- @@ -45,3 +47,4 @@ spec: {{- end -}} {{- end -}} {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mariadb-galera/templates/configmap.yaml b/kubernetes/common/mariadb-galera/templates/configmap.yaml index c95a234fb7..152d39f4a5 100644 --- a/kubernetes/common/mariadb-galera/templates/configmap.yaml +++ b/kubernetes/common/mariadb-galera/templates/configmap.yaml @@ -15,7 +15,20 @@ # limitations under the License. */}} -{{ if .Values.mariadbConfiguration }} +{{- if .Values.global.mariadbGalera.useOperator }} +{{ if .Values.mariadbOpConfiguration }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "common.fullname" .) }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: + my.cnf: | +{{ .Values.mariadbOpConfiguration | indent 4 }} +{{- end }} +{{- else }} +{{ if .Values.mariadbConfiguration }} apiVersion: v1 kind: ConfigMap metadata: @@ -25,4 +38,5 @@ metadata: data: my.cnf: | {{ .Values.mariadbConfiguration | indent 4 }} -{{- end }} \ No newline at end of file +{{- end }} +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/mariadb.yaml b/kubernetes/common/mariadb-galera/templates/mariadb.yaml new file mode 100644 index 0000000000..d8ada6fbbb --- /dev/null +++ b/kubernetes/common/mariadb-galera/templates/mariadb.yaml 
@@ -0,0 +1,19 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.mariadbGalera.useOperator }} +{{ include "common.mariadbOpInstance" . }} +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml b/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml index 841aab3e17..e628deea15 100644 --- a/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml +++ b/kubernetes/common/mariadb-galera/templates/metrics-svc.yaml @@ -14,7 +14,9 @@ # limitations under the License. */}} -{{- if default false .Values.global.metrics.enabled }} +{{- if not .Values.global.mariadbGalera.useOperator }} +{{- if default false .Values.global.metrics.enabled }} +--- apiVersion: v1 kind: Service metadata: @@ -31,4 +33,5 @@ spec: port: {{ .Values.metrics.service.port }} targetPort: tcp-metrics selector: {{- include "common.matchLabels" . | nindent 4 }} +{{- end }} {{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/pdb.yaml b/kubernetes/common/mariadb-galera/templates/pdb.yaml index 4697934879..da83abc993 100644 --- a/kubernetes/common/mariadb-galera/templates/pdb.yaml +++ b/kubernetes/common/mariadb-galera/templates/pdb.yaml 
@@ -14,17 +14,19 @@ # limitations under the License. */}} -{{- if .Values.podDisruptionBudget.create }} -apiVersion: policy/v1beta1 +{{- if not .Values.global.mariadbGalera.useOperator }} +{{- if .Values.podDisruptionBudget.create }} +apiVersion: policy/v1 kind: PodDisruptionBudget metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: -{{- if .Values.podDisruptionBudget.minAvailable }} +{{- if .Values.podDisruptionBudget.minAvailable }} minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.podDisruptionBudget.maxUnavailable }} +{{- end }} +{{- if .Values.podDisruptionBudget.maxUnavailable }} maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} -{{- end }} +{{- end }} selector: matchLabels: {{- include "common.matchLabels" . | nindent 6 }} +{{- end }} {{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml b/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml index cf0ab566a4..ee9124f23b 100644 --- a/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml +++ b/kubernetes/common/mariadb-galera/templates/prometheusrules.yaml @@ -28,4 +28,3 @@ spec: rules: {{- toYaml .Values.metrics.prometheusRules.rules | nindent 6 }} {{- end }} - diff --git a/kubernetes/common/mariadb-galera/templates/pv.yaml b/kubernetes/common/mariadb-galera/templates/pv.yaml index 54a02cf2db..267755259d 100644 --- a/kubernetes/common/mariadb-galera/templates/pv.yaml +++ b/kubernetes/common/mariadb-galera/templates/pv.yaml @@ -15,4 +15,6 @@ # limitations under the License. */}} +{{- if not .Values.global.mariadbGalera.useOperator }} {{ include "common.replicaPV" . }} +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/secrets.yaml b/kubernetes/common/mariadb-galera/templates/secrets.yaml index 527f41266d..77a8e38e80 100644 --- a/kubernetes/common/mariadb-galera/templates/secrets.yaml +++ b/kubernetes/common/mariadb-galera/templates/secrets.yaml 
@@ -16,4 +16,4 @@ # limitations under the License. */}} -{{ include "common.secretFast" . }} \ No newline at end of file +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/mariadb-galera/templates/service.yaml b/kubernetes/common/mariadb-galera/templates/service.yaml index 9b4c05ef70..e1a910557f 100644 --- a/kubernetes/common/mariadb-galera/templates/service.yaml +++ b/kubernetes/common/mariadb-galera/templates/service.yaml @@ -15,11 +15,13 @@ # limitations under the License. */}} +{{- if not .Values.global.mariadbGalera.useOperator }} {{ include "common.service" . }} --- {{ include "common.headlessService" . }} +{{- end }} {{- if (include "common.onServiceMesh" .) }} -{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} +{{- if eq (default "istio" .Values.global.serviceMesh.engine) "istio" }} --- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication @@ -29,9 +31,13 @@ metadata: spec: selector: matchLabels: - app.kubernetes.io/name: {{ include "common.servicename" . }} + app: {{ include "common.servicename" . }} portLevelMtls: - {{ .Values.service.internalPort }}: + '{{ .Values.service.internalPort }}': +{{- if .Values.mariadbOperator.galera.enabled }} + mode: STRICT +{{- else }} mode: DISABLE -{{- end}} -{{- end}} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml index 6d1ed40e13..1bffb246f4 100644 --- a/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml +++ b/kubernetes/common/mariadb-galera/templates/servicemonitor.yaml @@ -14,6 +14,8 @@ # limitations under the License. */}} -{{- if .Values.metrics.serviceMonitor.enabled }} +{{- if not .Values.global.mariadbGalera.useOperator }} +{{- if .Values.metrics.serviceMonitor.enabled }} {{ include "common.serviceMonitor" . }} +{{- end }} {{- end }} 
diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index c95b572465..3011d93e5a 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -18,6 +18,7 @@ # limitations under the License. */}} +{{- if not .Values.global.mariadbGalera.useOperator }} apiVersion: apps/v1 kind: StatefulSet metadata: {{- include "common.resourceMetadata" . | nindent 2 }} @@ -38,37 +39,24 @@ spec: initContainers: # we shouldn't need this but for unknown reason, it's fsGroup is not # applied - - name: fix-permission + {{- if .Values.mariadbConfiguration }} + - name: copy-config command: - /bin/sh args: - -c - | - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /data - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /bootstrap/ - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /tmp/ - {{- if .Values.mariadbConfiguration }} cp /config/my.cnf /actual/my.cnf - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /actual - {{- end }} image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - runAsUser: 0 + {{ include "common.containerSecurityContext" . | indent 10 | trim }} volumeMounts: - - name: previous-boot - mountPath: /bootstrap - - name: mariadb-tmp-folder - mountPath: /tmp - - name: {{ include "common.fullname" . }} - mountPath: /data - {{- if .Values.mariadbConfiguration }} - name: mariadb-galera-starting-config mountPath: /config/my.cnf subPath: my.cnf - name: mariadb-galera-actual-config mountPath: /actual - {{- end }} + {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} 
@@ -168,8 +156,11 @@ spec: successThreshold: {{ .Values.startupProbe.successThreshold }} failureThreshold: {{ .Values.startupProbe.failureThreshold }} {{- end }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: + - name: tmp + mountPath: /tmp - name: previous-boot mountPath: /opt/bitnami/mariadb/.bootstrap - name: {{ include "common.fullname" . }} @@ -217,11 +208,10 @@ spec: timeoutSeconds: {{ .Values.metrics.readinessProbe.timeoutSeconds }} successThreshold: {{ .Values.metrics.readinessProbe.successThreshold }} failureThreshold: {{ .Values.metrics.readinessProbe.failureThreshold }} - {{ include "common.containerSecurityContext" . | indent 10 | trim }} + securityContext: {{- toYaml .Values.metrics.securityContext | nindent 12 }} resources: {{- toYaml .Values.metrics.resources | nindent 12 }} {{- end }} - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- if .Values.schedulerName }} schedulerName: {{ .Values.schedulerName | quote }} {{- end }} @@ -244,13 +234,19 @@ spec: tolerations: {{- include "common.tplValue" (dict "value" .Values.tolerations "context" .) | nindent 8 }} {{- end }} volumes: + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} - name: previous-boot - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.bootSizeLimit }} - name: mariadb-tmp-folder - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.tmpMariaDBSizeLimit }} {{- if .Values.mariadbConfiguration }} - name: mariadb-galera-actual-config - emptyDir: {} + emptyDir: + sizeLimit: {{ .Values.volumes.configSizeLimit }} - name: mariadb-galera-starting-config configMap: name: {{ printf "%s-configuration" (include "common.fullname" .) }} 
@@ -266,3 +262,4 @@ spec: volumeClaimTemplates: - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence) | indent 6 | trim }} {{- end }} +{{- end }} diff --git a/kubernetes/common/mariadb-galera/values.yaml b/kubernetes/common/mariadb-galera/values.yaml index e9fe577233..1dfeaeeabd 100644 --- a/kubernetes/common/mariadb-galera/values.yaml +++ b/kubernetes/common/mariadb-galera/values.yaml @@ -15,6 +15,26 @@ # See the License for the specific language governing permissions and # limitations under the License. +################################################################# +# Global configuration defaults. +################################################################# +global: + nodePortPrefix: 302 + mariadbContainerRegistry: docker-registry3.mariadb.com + persistence: + mountPath: /dockerdata-nfs + backup: + mountPath: /dockerdata-nfs/backup + clusterDomain: cluster.local + metrics: {} + mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + nameOverride: mariadb-galera + service: mariadb-galera ################################################################# # Secrets metaconfig 
@@ -35,21 +55,111 @@ secrets: login: '{{ .Values.galera.mariabackup.user }}' password: '{{ .Values.galera.mariabackup.password }}' +mariadbOperator: + image: mariadb + appVersion: 11.7.2 + persistence: + #storageClassName: default + size: 3Gi + galera: + enabled: true + agentImage: mariadb-operator/mariadb-operator + agentVersion: 0.38.1 + initImage: mariadb-operator/mariadb-operator + initVersion: 0.38.1 + +## String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: mariadb-galera + +## Custom db configuration +## +db: + ## MariaDB username and password + ## Password is ignored if externalSecret is specified. + ## If not set, password will be "randomly" generated + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run + ## + user: my-user + # password: + # externalSecret: + ## Database to create + ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run + ## + # name: my_database + +## Desired number of cluster nodes +## +replicaCount: 3 + +## Additional pod annotations for MariaDB Galera pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## -> here required to enable mariadb-galera in istio +## +podAnnotations: + # sidecar.istio.io/inject: "false" + traffic.sidecar.istio.io/excludeInboundPorts: "4444,4567,4568" + traffic.sidecar.istio.io/includeInboundPorts: '*' + traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568,443" + +mariadbOpConfiguration: |- + [mysqld] + max_allowed_packet=256M + lower_case_table_names = 1 + + ## Character set + collation_server=utf8_unicode_ci + init_connect='SET NAMES utf8' + character_set_server=utf8 + + ## MyISAM + key_buffer_size=32M + myisam_recover_options=FORCE,BACKUP + + ## Safety + skip_host_cache + skip_name_resolve + max_allowed_packet=16M + max_connect_errors=1000000 + 
sql_mode=STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_AUTO_VALUE_ON_ZERO,NO_ENGINE_SUBSTITUTION,NO_ZERO_DATE,NO_ZERO_IN_DATE,ONLY_FULL_GROUP_BY + sysdate_is_now=1 + + ## Caches and Limits + tmp_table_size=32M + max_heap_table_size=32M + # Re-enabling as now works with Maria 10.1.2 + query_cache_type=1 + query_cache_limit=4M + query_cache_size=256M + max_connections=500 + thread_cache_size=50 + open_files_limit=65535 + table_definition_cache=4096 + table_open_cache=4096 + + ## InnoDB + innodb=FORCE + innodb_strict_mode=1 + # Mandatory per https://github.com/codership/documentation/issues/25 + innodb_autoinc_lock_mode=2 + # Per https://www.percona.com/blog/2006/08/04/innodb-double-write/ + innodb_doublewrite=1 + innodb_flush_method=O_DIRECT + innodb_log_files_in_group=2 + innodb_log_file_size=128M + innodb_flush_log_at_trx_commit=1 + innodb_file_per_table=1 + # 80% Memory is default reco. + # Need to re-evaluate when DB size grows + innodb_buffer_pool_size=2G + innodb_file_format=Barracuda + +########################################################################################## +# !!! the following configuration entries are ignored, when mariadbOperator is enabled !!! +########################################################################################## # bitnami image doesn't support well single quote in password passwordStrengthOverride: basic -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: - mountPath: /dockerdata-nfs - backup: - mountPath: /dockerdata-nfs/backup - clusterDomain: cluster.local - metrics: {} - image: bitnami/mariadb-galera:10.5.8 ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -66,10 +176,6 @@ debug: true ## actions performed on the databases are tried to be done before actual start. init_sleep_time: 5 -## String to partially override common.names.fullname template (will maintain the release name) -## -nameOverride: mariadb-galera - ## Use an alternate scheduler, e.g. "stork". ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ## @@ -112,10 +218,13 @@ serviceAccount: ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## securityContext: - enabled: true user_id: 10001 group_id: 10001 +# Old Bitnami Chart does not work without Filesystem access +containerSecurityContext: + readOnlyFileSystem: false + ## Database credentials for root (admin) user ## rootUser: @@ -129,22 +238,6 @@ rootUser: # password: # externalSecret: -## Custom db configuration -## -db: - ## MariaDB username and password - ## Password is ignored if externalSecret is specified. - ## If not set, password will be "randomly" generated - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-user-on-first-run - ## - user: my-user - # password: - # externalSecret: - ## Database to create - ## ref: https://github.com/bitnami/bitnami-docker-mariadb-galera#creating-a-database-on-first-run - ## - # name: my_database - ## Galera configuration ## galera: @@ -178,8 +271,16 @@ galera: ## For this reason the db data pvc needs to have accessMode: ReadWriteMany. backup: enabled: false + # used in the mariadb-operator to override the backup name (default is DBName) + # nameOverride: + # defines the backup job execution period cron: "00 00 * * *" + # used by mariadb-operator to set the max retention time + maxRetention: 720h retentionPeriod: 3 + # used by mariadb-operator to set the backup storage type (PVC, S3, volume) + storageType: PVC + # configuration used for PVC backup storage persistence: ## If true, use a Persistent Volume Claim, If false, use emptyDir ## 
@@ -208,11 +309,32 @@ backup: ## Persistent Volume size ## size: 2Gi - + # requires mariadb-operator v0.24.0 + # configuration used for S3 backup storage + # see: https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/BACKUP.md + s3: + bucket: backups + endpoint: minio.minio.svc.cluster.local:9000 + #region: us-east-1 + accessKeyIdSecretKeyRef: + name: minio + key: access-key-id + secretAccessKeySecretKeyRef: + name: minio + key: secret-access-key + tls: + enabled: false + caSecretKeyRef: + name: minio-ca + key: ca.crt + # configuration used for kubernetes volumes as backup storage + # see: https://github.com/mariadb-operator/mariadb-operator/blob/main/docs/BACKUP.md + volume: {} readinessCheck: wait_for: - - '{{ include "common.name" . }}' + services: + - '{{ include "common.servicename" . }}' ## TLS configuration ## @@ -368,26 +490,12 @@ mariadbConfiguration: |- ## ## extraFlags: "--max-connect-errors=1000 --max_connections=155" -## Desired number of cluster nodes -## -replicaCount: 3 - ## updateStrategy for MariaDB Master StatefulSet ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies ## updateStrategy: type: RollingUpdate -## Additional pod annotations for MariaDB Galera pods -## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ -## -> here required to enable mariadb-galera in istio -## -podAnnotations: - # sidecar.istio.io/inject: "false" - traffic.sidecar.istio.io/excludeInboundPorts: "4444,4567,4568" - traffic.sidecar.istio.io/includeInboundPorts: '*' - traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568" - ## Pod affinity preset ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## Allowed values: soft, hard 
@@ -488,20 +596,27 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 500m - memory: 2Gi + cpu: "500m" + memory: "2Gi" large: limits: - cpu: 2 - memory: 6Gi + cpu: "2" + memory: "6Gi" requests: - cpu: 1 - memory: 3Gi + cpu: "1" + memory: "3Gi" unlimited: {} +volumes: + tmpDataSizeLimit: 500Mi + bootSizeLimit: 50Mi + tmpSizeLimit: 200Mi + configSizeLimit: 50Mi + tmpMariaDBSizeLimit: 100Mi + ## MariaDB Galera containers' liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## @@ -555,6 +670,19 @@ metrics: ## - --collect.binlog_size ## extraFlags: [] + securityContext: + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault ## MySQL Prometheus exporter containers' resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## @@ -564,11 +692,12 @@ metrics: # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits: - cpu: 0.5 - memory: 256Mi + cpu: "0.5" + memory: "200Mi" requests: - cpu: 0.5 - memory: 256Mi + cpu: "0.5" + memory: "200Mi" + ## MariaDB Galera metrics container's liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## diff --git a/kubernetes/common/mariadb-init/.helmignore b/kubernetes/common/mariadb-init/.helmignore index dadf202953..f4d0b92f20 100644 --- a/kubernetes/common/mariadb-init/.helmignore +++ b/kubernetes/common/mariadb-init/.helmignore 
@@ -21,3 +21,14 @@ *.tmproj tests +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/mariadb-init/Chart.yaml b/kubernetes/common/mariadb-init/Chart.yaml index 32e6762b63..f1acef604d 100644 --- a/kubernetes/common/mariadb-init/Chart.yaml +++ b/kubernetes/common/mariadb-init/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,16 +14,22 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - +--- apiVersion: v2 description: Chart for MariaDB Galera init job name: mariadb-init -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 - repository: 'file://../common' + version: ~13.x-0 + repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/mariadb-init/resources/config/db_init.sh b/kubernetes/common/mariadb-init/resources/config/db_init.sh index 8f7e7ce44b..f55da7a3a8 100755 --- a/kubernetes/common/mariadb-init/resources/config/db_init.sh +++ b/kubernetes/common/mariadb-init/resources/config/db_init.sh 
@@ -36,9 +36,9 @@ while read DB ; do echo "Creating database ${DB} and user ${USER}..." - mysql $MYSQL_OPTS -e "CREATE OR REPLACE USER '${USER}'@'%' IDENTIFIED BY '${PASS}'" - mysql $MYSQL_OPTS -e "CREATE DATABASE IF NOT EXISTS ${DB}" - mysql $MYSQL_OPTS -e "GRANT ALL PRIVILEGES ON ${DB}.* TO '${USER}'@'%'" + mariadb $MYSQL_OPTS -e "CREATE OR REPLACE USER '${USER}'@'%' IDENTIFIED BY '${PASS}'" + mariadb $MYSQL_OPTS -e "CREATE DATABASE IF NOT EXISTS ${DB}" + mariadb $MYSQL_OPTS -e "GRANT ALL PRIVILEGES ON ${DB}.* TO '${USER}'@'%'" echo "Created database ${DB} and user ${USER}." done < - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: "mongo/data" - -service: - name: mongo - portName: mongo - internalPort: 27017 - # nfs provisioner ports - nfsPort: 2049 - mountdPort: 20048 - rpcbindPort: 111 - rpcbindUdpPort: 111 - -securityContext: - user_id: 999 - group_id: 999 - -ingress: - enabled: false - - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: 100m - memory: 200Mi - requests: - cpu: 10m - memory: 50Mi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - unlimited: {} - -sdnctlPrefix: mongo - -geoEnabled: false -geoSiteId: 1 diff --git a/kubernetes/common/mongodb-init/.helmignore b/kubernetes/common/mongodb-init/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/mongodb-init/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/mongodb-init/Chart.yaml b/kubernetes/common/mongodb-init/Chart.yaml new file mode 100644 index 0000000000..93ffddf625 --- /dev/null +++ b/kubernetes/common/mongodb-init/Chart.yaml 
@@ -0,0 +1,32 @@ +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: Chart for MongoDB init job +name: mongodb-init +version: 13.0.6 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/mongodb-init/README.md b/kubernetes/common/mongodb-init/README.md new file mode 100644 index 0000000000..aa6c735744 --- /dev/null +++ b/kubernetes/common/mongodb-init/README.md @@ -0,0 +1,16 @@ +# mongodb-init + +## Introduction + +Initialization scripts for mongo database. + +- not part of ONAP OOM yet + +## Requirements + +mongodb-init needs the following ONAP projects to work: + +- common/common +- common/repositoryGenerator +- common/serviceAccount +- common/readinessCheck diff --git a/kubernetes/common/mongodb-init/resources/config/setup.sql b/kubernetes/common/mongodb-init/resources/config/setup.sql new file mode 100644 index 0000000000..452ee187df --- /dev/null +++ b/kubernetes/common/mongodb-init/resources/config/setup.sql @@ -0,0 +1,11 @@ +// Database Setup +use ${MONGO_DATABASE} + +// UserCreation Setup +db.createUser( + { + user: "${MONGODB_USER}", + pwd: "${MONGODB_PASSWORD}", + roles: [ { role: "readWrite", db: "${MONGO_DATABASE}" } ] + } +) 
diff --git a/kubernetes/common/mongodb-init/templates/configmap.yaml b/kubernetes/common/mongodb-init/templates/configmap.yaml new file mode 100644 index 0000000000..5ae1ab4c6f --- /dev/null +++ b/kubernetes/common/mongodb-init/templates/configmap.yaml @@ -0,0 +1,25 @@ +{{/* +# Copyright © 2024 Deutsche Telekom +# +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/mongodb-init/templates/job.yaml b/kubernetes/common/mongodb-init/templates/job.yaml new file mode 100644 index 0000000000..2721d1ff45 --- /dev/null +++ b/kubernetes/common/mongodb-init/templates/job.yaml 
@@ -0,0 +1,125 @@ +{{/* +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-config-job + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} +spec: + backoffLimit: 20 + template: + metadata: + labels: {{- include "common.labels" . | nindent 8 }} + name: {{ include "common.name" . }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + - name: {{ include "common.name" . }}-update-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + command: + - sh + args: + - -c + - | + function prepare_password { + echo -n $1 | sed -e "s/'/''/g" + } + export MONGODB_PASSWORD=`prepare_password $MONGODB_PASSWORD_INPUT`; + export MONGODB_ROOT_PASSWORD=`prepare_password $MONGODB_ROOT_PASSWORD_INPUT`; + export MONGODB_USER=`prepare_password $MONGODB_USER_INPUT`; + export MONGODB_ROOT_USER=`prepare_password $MONGODB_ROOT_USER_INPUT`; + {{- if include "common.onServiceMesh" . 
}} + echo "waiting 15s for istio side cars to be up"; sleep 15s; + {{- end }} + cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done; + env: + - name: MONGODB_HOST + value: "{{ .Values.global.mongodb.service.name }}" + - name: MONGODB_USER_INPUT + #value: "{{ .Values.config.mgUserName }}" + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" .Values.config.mgDatabase "key" "login") | indent 10 }} + - name: MONGODB_PASSWORD_INPUT + #value: "{{ .Values.config.mgUserPassword }}" + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" .Values.config.mgDatabase "key" "password") | indent 10 }} + - name: MONGO_DATABASE + value: "{{ .Values.config.mgDatabase }}" + - name: MONGODB_ROOT_USER_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" .Values.config.mgRootUserKey) | indent 10 }} + - name: MONGODB_ROOT_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" .Values.config.mgRootPasswordKey) | indent 10 }} + volumeMounts: + - mountPath: /config-input/setup.sql + name: config + subPath: setup.sql + - mountPath: /config + name: mgconf + containers: + - name: {{ include "common.name" . }}-setup-db + image: {{ include "repositoryGenerator.image.mongodbImage" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . 
| indent 8 | trim }} + command: + - sh + args: + - -c + - | + function prepare_password { + echo -n $1 | sed -e "s/'/''/g" + } + export MONGODB_ROOT_USER=`prepare_password $MONGODB_ROOT_USER_INPUT`; + export MONGODB_ROOT_PASSWORD=`prepare_password $MONGODB_ROOT_PASSWORD_INPUT`; + mongosh "mongodb://${MONGODB_ROOT_USER}:${MONGODB_ROOT_PASSWORD}@$MONGODB_HOST" < /config/setup.sql + env: + - name: MONGODB_HOST + value: "{{ .Values.global.mongodb.service.name }}" + - name: MONGODB_ROOT_USER_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" "MONGODB_DATABASE_ADMIN_USER") | indent 10 }} + - name: MONGODB_ROOT_PASSWORD_INPUT + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.mongodb.secret.rootPassUID" .) "key" "MONGODB_DATABASE_ADMIN_PASSWORD") | indent 10 }} + volumeMounts: + - mountPath: /config-input/setup.sql + name: config + subPath: setup.sql + - mountPath: /config + name: mgconf + resources: {{ include "common.resources" . | nindent 10 }} + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: config + configMap: + name: {{ include "common.fullname" . }} + - name: mgconf + emptyDir: + medium: Memory + sizeLimit: 64Mi + restartPolicy: Never + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/mongodb-init/templates/secrets.yaml b/kubernetes/common/mongodb-init/templates/secrets.yaml new file mode 100644 index 0000000000..783147b0ba --- /dev/null +++ b/kubernetes/common/mongodb-init/templates/secrets.yaml 
@@ -0,0 +1,16 @@ +{{/* +# ## Copyright © 2024 Deutsche Telekom +# # +# # Licensed under the Apache License, Version 2.0 (the "License"); +# # you may not use this file except in compliance with the License. +# # You may obtain a copy of the License at +# # +# # http://www.apache.org/licenses/LICENSE-2.0 +# # +# # Unless required by applicable law or agreed to in writing, software +# # distributed under the License is distributed on an "AS IS" BASIS, +# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# # See the License for the specific language governing permissions and +# # limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/common/mongodb-init/values.yaml b/kubernetes/common/mongodb-init/values.yaml new file mode 100644 index 0000000000..1ab74c635c --- /dev/null +++ b/kubernetes/common/mongodb-init/values.yaml 
@@ -0,0 +1,126 @@ +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + mongodb: + service: + name: mgset + container: + name: mongodb + + imagePullSecrets: + - '{{ include "common.namespace" . }}-docker-registry-key' + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: '{{ include "common.mongodb.secret.rootPassUID" . }}' + type: password + externalSecret: '{{ tpl (default "" .Values.config.mgExternalSecret) . }}' + password: '{{ .Values.config.mgRootPasswordKey }}' + - uid: '{{ .Values.config.mgDatabase }}' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.mgUserExternalSecret) . }}' + login: '{{ .Values.config.mgUserName }}' + password: '{{ .Values.config.mgUserPassword }}' + +################################################################# +# Application configuration defaults. +################################################################# + +pullPolicy: Always + +# application configuration +config: + mgUserName: testuser + mgUserPassword: testuser123 + mgDatabase: testdb + mgDataPath: data + #mgRootPasswordExternalSecret: '{{ include "common.namespace" . 
}}-mongodb-db-root-password' + mgExternalSecret: '{{ include "common.name" . }}-mongo-secrets' + mgRootUserKey: MONGODB_DATABASE_ADMIN_USER + mgRootPasswordKey: MONGODB_DATABASE_ADMIN_PASSWORD + mgUserExternalSecret: '{{ include "common.release" . }}-{{ include "common.name" . }}-mg-secret' + +nodeSelector: {} + +affinity: {} + +flavor: small + +#resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: "100m" + memory: "0.3Gi" + requests: + cpu: "10m" + memory: "0.09Gi" + large: + limits: + cpu: "2" + memory: "4Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: mongodb-init + roles: + - read + +securityContext: + user_id: 100 + group_id: 65533 + +readinessCheck: + wait_for: + services: + - '{{ .Values.global.mongodb.service.name }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-setup-db' + +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. 
+# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" diff --git a/kubernetes/common/mongodb/.helmignore b/kubernetes/common/mongodb/.helmignore new file mode 100644 index 0000000000..207983f368 --- /dev/null +++ b/kubernetes/common/mongodb/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/kubernetes/common/mongodb/CHANGELOG.md b/kubernetes/common/mongodb/CHANGELOG.md new file mode 100644 index 0000000000..186011a905 --- /dev/null +++ b/kubernetes/common/mongodb/CHANGELOG.md 
@@ -0,0 +1,2039 @@ +# Changelog + +## 16.5.7 (2025-05-13) + +* [bitnami/mongodb] :zap: :arrow_up: Update dependency references ([#33636](https://github.com/bitnami/charts/pull/33636)) + +## 16.5.6 (2025-05-06) + +* [bitnami/mongodb] chore: :recycle: :arrow_up: Update common and remove k8s < 1.23 references (#33405 ([59d21e7](https://github.com/bitnami/charts/commit/59d21e7d2e6fe9785f6960ceb690c72c64e75190)), closes [#33405](https://github.com/bitnami/charts/issues/33405) + +## 16.5.5 (2025-05-01) + +* [bitnami/mongodb] Release 16.5.5 (#33286) ([c084df3](https://github.com/bitnami/charts/commit/c084df377f1cb009a149dd58fa9eb691aa3d635c)), closes [#33286](https://github.com/bitnami/charts/issues/33286) + +## 16.5.4 (2025-04-30) + +* [bitnami/mongodb] Remove extra volumeClaimTemplates fields (#33236) ([3576e85](https://github.com/bitnami/charts/commit/3576e85131e5ee110040f9fa900249a57e35d79d)), closes [#33236](https://github.com/bitnami/charts/issues/33236) + +## 16.5.3 (2025-04-28) + +* [bitnami/mongodb] Release 16.5.3 (#33211) ([8ec0951](https://github.com/bitnami/charts/commit/8ec095186aa934f76bd311a7d734a5eb77f98b58)), closes [#33211](https://github.com/bitnami/charts/issues/33211) + +## 16.5.2 (2025-04-25) + +* [bitnami/mongodb] Fix authentication in mongodump job (#33143) ([3b50d1b](https://github.com/bitnami/charts/commit/3b50d1b1199d31408b26a7b2c71320087a2fd77f)), closes [#33143](https://github.com/bitnami/charts/issues/33143) [#33121](https://github.com/bitnami/charts/issues/33121) [#33140](https://github.com/bitnami/charts/issues/33140) + +## 16.5.1 (2025-04-14) + +* [bitnami/mongodb] Release 16.5.1 (#32996) ([ab86a7f](https://github.com/bitnami/charts/commit/ab86a7fe41187495cbdb2c3bbbb6c179160cca2b)), closes [#32996](https://github.com/bitnami/charts/issues/32996) + +## 16.5.0 (2025-04-07) + +* [bitnami/mongodb] Set `usePasswordFiles=true` by default (#32800) ([f51db33](https://github.com/bitnami/charts/commit/f51db33f27df9c1242539be2c3a5dedb8a73249c)), 
closes [#32800](https://github.com/bitnami/charts/issues/32800) + +## 16.4.12 (2025-04-02) + +* [bitnami/mongodb] Release 16.4.12 (#32752) ([a28adbd](https://github.com/bitnami/charts/commit/a28adbd7b634755e6320c2321e37f97be9578cca)), closes [#32752](https://github.com/bitnami/charts/issues/32752) + +## 16.4.11 (2025-03-28) + +* [bitnami/mongodb] backup cronjob time zone variable should be camel case (#32663) ([e5b94bc](https://github.com/bitnami/charts/commit/e5b94bc5c00c2c96d3e8f0fcedf02ad2c020f2a6)), closes [#32663](https://github.com/bitnami/charts/issues/32663) + +## 16.4.10 (2025-03-25) + +* [bitnami/mongodb] fix broken conditional (#32591) ([f98e77e](https://github.com/bitnami/charts/commit/f98e77e989c35d7fa67e3b118bf69e64121d7454)), closes [#32591](https://github.com/bitnami/charts/issues/32591) +* Update README.md (#32588) ([3c9e14a](https://github.com/bitnami/charts/commit/3c9e14ac3fa81ac439f64a20c284244eadb9481d)), closes [#32588](https://github.com/bitnami/charts/issues/32588) + +## 16.4.9 (2025-03-24) + +* [bitnami/mongodb] #27482 - fix replicaset config handling (#32381) ([5f50d43](https://github.com/bitnami/charts/commit/5f50d43900bd5305b9d83ceddd17354081109641)), closes [#32381](https://github.com/bitnami/charts/issues/32381) + +## 16.4.8 (2025-03-21) + +* [bitnami/*] Add tanzuCategory annotation (#32409) ([a8fba5c](https://github.com/bitnami/charts/commit/a8fba5cb01f6f4464ca7f69c50b0fbe97d837a95)), closes [#32409](https://github.com/bitnami/charts/issues/32409) +* [bitnami/mongodb] Release 16.4.8 (#32551) ([07d0b66](https://github.com/bitnami/charts/commit/07d0b664ed13ac2388db93f4369597948f16ee25)), closes [#32551](https://github.com/bitnami/charts/issues/32551) + +## 16.4.7 (2025-03-12) + +* [bitnami/mongodb] Update dns-check init container condition (#32394) ([430e759](https://github.com/bitnami/charts/commit/430e7599e01ab720e67cc6f0fb5098704434ef28)), closes [#32394](https://github.com/bitnami/charts/issues/32394) + +## 16.4.6 (2025-03-10) + +* 
[bitnami/mongodb] Use actual hostname instead of localhost for mongodb_exporter URI string (#32192) ([cbfec4f](https://github.com/bitnami/charts/commit/cbfec4f962119b505b5c81b6d61448506b7a6216)), closes [#32192](https://github.com/bitnami/charts/issues/32192) + +## 16.4.5 (2025-02-21) + +* [bitnami/*] Fix typo in named template name (#31858) ([b739b69](https://github.com/bitnami/charts/commit/b739b69532e637bd33b4a44eeb422c3e749eac77)), closes [#31858](https://github.com/bitnami/charts/issues/31858) +* [bitnami/*] Use CDN url for the Bitnami Application Icons (#31881) ([d9bb11a](https://github.com/bitnami/charts/commit/d9bb11a9076b9bfdcc70ea022c25ef50e9713657)), closes [#31881](https://github.com/bitnami/charts/issues/31881) +* [bitnami/mongodb] Enable publishNotReadyAddresses for ClusterIP services (#31145) ([0e8c150](https://github.com/bitnami/charts/commit/0e8c150374229c71161e96afe8a6c801060871e2)), closes [#31145](https://github.com/bitnami/charts/issues/31145) +* [bitnami/mongodb] Release 16.4.5 (#32135) ([3312b24](https://github.com/bitnami/charts/commit/3312b24b28c273ee9ffed1e37d22ca1f55ebac15)), closes [#32135](https://github.com/bitnami/charts/issues/32135) + +## 16.4.3 (2025-02-03) + +* [bitnami/mongodb] Release 16.4.3 (#31699) ([701d9dc](https://github.com/bitnami/charts/commit/701d9dc6b719f9202b60374f8d8855ef717478ca)), closes [#31699](https://github.com/bitnami/charts/issues/31699) +* Update copyright year (#31682) ([e9f02f5](https://github.com/bitnami/charts/commit/e9f02f5007068751f7eb2270fece811e685c99b6)), closes [#31682](https://github.com/bitnami/charts/issues/31682) + +## 16.4.2 (2025-01-20) + +* [bitnami/mongodb] remove undefined rts key from network policy template (#31356) ([53dc708](https://github.com/bitnami/charts/commit/53dc708eaf3daa0b265b8ed956a1eccaa2f443d7)), closes [#31356](https://github.com/bitnami/charts/issues/31356) + +## 16.4.1 (2025-01-15) + +* [bitnami/*] Fix typo in README (#31052) 
([b41a51d](https://github.com/bitnami/charts/commit/b41a51d1bd04841fc108b78d3b8357a5292771c8)), closes [#31052](https://github.com/bitnami/charts/issues/31052) +* [bitnami/mongodb] Release 16.4.1 (#31390) ([639b28e](https://github.com/bitnami/charts/commit/639b28e5326003ba369f423c9718f1a6a4b4985c)), closes [#31390](https://github.com/bitnami/charts/issues/31390) + +## 16.4.0 (2024-12-10) + +* [bitnami/*] Add Bitnami Premium to NOTES.txt (#30854) ([3dfc003](https://github.com/bitnami/charts/commit/3dfc00376df6631f0ce54b8d440d477f6caa6186)), closes [#30854](https://github.com/bitnami/charts/issues/30854) +* [bitnami/mongodb] Detect non-standard images (#30926) ([9b7cdc2](https://github.com/bitnami/charts/commit/9b7cdc25e189dcb8256a4a11aa35bf46fa01b6c7)), closes [#30926](https://github.com/bitnami/charts/issues/30926) + +## 16.3.3 (2024-12-06) + +* [bitnami/mongodb] Release 16.3.3 (#30822) ([83e96a2](https://github.com/bitnami/charts/commit/83e96a2cd17a29f10230af3ec16e0451fc5f4d0c)), closes [#30822](https://github.com/bitnami/charts/issues/30822) + +## 16.3.2 (2024-12-04) + +* [bitnami/*] docs: :memo: Add "Backup & Restore" section (#30711) ([35ab536](https://github.com/bitnami/charts/commit/35ab5363741e7548f4076f04da6e62d10153c60c)), closes [#30711](https://github.com/bitnami/charts/issues/30711) +* [bitnami/*] docs: :memo: Add "Prometheus metrics" (batch 4) (#30669) ([a4ec006](https://github.com/bitnami/charts/commit/a4ec00624589023a70a7094fcfb9f12e382bc280)), closes [#30669](https://github.com/bitnami/charts/issues/30669) +* [bitnami/*] docs: :memo: Unify "Securing Traffic using TLS" section (#30707) ([b572333](https://github.com/bitnami/charts/commit/b57233336e4fe9af928ecb4f2a5f334011efb1bc)), closes [#30707](https://github.com/bitnami/charts/issues/30707) +* [bitnami/mongodb] Release 16.3.2 (#30785) ([38df250](https://github.com/bitnami/charts/commit/38df25008477850e56123c286ff9daa5e28777e4)), closes [#30785](https://github.com/bitnami/charts/issues/30785) + +## 
16.3.1 (2024-11-26) + +* [bitnami/mongodb] Modify access modes to match YAML 1.2 schema (#30512) ([7cd0bfa](https://github.com/bitnami/charts/commit/7cd0bfa7a78bb1c97c5658a31ecf3b54d60a1812)), closes [#30512](https://github.com/bitnami/charts/issues/30512) + +## 16.3.0 (2024-11-14) + +* [bitnami/mongodb] feat: :sparkles: Add password update job (#30460) ([a4d8d5b](https://github.com/bitnami/charts/commit/a4d8d5b3c164f946901b91651a7bd5cc338a11c0)), closes [#30460](https://github.com/bitnami/charts/issues/30460) + +## 16.2.2 (2024-11-13) + +* [bitnami/mongodb] allow setting the timezone for backup cronjob (#30421) ([f001424](https://github.com/bitnami/charts/commit/f001424f6aad534d5fe5a9ad09265b24b1fd6fe7)), closes [#30421](https://github.com/bitnami/charts/issues/30421) + +## 16.2.1 (2024-10-30) + +* [bitnami/*] Remove wrong comment about imagePullPolicy (#30107) ([a51f9e4](https://github.com/bitnami/charts/commit/a51f9e4bb0fbf77199512d35de7ac8abe055d026)), closes [#30107](https://github.com/bitnami/charts/issues/30107) +* [bitnami/mongodb] Fix render values of resources on init container (#30115) ([7722763](https://github.com/bitnami/charts/commit/77227635ce659923da314f1a3268574697ef63f9)), closes [#30115](https://github.com/bitnami/charts/issues/30115) + +## 16.2.0 (2024-10-28) + +* [bitnami/mongodb] fix: initial primary host variable for arbiter and hidden replicas (#29584) ([a1df969](https://github.com/bitnami/charts/commit/a1df96944f48ea2cde075396d235a07a6d7aa165)), closes [#29584](https://github.com/bitnami/charts/issues/29584) + +## 16.1.1 (2024-10-25) + +* [bitnami/mongodb] Release 16.1.1 (#30084) ([24f6cde](https://github.com/bitnami/charts/commit/24f6cde58746cdc617a672d63add5bfd8b7e6b6d)), closes [#30084](https://github.com/bitnami/charts/issues/30084) + +## 16.1.0 (2024-10-23) + +* [bitnami/mongodb] Add resources for backup cronjob (#30021) ([4836089](https://github.com/bitnami/charts/commit/48360898aedcdb853fb8f967ed64bfdc72399ba8)), closes 
[#30021](https://github.com/bitnami/charts/issues/30021) +* Update documentation links to techdocs.broadcom.com (#29931) ([f0d9ad7](https://github.com/bitnami/charts/commit/f0d9ad78f39f633d275fc576d32eae78ded4d0b8)), closes [#29931](https://github.com/bitnami/charts/issues/29931) + +## 16.0.3 (2024-10-10) + +* [bitnami/mongodb] Fixed awk script to extract in order to be more st… (#29824) ([86745de](https://github.com/bitnami/charts/commit/86745de16a329beadf4277bc602a12224a93e84a)), closes [#29824](https://github.com/bitnami/charts/issues/29824) + +## 16.0.2 (2024-10-09) + +* [bitnami/mongodb] Release 16.0.2 (#29855) ([7fec11a](https://github.com/bitnami/charts/commit/7fec11aa57b1c66cea587219b86081fde3ac0b97)), closes [#29855](https://github.com/bitnami/charts/issues/29855) + +## 16.0.1 (2024-10-08) + +* [bitnami/mongodb] Release 16.0.1 (#29830) ([6360c47](https://github.com/bitnami/charts/commit/6360c478136e8c0d58b7bb50e7f507308afc25f6)), closes [#29830](https://github.com/bitnami/charts/issues/29830) +* [bitnami/mongodb] Update README (#29812) ([6f8a1bf](https://github.com/bitnami/charts/commit/6f8a1bf241a0032a3e44a2ea47f9574f6786d436)), closes [#29812](https://github.com/bitnami/charts/issues/29812) + +## 16.0.0 (2024-10-07) + +* [bitnami/mongodb] Release 16.0.0 (#29801) ([5973e5c](https://github.com/bitnami/charts/commit/5973e5c8e6aa766997000d6a49b9be7936298c30)), closes [#29801](https://github.com/bitnami/charts/issues/29801) + +## 15.6.26 (2024-09-23) + +* [bitnami/mongodb] Fixed arbiter anti affinity rules to prevent it from running on the same node of a ([ded7e1f](https://github.com/bitnami/charts/commit/ded7e1f62ddcaba8fdeaf29a485aaf199295ccfc)), closes [#29565](https://github.com/bitnami/charts/issues/29565) + +## 15.6.25 (2024-09-19) + +* [bitnami/mongodb] Release 15.6.25 (#29529) ([8091ced](https://github.com/bitnami/charts/commit/8091ced2fc72072724265e78a09ad490e4711c6a)), closes [#29529](https://github.com/bitnami/charts/issues/29529) + +## 15.6.24 
(2024-09-14) + +* [bitnami/mongodb] Release 15.6.24 (#29414) ([dd49bc9](https://github.com/bitnami/charts/commit/dd49bc9b8e14aef99705e0c9eba76ac01de93d5f)), closes [#29414](https://github.com/bitnami/charts/issues/29414) + +## 15.6.23 (2024-09-11) + +* [bitnami/mongodb] Allow rendering resources values (#29346) ([2fbc081](https://github.com/bitnami/charts/commit/2fbc081c5441b904df0b142e5ae42f77f9357385)), closes [#29346](https://github.com/bitnami/charts/issues/29346) + +## 15.6.22 (2024-08-29) + +* [bitnami/mongodb] add securityContext via helper to initContainter dns-check (#29038) ([56299fe](https://github.com/bitnami/charts/commit/56299fe14d54ac685fb55da7d23c6b91c15f8e3e)), closes [#29038](https://github.com/bitnami/charts/issues/29038) + +## 15.6.21 (2024-08-26) + +* [bitnami/mongodb] Release 15.6.21 (#29035) ([21acb97](https://github.com/bitnami/charts/commit/21acb974bf8edca0550bccb71a1df126a277d59b)), closes [#29035](https://github.com/bitnami/charts/issues/29035) + +## 15.6.20 (2024-08-20) + +* [bitnami/mongodb] Fix logic to add custom annotations to external-access service (#28883) ([785e59b](https://github.com/bitnami/charts/commit/785e59bccf87c5ecae2b472901e7f6e7fbf2c196)), closes [#28883](https://github.com/bitnami/charts/issues/28883) + +## 15.6.19 (2024-08-14) + +* [bitnami/mongodb] Release 15.6.19 (#28889) ([8b3cb57](https://github.com/bitnami/charts/commit/8b3cb57c221f0f035e020cecc70b44e26cfd8040)), closes [#28889](https://github.com/bitnami/charts/issues/28889) + +## 15.6.18 (2024-08-07) + +* [bitnami/mongodb] fix(NOTES.txt): Missing messages (#28685) ([7e31f12](https://github.com/bitnami/charts/commit/7e31f12208a7ae11060d3eaa68c09f74cbc4a6a4)), closes [#28685](https://github.com/bitnami/charts/issues/28685) + +## 15.6.17 (2024-08-06) + +* [bitnami/mongodb] Release 15.6.17 (#28697) ([b6d6a24](https://github.com/bitnami/charts/commit/b6d6a2449195d87387cce9aec88cc6215763c569)), closes [#28697](https://github.com/bitnami/charts/issues/28697) + +## 
15.6.16 (2024-07-25) + +* [bitnami/mongodb] Release 15.6.16 (#28453) ([86d3ac8](https://github.com/bitnami/charts/commit/86d3ac8763d831263d8436ce890cd54ef62a9a17)), closes [#28453](https://github.com/bitnami/charts/issues/28453) + +## 15.6.15 (2024-07-24) + +* [bitnami/mongodb] Release 15.6.15 (#28332) ([e107031](https://github.com/bitnami/charts/commit/e107031d3833f020d47d5fddcc24c7f43859443e)), closes [#28332](https://github.com/bitnami/charts/issues/28332) + +## 15.6.14 (2024-07-18) + +* [bitnami/mongodb] Global StorageClass as default value (#28061) ([0661fba](https://github.com/bitnami/charts/commit/0661fbaf3436de16452d82cbf244a616c5892e64)), closes [#28061](https://github.com/bitnami/charts/issues/28061) + +## 15.6.13 (2024-07-16) + +* [bitnami/mongodb] Fix autoDiscovery initContainer template (#27953) ([c3955b0](https://github.com/bitnami/charts/commit/c3955b0e2c0cd7fc287f3acc36990b8c0a8c09ac)), closes [#27953](https://github.com/bitnami/charts/issues/27953) + +## 15.6.12 (2024-07-01) + +* [bitnami/*] Update README changing TAC wording (#27530) ([52dfed6](https://github.com/bitnami/charts/commit/52dfed6bac44d791efabfaf06f15daddc4fefb0c)), closes [#27530](https://github.com/bitnami/charts/issues/27530) +* [bitnami/mongodb] Release 15.6.12 (#27590) ([97d0ec8](https://github.com/bitnami/charts/commit/97d0ec8a20365d93a4121dd7df98352eac8e69a7)), closes [#27590](https://github.com/bitnami/charts/issues/27590) + +## 15.6.11 (2024-06-25) + +* [bitnami/mongodb] Recover logging to stdout (#27510) ([33bbddd](https://github.com/bitnami/charts/commit/33bbddd532d0debbe775a13a1b0c31e59ccd3c35)), closes [#27510](https://github.com/bitnami/charts/issues/27510) + +## 15.6.10 (2024-06-20) + +* [bitnami/mongodb] add space back so script works again (#27183) ([e880657](https://github.com/bitnami/charts/commit/e880657e7744f7871d04c55283f34fad9d04598a)), closes [#27183](https://github.com/bitnami/charts/issues/27183) + +## 15.6.9 (2024-06-18) + +* [bitnami/mongodb] Release 15.6.9 
(#27382) ([d59a4b1](https://github.com/bitnami/charts/commit/d59a4b1346d607d82a68d59c6c162197b2305858)), closes [#27382](https://github.com/bitnami/charts/issues/27382) + +## 15.6.8 (2024-06-17) + +* [bitnami/mongodb] Release 15.6.8 (#27317) ([71d3b7e](https://github.com/bitnami/charts/commit/71d3b7efac8585b90018d0cda9099104bb6a8ae4)), closes [#27317](https://github.com/bitnami/charts/issues/27317) + +## 15.6.7 (2024-06-17) + +* [bitnami/mongodb] Release 15.6.7 (#27254) ([33a8fd2](https://github.com/bitnami/charts/commit/33a8fd21116b9ee49238ab13553010b859149bc1)), closes [#27254](https://github.com/bitnami/charts/issues/27254) + +## 15.6.6 (2024-06-10) + +* [bitnami/mongodb] Add securityContext to generate-tls in replicaset (#26606) ([34ff09b](https://github.com/bitnami/charts/commit/34ff09b6e8f797163172059c194250961869e034)), closes [#26606](https://github.com/bitnami/charts/issues/26606) + +## 15.6.5 (2024-06-06) + +* [bitnami/mongodb] Release 15.6.5 (#26988) ([1b8c210](https://github.com/bitnami/charts/commit/1b8c210aa7585a5a3731c3d8c033625c170fa1dc)), closes [#26988](https://github.com/bitnami/charts/issues/26988) + +## 15.6.4 (2024-06-06) + +* [bitnami/mongodb] Release 15.6.4 (#26907) ([0fbcf92](https://github.com/bitnami/charts/commit/0fbcf926bb04ce00021013314b511324cd96056e)), closes [#26907](https://github.com/bitnami/charts/issues/26907) + +## 15.6.3 (2024-06-04) + +* [bitnami/mongodb] Bump chart version (#26650) ([8a4412d](https://github.com/bitnami/charts/commit/8a4412df8904d90daefe8ac8a5345270867d329f)), closes [#26650](https://github.com/bitnami/charts/issues/26650) + +## 15.6.2 (2024-06-04) + +* [bitnami/mongodb] Remove UTF-8 chars (#26607) ([9ab3365](https://github.com/bitnami/charts/commit/9ab33654ca45ee82d27088578308068e493c43cd)), closes [#26607](https://github.com/bitnami/charts/issues/26607) + +## 15.6.1 (2024-05-28) + +* [bitnami/mongodb] Release 15.6.1 (#26481) 
([f4dbc07](https://github.com/bitnami/charts/commit/f4dbc07bf19489d2ce4156675c1cf7e291ad0385)), closes [#26481](https://github.com/bitnami/charts/issues/26481) + +## 15.6.0 (2024-05-24) + +* [bitnami/mongodb] PDB review (#26154) ([a4ecaf9](https://github.com/bitnami/charts/commit/a4ecaf9ed62fe573de17ce95d9ec090d3b1bde88)), closes [#26154](https://github.com/bitnami/charts/issues/26154) + +## 15.5.3 (2024-05-24) + +* [bitnami/mongodb]Add "or" condition between .Values.auth.existingSecret and .Values.auth.rootPasswor ([5f2204f](https://github.com/bitnami/charts/commit/5f2204f02bdd65fa5514dc0158797d0c3d85b635)), closes [#25944](https://github.com/bitnami/charts/issues/25944) [#25885](https://github.com/bitnami/charts/issues/25885) + +## 15.5.2 (2024-05-22) + +* [bitnami/mongodb] Allow templating for initdbScriptsConfigMap (#26324) ([dc5fe4b](https://github.com/bitnami/charts/commit/dc5fe4b8240dc1c935280a541e0133426a4f349b)), closes [#26324](https://github.com/bitnami/charts/issues/26324) + +## 15.5.1 (2024-05-21) + +* [bitnami/mongodb] Use different liveness/readiness probes (#26152) ([c8b04d4](https://github.com/bitnami/charts/commit/c8b04d44069a0d2a3e0d816fbaaff792558a9d4f)), closes [#26152](https://github.com/bitnami/charts/issues/26152) + +## 15.5.0 (2024-05-21) + +* [bitnami/*] ci: :construction_worker: Add tag and changelog support (#25359) ([91c707c](https://github.com/bitnami/charts/commit/91c707c9e4e574725a09505d2d313fb93f1b4c0a)), closes [#25359](https://github.com/bitnami/charts/issues/25359) +* [bitnami/mongodb] feat: :sparkles: :lock: Add warning when original images are replaced (#26247) ([8a2137a](https://github.com/bitnami/charts/commit/8a2137a67a652dd54419f07da340a8ab81f19483)), closes [#26247](https://github.com/bitnami/charts/issues/26247) + +## 15.4.5 (2024-05-20) + +* [bitnami/mongodb] Fix volumePermissions rendering (#26120) ([63a739e](https://github.com/bitnami/charts/commit/63a739e395d226e3cb7390da79656191c3711cf4)), closes 
[#26120](https://github.com/bitnami/charts/issues/26120) + +## 15.4.4 (2024-05-18) + +* [bitnami/mongodb] Release 15.4.4 updating components versions (#26050) ([838329e](https://github.com/bitnami/charts/commit/838329ede3aa0b74f4c70b1b5c8b2663edb0d55f)), closes [#26050](https://github.com/bitnami/charts/issues/26050) + +## 15.4.3 (2024-05-14) + +* [bitnami/mongodb] Release 15.4.3 updating components versions (#25849) ([8a4f695](https://github.com/bitnami/charts/commit/8a4f69561d3b3cc0865881e8e5361d6037b59345)), closes [#25849](https://github.com/bitnami/charts/issues/25849) + +## 15.4.2 (2024-05-14) + +* [bitnami/mongodb] Release 15.4.2 updating components versions (#25845) ([13aef1b](https://github.com/bitnami/charts/commit/13aef1b55a85654cc2b489fd5d25f3ee99f74671)), closes [#25845](https://github.com/bitnami/charts/issues/25845) + +## 15.4.1 (2024-05-13) + +* [bitnami/mongodb] Release 15.4.1 updating components versions (#25734) ([27fba2f](https://github.com/bitnami/charts/commit/27fba2f92b02d9dc5966784a4a6840b880e2d41a)), closes [#25734](https://github.com/bitnami/charts/issues/25734) + +## 15.4.0 (2024-05-13) + +* bitnami/mongodb: Allow labels for volumeClaimTemplates (#25571) ([7605c31](https://github.com/bitnami/charts/commit/7605c31a9ce6ef46639a5aee170e1ca33b620b15)), closes [#25571](https://github.com/bitnami/charts/issues/25571) [#25678](https://github.com/bitnami/charts/issues/25678) [#25680](https://github.com/bitnami/charts/issues/25680) [#25685](https://github.com/bitnami/charts/issues/25685) [#25688](https://github.com/bitnami/charts/issues/25688) + +## 15.3.1 (2024-05-13) + +* [bitnami/mongodb] Release 15.3.1 updating components versions (#25707) ([5120460](https://github.com/bitnami/charts/commit/51204602b0fbf91fa10304c5213f33198b65de2e)), closes [#25707](https://github.com/bitnami/charts/issues/25707) + +## 15.3.0 (2024-05-10) + +* [bitnami/mongodb] Simplify and fix externalAccess configuration (#25397) 
([90b73a8](https://github.com/bitnami/charts/commit/90b73a829a1c1d5b85fcfdee619fa8874b27999a)), closes [#25397](https://github.com/bitnami/charts/issues/25397) + +## 15.2.0 (2024-05-09) + +* [bitnami/*] Change non-root and rolling-tags doc URLs (#25628) ([b067c94](https://github.com/bitnami/charts/commit/b067c94f6bcde427863c197fd355f0b5ba12ff5b)), closes [#25628](https://github.com/bitnami/charts/issues/25628) +* [bitnami/*] Set new header/owner (#25558) ([8d1dc11](https://github.com/bitnami/charts/commit/8d1dc11f5fb30db6fba50c43d7af59d2f79deed3)), closes [#25558](https://github.com/bitnami/charts/issues/25558) +* [bitnami/mongodb] Network policy review (#25519) ([54c44d3](https://github.com/bitnami/charts/commit/54c44d3eb6cf08eebdb800a779dbc4fe77a1d40a)), closes [#25519](https://github.com/bitnami/charts/issues/25519) + +## 15.1.7 (2024-04-27) + +* [bitnami/mongodb] Release 15.1.7 updating components versions (#25431) ([d7cae59](https://github.com/bitnami/charts/commit/d7cae59f58a5ba16677c05d8192ac012799e6397)), closes [#25431](https://github.com/bitnami/charts/issues/25431) + +## 15.1.6 (2024-04-26) + +* [bitnami/mongodb] Release 15.1.6 updating components versions (#25416) ([0f0b8ed](https://github.com/bitnami/charts/commit/0f0b8ed733f3de4c0e3672ea4402cd0210e936ca)), closes [#25416](https://github.com/bitnami/charts/issues/25416) +* [bitnami/multiple charts] Fix typo: "NetworkPolice" vs "NetworkPolicy" (#25348) ([6970c1b](https://github.com/bitnami/charts/commit/6970c1ba245873506e73d459c6eac1e4919b778f)), closes [#25348](https://github.com/bitnami/charts/issues/25348) +* Replace VMware by Broadcom copyright text (#25306) ([a5e4bd0](https://github.com/bitnami/charts/commit/a5e4bd0e35e419203793976a78d9d0a13de92c76)), closes [#25306](https://github.com/bitnami/charts/issues/25306) + +## 15.1.5 (2024-04-23) + +* [bitnami/mongodb] Fix validations and Autodiscovery (#25283) ([288a544](https://github.com/bitnami/charts/commit/288a544c640bd8850b6e2b40c254d246952524a9)), 
closes [#25283](https://github.com/bitnami/charts/issues/25283) + +## 15.1.4 (2024-04-09) + +* [bitnami/mongodb] Release 15.1.4 updating components versions (#25082) ([e364fc1](https://github.com/bitnami/charts/commit/e364fc11fb808f0d4169b6a1ee7e665e646fde60)), closes [#25082](https://github.com/bitnami/charts/issues/25082) + +## 15.1.3 (2024-04-05) + +* [bitnami/mongodb] Release 15.1.3 updating components versions (#24969) ([0d95685](https://github.com/bitnami/charts/commit/0d956854c40d09b7add2cfa2084c67d253879d10)), closes [#24969](https://github.com/bitnami/charts/issues/24969) + +## 15.1.2 (2024-04-04) + +* [bitnami/mongodb] Release 15.1.2 (#24901) ([3687a3c](https://github.com/bitnami/charts/commit/3687a3ca8b3c36bb77b52ece5835e52edcb63c52)), closes [#24901](https://github.com/bitnami/charts/issues/24901) +* Update resourcesPreset comments (#24467) ([92e3e8a](https://github.com/bitnami/charts/commit/92e3e8a507326d2a20a8f10ab3e7746a2ec5c554)), closes [#24467](https://github.com/bitnami/charts/issues/24467) + +## 15.1.1 (2024-04-01) + +* Fix invalid secret pointer in MongoDB ServiceAccount (#24751) ([bccb4e6](https://github.com/bitnami/charts/commit/bccb4e6657f9d9fcca1f16c747f625fd4072eb8e)), closes [#24751](https://github.com/bitnami/charts/issues/24751) + +## 15.1.0 (2024-03-21) + +* [bitnami/mongodb] feat: backoffLimit should be configurable in backup cronjob (#24505) ([5b46a67](https://github.com/bitnami/charts/commit/5b46a673582c77c226aca29c4b4bb712a066ccdc)), closes [#24505](https://github.com/bitnami/charts/issues/24505) [#24326](https://github.com/bitnami/charts/issues/24326) + +## 15.0.2 (2024-03-19) + +* [bitnami/mongodb] fix: :bug: Mount emptyDir in /bitnami/mongodb in arbiter node (#24535) ([798a885](https://github.com/bitnami/charts/commit/798a8853984a7b3fe811d20c577e6a8455c19bb4)), closes [#24535](https://github.com/bitnami/charts/issues/24535) + +## 15.0.1 (2024-03-18) + +* [bitnami/mongodb] Release 15.0.1 updating components versions (#24523) 
([1e9d09e](https://github.com/bitnami/charts/commit/1e9d09e4bf5661c5b47d89bd3517c1b7010b6945)), closes [#24523](https://github.com/bitnami/charts/issues/24523) + +## 15.0.0 (2024-03-18) + +* [bitnami/*] Reorder Chart sections (#24455) ([0cf4048](https://github.com/bitnami/charts/commit/0cf4048e8743f70a9753d460655bd030cbff6824)), closes [#24455](https://github.com/bitnami/charts/issues/24455) +* [bitnami/mongodb] feat!: :lock: :boom: Improve security defaults (#24374) ([8057b1f](https://github.com/bitnami/charts/commit/8057b1fcb37a4d02eef71710e5a336fdd07692ce)), closes [#24374](https://github.com/bitnami/charts/issues/24374) + +## 14.13.0 (2024-03-06) + +* [bitnami/mongodb] feat: :sparkles: :lock: Add automatic adaptation for Openshift restricted-v2 SCC ( ([3025e74](https://github.com/bitnami/charts/commit/3025e74f11470105fb1a28b8b54fe23c8c3a793e)), closes [#24124](https://github.com/bitnami/charts/issues/24124) + +## 14.12.3 (2024-02-29) + +* [bitnami/mongodb] Release 14.12.3 updating components versions (#23975) ([43306df](https://github.com/bitnami/charts/commit/43306df9f67a6c38743cac362676317aa7a8318e)), closes [#23975](https://github.com/bitnami/charts/issues/23975) + +## 14.12.2 (2024-02-27) + +* [bitnami/mongodb] fix: :bug: Add missing empty-dir in arbiter (#23936) ([abcddbc](https://github.com/bitnami/charts/commit/abcddbcdbcac415d093ffb48eece332d172f0858)), closes [#23936](https://github.com/bitnami/charts/issues/23936) + +## 14.12.1 (2024-02-22) + +* [bitnami/mongodb] Fix zombie processes by probes (#23390) ([1f9b662](https://github.com/bitnami/charts/commit/1f9b662ee7fbc5f795a77ed6d4cbbe121fc6711e)), closes [#23390](https://github.com/bitnami/charts/issues/23390) [bitnami/charts#13365](https://github.com/bitnami/charts/issues/13365) + +## 14.12.0 (2024-02-22) + +* [bitnami/mongodb] feat: :sparkles: :lock: Add readOnlyRootFilesystem support (#23746) ([550fbdc](https://github.com/bitnami/charts/commit/550fbdc01cd0be150d049bfebccd5ad4b8f81f7f)), closes 
[#23746](https://github.com/bitnami/charts/issues/23746) + +## 14.11.1 (2024-02-21) + +* [bitnami/mongodb] Release 14.11.1 updating components versions (#23730) ([96c398f](https://github.com/bitnami/charts/commit/96c398f7cca8f220ce707e2d15349cbcc74de9af)), closes [#23730](https://github.com/bitnami/charts/issues/23730) + +## 14.11.0 (2024-02-20) + +* [bitnami/*] Bump all versions (#23602) ([b70ee2a](https://github.com/bitnami/charts/commit/b70ee2a30e4dc256bf0ac52928fb2fa7a70f049b)), closes [#23602](https://github.com/bitnami/charts/issues/23602) + +## 14.10.1 (2024-02-19) + +* [bitnami/mongodb] Fix secret svcbind (#23560) ([fb988a5](https://github.com/bitnami/charts/commit/fb988a55d7b941d93762fb73a73fcef74b81981b)), closes [#23560](https://github.com/bitnami/charts/issues/23560) + +## 14.10.0 (2024-02-16) + +* [bitnami/mongodb] Added the possibilty to define number of replicas in standalone mode (#22366) ([c6c54b8](https://github.com/bitnami/charts/commit/c6c54b8d3703cfac0488918ac378203fd08ae7f8)), closes [#22366](https://github.com/bitnami/charts/issues/22366) + +## 14.9.0 (2024-02-15) + +* [bitnami/mongodb] feat: :sparkles: :lock: Add resource preset support (#23491) ([27a4bb0](https://github.com/bitnami/charts/commit/27a4bb00b253eefec6305fad1e934e221b28431c)), closes [#23491](https://github.com/bitnami/charts/issues/23491) + +## 14.8.3 (2024-02-05) + +* [bitnami/mongodb] Fix metrics container port in the ingress of NetworkPolicy (#23173) ([c1268ad](https://github.com/bitnami/charts/commit/c1268ad0f067ed1e96278d3e937e5540d6fe0403)), closes [#23173](https://github.com/bitnami/charts/issues/23173) + +## 14.8.2 (2024-02-03) + +* [bitnami/mongodb] Release 14.8.2 updating components versions (#23112) ([7d6b257](https://github.com/bitnami/charts/commit/7d6b257f695396d6fcd7db99fa23375ba86bff69)), closes [#23112](https://github.com/bitnami/charts/issues/23112) + +## 14.8.1 (2024-02-02) + +* [bitnami/mongodb] feat: :lock: Enable networkPolicy (#22879) 
([2240e19](https://github.com/bitnami/charts/commit/2240e1966119ee0ff851e57bb904aa145ce2649e)), closes [#22879](https://github.com/bitnami/charts/issues/22879) +* backup cronjob respects global imagePullSecrets and image.pullPolicy (#23022) ([0524ec6](https://github.com/bitnami/charts/commit/0524ec61623218b29fdb8fce9fde4900dc7b9558)), closes [#23022](https://github.com/bitnami/charts/issues/23022) + +## 14.8.0 (2024-02-01) + +* [bitnami/mongodb] Add securityContext to init tls container (#22994) ([22daef5](https://github.com/bitnami/charts/commit/22daef5326fe56e12e054a767de28b38ec92a3c9)), closes [#22994](https://github.com/bitnami/charts/issues/22994) + +## 14.7.3 (2024-01-31) + +* [bitnami/mongodb] Release 14.7.3 updating components versions (#22945) ([9f8e16c](https://github.com/bitnami/charts/commit/9f8e16cd0cc0b94b828052425cd71e17ac9ad6d8)), closes [#22945](https://github.com/bitnami/charts/issues/22945) + +## 14.7.2 (2024-01-29) + +* [bitnami/mongodb] Fix issue with svcbind secret generation (#22521) ([c72da80](https://github.com/bitnami/charts/commit/c72da80995c79ccaeddc58ef8fa69a0b17614025)), closes [#22521](https://github.com/bitnami/charts/issues/22521) + +## 14.7.1 (2024-01-25) + +* [bitnami/*] Move documentation sections from docs.bitnami.com back to the README (#22203) ([7564f36](https://github.com/bitnami/charts/commit/7564f36ca1e95ff30ee686652b7ab8690561a707)), closes [#22203](https://github.com/bitnami/charts/issues/22203) +* [bitnami/mongodb] fix: :bug: Set seLinuxOptions to null for Openshift compatibility (#22628) ([19dba7c](https://github.com/bitnami/charts/commit/19dba7c5d668bfb4edd5ac7c935f2acd27139286)), closes [#22628](https://github.com/bitnami/charts/issues/22628) + +## 14.7.0 (2024-01-22) + +* [bitnami/mongodb] fix: :lock: Move service-account token auto-mount to pod declaration (#22437) ([ad9e50a](https://github.com/bitnami/charts/commit/ad9e50afba73fbcc1a94c8296a017a95c0fe0768)), closes 
[#22437](https://github.com/bitnami/charts/issues/22437) + +## 14.6.1 (2024-01-18) + +* [bitnami/mongodb] Release 14.6.1 updating components versions (#22317) ([bf4cf67](https://github.com/bitnami/charts/commit/bf4cf67e757c4b0143b3feebe7b8e4d66fe12fd6)), closes [#22317](https://github.com/bitnami/charts/issues/22317) + +## 14.6.0 (2024-01-17) + +* [bitnami/mongodb] fix: :lock: Improve podSecurityContext and containerSecurityContext with essential ([29831ee](https://github.com/bitnami/charts/commit/29831ee42d431ca8d5c2ee54972e010adb9d4653)), closes [#22159](https://github.com/bitnami/charts/issues/22159) + +## 14.5.1 (2024-01-15) + +* [bitnami/*] Fix docs.bitnami.com broken links (#21901) ([f35506d](https://github.com/bitnami/charts/commit/f35506d2dadee4f097986e7792df1f53ab215b5d)), closes [#21901](https://github.com/bitnami/charts/issues/21901) +* [bitnami/*] Fix ref links (in comments) (#21822) ([e4fa296](https://github.com/bitnami/charts/commit/e4fa296106b225cf8c82445727c675c7c725e380)), closes [#21822](https://github.com/bitnami/charts/issues/21822) +* [bitnami/mongodb] fix: :lock: Do not automount the service account token unless necessary (#22054) ([5dbc1a6](https://github.com/bitnami/charts/commit/5dbc1a614c1693c57c74f7326f324e46f2d29f48)), closes [#22054](https://github.com/bitnami/charts/issues/22054) + +## 14.5.0 (2024-01-08) + +* [bitnami/mongodb] Added possibility to configure persistence volume name and claim name (#21851) ([3b273bb](https://github.com/bitnami/charts/commit/3b273bb9cb3c212d315dcdafc6bd7806548d2c66)), closes [#21851](https://github.com/bitnami/charts/issues/21851) + +## 14.4.10 (2024-01-06) + +* [bitnami/*] Update copyright: Year and company (#21815) ([6c4bf75](https://github.com/bitnami/charts/commit/6c4bf75dec58fc7c9aee9f089777b1a858c17d5b)), closes [#21815](https://github.com/bitnami/charts/issues/21815) +* [bitnami/mongodb] Release 14.4.10 updating components versions (#21870) 
([4740dd4](https://github.com/bitnami/charts/commit/4740dd40861a92958be4999dd6181af2043e2b47)), closes [#21870](https://github.com/bitnami/charts/issues/21870) + +## 14.4.9 (2023-12-29) + +* [bitnami/mongodb] set authentication database for backup job (#21419) ([ba5527e](https://github.com/bitnami/charts/commit/ba5527e42df17a98beebf3c481c2d556b8cc5469)), closes [#21419](https://github.com/bitnami/charts/issues/21419) + +## 14.4.8 (2023-12-27) + +* [bitnami/mongodb] Release 14.4.8 updating components versions (#21773) ([c9319ea](https://github.com/bitnami/charts/commit/c9319ea12d95cd1e889ae42185f18d90af7e261a)), closes [#21773](https://github.com/bitnami/charts/issues/21773) + +## 14.4.7 (2023-12-26) + +* [bitnami/mongodb] fix: Use correct values in cronjob.annotations (#21717) ([3f38e0a](https://github.com/bitnami/charts/commit/3f38e0ac93506c808da87ae586201adcfdd2efd6)), closes [#21717](https://github.com/bitnami/charts/issues/21717) + +## 14.4.6 (2023-12-22) + +* [bitnami/mongodb] Release 14.4.6 updating components versions (#21737) ([f139cef](https://github.com/bitnami/charts/commit/f139cef6e98ea45561a949829825c2c72af4f01d)), closes [#21737](https://github.com/bitnami/charts/issues/21737) + +## 14.4.5 (2023-12-21) + +* [bitnami/mongodb] ServiceBinding to consider existing secret while upgrading (#21648) ([eb08954](https://github.com/bitnami/charts/commit/eb089544f9bf06246f091f572c54f9e037c66324)), closes [#21648](https://github.com/bitnami/charts/issues/21648) + +## 14.4.4 (2023-12-21) + +* [bitnami/mongodb] Pod security context doesn't apply to cronjobs (#21705) ([360b322](https://github.com/bitnami/charts/commit/360b322bfb5b5cd7f9705e81e8a6540921d7ebb3)), closes [#21705](https://github.com/bitnami/charts/issues/21705) + +## 14.4.3 (2023-12-18) + +* [bitnami/mongodb] remove securityContext.enabled from cronjob template (#21514) ([2521131](https://github.com/bitnami/charts/commit/25211319489a3dc1591205f2c7699936f45985e8)), closes 
[#21514](https://github.com/bitnami/charts/issues/21514) + +## 14.4.2 (2023-12-07) + +* [bitnami/mongodb] Release 14.4.2 updating components versions (#21473) ([dd3be27](https://github.com/bitnami/charts/commit/dd3be2785b903db0e8307ed707116914589208e4)), closes [#21473](https://github.com/bitnami/charts/issues/21473) + +## 14.4.1 (2023-12-05) + +* [bitnami/mongodb] fix: metric and reolicaset script issues with tls and mtls (#21383) ([2573f2b](https://github.com/bitnami/charts/commit/2573f2bebf49522f9f4c0fe62496e6c56c90e1f9)), closes [#21383](https://github.com/bitnami/charts/issues/21383) + +## 14.4.0 (2023-12-04) + +* [bitnami/mongodb] feat: add node configuration (#21343) ([647cb1f](https://github.com/bitnami/charts/commit/647cb1f1fefef626755c33bcc9ad817911d3967d)), closes [#21343](https://github.com/bitnami/charts/issues/21343) + +## 14.3.2 (2023-11-27) + +* [bitnami/mongodb] Release 14.3.2 updating components versions (#21274) ([53a45b3](https://github.com/bitnami/charts/commit/53a45b3c0a7791ae380a1cbc406da5efa9aab8a5)), closes [#21274](https://github.com/bitnami/charts/issues/21274) + +## 14.3.1 (2023-11-22) + +* [bitnami/mongodb] Release 14.3.1 updating components versions (#21212) ([bce54b2](https://github.com/bitnami/charts/commit/bce54b2c815ac0ae094f0e1d24d40e52f675e5e3)), closes [#21212](https://github.com/bitnami/charts/issues/21212) + +## 14.3.0 (2023-11-20) + +* [bitnami/mongodb] Add Persistent Volume Claim Retention Policy to mongodb Statefulsets (#20921) ([7b77bd0](https://github.com/bitnami/charts/commit/7b77bd092be4d0b721f975d344ce9af37fc699cd)), closes [#20921](https://github.com/bitnami/charts/issues/20921) + +## 14.2.8 (2023-11-17) + +* [bitnami/mongodb] Release 14.2.8 updating components versions (#21041) ([186d565](https://github.com/bitnami/charts/commit/186d565d001764f5a881b4d9f0078c76fea27a75)), closes [#21041](https://github.com/bitnami/charts/issues/21041) + +## 14.2.7 (2023-11-17) + +* [bitnami/*] Remove relative links to non-README 
sections, add verification for that and update TL;DR ([1103633](https://github.com/bitnami/charts/commit/11036334d82df0490aa4abdb591543cab6cf7d7f)), closes [#20967](https://github.com/bitnami/charts/issues/20967) +* [bitnami/mongodb] Release 14.2.7 updating components versions (#21023) ([4c10f47](https://github.com/bitnami/charts/commit/4c10f478bbdf6cb31ed14bc2cca3fa250c5edf60)), closes [#21023](https://github.com/bitnami/charts/issues/21023) + +## 14.2.6 (2023-11-14) + +* [bitnami/mongodb] Release 14.2.6 updating components versions (#20937) ([6109497](https://github.com/bitnami/charts/commit/610949711d09e5afd870d73123745d82b1f75f8d)), closes [#20937](https://github.com/bitnami/charts/issues/20937) + +## 14.2.5 (2023-11-10) + +* [bitnami/mongodb] Release 14.2.5 updating components versions (#20887) ([56e9f76](https://github.com/bitnami/charts/commit/56e9f7665b8e5c72312a3330c099d41c45b61fb9)), closes [#20887](https://github.com/bitnami/charts/issues/20887) + +## 14.2.4 (2023-11-09) + +* [bitnami/mongodb] Release 14.2.4 updating components versions (#20877) ([89df2e0](https://github.com/bitnami/charts/commit/89df2e09e589d7a7d5546021b958328fbc2d2fb8)), closes [#20877](https://github.com/bitnami/charts/issues/20877) + +## 14.2.3 (2023-11-09) + +* [bitnami/mongodb] Release 14.2.2 updating components versions (#20837) ([41aaf71](https://github.com/bitnami/charts/commit/41aaf71f19ea378eba1cfb7e661047f75288ffa2)), closes [#20837](https://github.com/bitnami/charts/issues/20837) +* [bitnami/mongodb] Release 14.2.3 updating components versions (#20848) ([5b8cf9f](https://github.com/bitnami/charts/commit/5b8cf9fa6532be1d3b34d213008ecdd82ee513b1)), closes [#20848](https://github.com/bitnami/charts/issues/20848) + +## 14.2.2 (2023-11-09) + +* [bitnami/mongodb] Replace deprecated pull secret partial (#20665) ([7c4ffe3](https://github.com/bitnami/charts/commit/7c4ffe3f1842ae00286bdf4f1eabc75300ae95ac)), closes [#20665](https://github.com/bitnami/charts/issues/20665) + +## 14.2.1 
(2023-11-08) + +* [bitnami/mongodb] Release 14.2.1 updating components versions (#20763) ([1f648ea](https://github.com/bitnami/charts/commit/1f648ea9195ca29aba79a27b117a40b199753394)), closes [#20763](https://github.com/bitnami/charts/issues/20763) + +## 14.2.0 (2023-11-07) + +* feat: Add support for enableServiceLinks on mongodb chart (#20309) ([f896794](https://github.com/bitnami/charts/commit/f8967946a0ca7c48764cbdde3ddcf8c7efb40cd4)), closes [#20309](https://github.com/bitnami/charts/issues/20309) + +## 14.1.1 (2023-11-06) + +* [bitnami/mongodb] feat: Add network policy template into mongodb chart (#20478) ([23e23dc](https://github.com/bitnami/charts/commit/23e23dcd5ae760c740380749fa9ac5bd4fa14d28)), closes [#20478](https://github.com/bitnami/charts/issues/20478) + +## 14.1.0 (2023-10-31) + +* [bitnami/mongodb] feat: :sparkles: Add support for PSA restricted policy (#20506) ([bdfc03c](https://github.com/bitnami/charts/commit/bdfc03ceaf245e7a3730e0154e2e877bb48d0aa5)), closes [#20506](https://github.com/bitnami/charts/issues/20506) + +## 14.0.14 (2023-10-27) + +* [bitnami/mongodb] Fixed mongodb arbiter configmap (#20452) ([ec0670a](https://github.com/bitnami/charts/commit/ec0670a29aeaa914d6ddd73df72fa9eb8b8817f6)), closes [#20452](https://github.com/bitnami/charts/issues/20452) [#20255](https://github.com/bitnami/charts/issues/20255) + +## 14.0.13 (2023-10-25) + +* [bitnami/*] Rename VMware Application Catalog (#20361) ([3acc734](https://github.com/bitnami/charts/commit/3acc73472beb6fb56c4d99f929061001205bc57e)), closes [#20361](https://github.com/bitnami/charts/issues/20361) +* [mongo] Add tls.mTLS.enabled flag to disable requiring client certs (#20329) ([8d26cb1](https://github.com/bitnami/charts/commit/8d26cb1c0b9c5d8e08bcd9bd53a0dc142536e00f)), closes [#20329](https://github.com/bitnami/charts/issues/20329) + +## 14.0.12 (2023-10-20) + +* [bitnami/*] Skip image's tag in the README files of the Bitnami Charts (#19841) 
([bb9a01b](https://github.com/bitnami/charts/commit/bb9a01b65911c87e48318db922cc05eb42785e42)), closes [#19841](https://github.com/bitnami/charts/issues/19841) +* [bitnami/*] Standardize documentation (#19835) ([af5f753](https://github.com/bitnami/charts/commit/af5f7530c1bc8c5ded53a6c4f7b8f384ac1804f2)), closes [#19835](https://github.com/bitnami/charts/issues/19835) +* [bitnami/mongodb] Release 14.0.12 updating components versions (#20342) ([fb7197e](https://github.com/bitnami/charts/commit/fb7197ea20c729734e632054e447e741ab9108aa)), closes [#20342](https://github.com/bitnami/charts/issues/20342) + +## 14.0.11 (2023-10-19) + +* [bitnami/mongodb] whitespace preventing YAML from being parsed (#20219) ([9bc97e1](https://github.com/bitnami/charts/commit/9bc97e10e8e08e49c99534dbc68b872dede0a545)), closes [#20219](https://github.com/bitnami/charts/issues/20219) + +## 14.0.10 (2023-10-12) + +* [bitnami/mongodb] Release 14.0.10 (#20156) ([794e3e5](https://github.com/bitnami/charts/commit/794e3e5d448726fb0a962b576e5743e781b16cc0)), closes [#20156](https://github.com/bitnami/charts/issues/20156) + +## 14.0.9 (2023-10-10) + +* [bitnami/mongodb] Release 14.0.9 (#19960) ([fd0ac02](https://github.com/bitnami/charts/commit/fd0ac028e97d37e275101d81a8151a3c8c80ede5)), closes [#19960](https://github.com/bitnami/charts/issues/19960) + +## 14.0.8 (2023-10-09) + +* [bitnami/mongodb] Release 14.0.8 (#19923) ([76a8524](https://github.com/bitnami/charts/commit/76a85248a29506ea2ef6c3b8a1f32997fa908726)), closes [#19923](https://github.com/bitnami/charts/issues/19923) + +## 14.0.7 (2023-10-09) + +* [bitnami/mongodb] Release 14.0.7 (#19869) ([1c25080](https://github.com/bitnami/charts/commit/1c250803014d66946d0bea861dd717fd86422c85)), closes [#19869](https://github.com/bitnami/charts/issues/19869) + +## 14.0.6 (2023-10-09) + +* [bitnami/*] Update Helm charts prerequisites (#19745) ([eb755dd](https://github.com/bitnami/charts/commit/eb755dd36a4dd3cf6635be8e0598f9a7f4c4a554)), closes 
[#19745](https://github.com/bitnami/charts/issues/19745) +* [bitnami/mongodb] Release 14.0.6 (#19858) ([58adca7](https://github.com/bitnami/charts/commit/58adca7a1b37003260c1df7ff006f486783d3cc1)), closes [#19858](https://github.com/bitnami/charts/issues/19858) + +## 14.0.5 (2023-10-05) + +* [bitnami/mongodb] support backups for standalone TLS-enabled instances (#19241) ([63e8c98](https://github.com/bitnami/charts/commit/63e8c9814fbc83dd767066d56ac2034ab57aeb9f)), closes [#19241](https://github.com/bitnami/charts/issues/19241) + +## 14.0.4 (2023-09-30) + +* [bitnami/mongodb] Release 14.0.4 (#19660) ([809d65d](https://github.com/bitnami/charts/commit/809d65dba33be776aae27c62b365e01cdef42182)), closes [#19660](https://github.com/bitnami/charts/issues/19660) + +## 14.0.3 (2023-09-29) + +* [bitnami/mongodb] Use common capabilities for PSP (#19633) ([78f103c](https://github.com/bitnami/charts/commit/78f103c4297c481b6baa14113f375455d5a5c353)), closes [#19633](https://github.com/bitnami/charts/issues/19633) + +## 14.0.2 (2023-09-27) + +* [bitnami/mongodb] Release 14.0.2 (#19576) ([f731aa0](https://github.com/bitnami/charts/commit/f731aa05670ca21225110804261563a85efe71fd)), closes [#19576](https://github.com/bitnami/charts/issues/19576) + +## 14.0.1 (2023-09-25) + +* [bitnami/mongodb] Release 14.0.1 (#19500) ([9c8163f](https://github.com/bitnami/charts/commit/9c8163f83703c8d841dd9f491c5fd9c7775c0cf1)), closes [#19500](https://github.com/bitnami/charts/issues/19500) + +## 14.0.0 (2023-09-22) + +* [bitnami/mongodb] Release 14.0.0 (#19470) ([2587a91](https://github.com/bitnami/charts/commit/2587a913f1f8ad325870d94673f87ecaf1781098)), closes [#19470](https://github.com/bitnami/charts/issues/19470) + +## 13.18.5 (2023-09-21) + +* [bitnami/mongodb] Release 13.18.5 (#19460) ([5b4515c](https://github.com/bitnami/charts/commit/5b4515c834cca652da2282ad2c393ee8ed7289c5)), closes [#19460](https://github.com/bitnami/charts/issues/19460) +* Revert "Autogenerate schema files (#19194)" 
(#19335) ([73d80be](https://github.com/bitnami/charts/commit/73d80be525c88fb4b8a54451a55acd506e337062)), closes [#19194](https://github.com/bitnami/charts/issues/19194) [#19335](https://github.com/bitnami/charts/issues/19335) + +## 13.18.4 (2023-09-14) + +* [bitnami/mongodb] enable backup with auth: {enabled: false} (#19272) ([30b6b64](https://github.com/bitnami/charts/commit/30b6b6491581c52adc9535c366245c70524ee870)), closes [#19272](https://github.com/bitnami/charts/issues/19272) + +## 13.18.3 (2023-09-14) + +* [bitnami/mongodb] Release 13.18.3 (#19271) ([de18b6a](https://github.com/bitnami/charts/commit/de18b6a340bc6657fec1c89262ff482eb30b6125)), closes [#19271](https://github.com/bitnami/charts/issues/19271) +* Autogenerate schema files (#19194) ([a2c2090](https://github.com/bitnami/charts/commit/a2c2090b5ac97f47b745c8028c6452bf99739772)), closes [#19194](https://github.com/bitnami/charts/issues/19194) + +## 13.18.2 (2023-09-07) + +* [bitnami/mongodb]: Use merge helper (#19082) ([d7ea4e9](https://github.com/bitnami/charts/commit/d7ea4e9f9b5e339b6f26ebe719573a1c974f0289)), closes [#19082](https://github.com/bitnami/charts/issues/19082) + +## 13.18.1 (2023-08-30) + +* [bitnami/mongodb] Release 13.18.1 (#18952) ([7d5b2bf](https://github.com/bitnami/charts/commit/7d5b2bfa97af8f17631dda1e0a14722f23fd64c0)), closes [#18952](https://github.com/bitnami/charts/issues/18952) + +## 13.18.0 (2023-08-30) + +* [bitnami/mongodb] Add trivial backup option (#17816) ([323d4fb](https://github.com/bitnami/charts/commit/323d4fbba3b26b24678eda017b522dfe71db8451)), closes [#17816](https://github.com/bitnami/charts/issues/17816) + +## 13.17.2 (2023-08-28) + +* [bitnami/mongodb] test: :white_check_mark: Add persistence tests (#18761) ([fc584e9](https://github.com/bitnami/charts/commit/fc584e95e850b9178f3ea93fcb2409a770e7e5cf)), closes [#18761](https://github.com/bitnami/charts/issues/18761) + +## 13.17.1 (2023-08-25) + +* [bitnami/mongodb] Release 13.17.1 (#18863) 
([85b3773](https://github.com/bitnami/charts/commit/85b3773c86a26253c7eecfbc0d924cb47b3d95f5)), closes [#18863](https://github.com/bitnami/charts/issues/18863) + +## 13.17.0 (2023-08-23) + +* [bitnami/mongodb] Support for customizing standard labels (#18350) ([3b23422](https://github.com/bitnami/charts/commit/3b2342203eb84f7e7ca1c21d2c9655747385860a)), closes [#18350](https://github.com/bitnami/charts/issues/18350) + +## 13.16.4 (2023-08-17) + +* [bitnami/mongodb] Release 13.16.4 (#18556) ([d1c4f25](https://github.com/bitnami/charts/commit/d1c4f25b6b0d167b491174e5083a842afb8f6aaf)), closes [#18556](https://github.com/bitnami/charts/issues/18556) + +## 13.16.3 (2023-08-09) + +* Remove duplicated hostAliases from dep/sts (#17831) ([ab48bc8](https://github.com/bitnami/charts/commit/ab48bc8af2da73acd9765651a0db4b286bf25c6b)), closes [#17831](https://github.com/bitnami/charts/issues/17831) + +## 13.16.2 (2023-07-31) + +* [bitnami/mongodb] ServiceBinding secrets for custom users (#17463) ([8257309](https://github.com/bitnami/charts/commit/8257309d02bfbbc2c5352a9567de8a74d1a0c406)), closes [#17463](https://github.com/bitnami/charts/issues/17463) + +## 13.16.1 (2023-07-26) + +* [bitnami/mongodb] Release 13.16.1 (#17929) ([b7bd19a](https://github.com/bitnami/charts/commit/b7bd19af6a1cd38a768f0cf3d56a070787496edd)), closes [#17929](https://github.com/bitnami/charts/issues/17929) + +## 13.16.0 (2023-07-18) + +* [bitnami/mongodb] Try to seed mongodb with pss-restricted (#17236) ([15d3dcb](https://github.com/bitnami/charts/commit/15d3dcbaa1fd342083d968ed7a0c5b5eaafd22a5)), closes [#17236](https://github.com/bitnami/charts/issues/17236) + +## 13.15.5 (2023-07-15) + +* [bitnami/mongodb] Release 13.15.5 (#17700) ([48ead37](https://github.com/bitnami/charts/commit/48ead37cc70e965cc0fb05a38e04091db6854a35)), closes [#17700](https://github.com/bitnami/charts/issues/17700) + +## 13.15.4 (2023-07-01) + +* [bitnami/mongodb] Release 13.15.4 (#17441) 
([9f76ae9](https://github.com/bitnami/charts/commit/9f76ae9767f8a9265f48418344c3918505961470)), closes [#17441](https://github.com/bitnami/charts/issues/17441) +* Add copyright header (#17300) ([da68be8](https://github.com/bitnami/charts/commit/da68be8e951225133c7dfb572d5101ca3d61c5ae)), closes [#17300](https://github.com/bitnami/charts/issues/17300) +* Update charts readme (#17217) ([31b3c0a](https://github.com/bitnami/charts/commit/31b3c0afd968ff4429107e34101f7509e6a0e913)), closes [#17217](https://github.com/bitnami/charts/issues/17217) + +## 13.15.3 (2023-06-20) + +* [bitnami/mongodb] Release 13.15.3 (#17229) ([e55ce93](https://github.com/bitnami/charts/commit/e55ce93d2e798dc9cb88983110bdc7a1c0d11208)), closes [#17229](https://github.com/bitnami/charts/issues/17229) + +## 13.15.2 (2023-06-19) + +* [bitnami/*] Change copyright section in READMEs (#17006) ([ef986a1](https://github.com/bitnami/charts/commit/ef986a1605241102b3dcafe9fd8089e6fc1201ad)), closes [#17006](https://github.com/bitnami/charts/issues/17006) +* [bitnami/several] Change copyright section in READMEs (#16989) ([5b6a5cf](https://github.com/bitnami/charts/commit/5b6a5cfb7625a751848a2e5cd796bd7278f406ca)), closes [#16989](https://github.com/bitnami/charts/issues/16989) +* [MongoDB] Respecting the MONGODB_ROOT_USER environment variable (#17116) ([9561be7](https://github.com/bitnami/charts/commit/9561be73b8b8b7f92b858a07d3446c31186d292e)), closes [#17116](https://github.com/bitnami/charts/issues/17116) + +## 13.15.1 (2023-05-25) + +* [bitnami/mongodb] Avoid hostname validation with TLS enabled (#16670) ([2a1621f](https://github.com/bitnami/charts/commit/2a1621fa460e426323667a86add0121b8785f043)), closes [#16670](https://github.com/bitnami/charts/issues/16670) + +## 13.15.0 (2023-05-24) + +* [bitnami/mongodb] Support specifying external master host to bootstra… (#16853) ([358ca64](https://github.com/bitnami/charts/commit/358ca646a20a7af6bd892802dd4caeb186cfdc46)), closes 
[#16853](https://github.com/bitnami/charts/issues/16853) + +## 13.14.2 (2023-05-24) + +* Add apiVersion and kind in volumeClaimTemplates (#16877) ([5193124](https://github.com/bitnami/charts/commit/5193124c548339aed506b17496eb27c0acf7fe27)), closes [#16877](https://github.com/bitnami/charts/issues/16877) + +## 13.14.1 (2023-05-22) + +* [bitnami/mongodb] Ensuring the .Values.auth.rootUser is used everywhere (#16849) ([99ebd2b](https://github.com/bitnami/charts/commit/99ebd2b762966c3fc2cdc0dfa8dff18f8e5b6854)), closes [#16849](https://github.com/bitnami/charts/issues/16849) + +## 13.14.0 (2023-05-22) + +* [bitnami/mongodb] Adding tls.pemChainIncluded value to support wider range of TLS certificates (#167 ([5c2b7b9](https://github.com/bitnami/charts/commit/5c2b7b9a6fbeba6859d08fb7ea7bd368e799a0b4)), closes [#16731](https://github.com/bitnami/charts/issues/16731) + +## 13.13.1 (2023-05-21) + +* [bitnami/mongodb] Release 13.13.1 (#16812) ([a013246](https://github.com/bitnami/charts/commit/a013246952c25b6104a392ceea59c20916bb54f4)), closes [#16812](https://github.com/bitnami/charts/issues/16812) + +## 13.13.0 (2023-05-17) + +* Adding extra volume mounts to the metrics container (#16698) ([4b993f5](https://github.com/bitnami/charts/commit/4b993f5045a64732a78095ab4a4fe5ba505471b3)), closes [#16698](https://github.com/bitnami/charts/issues/16698) + +## 13.12.1 (2023-05-12) + +* [bitnami/mongodb] Release 13.12.1 (#16624) ([9d8d279](https://github.com/bitnami/charts/commit/9d8d2798284c4fd13c993bcf896805b874f69815)), closes [#16624](https://github.com/bitnami/charts/issues/16624) + +## 13.12.0 (2023-05-12) + +* [bitnami/mongodb] Handle mongodb-exporter arguments with chart values (#16398) ([eb37a81](https://github.com/bitnami/charts/commit/eb37a81b05bf1550dd504ced8f2cbb2e9c5359ea)), closes [#16398](https://github.com/bitnami/charts/issues/16398) +* Add wording for enterprise page (#16560) 
([8f22774](https://github.com/bitnami/charts/commit/8f2277440b976d52785ba9149762ad8620a73d1f)), closes [#16560](https://github.com/bitnami/charts/issues/16560) + +## 13.11.0 (2023-05-09) + +* [bitnami/several] Adapt Chart.yaml to set desired OCI annotations (#16546) ([fc9b18f](https://github.com/bitnami/charts/commit/fc9b18f2e98805d4df629acbcde696f44f973344)), closes [#16546](https://github.com/bitnami/charts/issues/16546) + +## 13.10.3 (2023-05-09) + +* [bitnami/mongodb] Release 13.10.3 (#16476) ([0ed1163](https://github.com/bitnami/charts/commit/0ed116385f9784b79908a3f90001fd07b4743b69)), closes [#16476](https://github.com/bitnami/charts/issues/16476) + +## 13.10.2 (2023-05-01) + +* [bitnami/mongodb] Release 13.10.2 (#16315) ([cdb385d](https://github.com/bitnami/charts/commit/cdb385d5cd5024b4dc0747c349bfd9549b4c483c)), closes [#16315](https://github.com/bitnami/charts/issues/16315) + +## 13.10.1 (2023-04-27) + +* [bitnami/mongodb] Use username as key in the Service Binding secret (#16251) ([c678dc6](https://github.com/bitnami/charts/commit/c678dc6eb98263312c57f12b67c487a1f364ef4d)), closes [#16251](https://github.com/bitnami/charts/issues/16251) + +## 13.10.0 (2023-04-20) + +* [bitnami/*] Make Helm charts 100% OCI (#15998) ([8841510](https://github.com/bitnami/charts/commit/884151035efcbf2e1b3206e7def85511073fb57d)), closes [#15998](https://github.com/bitnami/charts/issues/15998) + +## 13.9.4 (2023-04-01) + +* [bitnami/mongodb] Release 13.9.4 (#15908) ([5b63b06](https://github.com/bitnami/charts/commit/5b63b064599b3fb38963adb33c3956947d8c7f54)), closes [#15908](https://github.com/bitnami/charts/issues/15908) + +## 13.9.3 (2023-03-24) + +* [bitnami/mongodb] Change static DNS entry to clusterDomain variable (#15682) ([e19b3e7](https://github.com/bitnami/charts/commit/e19b3e7729e8bb64976678ca8eabb7c6349c19d2)), closes [#15682](https://github.com/bitnami/charts/issues/15682) + +## 13.9.2 (2023-03-20) + +* [bitnami/mongodb] Release 13.9.2 (#15631) 
([1b595d8](https://github.com/bitnami/charts/commit/1b595d8c95085fd820caa59846de9d35cc4deb85)), closes [#15631](https://github.com/bitnami/charts/issues/15631) + +## 13.9.1 (2023-03-13) + +* [bitnami/mongodb] Release 13.9.1 (#15484) ([628590f](https://github.com/bitnami/charts/commit/628590fdb92e92b9dee42d1e60b144be021323be)), closes [#15484](https://github.com/bitnami/charts/issues/15484) + +## 13.9.0 (2023-03-10) + +* [bitnami/mongodb] Add support for service.headless.annotations (#15435) ([d511822](https://github.com/bitnami/charts/commit/d511822ab3e5486b4d995aa410d313dfb65458f5)), closes [#15435](https://github.com/bitnami/charts/issues/15435) + +## 13.8.3 (2023-03-08) + +* [bitnami/charts] Apply linter to README files (#15357) ([0e29e60](https://github.com/bitnami/charts/commit/0e29e600d3adc8b1b46e506eccb3decfab3b4e63)), closes [#15357](https://github.com/bitnami/charts/issues/15357) +* [bitnami/mongodb] Fix chart upgrade when auth.enable=false (#15387) ([782da45](https://github.com/bitnami/charts/commit/782da457b2c73f23441e3f05a5e06944677151bc)), closes [#15387](https://github.com/bitnami/charts/issues/15387) +* fix(mongodb): fixing doc comment (#15090) ([cfe5b42](https://github.com/bitnami/charts/commit/cfe5b42dba8e0224c98e910e021ec807e009d2ff)), closes [#15090](https://github.com/bitnami/charts/issues/15090) + +## 13.8.2 (2023-03-01) + +* [bitnami/mongodb] Release 13.8.2 (#15216) ([8a916c3](https://github.com/bitnami/charts/commit/8a916c3a8e2bb98d127c0534d896ec1784cd6f1e)), closes [#15216](https://github.com/bitnami/charts/issues/15216) + +## 13.8.1 (2023-02-22) + +* [bitnami/mongodb] fix variable assignment preventing certificate generation (#15079) ([95873be](https://github.com/bitnami/charts/commit/95873becd9afd7cbb346948c12e9f32b0477002c)), closes [#15079](https://github.com/bitnami/charts/issues/15079) + +## 13.8.0 (2023-02-22) + +* [bitnami/mongodb] Added `allocateLoadBalancerNodePorts` option for LoadBalancer (#14919) 
([d103602](https://github.com/bitnami/charts/commit/d103602c85d2979d031df94539b1fcbe667db211)), closes [#14919](https://github.com/bitnami/charts/issues/14919) + +## 13.7.0 (2023-02-21) + +* [bitnami/mongodb] feat: :sparkles: Add ServiceBinding-compatible secrets (#14910) ([6bc7961](https://github.com/bitnami/charts/commit/6bc7961f5027bb17a949c69c0e16bdd686a13745)), closes [#14910](https://github.com/bitnami/charts/issues/14910) [#14887](https://github.com/bitnami/charts/issues/14887) + +## 13.6.8 (2023-02-20) + +* [bitnami/*] Fix markdown linter issues (#14874) ([a51e0e8](https://github.com/bitnami/charts/commit/a51e0e8d35495b907f3e70dd2f8e7c3bcbf4166a)), closes [#14874](https://github.com/bitnami/charts/issues/14874) +* [bitnami/*] Fix markdown linter issues 2 (#14890) ([aa96572](https://github.com/bitnami/charts/commit/aa9657237ee8df4a46db0d7fdf8a23230dd6902a)), closes [#14890](https://github.com/bitnami/charts/issues/14890) +* [bitnami/mongodb] Don't regenerate self-signed certs on upgrade (#14642) ([d481e84](https://github.com/bitnami/charts/commit/d481e84e895daaadc936c99465e7f19787f0054f)), closes [#14642](https://github.com/bitnami/charts/issues/14642) +* [bitnami/mongodb] Release 13.6.8 (#15005) ([f7ea17f](https://github.com/bitnami/charts/commit/f7ea17f77274fb8592646c2f0233a6bf462e8361)), closes [#15005](https://github.com/bitnami/charts/issues/15005) + +## 13.6.7 (2023-01-31) + +* [bitnami/*] Change copyright date (#14682) ([add4ec7](https://github.com/bitnami/charts/commit/add4ec701108ac36ed4de2dffbdf407a0d091067)), closes [#14682](https://github.com/bitnami/charts/issues/14682) +* [bitnami/mongodb] Change endpoint for metrics liveness and readiness probes (#14573) ([68039b1](https://github.com/bitnami/charts/commit/68039b19040391c445c8b4112a9b9514a148c89b)), closes [#14573](https://github.com/bitnami/charts/issues/14573) [bitnami/charts#14466](https://github.com/bitnami/charts/issues/14466) + +## 13.6.6 (2023-01-25) + +* [bitnami/mongodb] Increase 
timeout for probes (#14539) ([f64c2cc](https://github.com/bitnami/charts/commit/f64c2ccfb102046874226b909dd4ae620e08f10e)), closes [#14539](https://github.com/bitnami/charts/issues/14539) + +## 13.6.5 (2023-01-25) + +* [bitnami/*] Unify READMEs (#14472) ([2064fb8](https://github.com/bitnami/charts/commit/2064fb8dcc78a845cdede8211af8c3cc52551161)), closes [#14472](https://github.com/bitnami/charts/issues/14472) +* [bitnami/mongodb] Fix service.nameOverride and TLS certificate generation in standalone mode (#14424 ([aa4d948](https://github.com/bitnami/charts/commit/aa4d9484167515142b28ec1d3ede5a63a51f3f6c)), closes [#14424](https://github.com/bitnami/charts/issues/14424) + +## 13.6.4 (2023-01-19) + +* [bitnami/*] Change licenses annotation format (#14377) ([0ab7608](https://github.com/bitnami/charts/commit/0ab760862c660fcc78cffadf8e1d8cdd70881473)), closes [#14377](https://github.com/bitnami/charts/issues/14377) +* [bitnami/mongodb] Release 13.6.4 (#14441) ([dffa595](https://github.com/bitnami/charts/commit/dffa595836682ba9fc9ad8daec513d4903cf7d2b)), closes [#14441](https://github.com/bitnami/charts/issues/14441) + +## 13.6.3 (2023-01-14) + +* [bitnami/*] Add license annotation and remove obsolete engine parameter (#14293) ([da2a794](https://github.com/bitnami/charts/commit/da2a7943bae95b6e9b5b4ed972c15e990b69fdb0)), closes [#14293](https://github.com/bitnami/charts/issues/14293) +* [bitnami/mongodb] Release 13.6.3 (#14355) ([5a71013](https://github.com/bitnami/charts/commit/5a71013c500b5dd87cac5691f1a7e864569220e4)), closes [#14355](https://github.com/bitnami/charts/issues/14355) + +## 13.6.2 (2022-12-21) + +* [bitnami/mongodb] Set dynamic port on mongodb-exporter uri (#14041) ([3c04e9a](https://github.com/bitnami/charts/commit/3c04e9a8adb5d45b76860894b5f66533e1986cff)), closes [#14041](https://github.com/bitnami/charts/issues/14041) + +## 13.6.1 (2022-12-15) + +* [bitnami/mongodb] Release 13.6.1 (#13967) 
([03ad0ec](https://github.com/bitnami/charts/commit/03ad0ec16c11ade4aa59f6d4fa01a003ea50009b)), closes [#13967](https://github.com/bitnami/charts/issues/13967) + +## 13.6.0 (2022-12-07) + +* [bitnami/mongodb] topology override option (#13694) ([c5df4d6](https://github.com/bitnami/charts/commit/c5df4d6b03fec1f6027d2586301a62ddf06c4f64)), closes [#13694](https://github.com/bitnami/charts/issues/13694) + +## 13.5.0 (2022-11-21) + +* [bitnami/mongodb] Add support for envvars in tls.extraDnsNames (#13558) ([59a316b](https://github.com/bitnami/charts/commit/59a316bce3d3bb4f9366183912dbb9dab518c376)), closes [#13558](https://github.com/bitnami/charts/issues/13558) + +## 13.4.4 (2022-11-15) + +* [bitnami/mongodb] stop overwriting custom env variable MONGODB_ADVERTISED_PORT_NUMBER (#13276) ([ded7c3d](https://github.com/bitnami/charts/commit/ded7c3d42616915546ad25e639645f608e555e08)), closes [#13276](https://github.com/bitnami/charts/issues/13276) + +## 13.4.3 (2022-11-15) + +* [bitnami/mongodb] Release 13.4.3 (#13518) ([fb9307b](https://github.com/bitnami/charts/commit/fb9307bb5862791737983973f3a7edf681f1042f)), closes [#13518](https://github.com/bitnami/charts/issues/13518) + +## 13.4.2 (2022-11-14) + +* [bitnami/mongodb] Add commonLabels also to pods: replicaset, arbiter, hidden (#13501) ([6b3cca2](https://github.com/bitnami/charts/commit/6b3cca2863fed3eee51797a7e6b9165246e818b0)), closes [#13501](https://github.com/bitnami/charts/issues/13501) + +## 13.4.1 (2022-11-03) + +* [bitnami/mongodb] Add loadBalancerClass options - fix typo (#13331) ([b3acaf0](https://github.com/bitnami/charts/commit/b3acaf02fd97acd89ede4dbc7e848046317d6e9d)), closes [#13331](https://github.com/bitnami/charts/issues/13331) + +## 13.4.0 (2022-11-02) + +* [bitnami/mongodb] Update common-scripts-cm.yaml (#13131) ([bcecde7](https://github.com/bitnami/charts/commit/bcecde74ff9740da875270dbbbc8fc1bc20f8f7f)), closes [#13131](https://github.com/bitnami/charts/issues/13131) + +## 13.3.1 (2022-10-30) + +* 
[bitnami/mongodb] Release 13.3.1 (#13253) ([9f9f9ab](https://github.com/bitnami/charts/commit/9f9f9ab52aa8b0521e0808e71b5e4e32aa6041a1)), closes [#13253](https://github.com/bitnami/charts/issues/13253) + +## 13.3.0 (2022-10-24) + +* [bitnami/mongodb] Mongodb custom certs (#11239) ([c8e80b7](https://github.com/bitnami/charts/commit/c8e80b703827ec9b9a3b437e30c8aae50d0626b8)), closes [#11239](https://github.com/bitnami/charts/issues/11239) + +## 13.2.0 (2022-10-24) + +* [bitnami/*] Use new default branch name in links (#12943) ([a529e02](https://github.com/bitnami/charts/commit/a529e02597d49d944eba1eb0f190713293247176)), closes [#12943](https://github.com/bitnami/charts/issues/12943) +* [bitnami/mongodb] Add loadBalancerClass options (#13092) ([6d9c603](https://github.com/bitnami/charts/commit/6d9c603c703c018edbaa00cb5988778087b16616)), closes [#13092](https://github.com/bitnami/charts/issues/13092) +* Generic README instructions related to the repo (#12792) ([3cf6b10](https://github.com/bitnami/charts/commit/3cf6b10e10e60df4b3e191d6b99aa99a9f597755)), closes [#12792](https://github.com/bitnami/charts/issues/12792) + +## 13.1.7 (2022-09-30) + +* [bitnami/mongodb] Release 13.1.7 (#12765) ([d346d01](https://github.com/bitnami/charts/commit/d346d01e92ccf7d760a4d65549345cf3ad8cbb20)), closes [#12765](https://github.com/bitnami/charts/issues/12765) + +## 13.1.6 (2022-09-29) + +* [bitnami/mongodb] Release 13.1.6 (#12734) ([4e4907f](https://github.com/bitnami/charts/commit/4e4907f5fb6d660dd4db41e95041a662effeedde)), closes [#12734](https://github.com/bitnami/charts/issues/12734) + +## 13.1.5 (2022-09-20) + +* [bitnami/mongodb] Use custom probes if given (#12528) ([e4eab8c](https://github.com/bitnami/charts/commit/e4eab8c2489eada73a106531283b5bfc49f88712)), closes [#12528](https://github.com/bitnami/charts/issues/12528) [#12354](https://github.com/bitnami/charts/issues/12354) + +## 13.1.4 (2022-09-18) + +* [bitnami/mongodb] Release 13.1.4 (#12475) 
([239e06b](https://github.com/bitnami/charts/commit/239e06b06315014c9342ca2c45e071bfd4f5af20)), closes [#12475](https://github.com/bitnami/charts/issues/12475) + +## 13.1.3 (2022-09-14) + +* issue 12411 (#12415) ([5d31922](https://github.com/bitnami/charts/commit/5d3192203cd191479671db4f6568fd7d5c4bd388)), closes [#12415](https://github.com/bitnami/charts/issues/12415) + +## 13.1.2 (2022-08-26) + +* [bitnami/mongodb] Fix probes when url connection contains 'true' (#12133) ([39df1e7](https://github.com/bitnami/charts/commit/39df1e709fea983e95c87876d8dd2af165cdfb1e)), closes [#12133](https://github.com/bitnami/charts/issues/12133) + +## 13.1.1 (2022-08-23) + +* [bitnami/mongodb] Update Chart.lock (#12043) ([2c3548d](https://github.com/bitnami/charts/commit/2c3548d921f82da695160c09891d6f6241ac6765)), closes [#12043](https://github.com/bitnami/charts/issues/12043) + +## 13.1.0 (2022-08-22) + +* [bitnami/mongodb] Add support for image digest apart from tag (#11914) ([fa34484](https://github.com/bitnami/charts/commit/fa3448449254efa052da1f7093549a3540cfbf90)), closes [#11914](https://github.com/bitnami/charts/issues/11914) + +## 13.0.2 (2022-08-19) + +* [bitnami/mongodb] Release 13.0.2 (#11861) ([5532749](https://github.com/bitnami/charts/commit/5532749be271089b45366052a78342735b864081)), closes [#11861](https://github.com/bitnami/charts/issues/11861) + +## 13.0.1 (2022-08-16) + +* [bitnami/mongodb] Release 13.0.1 (#11776) ([1a6248b](https://github.com/bitnami/charts/commit/1a6248b9368b6b1dccd96d9baa1f4657a1a17b54)), closes [#11776](https://github.com/bitnami/charts/issues/11776) + +## 13.0.0 (2022-08-04) + +* [bitnami/mongodb] Release 13.0.0 (#11586) ([ac90a7b](https://github.com/bitnami/charts/commit/ac90a7b2d8f8f86091ad1293f0f09c09fccbced5)), closes [#11586](https://github.com/bitnami/charts/issues/11586) + +## 12.1.31 (2022-08-03) + +* [bitnami/mongodb] Release 12.1.31 (#11538) 
([5c35513](https://github.com/bitnami/charts/commit/5c35513abddcf4bcab9b9b071f2fc9f905f78a28)), closes [#11538](https://github.com/bitnami/charts/issues/11538) + +## 12.1.30 (2022-07-28) + +* Change metrics endpoint for liveness and readiness probes (#11398) ([7a73c44](https://github.com/bitnami/charts/commit/7a73c441ad9560af8601c397085ff0332a89a9c2)), closes [#11398](https://github.com/bitnami/charts/issues/11398) + +## 12.1.29 (2022-07-27) + +* [bitnami/mongodb] Release 12.1.29 (#11393) ([fb5a4ce](https://github.com/bitnami/charts/commit/fb5a4ce87625879a12d8e2f7a0d46c08060ef756)), closes [#11393](https://github.com/bitnami/charts/issues/11393) + +## 12.1.28 (2022-07-27) + +* [bitnami/*] Update URLs to point to the new bitnami/containers monorepo (#11352) ([d665af0](https://github.com/bitnami/charts/commit/d665af0c708846192d8d5fb2f5f9ea65dd464ab0)), closes [#11352](https://github.com/bitnami/charts/issues/11352) +* [bitnami/mongodb] Release 12.1.28 (#11362) ([f527284](https://github.com/bitnami/charts/commit/f5272840eaa0c6693978595ad44bdba95490c5db)), closes [#11362](https://github.com/bitnami/charts/issues/11362) + +## 12.1.27 (2022-07-19) + +* [bitnami/mongodb] Release 12.1.27 (#11252) ([b451ec1](https://github.com/bitnami/charts/commit/b451ec12def686142582e3bc4e03dea003803de7)), closes [#11252](https://github.com/bitnami/charts/issues/11252) + +## 12.1.26 (2022-07-12) + +* [bitnami/mongodb] Fix commonAnnotations when working with external access svc (#11128) ([fa8694f](https://github.com/bitnami/charts/commit/fa8694f8aff028b3c635474e5b6fd64c58b05f0f)), closes [#11128](https://github.com/bitnami/charts/issues/11128) + +## 12.1.25 (2022-07-09) + +* [bitnami/mongodb] Release 12.1.25 (#11104) ([b8e2d20](https://github.com/bitnami/charts/commit/b8e2d2026a624413d58917ea6780571a933e8162)), closes [#11104](https://github.com/bitnami/charts/issues/11104) + +## 12.1.24 (2022-07-05) + +* [bitnami/mongodb] Release 12.1.24 (#11034) 
([8a34239](https://github.com/bitnami/charts/commit/8a34239e7a76770868ddddf7b10bf91900cd0924)), closes [#11034](https://github.com/bitnami/charts/issues/11034) + +## 12.1.23 (2022-07-04) + +* [bitnami/mongodb] Release 12.1.23 (#11017) ([416904a](https://github.com/bitnami/charts/commit/416904a57e9e86a259c0c1e5dedfabc8cb23e306)), closes [#11017](https://github.com/bitnami/charts/issues/11017) + +## 12.1.22 (2022-06-30) + +* [bitnami/mongodb] Release 12.1.22 (#10966) ([d707550](https://github.com/bitnami/charts/commit/d70755028cf2c85847b8524b77835172849796d9)), closes [#10966](https://github.com/bitnami/charts/issues/10966) + +## 12.1.21 (2022-06-27) + +* [bitnami/mongodb] Readiness Probe bug fix (#10865) ([b34a09f](https://github.com/bitnami/charts/commit/b34a09f62f70457a950952e5ee08c3e92b0a4acb)), closes [#10865](https://github.com/bitnami/charts/issues/10865) + +## 12.1.20 (2022-06-15) + +* [bitnami/mongodb] Release 12.1.20 (#10768) ([9e2d3cc](https://github.com/bitnami/charts/commit/9e2d3cc39d1f4bf5b4c930af47822eecd789f178)), closes [#10768](https://github.com/bitnami/charts/issues/10768) + +## 12.1.19 (2022-06-08) + +* [bitnami/mongodb] Release 12.1.19 (#10660) ([093d55f](https://github.com/bitnami/charts/commit/093d55f1ec11138857ec1b3aa32f7e4d19a32c1d)), closes [#10660](https://github.com/bitnami/charts/issues/10660) + +## 12.1.18 (2022-06-08) + +* [bitnami/*] Replace Kubeapps URL in READMEs (and kubeapps Chart.yaml) and remove BKPR references (#1 ([c6a7914](https://github.com/bitnami/charts/commit/c6a7914361e5aea6016fb45bf4d621edfd111d32)), closes [#10600](https://github.com/bitnami/charts/issues/10600) +* [bitnami/mongodb] - Fixing mongdb certificate generation issue when external access is enabled - #10 ([99119c0](https://github.com/bitnami/charts/commit/99119c04fc7642858bd3803517b01c732758822b)), closes [#10262](https://github.com/bitnami/charts/issues/10262) [#10513](https://github.com/bitnami/charts/issues/10513) 
[#10262](https://github.com/bitnami/charts/issues/10262) [bitnami#10262](https://github.com/bitnami/issues/10262) [bitnami#10262](https://github.com/bitnami/issues/10262) + +## 12.1.17 (2022-06-06) + +* [bitnami/mongodb] Fix wrongly named mongodb secret key 'mongodb-passwords' (#10546) ([56a2b5d](https://github.com/bitnami/charts/commit/56a2b5dc53143a6ead1878963dcb330251547628)), closes [#10546](https://github.com/bitnami/charts/issues/10546) + +## 12.1.16 (2022-06-01) + +* [bitnami/several] Replace maintainers email by url (#10523) ([ff3cf61](https://github.com/bitnami/charts/commit/ff3cf617a1680509b0f3855d17c4ccff7b29a0ff)), closes [#10523](https://github.com/bitnami/charts/issues/10523) + +## 12.1.15 (2022-05-30) + +* [bitnami/several] Replace base64 --decode with base64 -d (#10495) ([099286a](https://github.com/bitnami/charts/commit/099286ae7a87784cf809df0b64ab24f7ff0144c8)), closes [#10495](https://github.com/bitnami/charts/issues/10495) + +## 12.1.14 (2022-05-30) + +* [bitnami/mongodb] Replicaset environment variable typo (#10465) ([ba7ad19](https://github.com/bitnami/charts/commit/ba7ad1926045a783957e37b35416edd7626fc62f)), closes [#10465](https://github.com/bitnami/charts/issues/10465) + +## 12.1.13 (2022-05-27) + +* [bitnami/mongodb] enabled mdb all collectors (#10445) ([c7a8543](https://github.com/bitnami/charts/commit/c7a854308cb0a53ad0b73b96bf57a963ebb9c3ca)), closes [#10445](https://github.com/bitnami/charts/issues/10445) + +## 12.1.12 (2022-05-26) + +* [bitnami/mongodb] Release 12.1.12 updating components versions ([bb711e3](https://github.com/bitnami/charts/commit/bb711e34ca5685e4b5723bb3d85adb04e3ac2cd0)) + +## 12.1.11 (2022-05-23) + +* Fixes #10300 
Signed-off-by: Jonathan Weber (#10302) ([627b9c4](https://github.com/bitnami/charts/commit/627b9c4240f48c8cd84097d8d4fa8410c35cbbe6)), closes [#10300](https://github.com/bitnami/charts/issues/10300) [#10302](https://github.com/bitnami/charts/issues/10302) + +## 12.1.10 (2022-05-21) + +* [bitnami/mongodb] Release 12.1.10 updating components versions ([3dd8685](https://github.com/bitnami/charts/commit/3dd8685ebb935dde27fa7746bab4fb343c52cdae)) + +## 12.1.9 (2022-05-20) + +* [bitnami/mongodb] Use deepCopy in "common.secrets.passwords.manage" call (#10319) ([a3ccd0e](https://github.com/bitnami/charts/commit/a3ccd0eef75ed55f94904f2113d4128662ffb546)), closes [#10319](https://github.com/bitnami/charts/issues/10319) + +## 12.1.8 (2022-05-19) + +* [bitnami/mongodb] Release 12.1.8 updating components versions ([a836a36](https://github.com/bitnami/charts/commit/a836a36a33572a41ef4e54287ad87b251c84ba8d)) + +## 12.1.7 (2022-05-18) + +* [bitnami/mongodb] remove unnecessary merge call (#10308) ([a40fee8](https://github.com/bitnami/charts/commit/a40fee8dd4059dfaedfcb0796e51127f99967008)), closes [#10308](https://github.com/bitnami/charts/issues/10308) + +## 12.1.6 (2022-05-18) + +* [bitnami/mongodb] Release 12.1.6 updating components versions ([ea71483](https://github.com/bitnami/charts/commit/ea71483c960a8823c539f92085dfd4bded021668)) + +## 12.1.5 (2022-05-13) + +* [bitnami/mongodb] Fix incorrect SAN field for MongoDB TLS certs (#10220) ([187af92](https://github.com/bitnami/charts/commit/187af92cedd0f1e92beabb4abf624113c3077ae3)), closes [#10220](https://github.com/bitnami/charts/issues/10220) + +## 12.1.4 (2022-05-13) + +* [bitnami/*] Remove old 'ci' files (#10171) ([5df30c4](https://github.com/bitnami/charts/commit/5df30c44dbd1812da8786579ce4a94917d46a6ad)), closes [#10171](https://github.com/bitnami/charts/issues/10171) +* [bitnami/*] Unify k8s directives separators (#10185) ([2650214](https://github.com/bitnami/charts/commit/26502141d146ca3bdfb3bf744fcdec8ca5cece44)), closes 
[#10185](https://github.com/bitnami/charts/issues/10185) + +## 12.1.3 (2022-05-11) + +* [bitnami/mongodb] Add missing namespace metadata (#10141) ([dcda6af](https://github.com/bitnami/charts/commit/dcda6af36bf65b1e8c4f48c4b9fe5e6385bbe82c)), closes [#10141](https://github.com/bitnami/charts/issues/10141) + +## 12.1.2 (2022-05-10) + +* [bitnami/mongodb] Fix metrics containerPort when using standalone (#10084) ([cf8deb1](https://github.com/bitnami/charts/commit/cf8deb12a1cbc50bd3faaafee77c5912ab951cbd)), closes [#10084](https://github.com/bitnami/charts/issues/10084) + +## 12.1.1 (2022-05-09) + +* [bitnami/mongodb] Remove unnecessary logic around externalAccess.service.nodePorts (#10079) ([36749d7](https://github.com/bitnami/charts/commit/36749d7f3213c77440d5c5c06146b077aca36f33)), closes [#10079](https://github.com/bitnami/charts/issues/10079) + +## 12.1.0 (2022-05-05) + +* [bitnami/mongodb] Allow custom command and args in the metrics container (#10030) ([bdefd11](https://github.com/bitnami/charts/commit/bdefd1129a288f23d6d53ba8b33fc2b72943373b)), closes [#10030](https://github.com/bitnami/charts/issues/10030) + +## 12.0.2 (2022-05-03) + +* bitnami/mongodb adding generate-tls-certs resource block (#10011) ([2712205](https://github.com/bitnami/charts/commit/27122053639af7d3320278db47d8968df6aa68c2)), closes [#10011](https://github.com/bitnami/charts/issues/10011) + +## 12.0.1 (2022-04-29) + +* [bitnami/mongodb] Release 12.0.1 updating components versions ([6a8c5a5](https://github.com/bitnami/charts/commit/6a8c5a54b1c2517a06a38bec790fae38b3a87f50)) + +## 12.0.0 (2022-04-29) + +* [bitnami/mongodb] Standarize mongodb (#9648) ([fdd8b69](https://github.com/bitnami/charts/commit/fdd8b691290c8f039d192a2b7c6f87706e7c2390)), closes [#9648](https://github.com/bitnami/charts/issues/9648) + +## 11.2.0 (2022-04-26) + +* [bitnami/mongodb] feat: :wastebasket: Remove mongo references (#9916) 
([f126710](https://github.com/bitnami/charts/commit/f1267104df0dd5900be7629c2ad6dbf90655fbc9)), closes [#9916](https://github.com/bitnami/charts/issues/9916) + +## 11.1.10 (2022-04-22) + +* [bitnami/mongodb] Fix Prometheus Rules (#9870) ([534be04](https://github.com/bitnami/charts/commit/534be04d03e115315d55ad53a548416decadb2d1)), closes [#9870](https://github.com/bitnami/charts/issues/9870) +* [bitnami/mongodb] Release 11.1.10 updating components versions ([8fec889](https://github.com/bitnami/charts/commit/8fec88993c56557f04859fb628da252136b8a6b2)) + +## 11.1.9 (2022-04-21) + +* [bitnami/mongodb] Release 11.1.9 updating components versions ([355616f](https://github.com/bitnami/charts/commit/355616f383a1caa8907d5ee300688c67491b2e97)) + +## 11.1.8 (2022-04-20) + +* [bitnami/mongodb] Release 11.1.8 updating components versions ([c10d34c](https://github.com/bitnami/charts/commit/c10d34c9b10aad6dd8672321e6e5cf49c3fb5356)) + +## 11.1.7 (2022-04-19) + +* [bitnami/mongodb] Release 11.1.7 updating components versions ([21a6772](https://github.com/bitnami/charts/commit/21a677271896b37d73b52abfccc68b23170dc941)) + +## 11.1.6 (2022-04-18) + +* [bitnami/mongodb] Release 11.1.6 updating components versions ([d89031b](https://github.com/bitnami/charts/commit/d89031b0b37367d0bfd186463c25b612d40a8c3a)) + +## 11.1.5 (2022-04-05) + +* [bitnami/mongodb] Release 11.1.5 updating components versions ([2c93040](https://github.com/bitnami/charts/commit/2c930401b1cb5774eb4c159491280d54fe14e9a7)) + +## 11.1.4 (2022-04-02) + +* [bitnami/mongodb] Release 11.1.4 updating components versions ([15e4f8d](https://github.com/bitnami/charts/commit/15e4f8d06c3af635ee5696027d5de430bb6836fd)) + +## 11.1.3 (2022-03-28) + +* [bitnami/mongodb] Release 11.1.3 updating components versions ([a6e8ef3](https://github.com/bitnami/charts/commit/a6e8ef3cb1923008eac9a8f9d356c2205efcdba4)) + +## 11.1.2 (2022-03-27) + +* [bitnami/mongodb] Release 11.1.2 updating components versions 
([ad92c81](https://github.com/bitnami/charts/commit/ad92c81b28d36f5e99a1b1160647fc40b82e41cc)) + +## 11.1.1 (2022-03-16) + +* [bitnami/mongodb] Release 11.1.1 updating components versions ([e87c6b5](https://github.com/bitnami/charts/commit/e87c6b5cfdaa2aeaa7610be41dd0dec71a613dbd)) + +## 11.1.0 (2022-03-11) + +* [bitnami/mongodb] feat: :sparkles: Check replicaset status when persistence is not detected (#9387) ([7d9d4a3](https://github.com/bitnami/charts/commit/7d9d4a38a1a7cf64cb8a7163ec67de517e4f3a93)), closes [#9387](https://github.com/bitnami/charts/issues/9387) + +## 11.0.6 (2022-03-02) + +* [bitnami/mongodb] Release 11.0.6 updating components versions ([820c436](https://github.com/bitnami/charts/commit/820c436bc06c963e0e5e3a472c2986b226470e49)) + +## 11.0.5 (2022-02-27) + +* [bitnami/mongodb] Release 11.0.5 updating components versions ([d997058](https://github.com/bitnami/charts/commit/d997058e6f9c99826242c0ae6d19ccc1cdc2106a)) + +## 11.0.4 (2022-02-21) + +* [bitnami/mongodb] Do not hardcode PDB apiVersion (#9105) ([8123881](https://github.com/bitnami/charts/commit/81238811d4a6d09b2946dff7c0b65881449b2c4f)), closes [#9105](https://github.com/bitnami/charts/issues/9105) + +## 11.0.3 (2022-02-04) + +* [bitnami/mongodb] fix duplicated arbiter MONGODB_EXTRA_FLAGS env var (#8892) ([23ff0af](https://github.com/bitnami/charts/commit/23ff0afe07cc5d78f824c11fc969be174879424e)), closes [#8892](https://github.com/bitnami/charts/issues/8892) + +## 11.0.2 (2022-02-01) + +* [bitnami/mongodb] Release 11.0.2 updating components versions ([5de4fe8](https://github.com/bitnami/charts/commit/5de4fe8011b189e5a6a280e9a9a1e56dd57fc863)) + +## 11.0.1 (2022-01-31) + +* [bitnami/*] Fix non-utf8 characters (#8826) ([aebe0ed](https://github.com/bitnami/charts/commit/aebe0ed63d845e1e2b38751103810adf200b18f5)), closes [#8826](https://github.com/bitnami/charts/issues/8826) +* [bitnami/mongodb] Fix exporter command (#8843) 
([e2b5314](https://github.com/bitnami/charts/commit/e2b53140f8ecb2b0c1886c76d32f3c0a8e7bbf2f)), closes [#8843](https://github.com/bitnami/charts/issues/8843) + +## 11.0.0 (2022-01-27) + +* [bitnami/mongodb*] New major version using 0.30.X for the exporter (#8818) ([282d315](https://github.com/bitnami/charts/commit/282d315386d6f7f20a65ea3b7a46bb26cc95fa15)), closes [#8818](https://github.com/bitnami/charts/issues/8818) + +## 10.31.5 (2022-01-24) + +* fix(): Fixed closing bracket for hidden node scripts (#8754) ([8db5126](https://github.com/bitnami/charts/commit/8db51260fb7656d3301c612b6263ee459a09ba0d)), closes [#8754](https://github.com/bitnami/charts/issues/8754) + +## 10.31.4 (2022-01-20) + +* [bitnami/*] Readme automation (#8579) ([78d1938](https://github.com/bitnami/charts/commit/78d193831c900d178198491ffd08fa2217a64ecd)), closes [#8579](https://github.com/bitnami/charts/issues/8579) +* [bitnami/*] Update READMEs (#8716) ([b9a9533](https://github.com/bitnami/charts/commit/b9a953337590eb2979453385874a267bacf50936)), closes [#8716](https://github.com/bitnami/charts/issues/8716) +* [bitnami/several] Change prerequisites (#8725) ([8d740c5](https://github.com/bitnami/charts/commit/8d740c566cfdb7e2d933c40128b4e919fce953a5)), closes [#8725](https://github.com/bitnami/charts/issues/8725) + +## 10.31.3 (2022-01-11) + +* [bitnami/mongodb] Release 10.31.3 updating components versions ([ef0367c](https://github.com/bitnami/charts/commit/ef0367cebe3f8f75acd50903983e8ab72d6ee90e)) + +## 10.31.2 (2022-01-07) + +* fix(): Fixed commonlabel issues for hidden node external service (#8590) ([dfc59a9](https://github.com/bitnami/charts/commit/dfc59a99aa0865915e0baffe0a4797063436fe81)), closes [#8590](https://github.com/bitnami/charts/issues/8590) + +## 10.31.1 (2022-01-05) + +* [bitnami/mongodb] Fixed NodePort External Access (#8515) ([7cd5728](https://github.com/bitnami/charts/commit/7cd5728f4689dd43b389c337c60aeec6ce3619a3)), closes 
[#8515](https://github.com/bitnami/charts/issues/8515) + +## 10.31.0 (2022-01-05) + +* [bitnami/several] Adapt templating format (#8562) ([8cad18a](https://github.com/bitnami/charts/commit/8cad18aed9966a6f0208e5ad6cee46cb217f47ab)), closes [#8562](https://github.com/bitnami/charts/issues/8562) + +## 10.30.12 (2022-01-04) + +* [bitnami/mongodb] Release 10.30.12 updating components versions ([9fe8ea7](https://github.com/bitnami/charts/commit/9fe8ea7dc654e07b187a3a784265cf73b0793c98)) +* [bitnami/several] Add license to the README ([05f7633](https://github.com/bitnami/charts/commit/05f763372501d596e57db713dd53ff4ff3027cc4)) +* [bitnami/several] Add license to the README ([32fb238](https://github.com/bitnami/charts/commit/32fb238e60a0affc6debd3142eaa3c3d9089ec2a)) +* [bitnami/several] Add license to the README ([b87c2f7](https://github.com/bitnami/charts/commit/b87c2f7899d48a8b02c506765e6ae82937e9ba3f)) + +## 10.30.11 (2021-12-31) + +* [bitnami/mongodb] Add metrics active wait (#8537) ([3a01fd4](https://github.com/bitnami/charts/commit/3a01fd4f89c7c62a13459d58fe77fe33cf42a101)), closes [#8537](https://github.com/bitnami/charts/issues/8537) + +## 10.30.10 (2021-12-29) + +* [bitnami/mongodb] Release 10.30.10 updating components versions ([bd5647d](https://github.com/bitnami/charts/commit/bd5647d778e26257907ba34fa3c4250830870c52)) + +## 10.30.9 (2021-12-27) + +* [bitnami/mongodb] Release 10.30.9 updating components versions ([70d0e55](https://github.com/bitnami/charts/commit/70d0e55da7591e6a2a3f56c2982fe36c40e438b8)) + +## 10.30.8 (2021-12-17) + +* Revert "[bitnami/mongodb] Fix deprecated 'IP Address in the DNS Name field on certificate' when usin ([ed8306a](https://github.com/bitnami/charts/commit/ed8306ab169c34d99d694198aec8dc0931c43014)), closes [#8416](https://github.com/bitnami/charts/issues/8416) + +## 10.30.7 (2021-12-17) + +* [bitnami/mongodb] Fix deprecated 'IP Address in the DNS Name field on certificate' when using tls (# 
([275b91a](https://github.com/bitnami/charts/commit/275b91ad43d0058577edb9c58580ff197d5ba4b9)), closes [#8416](https://github.com/bitnami/charts/issues/8416) +* bitnami/mongodb: enable to configure topology spread constraints (#8222) ([3bcf0b6](https://github.com/bitnami/charts/commit/3bcf0b6f9e39110dbaa34915ffa3e4d098841dc9)), closes [#8222](https://github.com/bitnami/charts/issues/8222) +* Fixed tls.extraDnsNames example (#8352) ([e7cacec](https://github.com/bitnami/charts/commit/e7caceca2c009b27fbb534776a9a366e0bbf5a46)), closes [#8352](https://github.com/bitnami/charts/issues/8352) + +## 10.30.6 (2021-12-02) + +* [bitnami/*] Fix parameters for schema generation (#8297) ([d7d52ac](https://github.com/bitnami/charts/commit/d7d52acdbd1b0629e4e5295652fa6f5830daf2af)), closes [#8297](https://github.com/bitnami/charts/issues/8297) + +## 10.30.5 (2021-12-02) + +* [bitnami/mongodb] Fix default replicaSetConfigurationSettings.configuration (#8295) ([7f29d4e](https://github.com/bitnami/charts/commit/7f29d4edcb28d8feac57b9b359eab1d8d2b0fb11)), closes [#8295](https://github.com/bitnami/charts/issues/8295) +* [bitnami/several] Regenerate README tables ([a43cca7](https://github.com/bitnami/charts/commit/a43cca73cabae95609e943f6eb2cdeefc04e866b)) + +## 10.30.4 (2021-12-01) + +* [bitnami/mongodb] Release 10.30.4 updating components versions ([76dcbd5](https://github.com/bitnami/charts/commit/76dcbd5c5801143a5f23261ce1482653860380bf)) +* [bitnami/several] Regenerate README tables ([8150149](https://github.com/bitnami/charts/commit/8150149f0bb746e86ff0029fc375d43775bdf15a)) + +## 10.30.3 (2021-11-30) + +* [bitnami/mongodb] Support tls.extraDnsNames in "replicaset" architecture (#8267) ([58900c8](https://github.com/bitnami/charts/commit/58900c8dc1f732fbbf979630f44eec9e5552647e)), closes [#8267](https://github.com/bitnami/charts/issues/8267) + +## 10.30.2 (2021-11-29) + +* [bitnami/several] Replace HTTP by HTTPS when possible (#8259) 
([eafb5bd](https://github.com/bitnami/charts/commit/eafb5bd5a2cc3aaf04fc1e8ebedd73f420d76864)), closes [#8259](https://github.com/bitnami/charts/issues/8259) + +## 10.30.1 (2021-11-26) + +* [bitnami/mongodb] Added ability to configure run-time replica set configuration settings (#7042) ([46b1e90](https://github.com/bitnami/charts/commit/46b1e90ec9ffb7c32c4de6c323594c606bfaa923)), closes [#7042](https://github.com/bitnami/charts/issues/7042) + +## 10.30.0 (2021-11-26) + +* [bitnami/mongodb] Add medium option for non-persisted. (#8238) ([d762894](https://github.com/bitnami/charts/commit/d76289431509ec90111d54d997ba5632f71d88f3)), closes [#8238](https://github.com/bitnami/charts/issues/8238) + +## 10.29.4 (2021-11-24) + +* [bitnami/several] Fix deadlinks in README.md (#8215) ([99e90d2](https://github.com/bitnami/charts/commit/99e90d244b3244e059a42f72dcbecd3cda2b66bb)), closes [#8215](https://github.com/bitnami/charts/issues/8215) +* Fix tls mode value (#8219) ([47947a1](https://github.com/bitnami/charts/commit/47947a1b5a5cf9ea3318d0df42b893d7e017428e)), closes [#8219](https://github.com/bitnami/charts/issues/8219) + +## 10.29.3 (2021-11-23) + +* Add value for tlsMode (#8214) ([48c50df](https://github.com/bitnami/charts/commit/48c50df7406a95f72c8a6929ce97b146f63f52fd)), closes [#8214](https://github.com/bitnami/charts/issues/8214) + +## 10.29.2 (2021-11-10) + +* Fix service name in TLS init container (#8085) ([9108472](https://github.com/bitnami/charts/commit/9108472c07a0ad69db5f497711d36a018f1365cb)), closes [#8085](https://github.com/bitnami/charts/issues/8085) + +## 10.29.1 (2021-11-09) + +* [bitnami/mongodb] Fix custom passwords (#8067) ([f2e629a](https://github.com/bitnami/charts/commit/f2e629a69add604951ae1dd3525dc3ea4a215d9d)), closes [#8067](https://github.com/bitnami/charts/issues/8067) +* [bitnami/several] Regenerate README tables ([3cefed3](https://github.com/bitnami/charts/commit/3cefed3ef961fbd7596242b1165bcfa229a9cadb)) + +## 10.29.0 (2021-11-02) + +* 
[bitnami/mongodb] Add support for several custom users/dbs (#7930) ([4d8106f](https://github.com/bitnami/charts/commit/4d8106fc733907796fc60e0a728c77ecc7e9f7b1)), closes [#7930](https://github.com/bitnami/charts/issues/7930) + +## 10.28.7 (2021-10-28) + +* [bitnami/mongodb] Release 10.28.7 updating components versions ([f4d7b00](https://github.com/bitnami/charts/commit/f4d7b00f5fe902d4e435f19dec129db4089d48d0)) + +## 10.28.6 (2021-10-28) + +* [bitnami/*] Mark PodSecurityPolicy resources as deprecated (#7950) ([30e6946](https://github.com/bitnami/charts/commit/30e694657e21cea03a64ddbc6744f9bab1d1a169)), closes [#7950](https://github.com/bitnami/charts/issues/7950) +* [bitnami/several] Regenerate README tables ([412cf6a](https://github.com/bitnami/charts/commit/412cf6a513cb0c03444a6e7811c6f27193239a10)) + +## 10.28.5 (2021-10-27) + +* [bitnami/mongodb] Release 10.28.5 updating components versions ([77be157](https://github.com/bitnami/charts/commit/77be157ac7e1218ce320068bc809086dcf0f9d0f)) +* [bitnami/several] Regenerate README tables ([3df22fe](https://github.com/bitnami/charts/commit/3df22fe5caa595c007d5da96c97209942ba1f0a0)) + +## 10.28.4 (2021-10-25) + +* [bitnami/mongodb] Release 10.28.4 updating components versions ([f7b2803](https://github.com/bitnami/charts/commit/f7b280361dd71f980b2ea1f9a7903512e63e0875)) + +## 10.28.3 (2021-10-22) + +* [bitnami/several] Add chart info to NOTES.txt (#7889) ([a6751cd](https://github.com/bitnami/charts/commit/a6751cdd33c461fabbc459fbea6f219ec64ab6b2)), closes [#7889](https://github.com/bitnami/charts/issues/7889) + +## 10.28.2 (2021-10-19) + +* [bitnami/several] Change pullPolicy for bitnami-shell image (#7852) ([9711a33](https://github.com/bitnami/charts/commit/9711a33c6eec72ea79143c4b7574dbe6a148d6b2)), closes [#7852](https://github.com/bitnami/charts/issues/7852) +* [bitnami/several] Regenerate README tables ([dd25873](https://github.com/bitnami/charts/commit/dd2587368d006bcca6149be74d846752a15344b9)) + +## 10.28.1 
(2021-10-14) + +* [bitnami/*] Generate READMEs (#7790) ([0833a8c](https://github.com/bitnami/charts/commit/0833a8c16300d68abf6030639c3479d8fb031e25)), closes [#7790](https://github.com/bitnami/charts/issues/7790) +* [bitnami/mongodb] Release 10.28.1 updating components versions ([ddef47a](https://github.com/bitnami/charts/commit/ddef47ab1da7b2ca64dd4d39c2031a1c844dcbd5)) + +## 10.28.0 (2021-10-13) + +* [bitnami/mongodb] Call tpl function on mongo existing secret value (#7781) ([b31d5b8](https://github.com/bitnami/charts/commit/b31d5b8530c76be1d4375e0ae5cc63ad7707d81a)), closes [#7781](https://github.com/bitnami/charts/issues/7781) [#7770](https://github.com/bitnami/charts/issues/7770) + +## 10.27.3 (2021-10-12) + +* [bitnami/mongodb] Release 10.27.3 updating components versions ([eb69d9d](https://github.com/bitnami/charts/commit/eb69d9d2cf32ad8d06d6c434a99fceee86904e42)) + +## 10.27.2 (2021-10-07) + +* Fix service name for hidden MongoDB pods (#7726) ([51a5a53](https://github.com/bitnami/charts/commit/51a5a53e9833f262be91c2616efeb31348e0d376)), closes [#7726](https://github.com/bitnami/charts/issues/7726) + +## 10.27.1 (2021-10-06) + +* [bitnami/mongodb] fix extraDnsNames (#7717) ([c76bc81](https://github.com/bitnami/charts/commit/c76bc81c91a7b09133b3b6bfab32086f5acd57ee)), closes [#7717](https://github.com/bitnami/charts/issues/7717) +* [bitnami/several] Regenerate README tables ([acd5b18](https://github.com/bitnami/charts/commit/acd5b18ce5bc30692bd4a318dbc4ddff297d7c9a)) + +## 10.27.0 (2021-10-05) + +* bitnami/mongodb - Add extra dns names for auto tls. 
(#7627) ([b22f271](https://github.com/bitnami/charts/commit/b22f27118382ab13945d943e4bedcaaccd834f84)), closes [#7627](https://github.com/bitnami/charts/issues/7627) + +## 10.26.4 (2021-09-27) + +* [bitnami/*] Generate READMEs with new generator version (#7614) ([e5ab2e6](https://github.com/bitnami/charts/commit/e5ab2e6ecdd6bce800863f154cda524ff9f6c117)), closes [#7614](https://github.com/bitnami/charts/issues/7614) +* [bitnami/mongodb] Add commonAnnotations on arbiter (#7618) ([571ac9a](https://github.com/bitnami/charts/commit/571ac9a50c387ec013798b1067efb884952ddf0c)), closes [#7618](https://github.com/bitnami/charts/issues/7618) +* [bitnami/several] Regenerate README tables ([fa939b3](https://github.com/bitnami/charts/commit/fa939b373a54c01c20aa28cdd4e7cfb2953ce2a4)) + +## 10.26.3 (2021-09-19) + +* [bitnami/mongodb] Release 10.26.3 updating components versions ([b4d29c0](https://github.com/bitnami/charts/commit/b4d29c021c3ba10146fbef3f8e89a3f2cc8d816f)) +* [bitnami/several] Regenerate README tables ([003a0fb](https://github.com/bitnami/charts/commit/003a0fbaedeb775c546b8d8452b7a5ab0a63af52)) + +## 10.26.2 (2021-09-17) + +* [bitnami/mongodb] Allow configuration of credentials for the metrics exporter (#7311) ([2ec31ed](https://github.com/bitnami/charts/commit/2ec31edee1fd3dcaa00b2af30d8fcafc3be070dd)), closes [#7311](https://github.com/bitnami/charts/issues/7311) + +## 10.26.1 (2021-09-16) + +* [bitnami/mongodb] Rename configmap file to match extension (#7466) ([eeead06](https://github.com/bitnami/charts/commit/eeead06d8a76969899825863bc71943befd89c70)), closes [#7466](https://github.com/bitnami/charts/issues/7466) + +## 10.26.0 (2021-09-13) + +* [bitnami/mongodb] Configurable admin/root user name (#7229) ([d7ef3be](https://github.com/bitnami/charts/commit/d7ef3be57959c905e69602a9f21cb03ee729541b)), closes [#7229](https://github.com/bitnami/charts/issues/7229) + +## 10.25.2 (2021-09-10) + +* [bitnami/mongodb] Use Recreate as strategy type for standalone 
deployments (#7443) ([9578898](https://github.com/bitnami/charts/commit/9578898cb34a42cc0567f413f443de50d265b82b)), closes [#7443](https://github.com/bitnami/charts/issues/7443) +* [bitnami/several] Regenerate README tables ([9c82ba2](https://github.com/bitnami/charts/commit/9c82ba295d70b1cac50ab4d8d494fdbefc1ec0ac)) + +## 10.25.1 (2021-09-01) + +* [bitnami/mongodb] Release 10.25.1 updating components versions ([7118531](https://github.com/bitnami/charts/commit/7118531d2ca04cac99e052ca7a8cb390008f3072)) + +## 10.25.0 (2021-09-01) + +* [bitnami/mongodb] Add runtimeClassName support (#7362) ([1b78083](https://github.com/bitnami/charts/commit/1b78083de8ff3cc1b4e3eeda426b05b99024b565)), closes [#7362](https://github.com/bitnami/charts/issues/7362) +* [bitnami/several] Regenerate README tables ([64d5d74](https://github.com/bitnami/charts/commit/64d5d747b84299ca9f63ea8a586b13870abe31a6)) + +## 10.24.1 (2021-08-31) + +* [bitnami/mongodb] Add persistence annotations to PVC (#7355) ([931b597](https://github.com/bitnami/charts/commit/931b597c43f6cd37919569acda4432a9bdd59a71)), closes [#7355](https://github.com/bitnami/charts/issues/7355) + +## 10.24.0 (2021-08-31) + +* [bitnami/mongodb] Add relabelings / metricRelabelings to ServiceMonitor (#7352) ([28417f3](https://github.com/bitnami/charts/commit/28417f38df7e1e82ee4ff66421da2a08f64f57bd)), closes [#7352](https://github.com/bitnami/charts/issues/7352) +* [bitnami/several] Regenerate README tables ([da2513b](https://github.com/bitnami/charts/commit/da2513bf0a33819f3b1151d387c631a9ffdb03e2)) + +## 10.23.13 (2021-08-25) + +* [bitnami/mongodb] Release 10.23.13 updating components versions ([daf22c1](https://github.com/bitnami/charts/commit/daf22c13e3be5d90af7eef89f2e4559e9c008a44)) + +## 10.23.12 (2021-08-25) + +* [bitnami/mongodb] doc: use existingSecret from Notes (#7032) ([16a4bbe](https://github.com/bitnami/charts/commit/16a4bbe92d2267e530c2598ff2f4679fa61c9d86)), closes 
[#7032](https://github.com/bitnami/charts/issues/7032) + +## 10.23.11 (2021-08-24) + +* [bitnami/mongodb] Release 10.23.11 updating components versions ([593efdf](https://github.com/bitnami/charts/commit/593efdff66988f27aeee3688cbe6b0e0df786ef2)) +* [bitnami/several] Regenerate README tables ([6c107e8](https://github.com/bitnami/charts/commit/6c107e835d6caf8db2e8b17dcd48c5971637e013)) + +## 10.23.10 (2021-08-11) + +* [bitnami/mongodb] Release 10.23.10 updating components versions ([b6dea8a](https://github.com/bitnami/charts/commit/b6dea8a7e8619bcaed473196a4269c97d787676c)) + +## 10.23.9 (2021-08-04) + +* [bitnami/mongodb] Clarify externalAccess parameter (#7135) ([249ae8f](https://github.com/bitnami/charts/commit/249ae8fe07822ac519ec2383d6b7c92c1cb22de6)), closes [#7135](https://github.com/bitnami/charts/issues/7135) + +## 10.23.8 (2021-08-01) + +* [bitnami/mongodb] Release 10.23.8 updating components versions ([658b1af](https://github.com/bitnami/charts/commit/658b1afe41574b3942fd295557a5bc4a8a3c3513)) +* [bitnami/several] Update READMEs (#7108) ([44961d9](https://github.com/bitnami/charts/commit/44961d9cdfae1b0d06808124c4b47e8adc3de146)), closes [#7108](https://github.com/bitnami/charts/issues/7108) + +## 10.23.7 (2021-07-30) + +* [bitnami/mongodb] Release 10.23.7 updating components versions ([f07bf4e](https://github.com/bitnami/charts/commit/f07bf4e39a4984d1db530aba7da9b8fba3f5c838)) + +## 10.23.6 (2021-07-27) + +* [bitnami/several] Bump version and update READMEs (#7069) ([6340bff](https://github.com/bitnami/charts/commit/6340bff66f93c8c797bda3ca0842e4bf770059f1)), closes [#7069](https://github.com/bitnami/charts/issues/7069) + +## 10.23.5 (2021-07-27) + +* Replace strings with ™ in the README files (#7066) ([d298b49](https://github.com/bitnami/charts/commit/d298b4996da33c9580c2594e6dc8ad665dd0ebab)), closes [#7066](https://github.com/bitnami/charts/issues/7066) + +## 10.23.4 (2021-07-26) + +* [bitnami/several] Fix default values and regenerate README (#7045) 
([90c81ac](https://github.com/bitnami/charts/commit/90c81ac55e7b35709b04ea551bc54a40453ce630)), closes [#7045](https://github.com/bitnami/charts/issues/7045) + +## 10.23.3 (2021-07-24) + +* [bitnami/mongodb] Release 10.23.3 updating components versions ([ddc5dbe](https://github.com/bitnami/charts/commit/ddc5dbef663287bfab50b366469ab9d12ad1fab7)) + +## 10.23.2 (2021-07-21) + +* [bitnami/mongodb] Fix a bug that prevents install chart in the `replicaset` mode (#7006) ([236ba2b](https://github.com/bitnami/charts/commit/236ba2bf5442bffbdbcaaf0cd01dd82c72793cc0)), closes [#7006](https://github.com/bitnami/charts/issues/7006) + +## 10.23.1 (2021-07-19) + +* [bitnami/mongodb] Release 10.23.1 updating components versions ([783e9d4](https://github.com/bitnami/charts/commit/783e9d4b7f1157e71349404ea5691e959d4e3646)) + +## 10.23.0 (2021-07-15) + +* bitnami/mongodb - Fix for custom clusterDomain not joining the secondary nodes (#6938) ([b33b435](https://github.com/bitnami/charts/commit/b33b435b60c3ada7b1ef8a0988d670d66fbcb3f5)), closes [#6938](https://github.com/bitnami/charts/issues/6938) + +## 10.22.1 (2021-07-15) + +* [bitnami/mongodb] Release 10.22.1 updating components versions ([66325fb](https://github.com/bitnami/charts/commit/66325fb87c6ef2754ac96c760b3c4a2525366d4b)) + +## 10.22.0 (2021-07-13) + +* [bitnami/mongodb,mariadb-galera,redis] Add diagnostic mode (#6936) ([a907452](https://github.com/bitnami/charts/commit/a9074525f83c97df584fb7ebfe408d57cbb06b22)), closes [#6936](https://github.com/bitnami/charts/issues/6936) + +## 10.21.2 (2021-07-09) + +* [bitnami/*] Adapt values.yaml of metrics-server, MinIO and MongoDB charts (#6895) ([86922f0](https://github.com/bitnami/charts/commit/86922f08ea0e31876b82a508cd1c9b8c8b7eba4c)), closes [#6895](https://github.com/bitnami/charts/issues/6895) +* [bitnami/mongodb] Specify standalone replicas to be 1 (#6882) ([cd7c567](https://github.com/bitnami/charts/commit/cd7c5674189a54e638d6a225e1417f86efd1dd2d)), closes 
[#6882](https://github.com/bitnami/charts/issues/6882) + +## 10.21.1 (2021-07-08) + +* [bitnami/mongodb] fixed commonLabels for external access (#6888) ([aeaaf26](https://github.com/bitnami/charts/commit/aeaaf26cb058ff83d7c9725aa6a086c0785c2866)), closes [#6888](https://github.com/bitnami/charts/issues/6888) + +## 10.21.0 (2021-07-05) + +* bitnami/mongodb commonLabels (#6815) ([ffdf1f7](https://github.com/bitnami/charts/commit/ffdf1f71c5b2a32addb2b55f388fb714067a0a70)), closes [#6815](https://github.com/bitnami/charts/issues/6815) + +## 10.20.5 (2021-06-24) + +* [bitnami/mongodb] Release 10.20.5 updating components versions ([d5f8262](https://github.com/bitnami/charts/commit/d5f82623e6c437d90d0368336314dfe257f9d9e1)) + +## 10.20.4 (2021-06-22) + +* [bitnami/mongodb] Revert changes to secrets-ca.yaml (#6700) ([993af16](https://github.com/bitnami/charts/commit/993af163008301897ee2ebf4017c11aa2d05fa9b)), closes [#6700](https://github.com/bitnami/charts/issues/6700) + +## 10.20.3 (2021-06-21) + +* xs identation fix to extraDeploy section when un-commenting (#6710) ([2c8b58e](https://github.com/bitnami/charts/commit/2c8b58eb6d38034e93cdda6d8cc6a69003e8611c)), closes [#6710](https://github.com/bitnami/charts/issues/6710) + +## 10.20.2 (2021-06-19) + +* [bitnami/mongodb] Release 10.20.2 updating components versions ([9abf01a](https://github.com/bitnami/charts/commit/9abf01af0c3852a597bbfa30f89404f0751249d7)) + +## 10.20.1 (2021-06-18) + +* [bitnami/mongodb] Release 10.20.1 updating components versions ([40e10f6](https://github.com/bitnami/charts/commit/40e10f6e974c0c6dd62e136020a0121b32853c14)) + +## 10.20.0 (2021-06-16) + +* [bitnami/mongodb] Standardize certificates autogeneration (#6639) ([2463099](https://github.com/bitnami/charts/commit/246309975f718f836f51a1a02f13a0e936ac720d)), closes [#6639](https://github.com/bitnami/charts/issues/6639) + +## 10.19.0 (2021-06-03) + +* [bitnami/mongodb] support https://github.com/combor/k8s-mongo-labeler-sidecar - a very … (#6435) 
([8a5cc0d](https://github.com/bitnami/charts/commit/8a5cc0df3279b97bb36aa7617dfaf908f0ffdbe6)) + +## 10.18.0 (2021-06-02) + +* [bitnami/mongodb] Support for custom RBAC rules (#6537) ([a1efd31](https://github.com/bitnami/charts/commit/a1efd31ab4c9da2a0fbb3966fd494119a4c2a568)), closes [#6537](https://github.com/bitnami/charts/issues/6537) + +## 10.17.0 (2021-06-02) + +* [bitnami/mongodb] Add support for 'extraDeploy' (#6536) ([cdf83aa](https://github.com/bitnami/charts/commit/cdf83aa3ee3c2907b7ee70830f4416c32de15b67)), closes [#6536](https://github.com/bitnami/charts/issues/6536) + +## 10.16.4 (2021-05-27) + +* [bitnami/mongodb] Release 10.16.4 updating components versions ([5d1db0a](https://github.com/bitnami/charts/commit/5d1db0a73ccb9e9218c794a811532c39f4dad11f)) + +## 10.16.3 (2021-05-26) + +* [bitnami/mongodb] Release 10.16.3 updating components versions ([43ef321](https://github.com/bitnami/charts/commit/43ef32145b38696ec352ac42ac88d97c4259460c)) + +## 10.16.2 (2021-05-25) + +* [bitnami/mongodb] Release 10.16.2 updating components versions ([88bd1d8](https://github.com/bitnami/charts/commit/88bd1d8a12e8e15698621b2c6918fac8870f5b5c)) + +## 10.16.1 (2021-05-24) + +* [bitnami/mongodb] Changes how the mongodb version is checked in readiness probes (#6442) ([29c842c](https://github.com/bitnami/charts/commit/29c842cb5d48971ebdb34db7de7da3cb1e0547fc)), closes [#6442](https://github.com/bitnami/charts/issues/6442) + +## 10.16.0 (2021-05-20) + +* [bitnami/*] Update Kubectl container version (#6420) ([dad6d38](https://github.com/bitnami/charts/commit/dad6d3857f54132e32b5860cd454129bc8b781fe)), closes [#6420](https://github.com/bitnami/charts/issues/6420) +* Update README.md ([2a8ed56](https://github.com/bitnami/charts/commit/2a8ed566b58a676e9c8cc2a77ac7f1fda7c732c1)) + +## 10.15.3 (2021-05-13) + +* [bitnami/mongodb] Improve readiness probe compatibility for some old versions of mongodb (#6342) 
([656c7d9](https://github.com/bitnami/charts/commit/656c7d996670a4049155963eb3180b8d7e9c5575)), closes [#6342](https://github.com/bitnami/charts/issues/6342) + +## 10.15.2 (2021-05-07) + +* [bitnami/mongodb] Fixed hidden node headless service name in TLS (#6281) ([8ab1a15](https://github.com/bitnami/charts/commit/8ab1a15c831585b43345f38caefb054b1ee0e5cf)), closes [#6281](https://github.com/bitnami/charts/issues/6281) +* [bitnami/mongodb] Release 10.15.2 updating components versions ([5db07a2](https://github.com/bitnami/charts/commit/5db07a203955d0e002cc477848d063ee1b0f1f1f)) + +## 10.15.1 (2021-05-05) + +* Update NOTES.txt (#6292) ([ee5597c](https://github.com/bitnami/charts/commit/ee5597c86b1cd3587fb50feb1dbc7518195c8cab)), closes [#6292](https://github.com/bitnami/charts/issues/6292) + +## 10.15.0 (2021-05-04) + +* [bitnami/mongodb] add commonAnnotations (#6274) ([2b3e4c6](https://github.com/bitnami/charts/commit/2b3e4c61ec8ef6ee2bcb806b471a3e31ce975793)), closes [#6274](https://github.com/bitnami/charts/issues/6274) + +## 10.14.0 (2021-05-04) + +* [bitnami/mongodb] Add dataSource (#6275) ([63a7bba](https://github.com/bitnami/charts/commit/63a7bbac9b23eb486cc01b2d0498e0e54934b334)), closes [#6275](https://github.com/bitnami/charts/issues/6275) + +## 10.13.0 (2021-04-30) + +* [bitnami/mongodb] Add parameter to enable/disable journaling in MongoDB (#6254) ([c82c05b](https://github.com/bitnami/charts/commit/c82c05bdb7d4595fe6d59ae36779e2ec085c74fb)), closes [#6254](https://github.com/bitnami/charts/issues/6254) + +## 10.12.7 (2021-04-30) + +* Fix typos in several README files (#6252) ([fd16565](https://github.com/bitnami/charts/commit/fd1656587a007ac9b8e9d895f6b99607fb225f7c)), closes [#6252](https://github.com/bitnami/charts/issues/6252) + +## 10.12.6 (2021-04-27) + +* [bitnami/mongodb] remove nodePort: null (#6221) ([ca19612](https://github.com/bitnami/charts/commit/ca196124283ffae1b9fcd07441a81a6491b41afe)), closes 
[#6221](https://github.com/bitnami/charts/issues/6221) + +## 10.12.5 (2021-04-21) + +* [bitnami/mongodb] fixed advertised hostname for hidden nodes (#6161) ([da405a4](https://github.com/bitnami/charts/commit/da405a42b25840b3e73ce5f1df89669a8f9ad715)), closes [#6161](https://github.com/bitnami/charts/issues/6161) + +## 10.12.4 (2021-04-19) + +* Fix duplicate env variable MONGODB_EXTRA_FLAGS for hidden nodes (#6142) ([1dad545](https://github.com/bitnami/charts/commit/1dad5454dc3a36d640975bc55b003f7027f17dbb)), closes [#6142](https://github.com/bitnami/charts/issues/6142) + +## 10.12.3 (2021-04-16) + +* T39353 Updated links (#6128) ([9d5aa6e](https://github.com/bitnami/charts/commit/9d5aa6ef8af330126610c45e9c28fb0d312c54f1)), closes [#6128](https://github.com/bitnami/charts/issues/6128) + +## 10.12.2 (2021-04-08) + +* [bitnami/mongodb] Add support to load environment variables from files (#6049) ([5f67837](https://github.com/bitnami/charts/commit/5f67837fd1f837109426250f2d0905ef86c28431)), closes [#6049](https://github.com/bitnami/charts/issues/6049) + +## 10.12.1 (2021-04-07) + +* [bitnami/mongodb] Release 10.12.1 updating components versions ([3882ba8](https://github.com/bitnami/charts/commit/3882ba8ab33d5d9057014a7758c17b32258d9f6d)) + +## 10.12.0 (2021-04-05) + +* [bitnami/mongodb] Add startup probe (#5998) ([d1efebd](https://github.com/bitnami/charts/commit/d1efebd19577e050aee85d59a6684f37066aee1c)), closes [#5998](https://github.com/bitnami/charts/issues/5998) + +## 10.11.2 (2021-04-01) + +* [bitnami/mongodb] Improved README (#5961) ([db4689a](https://github.com/bitnami/charts/commit/db4689af558d2a8a8392c7a2478c3fd53e90e535)), closes [#5961](https://github.com/bitnami/charts/issues/5961) + +## 10.11.1 (2021-03-25) + +* Bumps mongodb image version used by the chart (#5911) ([762baad](https://github.com/bitnami/charts/commit/762baad337af9fde74ad5a419060c6895665627b)), closes [#5911](https://github.com/bitnami/charts/issues/5911) + +## 10.11.0 (2021-03-19) + +* 
[bitnami/mongodb] Fix certs permissions to match STIG requirements (#5822) ([e6d9c1c](https://github.com/bitnami/charts/commit/e6d9c1ce7ae8755ce8250dbbcbff3013927b4bf7)), closes [#5822](https://github.com/bitnami/charts/issues/5822) + +## 10.10.3 (2021-03-19) + +* [bitnami/mongodb] Release 10.10.3 updating components versions ([5476b23](https://github.com/bitnami/charts/commit/5476b23e9ee8b2f67538a3514d1dcca16b4d5228)) + +## 10.10.2 (2021-03-14) + +* [bitnami/mongodb] Release 10.10.2 updating components versions ([2589b9d](https://github.com/bitnami/charts/commit/2589b9d8769b67ecd870d6ada4a0837998da6623)) + +## 10.10.1 (2021-03-09) + +* [bitnami/mongodb] Fix duplicate env variable MONGODB_EXTRA_FLAGS (#5698) (#5726) ([6270554](https://github.com/bitnami/charts/commit/62705543af16e7aa5eedc829f443ab109a8ec28e)), closes [#5698](https://github.com/bitnami/charts/issues/5698) [#5726](https://github.com/bitnami/charts/issues/5726) + +## 10.10.0 (2021-03-08) + +* [bitnami/mongodb] Add support for externalAccess.service.type=ClusterIP (#5706) ([766da77](https://github.com/bitnami/charts/commit/766da779e2bb11e1e0070424a377ec3b7ba1e8f6)), closes [#5706](https://github.com/bitnami/charts/issues/5706) + +## 10.9.1 (2021-03-05) + +* fix(): Fixed portname var reference (#5689) ([1744ab1](https://github.com/bitnami/charts/commit/1744ab1173153973b26bd1e88296e9b088cc0290)), closes [#5689](https://github.com/bitnami/charts/issues/5689) + +## 10.9.0 (2021-03-04) + +* [bitnami/mongodb] add persistence.volumeClaimTemplates.requests (#5672) ([afd7de0](https://github.com/bitnami/charts/commit/afd7de04c7c95cf40ebb2d16c8c305c4863b880e)), closes [#5672](https://github.com/bitnami/charts/issues/5672) + +## 10.8.1 (2021-03-04) + +* [bitnami/*] Remove minideb mentions (#5677) ([870bc4d](https://github.com/bitnami/charts/commit/870bc4dba1fc3aa55dd157da6687b25e8d352206)), closes [#5677](https://github.com/bitnami/charts/issues/5677) + +## 10.8.0 (2021-03-04) + +* Added hidden node support 
(#5505) ([ee77ab0](https://github.com/bitnami/charts/commit/ee77ab0e08d4626fbf80c65b487656acdc278a3a)), closes [#5505](https://github.com/bitnami/charts/issues/5505) + +## 10.7.2 (2021-03-02) + +* [bitname/mongodb] fixed comment in values.yaml (#5650) ([6282c06](https://github.com/bitnami/charts/commit/6282c06401abb5568773554aa5ad6c740591dffb)), closes [#5650](https://github.com/bitnami/charts/issues/5650) + +## 10.7.1 (2021-02-22) + +* [bitnami/*] Use common macro to define RBAC apiVersion (#5585) ([71fb99f](https://github.com/bitnami/charts/commit/71fb99f541e971b1daafaa20ffb7d18b153b8d60)), closes [#5585](https://github.com/bitnami/charts/issues/5585) +* Fix typo in values documentation (#5540) ([5c0ef02](https://github.com/bitnami/charts/commit/5c0ef02c344e5c5911eb4b8e420b0010bb6213f1)), closes [#5540](https://github.com/bitnami/charts/issues/5540) + +## 10.7.0 (2021-02-12) + +* [bitnami/mongodb] Add metrics.containerPort (#5480) ([532f1c2](https://github.com/bitnami/charts/commit/532f1c2a576bdc60b6aeae05a55e4780b9155041)), closes [#5480](https://github.com/bitnami/charts/issues/5480) + +## 10.6.5 (2021-02-12) + +* [bitnami/*] Add notice regarding parameters immutability after chart installation (#4853) ([5f09573](https://github.com/bitnami/charts/commit/5f095734f92555dec7cd0e3ee961f315eac170ff)), closes [#4853](https://github.com/bitnami/charts/issues/4853) +* [bitnami/mongodb] Release 10.6.5 updating components versions ([c45e80e](https://github.com/bitnami/charts/commit/c45e80e65b0a05deb6945e78d079ececca8abd9b)) + +## 10.6.4 (2021-02-10) + +* [bitnami/mongodb] Release 10.6.4 updating components versions ([34562aa](https://github.com/bitnami/charts/commit/34562aa790f4d8555e73ea9cedaebb12a2a11b58)) + +## 10.6.3 (2021-02-09) + +* [bitnami/mongodb] Add optional parameters to configure service names used for mongo and arbiter serv ([74f2fd8](https://github.com/bitnami/charts/commit/74f2fd8f163cb4a9aa48bae1cb2a674ce4de2ae4)), closes 
[#5384](https://github.com/bitnami/charts/issues/5384) +* Add registered icon to all the MongoDB references (#5426) ([56f2088](https://github.com/bitnami/charts/commit/56f20884267e56175695b2917f7704b9510f4ba6)), closes [#5426](https://github.com/bitnami/charts/issues/5426) + +## 10.6.2 (2021-02-05) + +* [bitnami/mongodb] Release 10.6.2 updating components versions ([03b8b53](https://github.com/bitnami/charts/commit/03b8b530e9daeafa4edfa710a0a5f1868f5790ee)) + +## 10.6.1 (2021-01-29) + +* [bitnami/mongodb] fix: remove unnecesary hook (#5324) ([03eb8fc](https://github.com/bitnami/charts/commit/03eb8fca3169d2b633588b6c27e00876639a34a0)), closes [#5324](https://github.com/bitnami/charts/issues/5324) + +## 10.6.0 (2021-01-28) + +* [bitnami/mongodb] Add hostAliases (#5271) ([18fd4ce](https://github.com/bitnami/charts/commit/18fd4ce9755da7bece29d87a2e7a39df80feb5ec)), closes [#5271](https://github.com/bitnami/charts/issues/5271) + +## 10.5.2 (2021-01-26) + +* [bitnami/mongodb] Release 10.5.2 updating components versions ([9fb3d9d](https://github.com/bitnami/charts/commit/9fb3d9dff4db8a4d0e1e667337ec8b186e72f865)) + +## 10.5.1 (2021-01-22) + +* [bitnami/mongodb] Release 10.5.1 updating components versions ([444de39](https://github.com/bitnami/charts/commit/444de39ddc578ca85d671448c61c90fef018322c)) + +## 10.5.0 (2021-01-20) + +* [bitnami/mongodb] Enable psp for mongodb (#5020) ([d109865](https://github.com/bitnami/charts/commit/d10986573a3a79f1943afcb7315b80e5c69d8543)), closes [#5020](https://github.com/bitnami/charts/issues/5020) + +## 10.4.1 (2021-01-19) + +* [bitnami/*] Change helm version in the prerequisites (#5090) ([c5e67a3](https://github.com/bitnami/charts/commit/c5e67a388743cbee28439d2cabca27884b9daf97)), closes [#5090](https://github.com/bitnami/charts/issues/5090) +* [bitnami/mongodb] Drop values-production.yaml support (#5119) ([ccadbf3](https://github.com/bitnami/charts/commit/ccadbf3b4ffa999b8f62c337d0a51f8cdb45c407)), closes 
[#5119](https://github.com/bitnami/charts/issues/5119) + +## 10.4.0 (2021-01-14) + +* [bitnami/mongodb] Add serviceAccount annotations (#4968) ([430c331](https://github.com/bitnami/charts/commit/430c331dec46433d813b7c0fba4251fd167a41e6)), closes [#4968](https://github.com/bitnami/charts/issues/4968) +* [bitnami/mongodb] Make VolumePermission init container consistent with persistence.subPath value (#4 ([be82fa7](https://github.com/bitnami/charts/commit/be82fa732710a8b7e3c13a7ca471d1f421a32eb9)), closes [#4938](https://github.com/bitnami/charts/issues/4938) + +## 10.3.7 (2021-01-12) + +* [bitnami/mongodb] Make readiness probe only validate usable instance (#4937) ([a9668ba](https://github.com/bitnami/charts/commit/a9668ba40837371e2723ca0d5d4123326c418b5f)), closes [#4937](https://github.com/bitnami/charts/issues/4937) + +## 10.3.6 (2021-01-10) + +* Fix probe error messages (#4876) ([79889dc](https://github.com/bitnami/charts/commit/79889dc9fd37828317d4dc1698bcd5e428510665)), closes [#4876](https://github.com/bitnami/charts/issues/4876) + +## 10.3.5 (2021-01-07) + +* [bitnami/mongodb] Add helpful information about some variable validity (#4902) ([b009a58](https://github.com/bitnami/charts/commit/b009a5807f08b6e8dbb3dc518647cf3e418df3e2)), closes [#4902](https://github.com/bitnami/charts/issues/4902) + +## 10.3.4 (2021-01-04) + +* Fix metrics readinessProbe and livenessProbe in standalone deployment (#4880) ([e1b2243](https://github.com/bitnami/charts/commit/e1b22435d7e74f5cc06d66b88e862c74c1681cd2)), closes [#4880](https://github.com/bitnami/charts/issues/4880) + +## 10.3.3 (2020-12-23) + +* Fix metrics readinessProbe and livenessProbe since --test flag is removed in mongo-exporter (#4823) ([8097014](https://github.com/bitnami/charts/commit/8097014602f3a14d778e736557f103612bfa003d)), closes [#4823](https://github.com/bitnami/charts/issues/4823) + +## 10.3.2 (2020-12-22) + +* [bitnami/mongodb] Release 10.3.2 updating components versions 
([ed25600](https://github.com/bitnami/charts/commit/ed25600c2b16f06a9287be65326412fd10afd607)) + +## 10.3.1 (2020-12-15) + +* [bitnami/mongodb] Release 10.3.1 updating components versions ([b21f43d](https://github.com/bitnami/charts/commit/b21f43ddadbdd83976a532eda7fdbc7fbfc0c339)) +* allow selector definitions for volumeClaimTemplates (#4715) ([e2b744e](https://github.com/bitnami/charts/commit/e2b744e83846e1c57b288baedb217ca3e9a3bf40)), closes [#4715](https://github.com/bitnami/charts/issues/4715) + +## 10.3.0 (2020-12-14) + +* [bitnami/*] fix typos (#4699) ([49adc63](https://github.com/bitnami/charts/commit/49adc63b672da976c55af2e077aa5648a357b77f)), closes [#4699](https://github.com/bitnami/charts/issues/4699) +* Added support for custom CA (#4690) ([7225d59](https://github.com/bitnami/charts/commit/7225d59bc602c7e2bef0770661fcd38ab7e85842)), closes [#4690](https://github.com/bitnami/charts/issues/4690) + +## 10.2.0 (2020-12-11) + +* [bitnami/mongodb] add existingSecret for tls certificates (#4687) ([c750ddd](https://github.com/bitnami/charts/commit/c750ddd2053ce2452b0ee3770e0e9d0f038b732a)), closes [#4687](https://github.com/bitnami/charts/issues/4687) + +## 10.1.5 (2020-12-11) + +* [bitnami/*] Update dependencies (#4694) ([2826c12](https://github.com/bitnami/charts/commit/2826c125b42505f28431301e3c1bbe5366e47a01)), closes [#4694](https://github.com/bitnami/charts/issues/4694) + +## 10.1.4 (2020-12-08) + +* [bitnami/mongodb] Register targetPod in global context (#4642) ([5222973](https://github.com/bitnami/charts/commit/52229733f86eb0bdb262af9fac3faa44e03e7205)), closes [#4642](https://github.com/bitnami/charts/issues/4642) + +## 10.1.3 (2020-12-01) + +* [bitnami/mongodb] ensure password is handled as string (#4488) ([44910ca](https://github.com/bitnami/charts/commit/44910ca2a803b11e32382a8a134805424797eeb4)), closes [#4488](https://github.com/bitnami/charts/issues/4488) + +## 10.1.2 (2020-11-26) + +* [bitnami/mongodb] Bump bitnami/common subchart version 
(#4507) ([4a93e2a](https://github.com/bitnami/charts/commit/4a93e2a663409c908db70650cb9869a86ad92350)), closes [#4507](https://github.com/bitnami/charts/issues/4507) + +## 10.1.1 (2020-11-26) + +* [bitnami/mongodb] Use common validations (#4498) ([aaf0545](https://github.com/bitnami/charts/commit/aaf0545acd40bfecb202f6bebdeec7ede054626a)), closes [#4498](https://github.com/bitnami/charts/issues/4498) + +## 10.1.0 (2020-11-26) + +* [bitnami/*] Affinity based on common presets (v) (#4494) ([f5abfb8](https://github.com/bitnami/charts/commit/f5abfb8e423872199518733bde449d57392eab0a)), closes [#4494](https://github.com/bitnami/charts/issues/4494) + +## 10.0.5 (2020-11-18) + +* [bitnami/mongodb] External static LoadBalancer IPs added to the SSL certificate SANs (#4249) ([72ca4e9](https://github.com/bitnami/charts/commit/72ca4e994dea7614620d247f7200767c748b3103)), closes [#4249](https://github.com/bitnami/charts/issues/4249) + +## 10.0.4 (2020-11-17) + +* [bitnami/mongodb] Release 10.0.4 updating components versions ([03dfb8d](https://github.com/bitnami/charts/commit/03dfb8d4de7e6ce556999936e71263486459eedd)) + +## 10.0.3 (2020-11-16) + +* [bitnami/mongodb] Metrics container will not take TLS settings when cluster is TLS enabled (#4233) ([b357fc6](https://github.com/bitnami/charts/commit/b357fc61af4ce1150d3c51205864a3273cd83beb)), closes [#4233](https://github.com/bitnami/charts/issues/4233) + +## 10.0.2 (2020-11-13) + +* [bitnami/mongodb] Release 10.0.2 updating components versions ([8fdca59](https://github.com/bitnami/charts/commit/8fdca59e14807432228776fc24ebe035714e4fc8)) + +## 10.0.1 (2020-11-13) + +* [bitnami/mongodb] Fix prometheus rules (#4339) ([487e50e](https://github.com/bitnami/charts/commit/487e50ece8160025ec7a6e2236666b14d99b27cb)), closes [#4339](https://github.com/bitnami/charts/issues/4339) + +## 10.0.0 (2020-11-10) + +* [bitnami/mongodb] Fix README.md issue (#4164) 
([111391d](https://github.com/bitnami/charts/commit/111391dcc27addfb7b97e499a2a2e0ef8e487462)), closes [#4164](https://github.com/bitnami/charts/issues/4164) +* [bitnami/mongodb] Major version. Adapt Chart to apiVersion: v2 (#4296) ([ef81720](https://github.com/bitnami/charts/commit/ef817205d8ef56360c2b022532201002a6b8459f)), closes [#4296](https://github.com/bitnami/charts/issues/4296) + +## 9.3.1 (2020-10-30) + +* fix: add multiline string indicator in example data (#4153) ([2f94dcc](https://github.com/bitnami/charts/commit/2f94dccd10897af38a007e1c692849fd4266093e)), closes [#4153](https://github.com/bitnami/charts/issues/4153) + +## 9.3.0 (2020-10-29) + +* [bitnami/*] Include link to Troubleshootin guide on README.md (#4136) ([c08a20e](https://github.com/bitnami/charts/commit/c08a20e3db004215383004ff023a73fcc2522e72)), closes [#4136](https://github.com/bitnami/charts/issues/4136) +* bitnami/mongodb TLS cert generation (#3959) ([97a6b86](https://github.com/bitnami/charts/commit/97a6b8613a71d8fbf1ead89c00a28d2c73c778d5)), closes [#3959](https://github.com/bitnami/charts/issues/3959) + +## 9.2.6 (2020-10-26) + +* [bitnami/mongodb] document `auth.existingSecret` keys (#4099) ([4bd0268](https://github.com/bitnami/charts/commit/4bd0268633bc99a4a4d6f910a8540fffc35ef297)), closes [#4099](https://github.com/bitnami/charts/issues/4099) + +## 9.2.5 (2020-10-21) + +* [bitnami/mongodb] Release 9.2.5 updating components versions ([6585677](https://github.com/bitnami/charts/commit/6585677e51846d705925f15f58191128df0707c3)) + +## 9.2.4 (2020-10-09) + +* [bitnami/mongodb] Fix typo in external access namespace (#3965) ([9c93bc8](https://github.com/bitnami/charts/commit/9c93bc8ff4919e203009eb7bf96a8e3f2e5b07c2)), closes [#3965](https://github.com/bitnami/charts/issues/3965) + +## 9.2.3 (2020-10-08) + +* [bitnami/mongodb] Fix mongodb external access (#3937) ([d0d5956](https://github.com/bitnami/charts/commit/d0d595691e6230e56560b00f4f1be46efa5124dd)), closes 
[#3937](https://github.com/bitnami/charts/issues/3937) + +## 9.2.2 (2020-09-29) + +* [bitnami/mongodb] Add 'auth.replicaSetKey' to schema json (#3812) ([add3303](https://github.com/bitnami/charts/commit/add3303181a502450ae17eb3b46070cd45c1bd0e)), closes [#3812](https://github.com/bitnami/charts/issues/3812) + +## 9.2.1 (2020-09-21) + +* [bitnami/mongodb] Release 9.2.1 updating components versions ([e454d4e](https://github.com/bitnami/charts/commit/e454d4edc0867833dca59c989ab5005635be5c71)) + +## 9.2.0 (2020-09-21) + +* [bitnami/mongodb] Add arbitrary securityContext configuration to improve security (#3718) ([caaf351](https://github.com/bitnami/charts/commit/caaf351a2e96db080376f49cecaf4d26f1b74855)), closes [#3718](https://github.com/bitnami/charts/issues/3718) + +## 9.1.2 (2020-09-11) + +* [bitnami/mongodb] Fix values descriptions (#3656) ([ed2271d](https://github.com/bitnami/charts/commit/ed2271d53c13d6cddde28c4e966bc19328ba952e)), closes [#3656](https://github.com/bitnami/charts/issues/3656) + +## 9.1.1 (2020-09-09) + +* [bitnami/mongodb] Release 9.1.1 updating components versions ([5885fb1](https://github.com/bitnami/charts/commit/5885fb1012f4335d53d8e819e60d58e546358334)) + +## 9.1.0 (2020-09-07) + +* [bitnami/metrics-server] Add source repo (#3577) ([1ed12f9](https://github.com/bitnami/charts/commit/1ed12f96af75322b46afdb2b3d9907c11b13f765)), closes [#3577](https://github.com/bitnami/charts/issues/3577) +* [bitnami/mongodb] Additional URI options of the MongoDB Exporter (#3590) ([c4c8783](https://github.com/bitnami/charts/commit/c4c878369f0aced7257d33c81cf361d57011c0b9)), closes [#3590](https://github.com/bitnami/charts/issues/3590) + +## 9.0.1 (2020-08-31) + +* [bitnami/mongodb] fix required ReplicaSetKey when auth.enabled=false (#3544) ([2e55615](https://github.com/bitnami/charts/commit/2e556153228b0bd79728adaaea72570ad76aa2a3)), closes [#3544](https://github.com/bitnami/charts/issues/3544) + +## 9.0.0 (2020-08-25) + +* [bitnami/mongodb] Add notes to 
upgrade to 9.0.0 (#3511) ([e24e044](https://github.com/bitnami/charts/commit/e24e044e30297722a65fcfaa44b9182f80abb145)), closes [#3511](https://github.com/bitnami/charts/issues/3511) +* [bitnami/mongodb] Release 9.0.0 updating components versions ([99c83cf](https://github.com/bitnami/charts/commit/99c83cf16905bc0849e7f569264a450cc6425edf)) + +## 8.3.2 (2020-08-21) + +* [bitnami/mongodb] Release 8.3.2 updating components versions ([a4ef29d](https://github.com/bitnami/charts/commit/a4ef29dfb1df32b3bc5504c84acd39717d40f9b4)) + +## 8.3.1 (2020-08-18) + +* [bitnami/mongodb] Do not check passwords when auth.enabled=false (#3449) ([a3bae01](https://github.com/bitnami/charts/commit/a3bae01ad63912e3b5c4c4742928df09573b6d6c)), closes [#3449](https://github.com/bitnami/charts/issues/3449) + +## 8.3.0 (2020-08-13) + +* [bitnami/*] Use common helps for upgrade password errors (#3335) ([079f5bd](https://github.com/bitnami/charts/commit/079f5bd6ec59bb058216d6a931449b895517c789)), closes [#3335](https://github.com/bitnami/charts/issues/3335) +* fix existingSecret on metrics pod (#3370) ([28dfe83](https://github.com/bitnami/charts/commit/28dfe8395c4bb21b9aa50d830c51946b6f6bf45e)), closes [#3370](https://github.com/bitnami/charts/issues/3370) + +## 8.2.5 (2020-08-10) + +* [bitnami/mongodb] Not enable metrics-svc.yaml with metrics.enabled=false (#3346) ([39fc0e2](https://github.com/bitnami/charts/commit/39fc0e2e29d2bf81892374d754d8c3dfba924fb6)), closes [#3346](https://github.com/bitnami/charts/issues/3346) +* Update Chart.yaml ([b455016](https://github.com/bitnami/charts/commit/b4550164c8572682f36ea6dfe493999840ca0a94)) + +## 8.2.4 (2020-08-07) + +* [bitnami/mongodb] Release 8.2.4 updating components versions ([dbfdbb2](https://github.com/bitnami/charts/commit/dbfdbb277b0c9171ca29b52d990d5ef720c3cc06)) + +## 8.2.3 (2020-08-05) + +* [bitnami/mongodb] Fix default values for pdb.minAvailable/maxUnavailable (#3336) 
([350f665](https://github.com/bitnami/charts/commit/350f6653bfcb3fd161ec71d668e568a73d37a9fd)), closes [#3336](https://github.com/bitnami/charts/issues/3336) + +## 8.2.2 (2020-08-05) + +* [bitnami/*] Fix TL;DR typo in READMEs (#3280) ([3d7ab40](https://github.com/bitnami/charts/commit/3d7ab406fecd64f1af25f53e7d27f03ec95b29a4)), closes [#3280](https://github.com/bitnami/charts/issues/3280) +* [bitnami/mongodb] Release 8.2.2 updating components versions ([938cd95](https://github.com/bitnami/charts/commit/938cd95e6ae334b4580dddafff0cde68f8f16f46)) + +## 8.2.1 (2020-07-23) + +* [bitnami/mongodb] Release 8.2.1 updating components versions ([7dcc46a](https://github.com/bitnami/charts/commit/7dcc46ae23080015895721b9f860e80dbe0bfffd)) + +## 8.2.0 (2020-07-22) + +* [bitnami/mongodb] Allow disabling the MongoDB Arbiter (#3165) ([ed275c5](https://github.com/bitnami/charts/commit/ed275c5f8748e233dfe85b9e1bcea2723a638cd9)), closes [#3165](https://github.com/bitnami/charts/issues/3165) + +## 8.1.5 (2020-07-21) + +* [bitnami/mongodb] Release 8.1.5 updating components versions ([7efaf3f](https://github.com/bitnami/charts/commit/7efaf3fdf94880f64d12c1ec6ed80304ada741cf)) + +## 8.1.4 (2020-07-21) + +* [bitnami/mongodb] Fix externalaccess svc (#3172) ([d1f0b7b](https://github.com/bitnami/charts/commit/d1f0b7b22e81e3536121a6ac57b28327935fb7fc)), closes [#3172](https://github.com/bitnami/charts/issues/3172) + +## 8.1.3 (2020-07-17) + +* [bitnami/mongodb] Release 8.1.3 updating components versions ([4e772b1](https://github.com/bitnami/charts/commit/4e772b1f966d4138c485c46811969ef62ed64fc9)) + +## 8.1.2 (2020-07-16) + +* [bitnami/mongodb] Fix metrics MongoDB when auth is disabled (#3136) ([bb8b520](https://github.com/bitnami/charts/commit/bb8b520840b54a507f127ccba601aa514f37d725)), closes [#3136](https://github.com/bitnami/charts/issues/3136) +* Fix MongoDB configmap usage (#3117) ([15a4eaa](https://github.com/bitnami/charts/commit/15a4eaa63b321755e753962ffca32758163460f5)), closes 
[#3117](https://github.com/bitnami/charts/issues/3117) + +## 8.1.1 (2020-07-14) + +* [bitnami/mongodb] Release 8.1.1 updating components versions ([da1225d](https://github.com/bitnami/charts/commit/da1225d2972ee6e0f48f4091218fd5aaa46a4156)) + +## 8.1.0 (2020-07-14) + +* [bitnami/all] Add categories (#3075) ([63bde06](https://github.com/bitnami/charts/commit/63bde066b87a140fab52264d0522401ab3d63509)), closes [#3075](https://github.com/bitnami/charts/issues/3075) +* [bitnami/mongodb] Allow custom port names (#3109) ([0336cb3](https://github.com/bitnami/charts/commit/0336cb351a61f0f6093e7ea0771466ecfd0bca4d)), closes [#3109](https://github.com/bitnami/charts/issues/3109) + +## 8.0.9 (2020-07-08) + +* [bitnami/mongodb] Release 8.0.9 updating components versions ([8a2478c](https://github.com/bitnami/charts/commit/8a2478c62a9313df92bbde1dad88100ab08f1a29)) + +## 8.0.8 (2020-07-08) + +* [bitnami/mongodb] Fix MongoDB Advertised hostname (#3060) ([d80d489](https://github.com/bitnami/charts/commit/d80d489e21f61c65c08f8c0c1f9377eb77d752bc)), closes [#3060](https://github.com/bitnami/charts/issues/3060) + +## 8.0.7 (2020-07-07) + +* [bitnami/mongodb] Release 8.0.7 updating components versions ([59c43e8](https://github.com/bitnami/charts/commit/59c43e8c395d7b964b9568d2d00975b2e6009b1c)) + +## 8.0.6 (2020-07-07) + +* Fix Mongodb helpers sintax (#3041) ([c471a59](https://github.com/bitnami/charts/commit/c471a59057cbc827ed35ec00a7c2a0e0498b2732)), closes [#3041](https://github.com/bitnami/charts/issues/3041) + +## 8.0.5 (2020-07-06) + +* [bitnami/mongodb] Release 8.0.5 updating components versions ([f730ec4](https://github.com/bitnami/charts/commit/f730ec44fad638ada792fa668d0be02987414af2)) + +## 8.0.4 (2020-07-06) + +* [bitnami/mongodb] Fix target port when enabling external access (#3027) ([de07253](https://github.com/bitnami/charts/commit/de072538f86428e5a46cc1ce39d7aa7e554314e3)), closes [#3027](https://github.com/bitnami/charts/issues/3027) + +## 8.0.3 (2020-07-03) + +* 
[bitnami/mongodb] Release 8.0.3 updating components versions ([25b828d](https://github.com/bitnami/charts/commit/25b828d36ba4145541a8646579174c6d132d3a60)) + +## 8.0.2 (2020-07-01) + +* [bitnami/mongodb] fix up StatefulSet metrics securityContext (#2982) ([aafdbd5](https://github.com/bitnami/charts/commit/aafdbd50759edf62b48b6e4a03093d63a2f77506)), closes [#2982](https://github.com/bitnami/charts/issues/2982) + +## 8.0.1 (2020-06-30) + +* [bitnami/mongodb] Release 8.0.1 updating components versions ([54aa501](https://github.com/bitnami/charts/commit/54aa501b7f6633c437add6eb260f9b3f16179f5f)) + +## 8.0.0 (2020-06-30) + +* [bitnami/mongodb] Refactor MongoDB exposure (#2918) ([a55ce7b](https://github.com/bitnami/charts/commit/a55ce7b2c35cdbbddf68f0933709e05ededd8af0)), closes [#2918](https://github.com/bitnami/charts/issues/2918) + +## 7.14.8 (2020-06-19) + +* [bitnami/mongodb] Release 7.14.8 updating components versions ([fd66bb3](https://github.com/bitnami/charts/commit/fd66bb3f9160a5459c647813e5d6b9ec16e67ed6)) +* [multiple charts] Update hidden properties in the different JSON schemas (#2871) ([4cff6ba](https://github.com/bitnami/charts/commit/4cff6ba8b0013b6dc368a1e7986c393e8447e75b)), closes [#2871](https://github.com/bitnami/charts/issues/2871) + +## 7.14.7 (2020-06-16) + +* MongoDB tolerations default value (#2850) ([abc650a](https://github.com/bitnami/charts/commit/abc650a51260ba36923769d12a00a76a8be028d7)), closes [#2850](https://github.com/bitnami/charts/issues/2850) + +## 7.14.6 (2020-06-11) + +* [bitnami/mongodb] Release 7.14.6 updating components versions ([abdb47f](https://github.com/bitnami/charts/commit/abdb47f0cfba2b86e9379ef7e007e252d4e25eda)) +* [bitnami/several] Add instructions about how to use different branches (#2785) ([c315cb0](https://github.com/bitnami/charts/commit/c315cb078a4cef97ff53cf2066b34add3f2926ba)), closes [#2785](https://github.com/bitnami/charts/issues/2785) + +## 7.14.5 (2020-06-02) + +* [bitnami/mongodb] Release 7.14.5 
updating components versions ([d17d2b2](https://github.com/bitnami/charts/commit/d17d2b2fb1048a5241799509b878fcbb318294d6)) + +## 7.14.4 (2020-06-02) + +* [bitnami/mongodb] Rename serviceaccount.yml to serviceaccount.yaml (#2710) ([9ea3da1](https://github.com/bitnami/charts/commit/9ea3da107e1c655d26a3042f5bad2094d40bb4eb)), closes [#2710](https://github.com/bitnami/charts/issues/2710) + +## 7.14.3 (2020-05-29) + +* [bitnami/mongodb] Release 7.14.3 updating components versions ([83e99f9](https://github.com/bitnami/charts/commit/83e99f9c7728e0377929fb0800eeffd2759aa0f7)) + +## 7.14.2 (2020-05-21) + +* [bitnami/mongodb] Release 7.14.2 updating components versions ([e17eeb4](https://github.com/bitnami/charts/commit/e17eeb4ed644deff5139ba6100d6f3761d12e2e8)) +* update bitnami/common to be compatible with helm v2.12+ (#2615) ([c7751eb](https://github.com/bitnami/charts/commit/c7751eb5764e468e1854b58a1b8491d2b13e0a4a)), closes [#2615](https://github.com/bitnami/charts/issues/2615) + +## 7.14.1 (2020-05-12) + +* [bitnami/mongodb] Remove useless define functions (#2576) ([02a6c10](https://github.com/bitnami/charts/commit/02a6c10b689739776616371cfe2650c3b0cf84ea)), closes [#2576](https://github.com/bitnami/charts/issues/2576) + +## 7.14.0 (2020-05-04) + +* [bitnami/mongodb] add storageClass field for secondary in persistence (#2407) ([da5be26](https://github.com/bitnami/charts/commit/da5be265f7dab6159509789a72529e164453f70f)), closes [#2407](https://github.com/bitnami/charts/issues/2407) + +## 7.13.2 (2020-05-01) + +* [bitnami/mongodb] Corrected conditional check for clusterDomain and revert defaults (#2477) ([d30368c](https://github.com/bitnami/charts/commit/d30368c2986232b71004f29b569cf23b7109e2f2)), closes [#2477](https://github.com/bitnami/charts/issues/2477) [#2340](https://github.com/bitnami/charts/issues/2340) + +## 7.13.1 (2020-05-01) + +* [bitnami/mongodb] clusterDomain values forces to use only FQDN (#2340) 
([4985844](https://github.com/bitnami/charts/commit/49858447aef3d8005073f167d6e3f84373ec8b36)), closes [#2340](https://github.com/bitnami/charts/issues/2340) +* [bitnami/mongodb] Release 7.13.1 updating components versions ([a0b7f1f](https://github.com/bitnami/charts/commit/a0b7f1f237515a8877000d12219e201dafc0c575)) + +## 7.13.0 (2020-04-23) + +* [bitnami/mongodb] add nodeSelector option for secondary statefulset (#2398) ([be173dc](https://github.com/bitnami/charts/commit/be173dc85d219332f551923e2ac6b42049fd6a9c)), closes [#2398](https://github.com/bitnami/charts/issues/2398) + +## 7.12.1 (2020-04-23) + +* [bitnami/mongodb] Release 7.12.1 updating components versions ([6c96a04](https://github.com/bitnami/charts/commit/6c96a042473ab7cf3a50a82c41bfe9fd396132ee)) + +## 7.12.0 (2020-04-23) + +* [bitnami/mongodb] allow arbiter to run on a different nodeSelector (#2370) ([01cb35c](https://github.com/bitnami/charts/commit/01cb35c8b16107a30cfe4dc281056a9dcb5381a4)), closes [#2370](https://github.com/bitnami/charts/issues/2370) + +## 7.11.1 (2020-04-22) + +* [bitnami/mongodb] Release 7.11.1 updating components versions ([59c8ec8](https://github.com/bitnami/charts/commit/59c8ec8ab645eab89925ff012a5c4c5f4ac00656)) + +## 7.11.0 (2020-04-22) + +* [bitnami/mongodb] adding local and global namespace overrides for mongodb (#2351) ([055679a](https://github.com/bitnami/charts/commit/055679aac7c213f82bb1bd25c3d73c377cfaf1dc)), closes [#2351](https://github.com/bitnami/charts/issues/2351) + +## 7.10.13 (2020-04-22) + +* [bitnami/mongodb] Release 7.10.13 updating components versions ([dd78f46](https://github.com/bitnami/charts/commit/dd78f46cf47a784544aeab50b319762b53062938)) + +## 7.10.12 (2020-04-17) + +* [bitnami/mongodb] Release 7.10.12 updating components versions ([aa69bdd](https://github.com/bitnami/charts/commit/aa69bdd399f5a4e51239f93a165ee6f55913403f)) + +## 7.10.11 (2020-04-17) + +* [bitnami/mongodb] Release 7.10.11 updating components versions 
([3bbac20](https://github.com/bitnami/charts/commit/3bbac20572444c4c42ee43d0b7c44f706535e474)) + +## 7.10.10 (2020-04-06) + +* [bitnami/mongodb] Release 7.10.10 updating components versions ([f44ec94](https://github.com/bitnami/charts/commit/f44ec9461d746b8a455f3afc0219a45b946bce27)) + +## 7.10.9 (2020-04-06) + +* [bitnami/mongodb] add ALLOW_EMPTY_PASSWORD=yes when usePassword=false (#2091) ([ff1db9d](https://github.com/bitnami/charts/commit/ff1db9d4264e63ff3afb340ddaf0a4ff89ff8a82)), closes [#2091](https://github.com/bitnami/charts/issues/2091) + +## 7.10.8 (2020-04-06) + +* [bitnami/mongodb] Fix indentation of metrics.resources (#2224) ([26ba8a0](https://github.com/bitnami/charts/commit/26ba8a0c8bc56141c6e6dbc07eb2d3830e0f57fb)), closes [#2224](https://github.com/bitnami/charts/issues/2224) + +## 7.10.7 (2020-04-03) + +* [bitnami/mongodb]: Fix indentation on extraVolumeMounts in deployment-standalone.yaml (#2201) ([fe54855](https://github.com/bitnami/charts/commit/fe5485523a7c6447de4d49c6fa68b8e8ab6d59d8)), closes [#2201](https://github.com/bitnami/charts/issues/2201) + +## 7.10.6 (2020-03-31) + +* [bitnami/mongodb] fix indent error in resources (#2164) ([420efdd](https://github.com/bitnami/charts/commit/420efdd0e394c4676bc7376d8b5cac35ecba6ffd)), closes [#2164](https://github.com/bitnami/charts/issues/2164) [#2163](https://github.com/bitnami/charts/issues/2163) [#2163](https://github.com/bitnami/charts/issues/2163) +* [bitnami/mongodb] Fix indentation error (#2149) ([0b9ea37](https://github.com/bitnami/charts/commit/0b9ea37ac2495884613269bc70401e4a6b53c6cd)), closes [#2149](https://github.com/bitnami/charts/issues/2149) + +## 7.10.5 (2020-03-27) + +* [bitnami/mongodb] Release 7.10.5 updating components versions ([a922609](https://github.com/bitnami/charts/commit/a922609db168637c03652e255c551f1a2dd5efc2)) + +## 7.10.4 (2020-03-26) + +* [bitnami/mongodb] Release 7.10.4 updating components versions 
([c5538a8](https://github.com/bitnami/charts/commit/c5538a86babea164117d278e53dbeb5bea72beea)) + +## 7.10.3 (2020-03-25) + +* [bitnami/mongodb] Fix indentation error (#2139) ([886a2c0](https://github.com/bitnami/charts/commit/886a2c0a5823846906b51c200c53a45763656e2a)), closes [#2139](https://github.com/bitnami/charts/issues/2139) + +## 7.10.2 (2020-03-25) + +* [bitnami/mongodb] Fix minor spelling error 'enalbed' (#2129) ([be41ed7](https://github.com/bitnami/charts/commit/be41ed7ee93282a1907feabf333ba55f8e45a041)), closes [#2129](https://github.com/bitnami/charts/issues/2129) +* [bitnami/mongodb] Release 7.10.2 updating components versions ([15b463d](https://github.com/bitnami/charts/commit/15b463d570e67fa8889342bc72a60089b5a46b18)) + +## 7.10.1 (2020-03-25) + +* [bitnami/mongodb] Release 7.10.1 updating components versions ([caba123](https://github.com/bitnami/charts/commit/caba1238592e52f58652a3c8c582b8d9c7c58780)) + +## 7.10.0 (2020-03-24) + +* [bitnami/mongodb] Allow using existingClaim in the cluster primary node (#2101) ([d9fcba3](https://github.com/bitnami/charts/commit/d9fcba3a3d5ccf67d2e3281baea102ae9885f90b)), closes [#2101](https://github.com/bitnami/charts/issues/2101) + +## 7.9.1 (2020-03-23) + +* [bitnami/mongodb] Issue 2096. 
Encode @ : in username / password when connect to mongo (#2099) ([39ec8d6](https://github.com/bitnami/charts/commit/39ec8d6dec88339da666abf036c78e7fdd41a3cd)), closes [#2099](https://github.com/bitnami/charts/issues/2099) + +## 7.9.0 (2020-03-23) + +* [bitnami/mongodb] Fix svc name in arbitrer (#2076) ([301bb18](https://github.com/bitnami/charts/commit/301bb18b0f8455d6f64c26aedd50ee9d7c74c221)), closes [#2076](https://github.com/bitnami/charts/issues/2076) +* Add serviceAccount.create and serviceAccount.name to mongodb chart (#2106) ([20312fc](https://github.com/bitnami/charts/commit/20312fc012d33f354ab0fde5d0b18d56efb56ba2)), closes [#2106](https://github.com/bitnami/charts/issues/2106) + +## 7.8.10 (2020-03-11) + +* [bitnami/mongodb] Release 7.8.10 updating components versions ([9601c81](https://github.com/bitnami/charts/commit/9601c816aa9c384291a12e71a9b2c63830e519d7)) + +## 7.8.9 (2020-03-11) + +* Move charts from upstreamed folder to bitnami (#2032) ([a0e44f7](https://github.com/bitnami/charts/commit/a0e44f7d6a10b8b5643186130ea420887cb72c7c)), closes [#2032](https://github.com/bitnami/charts/issues/2032) diff --git a/kubernetes/common/mongodb/Chart.yaml b/kubernetes/common/mongodb/Chart.yaml new file mode 100644 index 0000000000..62cc76cacf --- /dev/null +++ b/kubernetes/common/mongodb/Chart.yaml 
@@ -0,0 +1,46 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +annotations: + category: Database + images: | + - name: kubectl + image: docker.io/bitnami/kubectl:1.33.0-debian-12-r1 + - name: mongodb + image: docker.io/bitnami/mongodb:8.0.9-debian-12-r0 + - name: mongodb-exporter + image: docker.io/bitnami/mongodb-exporter:0.44.0-debian-12-r5 + - name: nginx + image: docker.io/bitnami/nginx:1.28.0-debian-12-r0 + - name: os-shell + image: docker.io/bitnami/os-shell:12-debian-12-r43 + licenses: Apache-2.0 + tanzuCategory: service +apiVersion: v2 +appVersion: 8.0.9 +dependencies: +- name: common + repository: 'file://./common' + #repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x +description: MongoDB(R) is a relational open source NoSQL database. Easy to use, it + stores data in JSON-like documents. Automated scalability and high-performance. + Ideal for developing cloud native applications. +home: https://bitnami.com +icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/mongodb/img/mongodb-stack-220x234.png +keywords: +- mongodb +- database +- nosql +- cluster +- replicaset +- replication +maintainers: +- name: Broadcom, Inc. All Rights Reserved. + url: https://github.com/bitnami/charts +name: mongodb +sources: +- https://github.com/bitnami/charts/tree/main/bitnami/mongodb +version: 16.5.7 diff --git a/kubernetes/common/mongodb/README.md b/kubernetes/common/mongodb/README.md new file mode 100644 index 0000000000..0de399915f --- /dev/null +++ b/kubernetes/common/mongodb/README.md 
@@ -0,0 +1,1326 @@ + + +# MongoDB® packaged by Bitnami + +MongoDB® is a relational open source NoSQL database. Easy to use, it stores data in JSON-like documents. Automated scalability and high-performance. Ideal for developing cloud native applications. + +[Overview of MongoDB®](http://www.mongodb.org) + +Disclaimer: The respective trademarks mentioned in the offering are owned by the respective companies. We do not provide a commercial license for any of these products. This listing has an open-source license. MongoDB® is run and maintained by MongoDB, which is a completely separate project from Bitnami. + +## TL;DR + +```console +helm install my-release oci://registry-1.docker.io/bitnamicharts/mongodb +``` + +Looking to use MongoDBreg; in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + +## Introduction + +This chart bootstraps a [MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Architecture + +This chart allows installing MongoDB(®) using two different architecture setups: `standalone` or `replicaset`. 
Use the `architecture` parameter to choose the one to use: + +```console +architecture="standalone" +architecture="replicaset" +``` + +### Standalone architecture + +The *standalone* architecture installs a deployment (or StatefulSet) with one MongoDB® server (it cannot be scaled): + +```text + ---------------- + | MongoDB® | + | svc | + ---------------- + | + v + ------------ + |MongoDB®| + | Server | + | Pod | + ----------- +``` + +### Replicaset architecture + +The chart also supports the *replicaset* architecture with and without a MongoDB(®) Arbiter: + +When the MongoDB(®) Arbiter is enabled, the chart installs two StatefulSets: A StatefulSet with N MongoDB(®) servers (organised with one primary and N-1 secondary nodes), and a StatefulSet with one MongoDB(®) arbiter node (it cannot be scaled). + +```text + ---------------- ---------------- ---------------- ------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | | Arbiter | + | external svc | | external svc | | external svc | | svc | + ---------------- ---------------- ---------------- ------------- + | | | | + v v v v + ---------------- ---------------- ---------------- -------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | | MongoDB® | + | Server | | Server | | Server | | Arbiter | + | Pod | | Pod | | Pod | | Pod | + ---------------- ---------------- ---------------- -------------- + primary secondary secondary +``` + +The PSA model is useful when the third Availability Zone cannot hold a full MongoDB(®) instance. The MongoDB(®) Arbiter as decision maker is lightweight and can run alongside other workloads. + +> NOTE: An update takes your MongoDB(®) replicaset offline if the Arbiter is enabled and the number of MongoDB(®) replicas is two. Helm applies updates to the StatefulSets for the MongoDB(®) instance and the Arbiter at the same time so you lose two out of three quorum votes. 
+ +Without the Arbiter, the chart deploys a single statefulset with N MongoDB(®) servers (organised with one primary and N-1 secondary nodes). + +```text + ---------------- ---------------- ---------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | + | external svc | | external svc | | external svc | + ---------------- ---------------- ---------------- + | | | + v v v + ---------------- ---------------- ---------------- + | MongoDB® 0 | | MongoDB® 1 | | MongoDB® N | + | Server | | Server | | Server | + | Pod | | Pod | | Pod | + ---------------- ---------------- ---------------- + primary secondary secondary +``` + +There are no services load balancing requests between MongoDB(®) nodes; instead, each node has an associated service to access them individually. + +> NOTE: Although the first replica is initially assigned the primary role, any of the secondary nodes can become the primary if it is down, or during upgrades. Do not make any assumption about what replica has the primary role. Instead, configure your MongoDB(®) client with the list of MongoDB(®) hostnames so it can dynamically choose the node to send requests. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The command deploys MongoDB(®) on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. 
+ +> **Tip**: List all releases using `helm list` + +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### Prometheus metrics + +This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will deploy a sidecar container with [mongodb_exporter](https://github.com/percona/mongodb_exporter) in all pods and a `metrics` service, which can be configured under the `metrics.service` section. This `metrics` service will have the necessary annotations to be automatically scraped by Prometheus. + +#### Prometheus requirements + +It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster. 
+ +#### Integration with Prometheus Operator + +The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error: + +```text +no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1" +``` + +Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator. + +### [Rolling vs Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customize a new MongoDB instance + +The [Bitnami MongoDB(®) image](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) supports the use of custom scripts to initialize a fresh instance. In order to execute the scripts, two options are available: + +- Specify them using the `initdbScripts` parameter as dict. +- Define an external Kubernetes ConfigMap with all the initialization scripts by setting the `initdbScriptsConfigMap` parameter. Note that this will override the previous option. + +The allowed script extensions are `.sh` and `.js`. + +### Replicaset: Access MongoDB(®) nodes from outside the cluster + +In order to access MongoDB(®) nodes from outside the cluster when using a replicaset architecture, a specific service per MongoDB(®) pod will be created. 
There are two ways of configuring external access: + +- Using LoadBalancer services +- Using NodePort services. + +#### Use LoadBalancer services + +Three alternatives are available to use *LoadBalancer* services: + +- Use random load balancer IP addresses using an *initContainer* that waits for the IP addresses to be ready and discovers them automatically. An example deployment configuration is shown below: + + ```yaml + architecture: replicaset + replicaCount: 2 + externalAccess: + enabled: true + service: + type: LoadBalancer + autoDiscovery: + enabled: true + serviceAccount: + create: true + automountServiceAccountToken: true + rbac: + create: true + ``` + + > NOTE: This option requires creating RBAC rules on clusters where RBAC policies are enabled. + +- Manually specify the load balancer IP addresses. An example deployment configuration is shown below, with the placeholder EXTERNAL-IP-ADDRESS-X used in place of the load balancer IP addresses: + + ```yaml + architecture: replicaset + replicaCount: 2 + externalAccess: + enabled: true + service: + type: LoadBalancer + loadBalancerIPs: + - 'EXTERNAL-IP-ADDRESS-1' + - 'EXTERNAL-IP-ADDRESS-2' + ``` + + > NOTE: This option requires knowing the load balancer IP addresses, so that each MongoDB® node's advertised hostname is configured with it. + +- Specify `externalAccess.service.publicNames`. These names must be resolvable by the MongoDB® containers. To ensure that, if this value is set, an initContainer is added to wait for the ip addresses associated to those names. 
We can combine this feature with `external-dns`, setting the required annotations to configure the load balancer names: + + ```yaml + architecture: replicaset + replicaCount: 2 + externalAccess: + enabled: true + service: + type: LoadBalancer + publicNames: + - 'mongodb-0.example.com' + - 'mongodb-1.example.com' + annotationsList: + - external-dns.alpha.kubernetes.io/hostname: mongodb-0.example.com + - external-dns.alpha.kubernetes.io/hostname: mongodb-1.example.com + ``` + + > NOTE: If register new DNS records for those names is not an option, the release can be upgraded setting `hostAliases` with the public IPs assigned to the external services. + +#### Use NodePort services + +Manually specify the node ports to use. An example deployment configuration is shown below, with the placeholder NODE-PORT-X used in place of the node ports: + +```text +architecture=replicaset +replicaCount=2 +externalAccess.enabled=true +externalAccess.service.type=NodePort +externalAccess.service.nodePorts[0]='NODE-PORT-1' +externalAccess.service.nodePorts[1]='NODE-PORT-2' +``` + +> NOTE: This option requires knowing the node ports that will be exposed, so each MongoDB® node's advertised hostname is configured with it. + +The pod will try to get the external IP address of the node using the command `curl -s https://ipinfo.io/IP-ADDRESS` unless the `externalAccess.service.domain` parameter is set. + +### Bootstrapping with an External Cluster + +This chart is equipped with the ability to bring online a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. This effectively creates a hybrid MongoDB(®) Deployment where both Pods in Kubernetes and Instances such as Virtual Machines can partake in a single MongoDB(®) Deployment. This is helpful in situations where one may be migrating MongoDB(®) from Virtual Machines into Kubernetes, for example. 
To take advantage of this, use the following as an example configuration: + +```yaml +externalAccess: + externalMaster: + enabled: true + host: external-mongodb-0.internal +``` + +:warning: To bootstrap MongoDB(®) with an external master that lies outside of Kubernetes, be sure to set up external access using any of the suggested methods in this chart to have connectivity between the MongoDB(®) members. :warning: + +### Add extra environment variables + +To add extra environment variables (useful for advanced operations like custom init scripts), use the `extraEnvVars` property. + +```yaml +extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` properties. + +### Use Sidecars and Init Containers + +If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. + +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. 
Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). + +### Update credentials + +Bitnami charts, with its default settings, configure credentials at first boot. Any further change in the secrets or credentials can be done using one of the following methods: + +#### Manual update of the passwords and secrets + +- Update the user password following [the upstream documentation](https://www.mongodb.com/docs/manual/reference/method/db.changeUserPassword/) +- Update the password secret with the new values (replace the SECRET_NAME, PASSWORDS and ROOT_PASSWORD placeholders) + +```shell +kubectl create secret generic SECRET_NAME --from-literal=mongodb-passwords=PASSWORD --from-literal=mongodb-root-password=ROOT_PASSWORD --dry-run -o yaml | kubectl apply -f - +``` + +#### Automated update using a password update job + +The Bitnami MongoDB provides a password update job that will automatically change the MongoDB passwords when running helm upgrade. To enable the job set `passwordUpdateJob.enabled=true`. This job requires: + +- The new passwords: this is configured using either `auth.rootPassword`, `auth.passwords` and `metrics.passwords` (if applicable) or setting `auth.existingSecret`. +- The previous root password: This value is taken automatically from already deployed secret object. If you are using `auth.existingSecret` or `helm template` instead of `helm upgrade`, then set either `passwordUpdateJob.previousPasswords.rootPassword` or setting `passwordUpdateJob.previousPasswords.existingSecret`. 
+ +In the following example we update only the root password via values.yaml in a MongoDB installation: + +```yaml +auth: + rootPassword: "newRootPassword123" +passwordUpdateJob: + enabled: true +``` + +In the following example we update the password via values.yaml in a MongoDB installation with replication and several usernames and databases (including metrics). + +```yaml +architecture: "replicaset" + +auth: + usernames: + - "user1" + - "user2" + rootPassword: "newRootPassword123" + passwords: + - "newUserPassword123" + - "newUserPassword144" + databases: + - "userdatabase" + - "userdatabase2" + +metrics: + username: "metricsuser" + password: "newMetricsPassword" + +passwordUpdateJob: + enabled: true +``` + +In this example we use two existing secrets (`new-password-secret` and `previous-password-secret`) to update several users and passwords (including metrics): + +```yaml +auth: + usernames: + - "user1" + - "user2" + databases: + - "userdatabase" + - "userdatabase2" + existingSecret: new-password-secret + +metrics: + username: "metricsuser" + +passwordUpdateJob: + enabled: true + previousPasswords: + existingSecret: previous-password-secret +``` + +You can add extra update commands using the `passwordUpdateJob.extraCommands` value. + +### Backup and restore + +Two different approaches are available to back up and restore Bitnami MongoDB® Helm chart deployments on Kubernetes: + +- Back up the data from the source deployment and restore it in a new deployment using MongoDB® built-in backup/restore tools. +- Back up the persistent volumes from the source deployment and attach them to a new deployment using Velero, a Kubernetes backup/restore tool. + +#### Method 1: Backup and restore data using MongoDB® built-in tools + +This method involves the following steps: + +- Use the *mongodump* tool to create a snapshot of the data in the source cluster. +- Create a new MongoDB® Cluster deployment and forward the MongoDB® Cluster service port for the new deployment. 
+- Restore the data using the *mongorestore* tool to import the backup to the new cluster. + +> NOTE: Under this approach, it is important to create the new deployment on the destination cluster using the same credentials as the original deployment on the source cluster. + +#### Method 2: Back up and restore persistent data volumes + +This method involves copying the persistent data volumes for the MongoDB® nodes and reusing them in a new deployment with [Velero](https://velero.io/), an open source Kubernetes backup/restore tool. This method is only suitable when: + +- The Kubernetes provider is [supported by Velero](https://velero.io/docs/latest/supported-providers/). +- Both clusters are on the same Kubernetes provider, as this is a requirement of [Velero's native support for migrating persistent volumes](https://velero.io/docs/latest/migration-case/). +- The restored deployment on the destination cluster will have the same name, namespace, topology and credentials as the original deployment on the source cluster. + +This method involves the following steps: + +- Install Velero on the source and destination clusters. +- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster. +- Use Velero to restore the backed-up PVs on the destination cluster. +- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data. + +Refer to our detailed [tutorial on backing up and restoring MongoDB® chart deployments on Kubernetes](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-backup-restore-data-mongodb-kubernetes-index.html), which covers both these approaches, for more information. 
+ +### Use custom Prometheus rules + +Custom Prometheus rules can be defined for the Prometheus Operator by using the `prometheusRule` parameter. A basic configuration example is shown below: + +```text + metrics: + enabled: true + prometheusRule: + enabled: true + rules: + - name: rule1 + rules: + - alert: HighRequestLatency + expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5 + for: 10m + labels: + severity: page + annotations: + summary: High request latency +``` + +### Securing traffic using TLS + +This chart supports enabling SSL/TLS between nodes in the cluster, as well as between MongoDB(®) clients and nodes, by setting the `MONGODB_EXTRA_FLAGS` and `MONGODB_CLIENT_EXTRA_FLAGS` container environment variables, together with the correct `MONGODB_ADVERTISED_HOSTNAME`. To enable full TLS encryption, set the `tls.enabled` parameter to `true`. + +#### Generate the self-signed certificates via pre-install Helm hooks + +The `secrets-ca.yaml` file utilizes the Helm "pre-install" hook to ensure that the certificates will only be generated on chart install. + +The `genCA()` function will create a new self-signed x509 certificate authority. The `genSignedCert()` function creates an object with the certificate and key, which are base64-encoded and used in a YAML-like object. The `genSignedCert()` function is passed the CN, an empty IP list (the nil part), the validity and the CA created previously. + +A Kubernetes Secret is used to hold the signed certificate created above, and the `initContainer` sets up the rest. Using Helm's hook annotations ensures that the certificates will only be generated on chart install. This will prevent overriding the certificates if the chart is upgraded. + +#### Use your own CA + +To use your own CA, set `tls.caCert` and `tls.caKey` with appropriate base64 encoded data. The `secrets-ca.yaml` file will utilize this data to create the Secret. + +> NOTE: Currently, only RSA private keys are supported. 
+ +#### Use your own certificates + +To use your own certificates, set `tls.standalone.existingSecret`, `tls.replicaset.existingSecrets`, `tls.hidden.existingSecrets` and/or `tls.arbiter.existingSecret` secrets according to your needs. All of them must be references to `kubernetes.io/tls` secrets and the certificates must be created using the same CA. The CA can be added directly to each secret using the `ca.crt` key: + +```shell +kubectl create secret tls "mongodb-0-cert" --cert="mongodb-0.crt" --key="mongodb-0.key" +kubectl patch secret "mongodb-0-cert" -p="{\"data\":{\"ca.crt\": \"$(cat ca.crt | base64 -w0 )\"}}" +``` + +Or adding it to the "endpoint certificate" and setting the value `tls.pemChainIncluded`. If we reuse the example above, the `mongodb-0.crt` file should include CA cert and we shouldn't need to patch the secret to add the `ca.crt` set key. + +> NOTE: Certificates should be signed for the fully qualified domain names. If `externalAccess.service.publicNames`is set, those names should be used in the certificates set in `tls.replicaset.existingSecrets`. + +#### Access the cluster + +To access the cluster, enable the init container which generates the MongoDB(®) server/client PEM key needed to access the cluster. Please be sure to include the `$my_hostname` section with your actual hostname, and the alternative hostnames section should contain the hostnames that should be allowed access to the MongoDB(®) replicaset. Additionally, if external access is enabled, the load balancer IP addresses are added to the alternative names list. + +> NOTE: You will be generating self-signed certificates for the MongoDB(®) deployment. The init container generates a new MongoDB(®) private key which will be used to create a Certificate Authority (CA) and the public certificate for the CA. The Certificate Signing Request will be created as well and signed using the private key of the CA previously created. 
Finally, the PEM bundle will be created using the private key and public certificate. This process will be repeated for each node in the cluster. + +#### Start the cluster + +After the certificates have been generated and made available to the containers at the correct mount points, the MongoDB(®) server will be started with TLS enabled. The options for the TLS mode will be one of `disabled`, `allowTLS`, `preferTLS`, or `requireTLS`. This value can be changed via the `MONGODB_EXTRA_FLAGS` field using the `tlsMode` parameter. The client should now be able to connect to the TLS-enabled cluster with the provided certificates. + +### Set Pod affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod affinity in the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Persistence + +The [Bitnami MongoDB(®)](https://github.com/bitnami/containers/tree/main/bitnami/mongodb) image stores the MongoDB(®) data and configurations at the `/bitnami/mongodb` path of the container. + +The chart mounts a [Persistent Volume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) at this location. The volume is created using dynamic volume provisioning. + +If you encounter errors when working with persistent volumes, refer to our [troubleshooting guide for persistent volumes](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-persistence-volumes/). 
+ +## Parameters + +### Global parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` | +| `global.storageClass` | DEPRECATED: use global.defaultStorageClass instead | `""` | +| `global.namespaceOverride` | Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride | `""` | +| `global.security.allowInsecureImages` | Allows skipping image verification | `false` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | + +### Common parameters + +| Name | Description | Value | +| ------------------------- | --------------------------------------------------------------------------------------------------------- | --------------- | +| `nameOverride` | String to partially override mongodb.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override mongodb.fullname template | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `clusterDomain` | Default Kubernetes cluster domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release | `[]` | +| `commonLabels` | Add labels to all the deployed resources (sub-charts are not considered). Evaluated as a template | `{}` | +| `commonAnnotations` | Common annotations to add to all Mongo resources (sub-charts are not considered). Evaluated as a template | `{}` | +| `topologyKey` | Override common lib default topology key. 
If empty - "kubernetes.io/hostname" is used | `""` | +| `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | +| `enableServiceLinks` | Whether information about services should be injected into pod's environment variable | `true` | +| `usePasswordFiles` | Mount credentials as files instead of using environment variables | `true` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the deployment | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the deployment | `["infinity"]` | + +### MongoDB(®) parameters + +| Name | Description | Value | +| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `image.registry` | MongoDB(®) image registry | `REGISTRY_NAME` | +| `image.repository` | MongoDB(®) image registry | `REPOSITORY_NAME/mongodb` | +| `image.digest` | MongoDB(®) image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | MongoDB(®) image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Set to true if you would like to see extra information on logs | `false` | +| `schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `architecture` | MongoDB(®) architecture (`standalone` or `replicaset`) | `standalone` | +| `useStatefulSet` | Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) | `false` | +| `auth.enabled` | Enable authentication | `true` | +| `auth.rootUser` | MongoDB(®) root user | `root` | +| `auth.rootPassword` | MongoDB(®) root password | `""` | +| `auth.usernames` | List of custom users to be created during the initialization | `[]` | +| `auth.passwords` | List of passwords for the custom users set at `auth.usernames` | `[]` | +| `auth.databases` | List of custom databases to be created during the initialization | `[]` | +| `auth.username` | DEPRECATED: use `auth.usernames` instead | `""` | +| `auth.password` | DEPRECATED: use `auth.passwords` instead | `""` | +| `auth.database` | DEPRECATED: use `auth.databases` instead | `""` | +| `auth.replicaSetKey` | Key used for authentication in the replicaset (only when `architecture=replicaset`) | `""` | +| `auth.existingSecret` | Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`) | `""` | +| `tls.enabled` | Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes | `false` | +| `tls.mTLS.enabled` | IF TLS support is enabled, require clients to provide certificates | `true` | +| `tls.autoGenerated` | Generate a custom CA and self-signed certificates | `true` | +| `tls.existingSecret` | Existing secret with TLS certificates (keys: 
`mongodb-ca-cert`, `mongodb-ca-key`) | `""` | +| `tls.caCert` | Custom CA certificated (base64 encoded) | `""` | +| `tls.caKey` | CA certificate private key (base64 encoded) | `""` | +| `tls.pemChainIncluded` | Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. | `false` | +| `tls.standalone.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | +| `tls.replicaset.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | +| `tls.hidden.existingSecrets` | Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `[]` | +| `tls.arbiter.existingSecret` | Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. | `""` | +| `tls.image.registry` | Init container TLS certs setup image registry | `REGISTRY_NAME` | +| `tls.image.repository` | Init container TLS certs setup image repository | `REPOSITORY_NAME/nginx` | +| `tls.image.digest` | Init container TLS certs setup image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `tls.image.pullPolicy` | Init container TLS certs setup image pull policy | `IfNotPresent` | +| `tls.image.pullSecrets` | Init container TLS certs specify docker-registry secret names as an array | `[]` | +| `tls.extraDnsNames` | Add extra dns names to the CA, can solve x509 auth issue for pod clients | `[]` | +| `tls.mode` | Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) | `requireTLS` | +| `tls.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). | `nano` | +| `tls.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `tls.securityContext` | Init container generate-tls-cert Security context | `{}` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | Add deployment host aliases | `[]` | +| `replicaSetName` | Name of the replica set (only when `architecture=replicaset`) | `rs0` | +| `replicaSetHostnames` | Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) | `true` | +| `enableIPv6` | Switch to enable/disable IPv6 on MongoDB(®) | `false` | +| `directoryPerDB` | Switch to enable/disable DirectoryPerDB on MongoDB(®) | `false` | +| `systemLogVerbosity` | MongoDB(®) system log verbosity level | `0` | +| `disableSystemLog` | Switch to enable/disable MongoDB(®) system log | `false` | +| `disableJavascript` | Switch to enable/disable MongoDB(®) server-side JavaScript execution | `false` | +| `enableJournal` | Switch to enable/disable MongoDB(®) Journaling | `true` | +| `configuration` | MongoDB(®) configuration file to be used for Primary and Secondary nodes | `""` | + +### 
replicaSetConfigurationSettings settings applied during runtime (not via configuration file) + +| Name | Description | Value | +| ----------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------- | +| `replicaSetConfigurationSettings.enabled` | Enable MongoDB(®) Switch to enable/disable configuring MongoDB(®) run time rs.conf settings | `false` | +| `replicaSetConfigurationSettings.configuration` | run-time rs.conf settings | `{}` | +| `existingConfigmap` | Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes | `""` | +| `initdbScripts` | Dictionary of initdb scripts | `{}` | +| `initdbScriptsConfigMap` | Existing ConfigMap with custom initdb scripts | `""` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraFlags` | MongoDB(®) additional command line flags | `[]` | +| `extraEnvVars` | Extra environment variables to add to MongoDB(®) pods | `[]` | +| `extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | + +### MongoDB(®) statefulset parameters + +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `annotations` | Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template | `{}` | +| `labels` | Annotations to be added to the MongoDB(®) statefulset. 
Evaluated as a template | `{}` | +| `replicaCount` | Number of MongoDB(®) nodes | `2` | +| `updateStrategy.type` | Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, | `RollingUpdate` | +| `podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` | +| `podAffinityPreset` | MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | MongoDB(®) Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | MongoDB(®) Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | MongoDB(®) Affinity for pod assignment | `{}` | +| `nodeSelector` | MongoDB(®) Node labels for pod assignment | `{}` | +| `tolerations` | MongoDB(®) Tolerations for pod assignment | `[]` | +| `topologySpreadConstraints` | MongoDB(®) Spread Constraints for Pods | `[]` | +| `lifecycleHooks` | LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup | `{}` | +| `terminationGracePeriodSeconds` | MongoDB(®) Termination Grace Period | `""` | +| `podLabels` | MongoDB(®) pod labels | `{}` | +| `podAnnotations` | MongoDB(®) Pod annotations | `{}` | +| `priorityClassName` | Name of the existing priority class to be used by MongoDB(®) pod(s) | `""` | +| `runtimeClassName` | Name of the runtime class to be used by MongoDB(®) pod(s) | `""` | +| `podSecurityContext.enabled` | Enable MongoDB(®) pod(s)' Security Context | `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups 
| `[]` | +| `podSecurityContext.fsGroup` | Group ID for the volumes of the MongoDB(®) pod(s) | `1001` | +| `podSecurityContext.sysctls` | sysctl settings of the MongoDB(®) pod(s)' | `[]` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
| `small` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `containerPorts.mongodb` | MongoDB(®) container port | `27017` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `20` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `10` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` | +| `customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` | +| `customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `initContainers` | Add additional init containers for the hidden node pod(s) | 
`[]` | +| `sidecars` | Add additional sidecar containers for the MongoDB(®) pod(s) | `[]` | +| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) | `[]` | +| `extraVolumes` | Optionally specify extra list of additional volumes to the MongoDB(®) statefulset | `[]` | +| `pdb.create` | Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) | `true` | +| `pdb.minAvailable` | Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction | `""` | +| `pdb.maxUnavailable` | Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. | `""` | + +### Traffic exposure parameters + +| Name | Description | Value | +| ------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- | +| `service.nameOverride` | MongoDB(®) service name | `""` | +| `service.type` | Kubernetes Service type (only for standalone architecture) | `ClusterIP` | +| `service.portName` | MongoDB(®) service port name (only for standalone architecture) | `mongodb` | +| `service.ports.mongodb` | MongoDB(®) service port. 
| `27017` | +| `service.nodePorts.mongodb` | Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture) | `""` | +| `service.clusterIP` | MongoDB(®) service cluster IP (only for standalone architecture) | `""` | +| `service.externalIPs` | Specify the externalIP value ClusterIP service type (only for standalone architecture) | `[]` | +| `service.loadBalancerIP` | loadBalancerIP for MongoDB(®) Service (only for standalone architecture) | `""` | +| `service.loadBalancerClass` | loadBalancerClass for MongoDB(®) Service (only for standalone architecture) | `""` | +| `service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer (only for standalone architecture) | `[]` | +| `service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` | +| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `service.annotations` | Provide any additional annotations that may be required | `{}` | +| `service.externalTrafficPolicy` | service external traffic policy (only for standalone architecture) | `Local` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.headless.annotations` | Annotations for the headless service. 
| `{}` | +| `service.publishNotReadyAddresses` | Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready | `false` | +| `externalAccess.enabled` | Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) | `false` | +| `externalAccess.autoDiscovery.enabled` | Enable using an init container to auto-detect external IPs by querying the K8s API | `false` | +| `externalAccess.autoDiscovery.image.registry` | Init container auto-discovery image registry | `REGISTRY_NAME` | +| `externalAccess.autoDiscovery.image.repository` | Init container auto-discovery image repository | `REPOSITORY_NAME/kubectl` | +| `externalAccess.autoDiscovery.image.digest` | Init container auto-discovery image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `externalAccess.autoDiscovery.image.pullPolicy` | Init container auto-discovery image pull policy | `IfNotPresent` | +| `externalAccess.autoDiscovery.image.pullSecrets` | Init container auto-discovery image pull secrets | `[]` | +| `externalAccess.autoDiscovery.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` | +| `externalAccess.autoDiscovery.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalAccess.dnsCheck.image.registry` | Init container dns-check image registry | `REGISTRY_NAME` | +| `externalAccess.dnsCheck.image.repository` | Init container dns-check image repository | `REPOSITORY_NAME/kubectl` | +| `externalAccess.dnsCheck.image.digest` | Init container dns-check image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `externalAccess.dnsCheck.image.pullPolicy` | Init container dns-check image pull policy | `IfNotPresent` | +| `externalAccess.dnsCheck.image.pullSecrets` | Init container dns-check image pull secrets | `[]` | +| `externalAccess.dnsCheck.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). | `nano` | +| `externalAccess.dnsCheck.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `externalAccess.externalMaster.enabled` | Use external master for bootstrapping | `false` | +| `externalAccess.externalMaster.host` | External master host to bootstrap from | `""` | +| `externalAccess.externalMaster.port` | Port for MongoDB(®) service external master host | `27017` | +| `externalAccess.service.type` | Kubernetes Service type for external access. Allowed values: NodePort, LoadBalancer or ClusterIP | `LoadBalancer` | +| `externalAccess.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` | +| `externalAccess.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` | +| `externalAccess.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` | +| `externalAccess.service.publicNames` | Array of public names. The size should be equal to the number of replicas. 
| `[]` | +| `externalAccess.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` | +| `externalAccess.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.service.allocateLoadBalancerNodePorts` | Whether to allocate node ports when service type is LoadBalancer | `true` | +| `externalAccess.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` | +| `externalAccess.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort | `[]` | +| `externalAccess.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` | +| `externalAccess.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `externalAccess.service.annotations` | Service annotations for external access. These annotations are common for all services created. | `{}` | +| `externalAccess.service.annotationsList` | Service annotations for eache external service. This value contains a list allowing different annotations per each external service. | `[]` | +| `externalAccess.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `externalAccess.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `externalAccess.hidden.enabled` | Enable Kubernetes external cluster access to MongoDB(®) hidden nodes | `false` | +| `externalAccess.hidden.service.type` | Kubernetes Service type for external access. 
Allowed values: NodePort or LoadBalancer | `LoadBalancer` | +| `externalAccess.hidden.service.portName` | MongoDB(®) port name used for external access when service type is LoadBalancer | `mongodb` | +| `externalAccess.hidden.service.ports.mongodb` | MongoDB(®) port used for external access when service type is LoadBalancer | `27017` | +| `externalAccess.hidden.service.loadBalancerIPs` | Array of load balancer IPs for MongoDB(®) nodes | `[]` | +| `externalAccess.hidden.service.loadBalancerClass` | loadBalancerClass when service type is LoadBalancer | `""` | +| `externalAccess.hidden.service.loadBalancerSourceRanges` | Address(es) that are allowed when service is LoadBalancer | `[]` | +| `externalAccess.hidden.service.allocateLoadBalancerNodePorts` | Wheter to allocate node ports when service type is LoadBalancer | `true` | +| `externalAccess.hidden.service.externalTrafficPolicy` | MongoDB(®) service external traffic policy | `Local` | +| `externalAccess.hidden.service.nodePorts` | Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. 
Length must be the same as replicaCount | `[]` | +| `externalAccess.hidden.service.domain` | Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort | `""` | +| `externalAccess.hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `externalAccess.hidden.service.annotations` | Service annotations for external access | `{}` | +| `externalAccess.hidden.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `externalAccess.hidden.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | + +### Password update job + +| Name | Description | Value | +| --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `passwordUpdateJob.enabled` | Enable password update job | `false` | +| `passwordUpdateJob.backoffLimit` | set backoff limit of the job | `10` | +| `passwordUpdateJob.command` | Override default container command on mysql Primary container(s) (useful when using custom images) | `[]` | +| `passwordUpdateJob.args` | Override default container args on mysql Primary container(s) (useful when using custom images) | `[]` | +| `passwordUpdateJob.extraCommands` | Extra commands to pass to the generation job | `""` | +| `passwordUpdateJob.previousPasswords.rootPassword` | Previous root password (set if the password secret was already changed) | `""` | +| `passwordUpdateJob.previousPasswords.existingSecret` | Name of a secret containing the previous passwords (set if the password secret was already changed) | `""` | +| `passwordUpdateJob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| 
`passwordUpdateJob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `passwordUpdateJob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `passwordUpdateJob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `passwordUpdateJob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `passwordUpdateJob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `passwordUpdateJob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `passwordUpdateJob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `passwordUpdateJob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `passwordUpdateJob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `passwordUpdateJob.podSecurityContext.enabled` | Enabled credential init job pods' Security Context | `true` | +| `passwordUpdateJob.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `passwordUpdateJob.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `passwordUpdateJob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `passwordUpdateJob.podSecurityContext.fsGroup` | Set credential init job pod's Security Context fsGroup | `1001` | +| `passwordUpdateJob.extraEnvVars` | Array containing extra env vars to configure the credential init job | `[]` | +| `passwordUpdateJob.extraEnvVarsCM` | ConfigMap containing extra env vars to configure the credential init job | `""` | +| `passwordUpdateJob.extraEnvVarsSecret` | Secret containing extra env vars to configure the 
credential init job (in case of sensitive data) | `""` | +| `passwordUpdateJob.extraVolumes` | Optionally specify extra list of additional volumes for the credential init job | `[]` | +| `passwordUpdateJob.extraVolumeMounts` | Array of extra volume mounts to be added to the jwt Container (evaluated as template). Normally used with `extraVolumes`. | `[]` | +| `passwordUpdateJob.initContainers` | Add additional init containers for the mysql Primary pod(s) | `[]` | +| `passwordUpdateJob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production). | `micro` | +| `passwordUpdateJob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `passwordUpdateJob.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `passwordUpdateJob.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `passwordUpdateJob.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `passwordUpdateJob.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `passwordUpdateJob.hostAliases` | Add deployment host aliases | `[]` | +| `passwordUpdateJob.annotations` | Add annotations to the job | `{}` | +| `passwordUpdateJob.podLabels` | Additional pod labels | `{}` | +| `passwordUpdateJob.podAnnotations` | Additional pod annotations | `{}` | + +### Network policy parameters + +| Name | Description | Value | +| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | 
`true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.addExternalClientAccess` | Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressPodMatchLabels` | Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. | `{}` | +| `persistence.enabled` | Enable MongoDB(®) data persistence using PVC | `true` | +| `persistence.name` | Name of the PVC and mounted volume | `datadir` | +| `persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `persistence.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. 
Leaving it empty will delete PVCs after the chart deleted | `""` | +| `persistence.storageClass` | PVC Storage Class for MongoDB(®) data volume | `""` | +| `persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `persistence.size` | PVC Storage Request for MongoDB(®) data volume | `8Gi` | +| `persistence.annotations` | PVC annotations | `{}` | +| `persistence.labels` | PVC labels | `{}` | +| `persistence.mountPath` | Path to mount the volume at | `/bitnami/mongodb` | +| `persistence.subPath` | Subdirectory of the volume to mount at | `""` | +| `persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. when using local volumes) | `{}` | +| `persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` | +| `persistence.volumeClaimTemplates.dataSource` | Add dataSource to the VolumeClaimTemplate | `{}` | +| `persistentVolumeClaimRetentionPolicy.enabled` | Enable Persistent volume retention policy for MongoDB(®) Statefulset | `false` | +| `persistentVolumeClaimRetentionPolicy.whenScaled` | Volume retention behavior when the replica count of the StatefulSet is reduced | `Retain` | +| `persistentVolumeClaimRetentionPolicy.whenDeleted` | Volume retention behavior that applies when the StatefulSet is deleted | `Retain` | + +### Backup parameters + +| Name | Description | Value | +| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `backup.enabled` | Enable the logical dump of the database "regularly" | `false` | +| `backup.cronjob.schedule` | Set the cronjob parameter schedule | `@daily` | +| `backup.cronjob.timeZone` | Set the cronjob parameter timeZone | `""` | +| `backup.cronjob.concurrencyPolicy` | Set the cronjob parameter 
concurrencyPolicy | `Allow` | +| `backup.cronjob.failedJobsHistoryLimit` | Set the cronjob parameter failedJobsHistoryLimit | `1` | +| `backup.cronjob.successfulJobsHistoryLimit` | Set the cronjob parameter successfulJobsHistoryLimit | `3` | +| `backup.cronjob.startingDeadlineSeconds` | Set the cronjob parameter startingDeadlineSeconds | `""` | +| `backup.cronjob.ttlSecondsAfterFinished` | Set the cronjob parameter ttlSecondsAfterFinished | `""` | +| `backup.cronjob.restartPolicy` | Set the cronjob parameter restartPolicy | `OnFailure` | +| `backup.cronjob.backoffLimit` | Set the cronjob parameter backoffLimit | `6` | +| `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `backup.cronjob.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `backup.cronjob.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `backup.cronjob.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `backup.cronjob.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `backup.cronjob.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `backup.cronjob.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if resources is set (resources is recommended for production). | `none` | +| `backup.cronjob.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `backup.cronjob.command` | Set backup container's command to run | `[]` | +| `backup.cronjob.labels` | Set the cronjob labels | `{}` | +| `backup.cronjob.annotations` | Set the cronjob annotations | `{}` | +| `backup.cronjob.storage.existingClaim` | Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) | `""` | +| `backup.cronjob.storage.resourcePolicy` | Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted | `""` | +| `backup.cronjob.storage.storageClass` | PVC Storage Class for the backup data volume | `""` | +| `backup.cronjob.storage.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `backup.cronjob.storage.size` | PVC Storage Request for the backup data volume | `8Gi` | +| `backup.cronjob.storage.annotations` | PVC annotations | `{}` | +| `backup.cronjob.storage.mountPath` | Path to mount the volume at | `/backup/mongodb` | +| `backup.cronjob.storage.subPath` | Subdirectory of the volume to mount at | `""` | +| `backup.cronjob.storage.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. 
when using local volumes) | `{}` | + +### RBAC parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable creation of ServiceAccount for MongoDB(®) pods | `true` | +| `serviceAccount.name` | Name of the created serviceAccount | `""` | +| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` | +| `rbac.create` | Whether to create & use RBAC resources or not | `false` | +| `rbac.rules` | Custom rules to create following the role specification | `[]` | +| `podSecurityPolicy.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | +| `podSecurityPolicy.allowPrivilegeEscalation` | Enable privilege escalation | `false` | +| `podSecurityPolicy.privileged` | Allow privileged | `false` | +| `podSecurityPolicy.spec` | Specify the full spec to use for Pod Security Policy | `{}` | + +### Volume Permissions parameters + +| Name | Description | Value | +| -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `REGISTRY_NAME` | +| `volumePermissions.image.repository` | Init container 
volume-permissions image repository | `REPOSITORY_NAME/os-shell` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `volumePermissions.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` | +| `volumePermissions.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.securityContext.runAsUser` | User ID for the volumePermissions container | `0` | + +### Arbiter parameters + +| Name | Description | Value | +| ----------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `arbiter.enabled` | Enable deploying the arbiter | `true` | +| `arbiter.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `arbiter.hostAliases` | Add deployment host aliases | `[]` | +| `arbiter.configuration` | Arbiter configuration file to be used | `""` | +| `arbiter.existingConfigmap` | Name of existing ConfigMap with Arbiter configuration | `""` | +| `arbiter.command` | Override default container command (useful when using custom images) | `[]` | +| `arbiter.args` | 
Override default container args (useful when using custom images) | `[]` | +| `arbiter.extraFlags` | Arbiter additional command line flags | `[]` | +| `arbiter.extraEnvVars` | Extra environment variables to add to Arbiter pods | `[]` | +| `arbiter.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `arbiter.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | +| `arbiter.annotations` | Additional labels to be added to the Arbiter statefulset | `{}` | +| `arbiter.labels` | Annotations to be added to the Arbiter statefulset | `{}` | +| `arbiter.topologySpreadConstraints` | MongoDB(®) Spread Constraints for arbiter Pods | `[]` | +| `arbiter.lifecycleHooks` | LifecycleHook for the Arbiter container to automate configuration before or after startup | `{}` | +| `arbiter.terminationGracePeriodSeconds` | Arbiter Termination Grace Period | `""` | +| `arbiter.updateStrategy.type` | Strategy that will be employed to update Pods in the StatefulSet | `RollingUpdate` | +| `arbiter.podManagementPolicy` | Pod management policy for MongoDB(®) | `OrderedReady` | +| `arbiter.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `arbiter.podAffinityPreset` | Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `arbiter.podAntiAffinityPreset` | Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `arbiter.nodeAffinityPreset.type` | Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `arbiter.nodeAffinityPreset.key` | Arbiter Node label key to match Ignored if `affinity` is set. | `""` | +| `arbiter.nodeAffinityPreset.values` | Arbiter Node label values to match. Ignored if `affinity` is set. 
| `[]` | +| `arbiter.affinity` | Arbiter Affinity for pod assignment | `{}` | +| `arbiter.nodeSelector` | Arbiter Node labels for pod assignment | `{}` | +| `arbiter.tolerations` | Arbiter Tolerations for pod assignment | `[]` | +| `arbiter.podLabels` | Arbiter pod labels | `{}` | +| `arbiter.podAnnotations` | Arbiter Pod annotations | `{}` | +| `arbiter.priorityClassName` | Name of the existing priority class to be used by Arbiter pod(s) | `""` | +| `arbiter.runtimeClassName` | Name of the runtime class to be used by Arbiter pod(s) | `""` | +| `arbiter.podSecurityContext.enabled` | Enable Arbiter pod(s)' Security Context | `true` | +| `arbiter.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `arbiter.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `arbiter.podSecurityContext.fsGroup` | Group ID for the volumes of the Arbiter pod(s) | `1001` | +| `arbiter.podSecurityContext.sysctls` | sysctl settings of the Arbiter pod(s)' | `[]` | +| `arbiter.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `arbiter.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `arbiter.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `arbiter.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `arbiter.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `arbiter.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `arbiter.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `arbiter.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `arbiter.containerSecurityContext.capabilities.drop` | List of capabilities to be 
dropped | `["ALL"]` | +| `arbiter.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `arbiter.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). | `small` | +| `arbiter.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `arbiter.containerPorts.mongodb` | MongoDB(®) arbiter container port | `27017` | +| `arbiter.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `arbiter.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `arbiter.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `arbiter.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `arbiter.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `arbiter.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `arbiter.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `arbiter.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `arbiter.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` | +| `arbiter.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `arbiter.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `arbiter.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `arbiter.startupProbe.enabled` | Enable startupProbe | `false` | +| `arbiter.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `arbiter.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `arbiter.startupProbe.timeoutSeconds` | Timeout 
seconds for startupProbe | `5` | +| `arbiter.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `arbiter.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `arbiter.customLivenessProbe` | Override default liveness probe for Arbiter containers | `{}` | +| `arbiter.customReadinessProbe` | Override default readiness probe for Arbiter containers | `{}` | +| `arbiter.customStartupProbe` | Override default startup probe for Arbiter containers | `{}` | +| `arbiter.initContainers` | Add additional init containers for the Arbiter pod(s) | `[]` | +| `arbiter.sidecars` | Add additional sidecar containers for the Arbiter pod(s) | `[]` | +| `arbiter.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Arbiter container(s) | `[]` | +| `arbiter.extraVolumes` | Optionally specify extra list of additional volumes to the Arbiter statefulset | `[]` | +| `arbiter.pdb.create` | Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) | `true` | +| `arbiter.pdb.minAvailable` | Minimum number/percentage of Arbiter pods that should remain scheduled | `""` | +| `arbiter.pdb.maxUnavailable` | Maximum number/percentage of Arbiter pods that may be made unavailable. Defaults to `1` if both `arbiter.pdb.minAvailable` and `arbiter.pdb.maxUnavailable` are empty. | `""` | +| `arbiter.service.nameOverride` | The arbiter service name | `""` | +| `arbiter.service.ports.mongodb` | MongoDB(®) service port | `27017` | +| `arbiter.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `arbiter.service.annotations` | Provide any additional annotations that may be required | `{}` | +| `arbiter.service.headless.annotations` | Annotations for the headless service. 
| `{}` | + +### Hidden Node parameters + +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | +| `hidden.enabled` | Enable deploying the hidden nodes | `false` | +| `hidden.automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hidden.hostAliases` | Add deployment host aliases | `[]` | +| `hidden.configuration` | Hidden node configuration file to be used | `""` | +| `hidden.existingConfigmap` | Name of existing ConfigMap with Hidden node configuration | `""` | +| `hidden.command` | Override default container command (useful when using custom images) | `[]` | +| `hidden.args` | Override default container args (useful when using custom images) | `[]` | +| `hidden.extraFlags` | Hidden node additional command line flags | `[]` | +| `hidden.extraEnvVars` | Extra environment variables to add to Hidden node pods | `[]` | +| `hidden.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` | +| `hidden.extraEnvVarsSecret` | Name of existing Secret containing extra env vars (in case of sensitive data) | `""` | +| `hidden.annotations` | Additional labels to be added to thehidden node statefulset | `{}` | +| `hidden.labels` | Annotations to be added to the hidden node statefulset | `{}` | +| `hidden.topologySpreadConstraints` | MongoDB(®) Spread Constraints for hidden Pods | `[]` | +| `hidden.lifecycleHooks` | LifecycleHook for the Hidden container to automate configuration before or after startup | `{}` | +| `hidden.replicaCount` | Number of hidden nodes (only when `architecture=replicaset`) | `1` | +| `hidden.terminationGracePeriodSeconds` | Hidden Termination Grace Period | `""` | +| `hidden.updateStrategy.type` | Strategy that will be 
employed to update Pods in the StatefulSet | `RollingUpdate` | +| `hidden.podManagementPolicy` | Pod management policy for hidden node | `OrderedReady` | +| `hidden.schedulerName` | Name of the scheduler (other than default) to dispatch pods | `""` | +| `hidden.podAffinityPreset` | Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `hidden.podAntiAffinityPreset` | Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `hidden.nodeAffinityPreset.type` | Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `hidden.nodeAffinityPreset.key` | Hidden Node label key to match Ignored if `affinity` is set. | `""` | +| `hidden.nodeAffinityPreset.values` | Hidden Node label values to match. Ignored if `affinity` is set. | `[]` | +| `hidden.affinity` | Hidden node Affinity for pod assignment | `{}` | +| `hidden.nodeSelector` | Hidden node Node labels for pod assignment | `{}` | +| `hidden.tolerations` | Hidden node Tolerations for pod assignment | `[]` | +| `hidden.podLabels` | Hidden node pod labels | `{}` | +| `hidden.podAnnotations` | Hidden node Pod annotations | `{}` | +| `hidden.priorityClassName` | Name of the existing priority class to be used by hidden node pod(s) | `""` | +| `hidden.runtimeClassName` | Name of the runtime class to be used by hidden node pod(s) | `""` | +| `hidden.podSecurityContext.enabled` | Enable Hidden pod(s)' Security Context | `true` | +| `hidden.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `hidden.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `hidden.podSecurityContext.fsGroup` | Group ID for the volumes of the Hidden pod(s) | `1001` | +| `hidden.podSecurityContext.sysctls` | sysctl settings of the Hidden pod(s)' | `[]` | +| `hidden.containerSecurityContext.enabled` | Enabled containers' 
Security Context | `true` | +| `hidden.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `hidden.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `hidden.containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `hidden.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `hidden.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `hidden.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `hidden.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `hidden.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `hidden.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `hidden.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). 
| `micro` | +| `hidden.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `hidden.containerPorts.mongodb` | MongoDB(®) hidden container port | `27017` | +| `hidden.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `hidden.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `hidden.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `20` | +| `hidden.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `hidden.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `hidden.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `hidden.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `hidden.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `hidden.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `20` | +| `hidden.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `hidden.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `hidden.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `hidden.startupProbe.enabled` | Enable startupProbe | `false` | +| `hidden.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `hidden.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `hidden.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `hidden.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `hidden.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `hidden.customLivenessProbe` | Override default liveness probe for hidden node containers | `{}` | +| `hidden.customReadinessProbe` | Override default readiness probe for hidden node containers | `{}` | +| 
`hidden.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `hidden.initContainers` | Add init containers to the MongoDB(®) Hidden pods. | `[]` | +| `hidden.sidecars` | Add additional sidecar containers for the hidden node pod(s) | `[]` | +| `hidden.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the hidden node container(s) | `[]` | +| `hidden.extraVolumes` | Optionally specify extra list of additional volumes to the hidden node statefulset | `[]` | +| `hidden.pdb.create` | Enable/disable a Pod Disruption Budget creation for hidden node pod(s) | `true` | +| `hidden.pdb.minAvailable` | Minimum number/percentage of hidden node pods that should remain scheduled | `""` | +| `hidden.pdb.maxUnavailable` | Maximum number/percentage of hidden node pods that may be made unavailable. Defaults to `1` if both `hidden.pdb.minAvailable` and `hidden.pdb.maxUnavailable` are empty. | `""` | +| `hidden.persistence.enabled` | Enable hidden node data persistence using PVC | `true` | +| `hidden.persistence.medium` | Provide a medium for `emptyDir` volumes. | `""` | +| `hidden.persistence.storageClass` | PVC Storage Class for hidden node data volume | `""` | +| `hidden.persistence.accessModes` | PV Access Mode | `["ReadWriteOnce"]` | +| `hidden.persistence.size` | PVC Storage Request for hidden node data volume | `8Gi` | +| `hidden.persistence.annotations` | PVC annotations | `{}` | +| `hidden.persistence.mountPath` | The path the volume will be mounted at, useful when using different MongoDB(®) images. | `/bitnami/mongodb` | +| `hidden.persistence.subPath` | The subdirectory of the volume to mount to, useful in dev environments | `""` | +| `hidden.persistence.volumeClaimTemplates.selector` | A label query over volumes to consider for binding (e.g. 
when using local volumes) | `{}` | +| `hidden.persistence.volumeClaimTemplates.requests` | Custom PVC requests attributes | `{}` | +| `hidden.persistence.volumeClaimTemplates.dataSource` | Set volumeClaimTemplate dataSource | `{}` | +| `hidden.service.nameOverride` | The hidden service name | `""` | +| `hidden.service.portName` | MongoDB(®) service port name | `mongodb` | +| `hidden.service.ports.mongodb` | MongoDB(®) service port | `27017` | +| `hidden.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `hidden.service.annotations` | Provide any additional annotations that may be required | `{}` | +| `hidden.service.headless.annotations` | Annotations for the headless service. | `{}` | + +### Metrics parameters + +| Name | Description | Value | +| -------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------- | +| `metrics.enabled` | Enable using a sidecar Prometheus exporter | `false` | +| `metrics.image.registry` | MongoDB(®) Prometheus exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | MongoDB(®) Prometheus exporter image repository | `REPOSITORY_NAME/mongodb-exporter` | +| `metrics.image.digest` | MongoDB(®) image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | MongoDB(®) Prometheus exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.username` | String with username for the metrics exporter | `""` | +| `metrics.password` | String with password for the metrics exporter | `""` | +| `metrics.compatibleMode` | Enables old style mongodb-exporter metrics | `true` | +| `metrics.collector.all` | Enable all collectors. Same as enabling all individual metrics | `false` | +| `metrics.collector.diagnosticdata` | Boolean Enable collecting metrics from getDiagnosticData | `true` | +| `metrics.collector.replicasetstatus` | Boolean Enable collecting metrics from replSetGetStatus | `true` | +| `metrics.collector.dbstats` | Boolean Enable collecting metrics from dbStats | `false` | +| `metrics.collector.topmetrics` | Boolean Enable collecting metrics from top admin command | `false` | +| `metrics.collector.indexstats` | Boolean Enable collecting metrics from $indexStats | `false` | +| `metrics.collector.collstats` | Boolean Enable collecting metrics from $collStats | `false` | +| `metrics.collector.collstatsColls` | List of \.\ to get $collStats | `[]` | +| `metrics.collector.indexstatsColls` | List - List of \.\ to get $indexStats | `[]` | +| `metrics.collector.collstatsLimit` | Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections. 0=No limit | `0` | +| `metrics.extraFlags` | String with extra flags to the metrics exporter | `""` | +| `metrics.command` | Override default container command (useful when using custom images) | `[]` | +| `metrics.args` | Override default container args (useful when using custom images) | `[]` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.containerPort` | Port of the Prometheus metrics container | `9216` | +| `metrics.service.annotations` | Annotations for Prometheus Exporter pods. Evaluated as a template. | `{}` | +| `metrics.service.type` | Type of the Prometheus metrics service | `ClusterIP` | +| `metrics.service.ports.metrics` | Port of the Prometheus metrics service | `9216` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `15` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `5` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `10` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `10` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` | +| `metrics.startupProbe.periodSeconds` | Period seconds for 
startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `30` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Override default liveness probe for MongoDB(®) containers | `{}` | +| `metrics.customReadinessProbe` | Override default readiness probe for MongoDB(®) containers | `{}` | +| `metrics.customStartupProbe` | Override default startup probe for MongoDB(®) containers | `{}` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the metrics container(s) | `[]` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace which Prometheus is running in | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | Specify the timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricsRelabelConfigs to apply to samples before ingestion. | `[]` | +| `metrics.serviceMonitor.labels` | Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. 
| `""` | +| `metrics.prometheusRule.enabled` | Set this to true to create prometheusRules for Prometheus operator | `false` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so prometheusRules will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.namespace` | Namespace where prometheusRules resource should be created | `""` | +| `metrics.prometheusRule.rules` | Rules to be created, check values for an example | `[]` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```console +helm install my-release \ + --set auth.rootPassword=secretpassword,auth.username=my-user,auth.password=my-password,auth.database=my-database \ + oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The above command sets the MongoDB(®) `root` account password to `secretpassword`. Additionally, it creates a standard database user named `my-user`, with the password `my-password`, who has access to a database named `my-database`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. 
For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/mongodb/values.yaml) + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +### To 16.4.0 + +This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). + +If authentication is enabled, it's necessary to set the `auth.rootPassword` (also `auth.replicaSetKey` when using a replicaset architecture) when upgrading for readiness/liveness probes to work properly. When you install this chart for the first time, some notes will be displayed providing the credentials you must use under the 'Credentials' section. Please note down the password, and run the command below to upgrade your chart: + +```console +helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mongodb --set auth.rootPassword=[PASSWORD] (--set auth.replicaSetKey=[REPLICASETKEY]) +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> Note: you need to substitute the placeholders [PASSWORD] and [REPLICASETKEY] with the values obtained in the installation notes. 
+ +### To 16.0.0 + +To upgrade to MongoDB `8.0` from a `7.0` deployment, the `7.0` deployment must have `featureCompatibilityVersion` set to `7.0`. Please refer to the [official documentation](https://www.mongodb.com/docs/manual/release-notes/8.0/#upgrade-procedures). + +### To 15.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). +- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + +### To 12.0.0 + +This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. 
+ +Affected values: + +- `strategyType` is replaced by `updateStrategy` +- `service.port` is renamed to `service.ports.mongodb` +- `service.nodePort` is renamed to `service.nodePorts.mongodb` +- `externalAccess.service.port` is renamed to `externalAccess.hidden.service.ports.mongodb` +- `rbac.role.rules` is renamed to `rbac.rules` +- `externalAccess.hidden.service.port` is renamed ot `externalAccess.hidden.service.ports.mongodb` +- `hidden.strategyType` is replaced by `hidden.updateStrategy` +- `metrics.serviceMonitor.relabellings` is renamed to `metrics.serviceMonitor.relabelings`(typo fixed) +- `metrics.serviceMonitor.additionalLabels` is renamed to `metrics.serviceMonitor.labels` + +Additionally also updates the MongoDB image dependency to it newest major, 5.0 + +### To 11.0.0 + +In this version, the mongodb-exporter bundled as part of this Helm chart was updated to a new version which, even it is not a major change, can contain breaking changes (from `0.11.X` to `0.30.X`). +Please visit the release notes from the upstream project at + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +### To 9.0.0 + +MongoDB(®) container images were updated to `4.4.x` and it can affect compatibility with older versions of MongoDB(®). Refer to the following guides to upgrade your applications: + +- [Standalone](https://docs.mongodb.com/manual/release-notes/4.4-upgrade-standalone/) +- [Replica Set](https://docs.mongodb.com/manual/release-notes/4.4-upgrade-replica-set/) + +### To 8.0.0 + +- Architecture used to configure MongoDB(®) as a replicaset was completely refactored. Now, both primary and secondary nodes are part of the same statefulset. 
+- Chart labels were adapted to follow the Helm charts best practices. +- This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. +- Several parameters were renamed or disappeared in favor of new ones on this major version. These are the most important ones: + - `replicas` is renamed to `replicaCount`. + - Authentication parameters are reorganized under the `auth.*` parameter: + - `usePassword` is renamed to `auth.enabled`. + - `mongodbRootPassword`, `mongodbUsername`, `mongodbPassword`, `mongodbDatabase`, and `replicaSet.key` are now `auth.rootPassword`, `auth.username`, `auth.password`, `auth.database`, and `auth.replicaSetKey` respectively. + - `securityContext.*` is deprecated in favor of `podSecurityContext` and `containerSecurityContext`. + - Parameters prefixed with `mongodb` are renamed removing the prefix. E.g. `mongodbEnableIPv6` is renamed to `enableIPv6`. + - Parameters affecting Arbiter nodes are reorganized under the `arbiter.*` parameter. + +Consequences: + +- Backwards compatibility is not guaranteed. To upgrade to `8.0.0`, install a new release of the MongoDB(®) chart, and migrate your data by creating a backup of the database, and restoring it on the new release. + +### To 7.0.0 + +From this version, the way of setting the ingress rules has changed. 
Instead of using `ingress.paths` and `ingress.hosts` as separate objects, you should now define the rules as objects inside the `ingress.hosts` value, for example: + +```yaml +ingress: + hosts: + - name: mongodb.local + path: / +``` + +### To 6.0.0 + +From this version, `mongodbEnableIPv6` is set to `false` by default in order to work properly in most k8s clusters, if you want to use IPv6 support, you need to set this variable to `true` by adding `--set mongodbEnableIPv6=true` to your `helm` command. +You can find more information in the [`bitnami/mongodb` image README](https://github.com/bitnami/containers/tree/main/bitnami/mongodb#readme). + +### To 5.0.0 + +When enabling replicaset configuration, backwards compatibility is not guaranteed unless you modify the labels used on the chart's statefulsets. +Use the workaround below to upgrade from versions previous to 5.0.0. The following example assumes that the release name is `my-release`: + +```console +kubectl delete statefulset my-release-mongodb-arbiter my-release-mongodb-primary my-release-mongodb-secondary --cascade=false +``` + +### Add extra deployment options + +To add extra deployments (useful for advanced features like sidecars), use the `extraDeploy` property. 
+ +In the example below, you can find how to use a example here for a [MongoDB replica set pod labeler sidecar](https://github.com/combor/k8s-mongo-labeler-sidecar) to identify the primary pod and dynamically label it as the primary node: + +```yaml +extraDeploy: + - apiVersion: v1 + kind: Service + metadata: + name: mongodb-primary + namespace: default + labels: + app.kubernetes.io/component: mongodb + app.kubernetes.io/instance: mongodb + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mongodb + spec: + type: NodePort + externalTrafficPolicy: Cluster + ports: + - name: mongodb-primary + port: 30001 + nodePort: 30001 + protocol: TCP + targetPort: mongodb + selector: + app.kubernetes.io/component: mongodb + app.kubernetes.io/instance: mongodb + app.kubernetes.io/name: mongodb + primary: "true" +``` + +## License + +Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/kubernetes/common/mongodb/common/.helmignore b/kubernetes/common/mongodb/common/.helmignore new file mode 100644 index 0000000000..d0e10845d2 --- /dev/null +++ b/kubernetes/common/mongodb/common/.helmignore 
@@ -0,0 +1,26 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/kubernetes/common/mongodb/common/CHANGELOG.md b/kubernetes/common/mongodb/common/CHANGELOG.md new file mode 100644 index 0000000000..8f3dfe0996 --- /dev/null +++ b/kubernetes/common/mongodb/common/CHANGELOG.md 
@@ -0,0 +1,658 @@ +# Changelog + +## 2.31.1 (2025-05-07) + +* [bitnami/common] chore: :recycle: Remove unused helpers ([#33496](https://github.com/bitnami/charts/pull/33496)) + +## 2.31.0 (2025-05-05) + +* [bitnami/common] chore: :recycle: Remove deprecated APIs (<1.23.0) (#33320) ([3826a9e](https://github.com/bitnami/charts/commit/3826a9e1488c12545f11cf8cb1a11d23daf90602)), closes [#33320](https://github.com/bitnami/charts/issues/33320) + +## 2.30.2 (2025-04-30) + +* [bitnami/common] add namespaces to extraPodAffinityTerms for affinities (#33173) ([4e35d60](https://github.com/bitnami/charts/commit/4e35d6016945db7b9fd4eef72b177d4826d69ece)), closes [#33173](https://github.com/bitnami/charts/issues/33173) + +## 2.30.1 (2025-04-30) + +* [bitnami/common] Allows tpl in provided passwords "common.secrets.passwords.manage" (#33196) ([1f53dd8](https://github.com/bitnami/charts/commit/1f53dd862f2aca1071f5734c3ba825e3ff4fa383)), closes [#33196](https://github.com/bitnami/charts/issues/33196) +* [bitnami/common] Restore 'Paremeters' section of the README (#32861) ([72f3f35](https://github.com/bitnami/charts/commit/72f3f353e35da99060a1662770655a12a2253887)), closes [#32861](https://github.com/bitnami/charts/issues/32861) + +## 2.30.0 (2025-02-19) + +* [bitnami/*] Use CDN url for the Bitnami Application Icons (#31881) ([d9bb11a](https://github.com/bitnami/charts/commit/d9bb11a9076b9bfdcc70ea022c25ef50e9713657)), closes [#31881](https://github.com/bitnami/charts/issues/31881) +* [bitnami/common] Add helper to check API versions (#31969) ([5ba89c5](https://github.com/bitnami/charts/commit/5ba89c5afc3d57e36f90364638d9beabb32499f4)), closes [#31969](https://github.com/bitnami/charts/issues/31969) +* Update copyright year (#31682) ([e9f02f5](https://github.com/bitnami/charts/commit/e9f02f5007068751f7eb2270fece811e685c99b6)), closes [#31682](https://github.com/bitnami/charts/issues/31682) + +## 2.29.1 (2025-01-23) + +* [bitnami/common] Removing seLinuxOptions from omission (#31279) 
([e7cb168](https://github.com/bitnami/charts/commit/e7cb168ca2bccd57e28bb985e099953a4f7e3b38)), closes [#31279](https://github.com/bitnami/charts/issues/31279) [#31278](https://github.com/bitnami/charts/issues/31278) + +## 2.29.0 (2025-01-03) + +* [bitnami/common] Add "common.capabilities.job.apiVersion" template (#31164) ([2ca979a](https://github.com/bitnami/charts/commit/2ca979a6add279384d60e6b35199eaf13553cefa)), closes [#31164](https://github.com/bitnami/charts/issues/31164) + +## 2.28.0 (2024-12-10) + +* [bitnami/common] New helper to detect non-standard images (#30851) ([ae33d01](https://github.com/bitnami/charts/commit/ae33d01968e8a353a569785f9867827153c797dc)), closes [#30851](https://github.com/bitnami/charts/issues/30851) + +## 2.27.2 (2024-11-27) + +* [bitnami/common] Fix appVersion (#30628) ([b87d39e](https://github.com/bitnami/charts/commit/b87d39e27a0889c74b20c3d2fe5ae0c4a2417bfd)), closes [#30628](https://github.com/bitnami/charts/issues/30628) +* [bitnami/common]: bump patch version (#30639) ([623e584](https://github.com/bitnami/charts/commit/623e5846ff827b7ecbcffa2dc51e2e94b14ef8fd)), closes [#30639](https://github.com/bitnami/charts/issues/30639) + +## 2.27.1 (2024-11-26) + +* [bitnami/common] Fix VPA apiVersion (#30625) ([8c24438](https://github.com/bitnami/charts/commit/8c24438a2f6e8ec646cad9901ed82d71d4196e3e)), closes [#30625](https://github.com/bitnami/charts/issues/30625) + +## 2.27.0 (2024-11-07) + +* [bitnami/*] Remove wrong comment about imagePullPolicy (#30107) ([a51f9e4](https://github.com/bitnami/charts/commit/a51f9e4bb0fbf77199512d35de7ac8abe055d026)), closes [#30107](https://github.com/bitnami/charts/issues/30107) +* [bitnami/common] feat: :sparkles: Add honorProvidedValues in common.secrets.manage (#30243) ([3d76a49](https://github.com/bitnami/charts/commit/3d76a4955c11fa4d2464da2c4d2096e1e3c6fa37)), closes [#30243](https://github.com/bitnami/charts/issues/30243) +* Update documentation links to techdocs.broadcom.com (#29931) 
([f0d9ad7](https://github.com/bitnami/charts/commit/f0d9ad78f39f633d275fc576d32eae78ded4d0b8)), closes [#29931](https://github.com/bitnami/charts/issues/29931) + +## 2.26.0 (2024-10-14) + +* [bitnami/common] Drop unused custom empty password validators (#29432) ([5fb0e97](https://github.com/bitnami/charts/commit/5fb0e97d9336d40d86c3295637d4233218b8afea)), closes [#29432](https://github.com/bitnami/charts/issues/29432) + +## 2.25.0 (2024-10-11) + +* [bitnami/common] Add the ability to specify namespaces for affinity (#29479) ([005e0d6](https://github.com/bitnami/charts/commit/005e0d696004dd972915f290b7caffb2bc332400)), closes [#29479](https://github.com/bitnami/charts/issues/29479) + +## 2.24.0 (2024-10-03) + +* [bitnami/common] Add common.tplvalues.merge-overwrite helper (#29668) ([611b2a5](https://github.com/bitnami/charts/commit/611b2a59e06feaac878b3b218fd848a687216158)), closes [#29668](https://github.com/bitnami/charts/issues/29668) + +## 2.23.0 (2024-09-13) + +* [bitnami/common] Add option to remove empty seLinuxOptions from securityContext in non OpenShift env ([7e44e64](https://github.com/bitnami/charts/commit/7e44e64626f5b1fc6d56889cdfdeadc1f62c7cf1)), closes [#28945](https://github.com/bitnami/charts/issues/28945) + +## 2.22.0 (2024-08-08) + +* [bitnami/common] Fallback to chart appVersion in common.images.image (#28764) ([b4aa0a6](https://github.com/bitnami/charts/commit/b4aa0a685a21c50ca10e41e3eb2023bbd4282cf7)), closes [#28764](https://github.com/bitnami/charts/issues/28764) + +## 2.21.0 (2024-08-05) + +* [bitnami/common] Allow handling of new secrets after initial installation (#28581) ([07062ee](https://github.com/bitnami/charts/commit/07062ee01382e24b8204b27083ff3e8102110c2f)), closes [#28581](https://github.com/bitnami/charts/issues/28581) + +## 2.20.5 (2024-07-16) + +* [bitnami/common] [bitnami/wordpress] Use global.storageClass for fallback, not override (#24863) 
([2b78e13](https://github.com/bitnami/charts/commit/2b78e137ac278cdf9d54523e8d37833a4ff0cd5b)), closes [#24863](https://github.com/bitnami/charts/issues/24863) + +## 2.20.4 (2024-07-11) + +* [bitnami/*] Update README changing TAC wording (#27530) ([52dfed6](https://github.com/bitnami/charts/commit/52dfed6bac44d791efabfaf06f15daddc4fefb0c)), closes [#27530](https://github.com/bitnami/charts/issues/27530) +* [bitnami/common] Increase ephemeral-storage default limits (#27902) ([dc0000d](https://github.com/bitnami/charts/commit/dc0000d7b56f68991bb8d8fff473103ed9026f5f)), closes [#27902](https://github.com/bitnami/charts/issues/27902) + +## 2.20.3 (2024-06-17) + +* [bitnami/common] chore: :wrench: Relax large and xlarge presets resource requests (#27312) ([6ca69f6](https://github.com/bitnami/charts/commit/6ca69f6769d0f65acc850fa0bcc08506de50cc41)), closes [#27312](https://github.com/bitnami/charts/issues/27312) + +## 2.20.2 (2024-06-10) + +* [bitnami/common] remove trailing spaces from imagePullSecrets rendering (#26882) ([362d4ac](https://github.com/bitnami/charts/commit/362d4ac94dd69be1b607fc531ceac4d67d8d57ef)), closes [#26882](https://github.com/bitnami/charts/issues/26882) + +## 2.20.1 (2024-06-10) + +* [bitnami/common] improve renderSecurityContext (#27053) ([5f0bdde](https://github.com/bitnami/charts/commit/5f0bdde77cf05afa20cb4a800090748a8d102d02)), closes [#27053](https://github.com/bitnami/charts/issues/27053) + +## 2.20.0 (2024-06-05) + +* [bitnami/*] ci: :construction_worker: Add tag and changelog support (#25359) ([91c707c](https://github.com/bitnami/charts/commit/91c707c9e4e574725a09505d2d313fb93f1b4c0a)), closes [#25359](https://github.com/bitnami/charts/issues/25359) +* [bitnami/common] Capabilities to return latest apiVersion if kubeVersion is undefined (#26758) ([6582c32](https://github.com/bitnami/charts/commit/6582c3237b772af9cb379f7eaceddb2d64b507f0)), closes [#26758](https://github.com/bitnami/charts/issues/26758) +* [bitnami/common] docs: :memo: 
Add changelog ([23349c9](https://github.com/bitnami/charts/commit/23349c99b70313f3e19ebcf9d3e0c154836b2cc0)) + +## 2.19.3 (2024-05-20) + +* [bitnami/*] Change non-root and rolling-tags doc URLs (#25628) ([b067c94](https://github.com/bitnami/charts/commit/b067c94f6bcde427863c197fd355f0b5ba12ff5b)), closes [#25628](https://github.com/bitnami/charts/issues/25628) +* [bitnami/*] Set new header/owner (#25558) ([8d1dc11](https://github.com/bitnami/charts/commit/8d1dc11f5fb30db6fba50c43d7af59d2f79deed3)), closes [#25558](https://github.com/bitnami/charts/issues/25558) +* [bitnami/common] feat: :sparkles: Show warning when original images are replaced (#25952) ([855045a](https://github.com/bitnami/charts/commit/855045a1a62618154c1216e8da31a4d2c14c7586)), closes [#25952](https://github.com/bitnami/charts/issues/25952) + +## 2.19.2 (2024-04-29) + +* [bitnami/common] Simplify syntax to deal with nullable objects (#25446) ([7dcea6a](https://github.com/bitnami/charts/commit/7dcea6aeb7c45d56bd6175b457bb8a2cddf8defc)), closes [#25446](https://github.com/bitnami/charts/issues/25446) +* Replace VMware by Broadcom copyright text (#25306) ([a5e4bd0](https://github.com/bitnami/charts/commit/a5e4bd0e35e419203793976a78d9d0a13de92c76)), closes [#25306](https://github.com/bitnami/charts/issues/25306) + +## 2.19.1 (2024-03-27) + +* [bitnami/common] chore: :wrench: Relax preset resource requests xlarge and 2xlarge instances (#24713 ([fdd93bb](https://github.com/bitnami/charts/commit/fdd93bb2a2f73a7df3e498b5072736a54610a908)), closes [#24713](https://github.com/bitnami/charts/issues/24713) + +## 2.19.0 (2024-03-08) + +* [bitnami/common] feat: :sparkles: Remove empty seLinuxOptions in adapted Openshift rendered security ([1f2f5ef](https://github.com/bitnami/charts/commit/1f2f5ef476efba7f284df0c36c265216325ffda9)), closes [#24268](https://github.com/bitnami/charts/issues/24268) + +## 2.18.0 (2024-03-04) + +* [bitnami/common] feat: :sparkles: :lock: Add compatibility support for securityContext 
in Openshift ([8fb0dd4](https://github.com/bitnami/charts/commit/8fb0dd48b6d7ec69bb59db2376365f6d76b26d97)), closes [#24040](https://github.com/bitnami/charts/issues/24040) + +## 2.17.0 (2024-02-20) + +* [bitnami/*] Bump all versions (#23602) ([b70ee2a](https://github.com/bitnami/charts/commit/b70ee2a30e4dc256bf0ac52928fb2fa7a70f049b)), closes [#23602](https://github.com/bitnami/charts/issues/23602) + +## 2.16.1 (2024-02-19) + +* [bitnami/common] chore: :wrench: Bump ephemeral storage limits (#23564) ([18c4d88](https://github.com/bitnami/charts/commit/18c4d88f7d4ae93f36d0896fa66dbe872bba1c48)), closes [#23564](https://github.com/bitnami/charts/issues/23564) + +## 2.16.0 (2024-02-15) + +* [bitnami/common] feat: :sparkles: Add ephemeral-storage to resources preset (#23544) ([23b6856](https://github.com/bitnami/charts/commit/23b68563a0e2e721aa07864cff1b877e1d074388)), closes [#23544](https://github.com/bitnami/charts/issues/23544) + +## 2.15.3 (2024-02-14) + +* [bitnami/common] chore: :pencil2: Fix typo in comment ([d07fb32](https://github.com/bitnami/charts/commit/d07fb324bd6455bf8607f66c642ff346443199ba)) + +## 2.15.2 (2024-02-14) + +* [bitnami/common] fix: :children_crossing: Improve resource warning message (#23425) ([7593e4f](https://github.com/bitnami/charts/commit/7593e4fc69fb8c50f7d626cc305c5adc56d23f48)), closes [#23425](https://github.com/bitnami/charts/issues/23425) + +## 2.15.1 (2024-02-13) + +* [bitnami/common] fix: :bug: Check if section is enabled before printing resource warning ([262b6ee](https://github.com/bitnami/charts/commit/262b6ee64c57a5293333879ec423ad41c44f162c)) + +## 2.15.0 (2024-02-13) + +* [bitnami/*] Fix docs.bitnami.com broken links (#21901) ([f35506d](https://github.com/bitnami/charts/commit/f35506d2dadee4f097986e7792df1f53ab215b5d)), closes [#21901](https://github.com/bitnami/charts/issues/21901) +* [bitnami/*] Move documentation sections from docs.bitnami.com back to the README (#22203) 
([7564f36](https://github.com/bitnami/charts/commit/7564f36ca1e95ff30ee686652b7ab8690561a707)), closes [#22203](https://github.com/bitnami/charts/issues/22203) +* [bitnami/*] Update copyright: Year and company (#21815) ([6c4bf75](https://github.com/bitnami/charts/commit/6c4bf75dec58fc7c9aee9f089777b1a858c17d5b)), closes [#21815](https://github.com/bitnami/charts/issues/21815) +* [bitnami/common] feat: :sparkles: Add support for resource presets (#23410) ([310d9f9](https://github.com/bitnami/charts/commit/310d9f9e44cb913a2e482f57107970ed5bde9a69)), closes [#23410](https://github.com/bitnami/charts/issues/23410) + +## 2.14.1 (2023-12-19) + +* [bitnami/common] Fix typo with new line in common.secrets.passwords.manage (#21653) ([7e70463](https://github.com/bitnami/charts/commit/7e704634ef564adac330f1e0a67feb2a40a271dc)), closes [#21653](https://github.com/bitnami/charts/issues/21653) + +## 2.14.0 (2023-12-19) + +* [bitnami/common] add params skipB64enc and skipQuote to common.secrets.passwords.manage (#21595) ([2070eeb](https://github.com/bitnami/charts/commit/2070eeb30bbf48639e0177a42f65a1d13f42a180)), closes [#21595](https://github.com/bitnami/charts/issues/21595) + +## 2.13.4 (2023-12-15) + +* [bitnami/*] Remove relative links to non-README sections, add verification for that and update TL;DR ([1103633](https://github.com/bitnami/charts/commit/11036334d82df0490aa4abdb591543cab6cf7d7f)), closes [#20967](https://github.com/bitnami/charts/issues/20967) +* [bitnami/*] Rename VMware Application Catalog (#20361) ([3acc734](https://github.com/bitnami/charts/commit/3acc73472beb6fb56c4d99f929061001205bc57e)), closes [#20361](https://github.com/bitnami/charts/issues/20361) +* [bitnami/common] fix failOnNew implementation in common.secrets.passwords.manage (#21342) ([76a5f24](https://github.com/bitnami/charts/commit/76a5f248fbceb3d1d948c7e60fbba74fd7eb3200)), closes [#21342](https://github.com/bitnami/charts/issues/21342) +* [bitnami/common] Standardize documentation (#20334) 
([3af2426](https://github.com/bitnami/charts/commit/3af242606877aea25c623b4185e6fcd285b7308d)), closes [#20334](https://github.com/bitnami/charts/issues/20334) + +## 2.13.3 (2023-10-17) + +* [bitnami/*] Update Helm charts prerequisites (#19745) ([eb755dd](https://github.com/bitnami/charts/commit/eb755dd36a4dd3cf6635be8e0598f9a7f4c4a554)), closes [#19745](https://github.com/bitnami/charts/issues/19745) +* [bitnami/common]: Address admission configuration typo (#19840) ([9a936f1](https://github.com/bitnami/charts/commit/9a936f158646e101c2507421fdcb85b787bbaf64)), closes [#19840](https://github.com/bitnami/charts/issues/19840) + +## 2.13.2 (2023-10-05) + +* [bitnami/common] update imagePullSecrets to handle map and list format (#19702) ([1d30563](https://github.com/bitnami/charts/commit/1d30563bf53d4c0ac898cf1070af57aa28a039f1)), closes [#19702](https://github.com/bitnami/charts/issues/19702) + +## 2.13.1 (2023-10-04) + +* [bitnami/common] render labels correctly when they contains templates (#19680) ([3cb44e3](https://github.com/bitnami/charts/commit/3cb44e376a472ca6721866b09f6d0ab412338cbc)), closes [#19680](https://github.com/bitnami/charts/issues/19680) + +## 2.13.0 (2023-09-29) + +* [bitnami/common]: Add capabilities macros to manage Pod Security Standard objects (#19428) ([322b76d](https://github.com/bitnami/charts/commit/322b76d6450840f08d53ecfddb5e151cac5c9e88)), closes [#19428](https://github.com/bitnami/charts/issues/19428) + +## 2.12.1 (2023-09-29) + +* [bitnami/common] allow for empty appVersion (#19467) ([8b46a33](https://github.com/bitnami/charts/commit/8b46a3366abc7d216d16ace89675f3fc42691e8f)), closes [#19467](https://github.com/bitnami/charts/issues/19467) + +## 2.12.0 (2023-09-22) + +* [bitnami/common] new macro to checksum config resources (#19261) ([73945fe](https://github.com/bitnami/charts/commit/73945fedfa2acff03fe172430fcc4b8bcf55282f)), closes [#19261](https://github.com/bitnami/charts/issues/19261) +* Revert "Autogenerate schema files 
(#19194)" (#19335) ([73d80be](https://github.com/bitnami/charts/commit/73d80be525c88fb4b8a54451a55acd506e337062)), closes [#19194](https://github.com/bitnami/charts/issues/19194) [#19335](https://github.com/bitnami/charts/issues/19335) + +## 2.11.1 (2023-09-15) + +* Common - Adding app.kubernetes.io/version to common labels (#17201) ([9c497be](https://github.com/bitnami/charts/commit/9c497be9d99a98a20cd01e5858014e097ebe0eaa)), closes [#17201](https://github.com/bitnami/charts/issues/17201) + +## 2.11.0 (2023-09-12) + +* [bitnami/common] New helper to return image version (#19223) ([db46696](https://github.com/bitnami/charts/commit/db466964c6cfb3368ab87be6bb4d16f74d5c6fd0)), closes [#19223](https://github.com/bitnami/charts/issues/19223) +* Autogenerate schema files (#19194) ([a2c2090](https://github.com/bitnami/charts/commit/a2c2090b5ac97f47b745c8028c6452bf99739772)), closes [#19194](https://github.com/bitnami/charts/issues/19194) + +## 2.10.1 (2023-09-08) + +* [bitnami/common]: Compatiblity with Helm 3.2.0+ (#19177) ([e4fc03d](https://github.com/bitnami/charts/commit/e4fc03d96bef6ab0318d642fb65ba508c49844f1)), closes [#19177](https://github.com/bitnami/charts/issues/19177) + +## 2.10.0 (2023-09-04) + +* [bitnami/common] new macro to merge a list of values with rendering (#18889) ([0fb66f2](https://github.com/bitnami/charts/commit/0fb66f2c6f6828a240a0c1e6857c337bf9f4202a)), closes [#18889](https://github.com/bitnami/charts/issues/18889) + +## 2.9.2 (2023-08-31) + +* Avoid using a tpl when there is no template (#18792) ([134924a](https://github.com/bitnami/charts/commit/134924a260fe2cd758a954f34e89ccb14012f348)), closes [#18792](https://github.com/bitnami/charts/issues/18792) + +## 2.9.1 (2023-08-29) + +* [bitnami/common] Add extraLabelSelectors to affinities templates (#18127) ([b9ecfdb](https://github.com/bitnami/charts/commit/b9ecfdb3421a057b76e6f35f58c26e631c74e686)), closes [#18127](https://github.com/bitnami/charts/issues/18127) + +## 2.9.0 (2023-08-22) + +* 
[bitnami/common] Add support for customizing standard labels (#18154) ([9a20483](https://github.com/bitnami/charts/commit/9a20483cfd1daa6bfe08fd8116516a9bb5cd9754)), closes [#18154](https://github.com/bitnami/charts/issues/18154) + +## 2.8.0 (2023-08-07) + +* [bitnami/common] Delete app kubernetes version field (#18240) ([5fe3ee4](https://github.com/bitnami/charts/commit/5fe3ee44eed88e9b6843c70cbeb6378194b2276b)), closes [#18240](https://github.com/bitnami/charts/issues/18240) + +## 2.7.0 (2023-08-07) + +* Add app.kubernetes.io/version based on AppVersion (#18194) ([4f698f8](https://github.com/bitnami/charts/commit/4f698f8ac54fc68cd8dab433b7c2d8ffb77a4067)), closes [#18194](https://github.com/bitnami/charts/issues/18194) + +## 2.6.0 (2023-07-04) + +* [bitnami/common] Add scope for common.tplvalues.render (#17033) ([daf1b54](https://github.com/bitnami/charts/commit/daf1b5445a5e1c961ab78673899dd8007b4f1000)), closes [#17033](https://github.com/bitnami/charts/issues/17033) + +## 2.5.0 (2023-06-30) + +* [bitnami/*] Change copyright section in READMEs (#17006) ([ef986a1](https://github.com/bitnami/charts/commit/ef986a1605241102b3dcafe9fd8089e6fc1201ad)), closes [#17006](https://github.com/bitnami/charts/issues/17006) +* [bitnami/common] Update common.secrets.passwords.manage and common.secrets.lookup (#17397) ([5a73cf1](https://github.com/bitnami/charts/commit/5a73cf19f92b93d88ee766669a947375135db903)), closes [#17397](https://github.com/bitnami/charts/issues/17397) +* [bitnami/several] Change copyright section in READMEs (#16989) ([5b6a5cf](https://github.com/bitnami/charts/commit/5b6a5cfb7625a751848a2e5cd796bd7278f406ca)), closes [#16989](https://github.com/bitnami/charts/issues/16989) +* Add copyright header (#17300) ([da68be8](https://github.com/bitnami/charts/commit/da68be8e951225133c7dfb572d5101ca3d61c5ae)), closes [#17300](https://github.com/bitnami/charts/issues/17300) +* Update charts readme (#17217) 
([31b3c0a](https://github.com/bitnami/charts/commit/31b3c0afd968ff4429107e34101f7509e6a0e913)), closes [#17217](https://github.com/bitnami/charts/issues/17217) + +## 2.4.0 (2023-05-18) + +* [bitnami/common] feat: :sparkles: Add apiVersions for DaemonSet and VPA ([a86cfaf](https://github.com/bitnami/charts/commit/a86cfaf0acb7cc26a7a91256f4b76db8f31797ef)) + +## 2.3.0 (2023-05-12) + +* Add wording for enterprise page (#16560) ([8f22774](https://github.com/bitnami/charts/commit/8f2277440b976d52785ba9149762ad8620a73d1f)), closes [#16560](https://github.com/bitnami/charts/issues/16560) +* Remove duplicate in image pull secrets (#16529) ([ddfea70](https://github.com/bitnami/charts/commit/ddfea70831875639cb298a555ad6dd5e68f059e4)), closes [#16529](https://github.com/bitnami/charts/issues/16529) + +## 2.2.6 (2023-05-09) + +* [bitnami/several] Adapt Chart.yaml to set desired OCI annotations (#16546) ([fc9b18f](https://github.com/bitnami/charts/commit/fc9b18f2e98805d4df629acbcde696f44f973344)), closes [#16546](https://github.com/bitnami/charts/issues/16546) + +## 2.2.5 (2023-05-02) + +* [bitnami/*] Make Helm charts 100% OCI (#15998) ([8841510](https://github.com/bitnami/charts/commit/884151035efcbf2e1b3206e7def85511073fb57d)), closes [#15998](https://github.com/bitnami/charts/issues/15998) +* [bitnami/common] Fix typo in README.md to test chart publishing from GitHub (#16143) ([5b05ec3](https://github.com/bitnami/charts/commit/5b05ec32caa73240d38135e19501ab2658397d2e)), closes [#16143](https://github.com/bitnami/charts/issues/16143) + +## 2.2.4 (2023-03-07) + +* [bitnami/*] Fix markdown linter issues (#14874) ([a51e0e8](https://github.com/bitnami/charts/commit/a51e0e8d35495b907f3e70dd2f8e7c3bcbf4166a)), closes [#14874](https://github.com/bitnami/charts/issues/14874) +* [bitnami/*] Fix markdown linter issues 2 (#14890) ([aa96572](https://github.com/bitnami/charts/commit/aa9657237ee8df4a46db0d7fdf8a23230dd6902a)), closes [#14890](https://github.com/bitnami/charts/issues/14890) 
+* [bitnami/common] Allow empty registry name (#15296) ([f13df7b](https://github.com/bitnami/charts/commit/f13df7b00f38e5fce67eab7a1b78afb0b064344e)), closes [#15296](https://github.com/bitnami/charts/issues/15296) + +## 2.2.3 (2023-02-03) + +* [bitnami/*] Add license annotation and remove obsolete engine parameter (#14293) ([da2a794](https://github.com/bitnami/charts/commit/da2a7943bae95b6e9b5b4ed972c15e990b69fdb0)), closes [#14293](https://github.com/bitnami/charts/issues/14293) +* [bitnami/*] Change copyright date (#14682) ([add4ec7](https://github.com/bitnami/charts/commit/add4ec701108ac36ed4de2dffbdf407a0d091067)), closes [#14682](https://github.com/bitnami/charts/issues/14682) +* [bitnami/*] Change licenses annotation format (#14377) ([0ab7608](https://github.com/bitnami/charts/commit/0ab760862c660fcc78cffadf8e1d8cdd70881473)), closes [#14377](https://github.com/bitnami/charts/issues/14377) +* [bitnami/*] Unify READMEs (#14472) ([2064fb8](https://github.com/bitnami/charts/commit/2064fb8dcc78a845cdede8211af8c3cc52551161)), closes [#14472](https://github.com/bitnami/charts/issues/14472) +* [bitnami/common] chore: Correct common.images.image global in example (#14735) ([69ada7d](https://github.com/bitnami/charts/commit/69ada7da0c9c6b7ce718faef6920c61e3632fd02)), closes [#14735](https://github.com/bitnami/charts/issues/14735) + +## 2.2.2 (2022-12-12) + +* [bitnami/common] resolve namespace using common.names.namespace macro (#13481) ([35b84e8](https://github.com/bitnami/charts/commit/35b84e8ba209681d4f160ca102188af61307fccf)), closes [#13481](https://github.com/bitnami/charts/issues/13481) + +## 2.2.1 (2022-11-25) + +* [bitnami/common] fix common topology key affinity function (#13593) ([f95dec8](https://github.com/bitnami/charts/commit/f95dec803bd138b76d67a296545974c5a644d63e)), closes [#13593](https://github.com/bitnami/charts/issues/13593) + +## 2.2.0 (2022-11-14) + +* [bitnami/common] affinity topologyKey override (#13435) 
([624c14e](https://github.com/bitnami/charts/commit/624c14e7121557e6a29ff0e814cb800c2f3cf619)), closes [#13435](https://github.com/bitnami/charts/issues/13435) +* [bitnami/common] Fixed naming of common.secrets.passwords.manage function in README (#13250) ([39a8bcb](https://github.com/bitnami/charts/commit/39a8bcbb1b606cc165643ae4ddcdc15f05e91583)), closes [#13250](https://github.com/bitnami/charts/issues/13250) + +## 2.1.2 (2022-10-31) + +* [bitnami/common] Do not explicitly specify namespace in affinity term. (#12932) ([638a48e](https://github.com/bitnami/charts/commit/638a48e4d3ec7b5d160f4b525ec40218512c464b)), closes [#12932](https://github.com/bitnami/charts/issues/12932) [#12668](https://github.com/bitnami/charts/issues/12668) + +## 2.1.1 (2022-10-27) + +* [bitnami/common] Fix appVersion mismatch (#13189) ([42b3b3e](https://github.com/bitnami/charts/commit/42b3b3e6c68e6af8ba19f7ec42be0d71b4c21852)), closes [#13189](https://github.com/bitnami/charts/issues/13189) + +## 2.1.0 (2022-10-27) + +* [bitnami/common] Add new function 'common.secrets.lookup' (#13150) ([e848934](https://github.com/bitnami/charts/commit/e84893410321b88adbd7d2e40b891685a15ce640)), closes [#13150](https://github.com/bitnami/charts/issues/13150) + +## 2.0.4 (2022-10-24) + +* [bitnami/*] Use new default branch name in links (#12943) ([a529e02](https://github.com/bitnami/charts/commit/a529e02597d49d944eba1eb0f190713293247176)), closes [#12943](https://github.com/bitnami/charts/issues/12943) +* [bitnami/common] kubernetes.io/tls-acme Ingress annotation triggers IngressTLS array (#13054) ([2008857](https://github.com/bitnami/charts/commit/200885790b34afd6fd04ea45949c887a907b6b38)), closes [#13054](https://github.com/bitnami/charts/issues/13054) +* [bitnami/common] quote secret value when lookup (#11276) ([c8e3019](https://github.com/bitnami/charts/commit/c8e301965f05996a2ae18e0fc8dbfcbe64428356)), closes [#11276](https://github.com/bitnami/charts/issues/11276) + +## 2.0.3 (2022-09-12) + +* 
[bitnami/common] Revert changes in HPA context from #12282 (#12372) ([55fdc3a](https://github.com/bitnami/charts/commit/55fdc3aff3e32502abfd8f0607ac2be54e585744)), closes [#12282](https://github.com/bitnami/charts/issues/12282) [#12372](https://github.com/bitnami/charts/issues/12372) + +## 2.0.2 (2022-09-05) + +* fix context for HPA util (#12282) ([ccd54a0](https://github.com/bitnami/charts/commit/ccd54a0d47a96903f499fbcdb52a336863020efe)), closes [#12282](https://github.com/bitnami/charts/issues/12282) + +## 2.0.1 (2022-08-23) + +* [bitnami/common] Digest/Tag new approach backward compatible (#12029) ([f1c27dc](https://github.com/bitnami/charts/commit/f1c27dc5d9540c2ea192abf1245da67f5b4f8916)), closes [#12029](https://github.com/bitnami/charts/issues/12029) + +## 2.0.0 (2022-08-18) + +* [bitnami/common] MAJOR: Add support for image digest apart from tag (#11830) ([e3fee4e](https://github.com/bitnami/charts/commit/e3fee4e41d34a6584660c3b77b8521922603ccab)), closes [#11830](https://github.com/bitnami/charts/issues/11830) + +## 1.17.1 (2022-08-18) + +* Revert changes from #11797 (#11829) ([22bb033](https://github.com/bitnami/charts/commit/22bb033224176c498920596c8d8b25b5f60a277d)), closes [#11797](https://github.com/bitnami/charts/issues/11797) [#11829](https://github.com/bitnami/charts/issues/11829) + +## 1.17.0 (2022-08-18) + +* [bitnami/common] Add support for image digest apart from tag (#11797) ([b069345](https://github.com/bitnami/charts/commit/b0693450f653318ac7da64575dac389d7041b69f)), closes [#11797](https://github.com/bitnami/charts/issues/11797) + +## 1.16.1 (2022-07-13) + +* [bitnami/*] Replace Kubeapps URL in READMEs (and kubeapps Chart.yaml) and remove BKPR references (#1 ([c6a7914](https://github.com/bitnami/charts/commit/c6a7914361e5aea6016fb45bf4d621edfd111d32)), closes [#10600](https://github.com/bitnami/charts/issues/10600) +* [bitnami/common] Affinities section does not use common.names.namespace (#11137) 
([b70c24c](https://github.com/bitnami/charts/commit/b70c24c82c7a9112a4288441ad1fa8c035bb68b4)), closes [#11137](https://github.com/bitnami/charts/issues/11137) + +## 1.16.0 (2022-06-03) + +* [bitnami/common] Add mysql validation (#10565) ([75ae79a](https://github.com/bitnami/charts/commit/75ae79a434137694fd82198abe1f861d6e5a04ba)), closes [#10565](https://github.com/bitnami/charts/issues/10565) + +## 1.15.2 (2022-06-02) + +* Update Redis trademark references ([2cada87](https://github.com/bitnami/charts/commit/2cada87ed4967d5cb578b0409a0bb1edee79029a)) + +## 1.15.1 (2022-06-01) + +* [bitnami/several] Replace maintainers email by url (#10523) ([ff3cf61](https://github.com/bitnami/charts/commit/ff3cf617a1680509b0f3855d17c4ccff7b29a0ff)), closes [#10523](https://github.com/bitnami/charts/issues/10523) + +## 1.15.0 (2022-06-01) + +* Add common function common.names.fullname.namespace (#10462) ([96f447c](https://github.com/bitnami/charts/commit/96f447cd8654b6db51d9301c841bacb3a13089b3)), closes [#10462](https://github.com/bitnami/charts/issues/10462) + +## 1.14.2 (2022-05-30) + +* [bitnami/common] use -d flag for base64 (#10491) ([ca8d588](https://github.com/bitnami/charts/commit/ca8d5886a1bc0fb37d1bc770ad2333acdffd7996)), closes [#10491](https://github.com/bitnami/charts/issues/10491) [#10486](https://github.com/bitnami/charts/issues/10486) + +## 1.14.1 (2022-05-20) + +* Differentiate between autoscaling v1beta1 and v1beta2 (#10331) ([16d8a4e](https://github.com/bitnami/charts/commit/16d8a4ee73705ee6db2191d84e03a2ba3ea95deb)), closes [#10331](https://github.com/bitnami/charts/issues/10331) + +## 1.14.0 (2022-05-13) + +* [bitnami/common] Add common function for HPA api version (#10174) ([4379ab5](https://github.com/bitnami/charts/commit/4379ab56bd8f4d7f7b7817bf302c683bf9087e81)), closes [#10174](https://github.com/bitnami/charts/issues/10174) + +## 1.13.1 (2022-04-19) + +* Fix affinities identifier in README.md for common chart (#9821) 
([fe95640](https://github.com/bitnami/charts/commit/fe95640ce3f5ddfb0458f440959ceda3a849a3a4)), closes [#9821](https://github.com/bitnami/charts/issues/9821) + +## 1.13.0 (2022-03-24) + +* [bitnami/common] Add apiService.apiVersion function to common.capabilities (#9562) ([bba2272](https://github.com/bitnami/charts/commit/bba227223e15937bb1f29f77425f6bd7d9238c02)), closes [#9562](https://github.com/bitnami/charts/issues/9562) + +## 1.12.0 (2022-03-16) + +* [bitnami/common] Helper to allow overriding namespace name (#9396) ([794fecb](https://github.com/bitnami/charts/commit/794fecb8cb112e8e5e9d55420451752e8bd21431)), closes [#9396](https://github.com/bitnami/charts/issues/9396) + +## 1.11.3 (2022-03-03) + +* [bitnami/common] Improve docs for passwords.manage (#9269) ([0d06114](https://github.com/bitnami/charts/commit/0d061147a5b7c7cf2bf44d2b61603ffeb48a0b51)), closes [#9269](https://github.com/bitnami/charts/issues/9269) + +## 1.11.2 (2022-02-28) + +* [bitnami/common] README: Fixed the desscription for `common.labels.matchLabels` (#9062) ([7f17db7](https://github.com/bitnami/charts/commit/7f17db7e9bcdd7918bde322b3b76a62c6a86e752)), closes [#9062](https://github.com/bitnami/charts/issues/9062) [bitnami/charts#9060](https://github.com/bitnami/charts/issues/9060) [bitnami/charts#9060](https://github.com/bitnami/charts/issues/9060) + +## 1.11.1 (2022-02-02) + +* [bitnami/common] Improve "common.secrets.passwords.manage" helper (#8861) ([01477b4](https://github.com/bitnami/charts/commit/01477b42f2be362388d69da913879c52f2250ac1)), closes [#8861](https://github.com/bitnami/charts/issues/8861) + +## 1.11.0 (2022-02-01) + +* [bitnami/common] Add ingress helper to detect cert-manager annotations (#8857) ([c0c986f](https://github.com/bitnami/charts/commit/c0c986f8d5c911c09dc84d289d2993ae1779a6ca)), closes [#8857](https://github.com/bitnami/charts/issues/8857) + +## 1.10.4 (2022-01-20) + +* [bitnami/several] Add license to the README 
([05f7633](https://github.com/bitnami/charts/commit/05f763372501d596e57db713dd53ff4ff3027cc4)) +* [bitnami/several] Add license to the README ([32fb238](https://github.com/bitnami/charts/commit/32fb238e60a0affc6debd3142eaa3c3d9089ec2a)) +* [bitnami/several] Add license to the README ([b87c2f7](https://github.com/bitnami/charts/commit/b87c2f7899d48a8b02c506765e6ae82937e9ba3f)) +* [bitnami/several] Change prerequisites (#8725) ([8d740c5](https://github.com/bitnami/charts/commit/8d740c566cfdb7e2d933c40128b4e919fce953a5)), closes [#8725](https://github.com/bitnami/charts/issues/8725) + +## 1.10.3 (2021-11-29) + +* [bitnami/common] fix: :bug: Add extra check for "\"\"" values in existing secrets (#8266) ([de27be6](https://github.com/bitnami/charts/commit/de27be6e649472608f076a04a36be3674fe3b84e)), closes [#8266](https://github.com/bitnami/charts/issues/8266) + +## 1.10.2 (2021-11-29) + +* [bitnami/several] Replace HTTP by HTTPS when possible (#8259) ([eafb5bd](https://github.com/bitnami/charts/commit/eafb5bd5a2cc3aaf04fc1e8ebedd73f420d76864)), closes [#8259](https://github.com/bitnami/charts/issues/8259) + +## 1.10.1 (2021-10-27) + +* [bitnami/*] Mark PodSecurityPolicy resources as deprecated (#7948) ([5cac753](https://github.com/bitnami/charts/commit/5cac7539dcb6c3baef06ed6676bfa99c16fdb5fe)), closes [#7948](https://github.com/bitnami/charts/issues/7948) + +## 1.10.0 (2021-09-30) + +* [bitnami/common] Add new capability helper for Network Policies (#7658) ([3efb1ca](https://github.com/bitnami/charts/commit/3efb1cac924409cbda3216a2300cce031c56a1f5)), closes [#7658](https://github.com/bitnami/charts/issues/7658) + +## 1.9.1 (2021-09-22) + +* [bitnami/common] fix readme for common chart (#7577) ([3f06bdd](https://github.com/bitnami/charts/commit/3f06bdd8df1c00dbdf27230bcdf925c337826abb)), closes [#7577](https://github.com/bitnami/charts/issues/7577) +* Fix typo in bitname/common README (#7529) 
([fccffb3](https://github.com/bitnami/charts/commit/fccffb33391751a1bf84c53184cffe0dcac83fd6)), closes [#7529](https://github.com/bitnami/charts/issues/7529) + +## 1.9.0 (2021-09-13) + +* [bitnami/common] Add new dependency fullname template (#7471) ([7ca2a4b](https://github.com/bitnami/charts/commit/7ca2a4bb917ac6a276a6b30be12538f4c7c3a63d)), closes [#7471](https://github.com/bitnami/charts/issues/7471) + +## 1.8.0 (2021-08-04) + +* Add cronjob apiVersion capability (#7122) ([7b84a67](https://github.com/bitnami/charts/commit/7b84a674ae99fd8ddac3b5b3c859c816b87aaf51)), closes [#7122](https://github.com/bitnami/charts/issues/7122) + +## 1.7.1 (2021-07-27) + +* [bitnami/*] Adapt values.yaml of common library, Tomcat, Wavefront and ZooKeeper charts (#6970) ([fb2693b](https://github.com/bitnami/charts/commit/fb2693bfe67a154b159d3998232cc613e1706c70)), closes [#6970](https://github.com/bitnami/charts/issues/6970) +* [bitnami/several] Bump version and update READMEs (#7069) ([6340bff](https://github.com/bitnami/charts/commit/6340bff66f93c8c797bda3ca0842e4bf770059f1)), closes [#7069](https://github.com/bitnami/charts/issues/7069) +* Replace strings with ™ in the README files (#7066) ([d298b49](https://github.com/bitnami/charts/commit/d298b4996da33c9580c2594e6dc8ad665dd0ebab)), closes [#7066](https://github.com/bitnami/charts/issues/7066) + +## 1.7.0 (2021-07-02) + +* [bitnami/common] Add supportIngressClassname (#6828) ([0c8a455](https://github.com/bitnami/charts/commit/0c8a45546a219b4b4cd370daf0643543c92739b0)), closes [#6828](https://github.com/bitnami/charts/issues/6828) + +## 1.6.1 (2021-06-16) + +* [bitnami/common] extend common.labels.matchLabels with .Values.extraMatchLabels (#6589) ([66edf04](https://github.com/bitnami/charts/commit/66edf04e3e244c343a845f9c684edf4c8ea04406)), closes [#6589](https://github.com/bitnami/charts/issues/6589) + +## 1.6.0 (2021-06-15) + +* bitnami/common: add version detection for policy api (#6662) 
([dcacf06](https://github.com/bitnami/charts/commit/dcacf06f6f2b6d622e2226935db22d5b8efa20b3)), closes [#6662](https://github.com/bitnami/charts/issues/6662) + +## 1.5.2 (2021-05-21) + +* [bitnami/common] Update _ingress.tpl (#6437) ([9048150](https://github.com/bitnami/charts/commit/90481508542c4da588e0d71944592e6c4e8d36e4)), closes [#6437](https://github.com/bitnami/charts/issues/6437) + +## 1.5.1 (2021-05-14) + +* Node affinity values must be quoted. (#6348) ([f73efbe](https://github.com/bitnami/charts/commit/f73efbe074436eda6276bbf32c781fa913c6a17a)), closes [#6348](https://github.com/bitnami/charts/issues/6348) + +## 1.5.0 (2021-05-13) + +* [bitnami/common] pull secrets rendering (#6286) ([dfffe74](https://github.com/bitnami/charts/commit/dfffe74c212a28e27f537dbee54c3b5a81c7d572)), closes [#6286](https://github.com/bitnami/charts/issues/6286) + +## 1.4.3 (2021-04-26) + +* [bitnami/common] Update Redis validation's helper (#6192) ([1e3bf03](https://github.com/bitnami/charts/commit/1e3bf03e3aad56fd4dc159744626e25ec24c5772)), closes [#6192](https://github.com/bitnami/charts/issues/6192) + +## 1.4.2 (2021-03-25) + +* [bitnami/common] Common credential error (#5884) ([328ca86](https://github.com/bitnami/charts/commit/328ca863515f6ef9fe188c71110be7b951719d66)), closes [#5884](https://github.com/bitnami/charts/issues/5884) + +## 1.4.1 (2021-02-23) + +* [bitnami/common] Add possibility to pull images without giving registry name (#5582) ([15ca275](https://github.com/bitnami/charts/commit/15ca27520a16b590101fa39195f55017e2935a90)), closes [#5582](https://github.com/bitnami/charts/issues/5582) + +## 1.4.0 (2021-02-22) + +* [bitnami/common] Add RBAC/CRD apiVersion support for versions 1.22+ (#5583) ([fda87aa](https://github.com/bitnami/charts/commit/fda87aabcd004f9a67549f5d22d273dd9fff6836)), closes [#5583](https://github.com/bitnami/charts/issues/5583) + +## 1.3.9 (2021-02-09) + +* Add registered icon to all the MongoDB references (#5426) 
([56f2088](https://github.com/bitnami/charts/commit/56f20884267e56175695b2917f7704b9510f4ba6)), closes [#5426](https://github.com/bitnami/charts/issues/5426) + +## 1.3.8 (2021-02-03) + +* fix(common): quote namespace name (#5363) ([d27fb5e](https://github.com/bitnami/charts/commit/d27fb5e0b327728bb4304503376aaa4d2ab50619)), closes [#5363](https://github.com/bitnami/charts/issues/5363) + +## 1.3.7 (2021-01-20) + +* [bitnami/*] Change helm version in the prerequisites (#5090) ([c5e67a3](https://github.com/bitnami/charts/commit/c5e67a388743cbee28439d2cabca27884b9daf97)), closes [#5090](https://github.com/bitnami/charts/issues/5090) +* [bitnami/common] Remove helm version checker from secret helper (#5156) ([20231b1](https://github.com/bitnami/charts/commit/20231b138fae524371e6b29504acd4cbd19ce697)), closes [#5156](https://github.com/bitnami/charts/issues/5156) + +## 1.3.6 (2021-01-18) + +* [bitnami/common] same behavior with empty string when the secret obje… (#5057) ([0bae2bb](https://github.com/bitnami/charts/commit/0bae2bbb9b42c5a8dd2b8a144ffa55ace1c8a936)), closes [#5057](https://github.com/bitnami/charts/issues/5057) + +## 1.3.5 (2021-01-17) + +* [bitnami/common] fix wrong include reference (#5056) ([11efd59](https://github.com/bitnami/charts/commit/11efd59177419d4177e59800f04b4f26ab7243f8)), closes [#5056](https://github.com/bitnami/charts/issues/5056) + +## 1.3.4 (2021-01-15) + +* [bitnami/common] Fix lookup function backward compatibility and README (#5018) ([14a0042](https://github.com/bitnami/charts/commit/14a0042dc90c01fd38f814e1e43559384a3baa9f)), closes [#5018](https://github.com/bitnami/charts/issues/5018) + +## 1.3.3 (2021-01-14) + +* [bitnami/several] Add Redis trademark (#5023) ([dfa89b8](https://github.com/bitnami/charts/commit/dfa89b865989da26a3c73f397fd3c402dd56ebe8)), closes [#5023](https://github.com/bitnami/charts/issues/5023) + +## 1.3.2 (2021-01-13) + +* [bitnami/common] Add missing else statement to ingress apiversion 
([22ab07a](https://github.com/bitnami/charts/commit/22ab07ac7d39d4153cc839de2b714086e99cfc04)) + +## 1.3.1 (2021-01-13) + +* [bitnami/common] Fix cases where ingress is not at the root (#4984) ([e447d9d](https://github.com/bitnami/charts/commit/e447d9d2205fc3f2f6cd990386a691fd9204b214)), closes [#4984](https://github.com/bitnami/charts/issues/4984) + +## 1.3.0 (2021-01-13) + +* [bitnami/*] POC Lookup function implementation (#4831) ([240dc1b](https://github.com/bitnami/charts/commit/240dc1bea80a3e121fd595636496d7941bdbc5e0)), closes [#4831](https://github.com/bitnami/charts/issues/4831) + +## 1.2.3 (2020-12-31) + +* [bitnami/common] Fix incorrect backend calculation for networking/v1beta1 ([c59b869](https://github.com/bitnami/charts/commit/c59b86919f47504bc8fd06f75a024f55e58ace77)) + +## 1.2.2 (2020-12-30) + +* [bitnami/common] Fix typo in common.capabilities.kubeVersion ([a371b73](https://github.com/bitnami/charts/commit/a371b734b854aa81a7dec16c40d061f5e9a14875)) + +## 1.2.1 (2020-12-30) + +* [bitnami/common] Fix issue with global kubeversion calculation ([0bbb339](https://github.com/bitnami/charts/commit/0bbb339d60b41ab978e759863709ebb1451d07a4)) + +## 1.2.0 (2020-12-30) + +* [bitnami/common] Make ingress rules compatible with all Kubernetes versions (#4859) ([2b22a21](https://github.com/bitnami/charts/commit/2b22a217020fe3d16ef98fdcdd4a562c43f9824a)), closes [#4859](https://github.com/bitnami/charts/issues/4859) + +## 1.1.4 (2020-12-23) + +* [bitnami/common] fix: moving kube version comparison (#4804) ([cdb6ae8](https://github.com/bitnami/charts/commit/cdb6ae8f00d114f0998c604416b79f62dc27f19d)), closes [#4804](https://github.com/bitnami/charts/issues/4804) + +## 1.1.3 (2020-12-18) + +* [bitnami/*] fix typos (#4699) ([49adc63](https://github.com/bitnami/charts/commit/49adc63b672da976c55af2e077aa5648a357b77f)), closes [#4699](https://github.com/bitnami/charts/issues/4699) +* [bitnami/common] Adding networking apiVersion support for versions 1.19+ (#4776) 
([5ed8c54](https://github.com/bitnami/charts/commit/5ed8c54f5e0a905effc4c1ae5c4931e6669cec30)), closes [#4776](https://github.com/bitnami/charts/issues/4776) + +## 1.1.2 (2020-12-11) + +* [bitnami/common] Fix node affinity templates (#4692) ([5b51a5c](https://github.com/bitnami/charts/commit/5b51a5c004b062282849a4abaaffd6840bb6c95f)), closes [#4692](https://github.com/bitnami/charts/issues/4692) + +## 1.1.1 (2020-11-26) + +* fix: mongodb validation auth (#4506) ([ca3fdfb](https://github.com/bitnami/charts/commit/ca3fdfbeebeba5bd7dfa4805e1ca2411e5950b09)), closes [#4506](https://github.com/bitnami/charts/issues/4506) + +## 1.1.0 (2020-11-26) + +* [bitnami/common] Add mongodb validation template (#4497) ([14ece96](https://github.com/bitnami/charts/commit/14ece96c801a7326935b6269423d8854fed3a49e)), closes [#4497](https://github.com/bitnami/charts/issues/4497) + +## 1.0.1 (2020-11-19) + +* [bitnami/common] existingSecret is in auth map (#4389) ([de9b217](https://github.com/bitnami/charts/commit/de9b2177465e1c56ca2aa1c4c486bd37a7104d7a)), closes [#4389](https://github.com/bitnami/charts/issues/4389) + +## 1.0.0 (2020-11-10) + +* bitnami/common Major version. 
Adapt Chart to apiVersion: v2 (#4258) ([09dbc45](https://github.com/bitnami/charts/commit/09dbc45d11c5e8fe65d6eb64dbf51571ad2c7464)), closes [#4258](https://github.com/bitnami/charts/issues/4258) + +## 0.10.0 (2020-10-27) + +* [bitnami/common] feat: add cassandra passwords validations (#4110) ([b4923d4](https://github.com/bitnami/charts/commit/b4923d48018dff1673a32eefcc0d62eb484b36da)), closes [#4110](https://github.com/bitnami/charts/issues/4110) + +## 0.9.0 (2020-10-21) + +* [bitnami/common] feat: add redis passwords validations (#4070) ([0daa8d5](https://github.com/bitnami/charts/commit/0daa8d580c06e18d94dbc0e88467347a34418596)), closes [#4070](https://github.com/bitnami/charts/issues/4070) + +## 0.8.2 (2020-10-14) + +* [bitnami/common] Allow backward compatibility for existingSecret (#4006) ([aa2b3a1](https://github.com/bitnami/charts/commit/aa2b3a18610c69b2f5c76b839483db43fa3c093c)), closes [#4006](https://github.com/bitnami/charts/issues/4006) + +## 0.8.1 (2020-10-05) + +* [bitnami/common] Fix secret name bug with defaulNameSuffix. 
(#3888) ([d114d44](https://github.com/bitnami/charts/commit/d114d446ef86cb6e7a72de6542905ec3b07d3684)) + +## 0.8.0 (2020-10-02) + +* [bitnami/common] Add statefulset capabilities and prepare MariaDB passwords validation for new forma ([1eb4436](https://github.com/bitnami/charts/commit/1eb44366a72e39e84e33bed1a4940c1b2c6025fc)), closes [#3859](https://github.com/bitnami/charts/issues/3859) + +## 0.7.1 (2020-09-22) + +* [bitnami/common] fix: evaluate enabled as string (#3733) ([048cdae](https://github.com/bitnami/charts/commit/048cdae5488cfcfe83ec698afaa8318aa3b1d0ca)), closes [#3733](https://github.com/bitnami/charts/issues/3733) + +## 0.7.0 (2020-09-22) + +* [bitnami/metrics-server] Add source repo (#3577) ([1ed12f9](https://github.com/bitnami/charts/commit/1ed12f96af75322b46afdb2b3d9907c11b13f765)), closes [#3577](https://github.com/bitnami/charts/issues/3577) +* PoC for pods' affinity (#3713) ([9e6a915](https://github.com/bitnami/charts/commit/9e6a915392979f0c0148875f34cca1c27e399b59)), closes [#3713](https://github.com/bitnami/charts/issues/3713) + +## 0.6.2 (2020-09-01) + +* [bitnami/common] fix: wrong use of append function (#3566) ([c912fd0](https://github.com/bitnami/charts/commit/c912fd0b7378bf2d5d56182e6d2fa6bbd74df46f)), closes [#3566](https://github.com/bitnami/charts/issues/3566) + +## 0.6.1 (2020-08-31) + +* [bitnami/common] fix: mariadb checks secret fields after check enabled (#3565) ([498056a](https://github.com/bitnami/charts/commit/498056ad16a6e89aa3b7cc231da7467ab5bd3986)), closes [#3565](https://github.com/bitnami/charts/issues/3565) + +## 0.6.0 (2020-08-19) + +* [bitnami/mariadb] Require password option at secret resource (#3411) ([a8d2464](https://github.com/bitnami/charts/commit/a8d24643756470d0280fc585b01397358c1c242d)), closes [#3411](https://github.com/bitnami/charts/issues/3411) + +## 0.5.2 (2020-08-19) + +* [bitnami/common] fix: add global parameters to postgres validation (#3460) 
([1c52a2a](https://github.com/bitnami/charts/commit/1c52a2a48ea65024a753eb5b32deadd46650fb18)), closes [#3460](https://github.com/bitnami/charts/issues/3460) + +## 0.5.1 (2020-08-10) + +* fix(common): missing $ in required values helpers (#3376) ([c972152](https://github.com/bitnami/charts/commit/c972152762c14c5ab5e3847a4870f4f4f2a31224)), closes [#3376](https://github.com/bitnami/charts/issues/3376) + +## 0.5.0 (2020-08-10) + +* [bitnami/common] add psql and mysql required password validations (#3374) ([1a4419e](https://github.com/bitnami/charts/commit/1a4419e15d985f67413beff98c9fc9b9f69108fb)), closes [#3374](https://github.com/bitnami/charts/issues/3374) + +## 0.4.0 (2020-08-04) + +* [bitnami/*] Fix TL;DR typo in READMEs (#3280) ([3d7ab40](https://github.com/bitnami/charts/commit/3d7ab406fecd64f1af25f53e7d27f03ec95b29a4)), closes [#3280](https://github.com/bitnami/charts/issues/3280) +* [bitnami/all] Add categories (#3075) ([63bde06](https://github.com/bitnami/charts/commit/63bde066b87a140fab52264d0522401ab3d63509)), closes [#3075](https://github.com/bitnami/charts/issues/3075) +* Add common helpers to check secrets when upgrade (#3150) ([5a5807c](https://github.com/bitnami/charts/commit/5a5807c1b1db1f2337f6aa5308d3ff73a4329e6a)), closes [#3150](https://github.com/bitnami/charts/issues/3150) + +## 0.3.1 (2020-06-05) + +* [bitnami/several] Fix table rendering in some hubs (#2770) ([fe9fd8c](https://github.com/bitnami/charts/commit/fe9fd8c261195385aae73e165ac6c1a666fef08e)), closes [#2770](https://github.com/bitnami/charts/issues/2770) + +## 0.3.0 (2020-06-02) + +* [bitnami/common]: add template function for ingress apiVersion (#2732) ([a968a50](https://github.com/bitnami/charts/commit/a968a50916ed9fa6f823a5a3ef6e4b98d615322f)), closes [#2732](https://github.com/bitnami/charts/issues/2732) + +## 0.2.4 (2020-05-29) + +* [bitnami/common] Bump chart version (#2707) ([ff2c37a](https://github.com/bitnami/charts/commit/ff2c37a576191f4523c7f69504aea669ab68aba8)), closes 
[#2707](https://github.com/bitnami/charts/issues/2707) +* [bitnami/several] Fix trailing spaces to make helm lint work on all of them (#2705) ([bafba3f](https://github.com/bitnami/charts/commit/bafba3fc8b8949897ad2d99d437bd8fc975223e4)), closes [#2705](https://github.com/bitnami/charts/issues/2705) + +## 0.2.3 (2020-05-26) + +* fix(common): add name attribute to imagePullSecrets helper (#2664) ([1ea21a9](https://github.com/bitnami/charts/commit/1ea21a92a8f44bd0d82d0fd4ed30108a89cf5b34)), closes [#2664](https://github.com/bitnami/charts/issues/2664) + +## 0.2.2 (2020-05-19) + +* update bitnami/common to be compatible with helm v2.12+ (#2615) ([c7751eb](https://github.com/bitnami/charts/commit/c7751eb5764e468e1854b58a1b8491d2b13e0a4a)), closes [#2615](https://github.com/bitnami/charts/issues/2615) + +## 0.2.1 (2020-05-13) + +* bump bitnami/common version number (#2580) ([1bd1e7b](https://github.com/bitnami/charts/commit/1bd1e7bc776614b6ae10f21e9c8b23fe15db5ff4)), closes [#2580](https://github.com/bitnami/charts/issues/2580) + +## 0.2.0 (2020-04-17) + +* [bitnami/common] add secrets and warnings helpers (#2347) ([a748ff8](https://github.com/bitnami/charts/commit/a748ff82259d6553a0d4ca56ca6d7d050de859f4)), closes [#2347](https://github.com/bitnami/charts/issues/2347) + +## 0.1.1 (2020-04-08) + +* [bitnami/common] bitnami common add values yaml (#2267) ([a88c902](https://github.com/bitnami/charts/commit/a88c90212021771eacc562dd38c04381e2f63d6f)), closes [#2267](https://github.com/bitnami/charts/issues/2267) + +## 0.1.0 (2020-04-03) + +* [bitnami/common]: add initial functions (#2188) ([9401e13](https://github.com/bitnami/charts/commit/9401e13316992c36b0e33de75d5f249645a2924e)), closes [#2188](https://github.com/bitnami/charts/issues/2188) diff --git a/kubernetes/common/mongodb/common/Chart.yaml b/kubernetes/common/mongodb/common/Chart.yaml new file mode 100644 index 0000000000..fcdd1d27f8 --- /dev/null +++ b/kubernetes/common/mongodb/common/Chart.yaml 
@@ -0,0 +1,26 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +annotations: + category: Infrastructure + licenses: Apache-2.0 +apiVersion: v2 +# Please make sure that version and appVersion are always the same. +appVersion: 2.31.1 +description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. +home: https://bitnami.com +icon: https://dyltqmyl993wv.cloudfront.net/downloads/logos/bitnami-mark.png +keywords: + - common + - helper + - template + - function + - bitnami +maintainers: + - name: Broadcom, Inc. All Rights Reserved. + url: https://github.com/bitnami/charts +name: common +sources: + - https://github.com/bitnami/charts/tree/main/bitnami/common +type: library +version: 2.31.1 diff --git a/kubernetes/common/mongodb/common/README.md b/kubernetes/common/mongodb/common/README.md new file mode 100644 index 0000000000..2860536077 --- /dev/null +++ b/kubernetes/common/mongodb/common/README.md 
@@ -0,0 +1,379 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 2.x.x + repository: oci://registry-1.docker.io/bitnamicharts +``` + +```console +helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +| ------------------------------- | ---------------------------------------------------- | ------------------------------------------------------------ | +| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.nodes` | Return a nodeAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.topologyKey` | Return a topologyKey definition | `dict "topologyKey" "FOO"` | +| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pods` | Return a 
podAffinity/podAntiAffinity definition | `dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +| --------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | --------------------------------------- | +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.apiVersions.has` | Return true if the apiVersion is supported | `dict "version" "batch/v1" "context" $` | +| `common.capabilities.job.apiVersion` | Return the appropriate apiVersion for job. | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.daemonset.apiVersion` | Return the appropriate apiVersion for daemonset. | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. 
| `.` Chart context | +| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | +| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context | +| `common.capabilities.vpa.apiVersion` | Return the appropriate apiVersion for Vertical Pod Autoscaler. | `.` Chart context | +| `common.capabilities.psp.supported` | Returns true if PodSecurityPolicy is supported | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | +| `common.capabilities.admissionConfiguration.supported` | Returns true if AdmissionConfiguration is supported | `.` Chart context | +| `common.capabilities.admissionConfiguration.apiVersion` | Return the appropriate apiVersion for AdmissionConfiguration. | `.` Chart context | +| `common.capabilities.podSecurityConfiguration.apiVersion` | Return the appropriate apiVersion for PodSecurityConfiguration. | `.` Chart context | + +### Compatibility + +| Helper identifier | Description | Expected Input | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- | +| `common.compatibility.isOpenshift` | Return true if the detected platform is Openshift | `.` Chart context | +| `common.compatibility.renderSecurityContext` | Render a compatible securityContext depending on the platform. By default it is maintained as it is. 
In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC | `dict "secContext" .Values.containerSecurityContext "context" $` | + +### Errors + +| Helper identifier | Description | Expected Input | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | +| `common.errors.insecureImages` | Throw error when original container images are replaced. The error can be bypassed by setting the `global.security.allowInsecureImages` to true. | `dict "images" (list .Values.path.to.the.imageRoot) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +| --------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ | +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. 
| +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | +| `common.images.version` | Return the proper image version | `dict "imageRoot" .Values.path.to.the.image "chart" .Chart` , see [ImageRoot](#imageroot) for the structure. | + +### Ingress + +| Helper identifier | Description | Expected Input | +| ----------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +| --------------------------- | --------------------------------------------------------------------------- | ----------------- | +| 
`common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Input | +| ---------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------------------------------------------------- | +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | +| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | +| `common.names.dependency.fullname` | Create a default fully qualified dependency name. | `dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $` | + +### Resources + +| Helper identifier | Description | Expected Input | +| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | +| `common.resources.preset` | Return a resource request/limit object based on a given preset. These presets are for basic testing and not meant to be used in production. 
| `dict "type" "nano"` | + +### Secrets + +| Helper identifier | Description | Expected Input | +| --------------------------------- | -------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $`, length, strong, honorProvidedValues and chartName fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | +| `common.secrets.lookup` | Reuses the value from an existing secret, otherwise sets its value to a default value. 
| `dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +| ---------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------- | +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +| ---------------------------------- | ------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | +| `common.tplvalues.merge` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` | +| `common.tplvalues.merge-overwrite` | Merge a list of values that contains template after rendering them. | `dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $` | + +### Utils + +| Helper identifier | Description | Expected Input | +| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. 
| `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | +| `common.utils.checksumTemplate` | Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376) | `dict "path" "/configmap.yaml" "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. 
| `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +| -------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------- | +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | +| `common.warnings.modifiedImages` | Warning about replaced images from the original. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | +| `common.warnings.resources` | Warning about not setting the resource object in all deployments. | `dict "sections" (list "path1" "path2") context $` | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy.' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. 
+ example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... 
+ +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +#### What changes were introduced in this major version? + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. 
[Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +#### Useful links + +- +- +- + +## License + +Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/kubernetes/common/mongodb/common/templates/_affinities.tpl b/kubernetes/common/mongodb/common/templates/_affinities.tpl new file mode 100644 index 0000000000..c6ccc62e2f --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_affinities.tpl 
@@ -0,0 +1,169 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . 
-}} + {{- end -}} +{{- end -}} + +{{/* +Return a topologyKey definition +{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} +*/}} +{{- define "common.affinities.topologyKey" -}} +{{ .topologyKey | default "kubernetes.io/hostname" -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{- include "common.tplvalues.render" (dict "value" . 
"context" $) | nindent 8 }} + {{- end }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: 1 + {{- range $extraPodAffinityTerms }} + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if .namespaces }} + namespaces: + - {{ $.context.Release.Namespace }} + {{- with .namespaces }} + {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 8 }} + {{- end }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: {{ .weight | default 1 -}} + {{- end -}} +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ 
$key }}: {{ $value | quote }} + {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 6 }} + {{- end }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- range $extraPodAffinityTerms }} + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if .namespaces }} + namespaces: + - {{ $.context.Release.Namespace }} + {{- with .namespaces }} + {{- include "common.tplvalues.render" (dict "value" . "context" $) | nindent 6 }} + {{- end }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- end -}} +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_capabilities.tpl b/kubernetes/common/mongodb/common/templates/_capabilities.tpl new file mode 100644 index 0000000000..6efde9d348 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_capabilities.tpl 
@@ -0,0 +1,178 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}} +{{- end -}} + +{{/* +Return true if the apiVersion is supported +Usage: +{{ include "common.capabilities.apiVersions.has" (dict "version" "batch/v1" "context" $) }} +*/}} +{{- define "common.capabilities.apiVersions.has" -}} +{{- $providedAPIVersions := default .context.Values.apiVersions ((.context.Values.global).apiVersions) -}} +{{- if and (empty $providedAPIVersions) (.context.Capabilities.APIVersions.Has .version) -}} + {{- true -}} +{{- else if has .version $providedAPIVersions -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- print "policy/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for job. +*/}} +{{- define "common.capabilities.job.apiVersion" -}} +{{- print "batch/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- print "batch/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "common.capabilities.daemonset.apiVersion" -}} +{{- print "apps/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- print "apps/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. 
+*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- print "apps/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- print "autoscaling/v2" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Vertical Pod Autoscaler. +*/}} +{{- define "common.capabilities.vpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "autoscaling/v1beta2" -}} +{{- else -}} +{{- print "autoscaling/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if PodSecurityPolicy is supported +*/}} +{{- define "common.capabilities.psp.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if AdmissionConfiguration is supported +*/}} +{{- define "common.capabilities.admissionConfiguration.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . 
-}} + {{- true -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for AdmissionConfiguration. +*/}} +{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiserver.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityConfiguration. +*/}} +{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "pod-security.admission.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_compatibility.tpl b/kubernetes/common/mongodb/common/templates/_compatibility.tpl new file mode 100644 index 0000000000..87343ca38f --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_compatibility.tpl 
@@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} + +{{- if (((.context.Values.global).compatibility).openshift) -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}} +{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} +{{- end -}} +{{/* Remove fields that 
are disregarded when running the container in privileged mode */}} +{{- if $adaptedContext.privileged -}} + {{- $adaptedContext = omit $adaptedContext "capabilities" -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_errors.tpl b/kubernetes/common/mongodb/common/templates/_errors.tpl new file mode 100644 index 0000000000..95b8b8e292 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_errors.tpl 
@@ -0,0 +1,85 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Throw error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} + +{{/* +Throw error when original container images are replaced. +The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case, +a warning message will be shown instead. 
+ +Usage: +{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} +*/}} +{{- define "common.errors.insecureImages" -}} +{{- $relocatedImages := list -}} +{{- $replacedImages := list -}} +{{- $retaggedImages := list -}} +{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}} +{{- $originalImages := .context.Chart.Annotations.images -}} +{{- range .images -}} + {{- $registryName := default .registry $globalRegistry -}} + {{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}} + {{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}} + {{- if not (contains $fullImageNameNoTag $originalImages) -}} + {{- if not (contains $registryName $originalImages) -}} + {{- $relocatedImages = append $relocatedImages $fullImageName -}} + {{- else if not (contains .repository $originalImages) -}} + {{- $replacedImages = append $replacedImages $fullImageName -}} + {{- end -}} + {{- end -}} + {{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}} + {{- $retaggedImages = append $retaggedImages $fullImageName -}} + {{- end -}} +{{- end -}} + +{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}} + {{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}} +{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}} + {{- $errorString := "Original containers have been substituted for unrecognized ones. 
Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}} + {{- $errorString = print $errorString "\n\nUnrecognized images:" -}} + {{- range (concat $relocatedImages $replacedImages) -}} + {{- $errorString = print $errorString "\n - " . -}} + {{- end -}} + {{- if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) -}} + {{- $errorString = print "\n\n⚠ ERROR: " $errorString -}} + {{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}} + {{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}} + {{- print $errorString | fail -}} + {{- else if gt (len $replacedImages) 0 -}} + {{- $errorString = print "\n\n⚠ WARNING: " $errorString -}} + {{- print $errorString -}} + {{- end -}} +{{- else if gt (len $retaggedImages) 0 -}} + {{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Tanzu Application Catalog containers. Substituting original image tags could cause unexpected behavior." -}} + {{- $warnString = print $warnString "\n\nRetagged images:" -}} + {{- range $retaggedImages -}} + {{- $warnString = print $warnString "\n - " . -}} + {{- end -}} + {{- print $warnString -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_images.tpl b/kubernetes/common/mongodb/common/templates/_images.tpl new file mode 100644 index 0000000000..6eedf75f56 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_images.tpl 
@@ -0,0 +1,114 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name. +If image tag and digest are not defined, termination fallbacks to chart appVersion. +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} + +{{- if not .imageRoot.tag }} + {{- if .chart }} + {{- $termination = .chart.AppVersion | toString -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- range ((.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end }} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . 
-}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) -}} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- range (($context.Values.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) -}} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . 
}} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images.version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_ingress.tpl b/kubernetes/common/mongodb/common/templates/_ingress.tpl new file mode 100644 index 0000000000..2d0dbf1e60 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_ingress.tpl 
@@ -0,0 +1,41 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_labels.tpl b/kubernetes/common/mongodb/common/templates/_labels.tpl new file mode 100644 index 0000000000..0a0cc5488f --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_labels.tpl 
@@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Kubernetes standard labels +{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} +*/}} +{{- define "common.labels.standard" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} +{{- with .context.Chart.AppVersion -}} +{{- $_ := set $default "app.kubernetes.io/version" . -}} +{{- end -}} +{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector +{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} + +We don't want to loop over custom labels appending them to the selector +since it's very likely that it will break deployments, services, etc. +However, it's important to overwrite the standard labels if the user +overwrote them on metadata.labels fields. +*/}} +{{- define "common.labels.matchLabels" -}} +{{- if and (hasKey . "customLabels") (hasKey . 
"context") -}} +{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_names.tpl b/kubernetes/common/mongodb/common/templates/_names.tpl new file mode 100644 index 0000000000..ba83956852 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_names.tpl 
@@ -0,0 +1,71 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. 
+Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_resources.tpl b/kubernetes/common/mongodb/common/templates/_resources.tpl new file mode 100644 index 0000000000..2aaf5750d4 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_resources.tpl 
@@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} 
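Review bot: In `common.resources.preset` (_resources.tpl), the `fail` message builds its list of allowed values with `join "," (keys $presets)`, and `keys` on a dict returns them in no guaranteed order, so the same mistake can produce a differently ordered error on each render. Pipe the list through `sortAlpha` (`keys $presets | sortAlpha`) so the message is stable in CI logs. The header comment already says these presets are for basic testing only. It would help to also state there that every preset sets requests below limits, since a reader choosing a preset sees only the name at the call site.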
diff --git a/kubernetes/common/mongodb/common/templates/_secrets.tpl b/kubernetes/common/mongodb/common/templates/_secrets.tpl new file mode 100644 index 0000000000..7868c00ac0 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_secrets.tpl 
@@ -0,0 +1,192 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. 
+*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. + - honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret +The order in which this function returns a secret password: + 1. 
Password provided via the values.yaml if honorProvidedValues = true + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 2. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 3. Password provided via the values.yaml if honorProvidedValues = false + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 4. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- end }} + +{{- if and $providedPasswordValue .honorProvidedValues }} + {{- $password = tpl ($providedPasswordValue | toString) .context }} +{{- end }} + +{{- if 
not $password }} + {{- if $providedPasswordValue }} + {{- $password = tpl ($providedPasswordValue | toString) .context }} + {{- else }} + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- if not (eq .failOnNew false) }} + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + {{- end }} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} + {{- else }} + {{- $password = randAlphaNum $passwordLength }} + {{- end }} + {{- end -}} +{{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} +{{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Reuses the value from an existing secret, otherwise sets its value to a default value. + +Usage: +{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - context - Context - Required - Parent context. 
+ +*/}} +{{- define "common.secrets.lookup" -}} +{{- $value := "" -}} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} +{{- if and $secretData (hasKey $secretData .key) -}} + {{- $value = index $secretData .key -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} +{{- end -}} +{{- if $value -}} +{{- printf "%s" $value -}} +{{- end -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_storage.tpl b/kubernetes/common/mongodb/common/templates/_storage.tpl new file mode 100644 index 0000000000..aa75856c07 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_storage.tpl @@ -0,0 +1,21 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} +{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}} +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else -}} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} +{{- end -}} 
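Review bot: In `common.secrets.passwords.manage` (_secrets.tpl), the generated-password fallback is weaker than the `strong` flag suggests, and the default of `default 10 .length` makes this worse. In the `strong` branch the result is a five-character prefix (`$subStr`: one lower-case letter, one digit, one upper-case letter, joined by two fixed `_`) plus `substr 5 $passwordLength` of the `randAscii` output, in which every non-word character has first been collapsed to `@`. At the default length that leaves five freely random characters, and a `length` of 5 leaves only the prefix. Please raise the default length, document a minimum `length` for `strong`, and drop the fixed separators from the prefix. Separately, the `skipB64enc` parameter description reads "no the secret will not be base64 encrypted". Base64 is an encoding, so the sentence should say "encoded" and lose the stray "no".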
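Review bot: In `common.storage.class` (_storage.tpl), the usage comment passes `"global" $`, but the body reads `(.global).storageClass` and `(.global).defaultStorageClass`. With the root context in `global`, those resolve to `$.storageClass` and `$.defaultStorageClass`, not to anything under `.Values.global`, so a caller who copies the documented usage silently falls through to `.persistence.storageClass`. Either change the comment to pass `.Values.global` or read `.global.Values.global` in the template. Also note in the comment that a global storage class takes precedence over the per-component `persistence.storageClass`, and consider `| quote` on the non-empty branch so the emitted `storageClassName` is always a YAML string.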
diff --git a/kubernetes/common/mongodb/common/templates/_tplvalues.tpl b/kubernetes/common/mongodb/common/templates/_tplvalues.tpl new file mode 100644 index 0000000000..a04f4c1eb3 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_tplvalues.tpl 
@@ -0,0 +1,52 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template perhaps with scope if the scope is present. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} +*/}} +{{- define "common.tplvalues.render" -}} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite +Usage: +{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge-overwrite" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . 
"context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_utils.tpl b/kubernetes/common/mongodb/common/templates/_utils.tpl new file mode 100644 index 0000000000..0a5a5bc88f --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_utils.tpl 
@@ -0,0 +1,77 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . 
) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). +Usage: +{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} +*/}} +{{- define "common.utils.checksumTemplate" -}} +{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} +{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/_warnings.tpl b/kubernetes/common/mongodb/common/templates/_warnings.tpl new file mode 100644 index 0000000000..62c44dfcaa --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/_warnings.tpl 
@@ -0,0 +1,109 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html +{{- end }} +{{- end -}} + +{{/* +Warning about replaced images from the original. +Usage: +{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} +*/}} +{{- define "common.warnings.modifiedImages" -}} +{{- $affectedImages := list -}} +{{- $printMessage := false -}} +{{- $originalImages := .context.Chart.Annotations.images -}} +{{- range .images -}} + {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- if not (contains $fullImageName $originalImages) }} + {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- $printMessage = true -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +⚠ SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables. + +Substituted images detected: +{{- range $affectedImages }} + - {{ . 
}} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . -}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) 
-}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_cassandra.tpl b/kubernetes/common/mongodb/common/templates/validations/_cassandra.tpl new file mode 100644 index 0000000000..f8fd213bcc --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_cassandra.tpl 
@@ -0,0 +1,51 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_mariadb.tpl b/kubernetes/common/mongodb/common/templates/validations/_mariadb.tpl new file mode 100644 index 0000000000..6ea8c0f45b --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_mariadb.tpl 
@@ -0,0 +1,108 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" 
$valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. 
Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_mongodb.tpl b/kubernetes/common/mongodb/common/templates/validations/_mongodb.tpl new file mode 100644 index 0000000000..e678a6de82 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_mongodb.tpl 
@@ -0,0 +1,67 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} 
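Review bot: In _mongodb.tpl every helper branches on `{{- if .subchart -}}`, and the Params text calls `subchart` a Boolean, yet the Usage lines pass the string "true" (`dict "subchart" "true" "context" $`). A template `if` treats any non-empty string as true, so a caller passing "false" would still get the `mongodb.auth` and `.Values.mongodb.*` paths. Either state in the comments that only a real boolean or an omitted key selects the standalone branch, or change the usage examples to pass `true` unquoted. The comment blocks also spell the product both "MongoDb" and "MongoDB®".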
diff --git a/kubernetes/common/mongodb/common/templates/validations/_mysql.tpl b/kubernetes/common/mongodb/common/templates/validations/_mysql.tpl new file mode 100644 index 0000000000..fbb65c338e --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_mysql.tpl 
@@ -0,0 +1,67 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} 
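Review bot: `common.mysql.values.enabled` returns `printf "%v" (not .context.Values.enabled)` in its non-subchart branch, so it yields "true" when `enabled` is unset or false and "false" when a top-level `enabled: true` exists, and the doc comment does not explain the inversion. That comment also has no Params block although the body reads `.subchart`. Add a sentence saying why the standalone case is negated, and document the `subchart` param the way the other three helpers in this file do.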
diff --git a/kubernetes/common/mongodb/common/templates/validations/_postgresql.tpl b/kubernetes/common/mongodb/common/templates/validations/_postgresql.tpl new file mode 100644 index 0000000000..51d47162e7 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_postgresql.tpl 
@@ -0,0 +1,105 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. 
Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_redis.tpl b/kubernetes/common/mongodb/common/templates/validations/_redis.tpl new file mode 100644 index 0000000000..9fedfef9d1 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_redis.tpl 
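Review bot: In _postgresql.tpl, `common.postgresql.values.key.postgressPassword` chooses the password key path by looking up the global key "postgresqlUsername", then returns `global.postgresql.postgresqlPassword` when that username is set. A global username without a global password would point the caller at an empty key. Look up "postgresqlPassword" instead, or add a comment stating why the username is the intended switch. The helper name also spells "postgress" with a double s.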
@@ -0,0 +1,48 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/templates/validations/_validations.tpl b/kubernetes/common/mongodb/common/templates/validations/_validations.tpl new file mode 100644 index 0000000000..7cdee61700 --- /dev/null +++ b/kubernetes/common/mongodb/common/templates/validations/_validations.tpl 
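Review bot: The Usage line for the prefix helper in _redis.tpl names `common.redis.values.key.prefix`, but the template is defined as `common.redis.values.keys.prefix`, which is also the name `common.redis.values.standarized.version` includes. An include copied from the comment fails because no template has that name; change the comment to `keys.prefix`. The `common.redis.values.enabled` comment also omits the `subchart` param that its body reads.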
@@ -0,0 +1,51 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. 
+*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/mongodb/common/values.yaml b/kubernetes/common/mongodb/common/values.yaml new file mode 100644 index 0000000000..de2cac57d0 --- /dev/null +++ b/kubernetes/common/mongodb/common/values.yaml @@ -0,0 +1,8 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/kubernetes/common/mongodb/templates/NOTES.txt b/kubernetes/common/mongodb/templates/NOTES.txt new file mode 100644 index 0000000000..2c47d5fd36 --- /dev/null +++ b/kubernetes/common/mongodb/templates/NOTES.txt 
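Review bot: In _validations.tpl, `common.validations.values.multiple.empty` forwards only `valueKey`, `secret`, `field` and `context` to `common.validations.values.single.empty`, so `.subchart` is always empty there and the `--set %s%s=$%s` hint never carries the subchart prefix for entries validated through the list form. Add `"subchart" .subchart` to the inner dict if list entries are meant to support it. The two Usage comments also name `common.validations.values.empty` and `common.validations.value.empty`, neither of which matches the defined `multiple.empty` and `single.empty` templates.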
@@ -0,0 +1,174 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information. + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + +{{- else }} + +{{- $replicaCount := int .Values.replicaCount }} +{{- $portNumber := int .Values.service.ports.mongodb }} +{{- $fullname := include "mongodb.fullname" . }} +{{- $releaseNamespace := include "mongodb.namespace" . 
}} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- $mongoList := list }} +{{- range $e, $i := until $replicaCount }} +{{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }} +{{- end }} + +{{- if and (or (and (eq .Values.architecture "standalone") (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort"))) (and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled)) (not .Values.auth.enabled) }} +------------------------------------------------------------------------------- + WARNING + + By not enabling "mongodb.auth.enabled" you have most likely exposed the + MongoDB® service externally without any authentication mechanism. + + For security reasons, we strongly suggest that you enable authentication + setting the "mongodb.auth.enabled" parameter to "true". + +------------------------------------------------------------------------------- +{{- end }} + +** Please be patient while the chart is being deployed ** + +MongoDB® can be accessed on the following DNS name(s) and ports from within your cluster: + +{{- if eq .Values.architecture "replicaset" }} +{{ join "\n" $mongoList | nindent 4 }} +{{- else }} + + {{ $fullname }}.{{ $releaseNamespace }}.svc.{{ .Values.clusterDomain }} + +{{- end }} + +{{- if .Values.auth.enabled }} + +To get the root password run: + + export MONGODB_ROOT_PASSWORD=$(kubectl get secret --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.secretName" . }} -o jsonpath="{.data.mongodb-root-password}" | base64 -d) + +{{- end }} +{{- $customUsers := include "mongodb.customUsers" . -}} +{{- $customDatabases := include "mongodb.customDatabases" . 
-}} +{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} +{{- $customUsersList := splitList "," $customUsers }} +{{- range $index, $user := $customUsersList }} + +To get the password for "{{ $user }}" run: + + export MONGODB_PASSWORD=$(kubectl get secret --namespace {{ include "mongodb.namespace" $ }} {{ include "mongodb.secretName" $ }} -o jsonpath="{.data.mongodb-passwords}" | base64 -d | awk -F',' '{print ${{ add 1 $index }}}') + +{{- end }} +{{- end }} + +To connect to your database, create a MongoDB® client container: + + kubectl run --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.fullname" . }}-client --rm --tty -i --restart='Never' --env="MONGODB_ROOT_PASSWORD=$MONGODB_ROOT_PASSWORD" --image {{ template "mongodb.image" . }} --command -- bash + +Then, run the following command: + + {{- if eq .Values.architecture "replicaset" }} + mongosh admin --host "{{ join "," $mongoList }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }} + {{- else }} + mongosh admin --host "{{ template "mongodb.service.nameOverride" . }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }} + {{- end }} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled }} + +To connect to your database nodes from outside, you need to add both primary and secondary nodes hostnames/IPs to your Mongo client. To obtain them, follow the instructions below: + +{{- if eq "NodePort" .Values.externalAccess.service.type }} +{{- if .Values.externalAccess.service.domain }} + + MongoDB® nodes domain: Use your provided hostname to reach MongoDB® nodes, {{ .Values.externalAccess.service.domain }} + +{{- else }} + + MongoDB® nodes domain: you can reach MongoDB® nodes on any of the K8s nodes external IPs. 
+ + kubectl get nodes -o wide + +{{- end }} + + MongoDB® nodes port: You will have a different node port for each MongoDB® node. You can get the list of configured node ports using the command below: + + echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -o jsonpath='{.items[*].spec.ports[0].nodePort}' | tr ' ' '\n')" + +{{- else if contains "LoadBalancer" .Values.externalAccess.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IPs to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -w' + + MongoDB® nodes domain: You will have a different external IP for each MongoDB® node. You can get the list of external IPs using the command below: + + echo "$(kubectl get svc --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ template "mongodb.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=mongodb,pod" -o jsonpath='{.items[*].status.loadBalancer.ingress[0].ip}' | tr ' ' '\n')" + + MongoDB® nodes port: {{ .Values.externalAccess.service.ports.mongodb }} + +{{- end }} + +{{- else if eq .Values.architecture "standalone" }} + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ template "mongodb.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ template "mongodb.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "mongodb.service.nameOverride" . 
}}) + mongo --host $NODE_IP --port $NODE_PORT {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- else if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ template "mongodb.namespace" . }} -w {{ template "mongodb.service.nameOverride" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ template "mongodb.namespace" . }} {{ template "mongodb.service.nameOverride" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + mongosh --host $SERVICE_IP --port {{ $portNumber }} {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- else if contains "ClusterIP" .Values.service.type }} + + kubectl port-forward --namespace {{ template "mongodb.namespace" . }} svc/{{ template "mongodb.service.nameOverride" . }} {{ $portNumber }}:{{ $portNumber }} & + mongosh --host 127.0.0.1 {{- if .Values.auth.enabled }} --authenticationDatabase admin -p $MONGODB_ROOT_PASSWORD{{- end }} + +{{- end }} +{{- end }} + +{{- if .Values.metrics.enabled }} + +To access the MongoDB® Prometheus metrics, get the MongoDB® Prometheus URL by running: + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-metrics" (include "mongodb.fullname" .) }} {{ .Values.metrics.service.ports.metrics }}:{{ .Values.metrics.service.ports.metrics }} & + echo "Prometheus Metrics URL: http://127.0.0.1:{{ .Values.metrics.service.ports.metrics }}/metrics" + +Then, open the obtained URL in a browser. 
+ +{{- end }} +{{- end }} +{{- include "common.warnings.rollingTag" .Values.image }} +{{- include "common.warnings.rollingTag" .Values.metrics.image }} +{{- include "common.warnings.rollingTag" .Values.externalAccess.autoDiscovery.image }} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} +{{- include "common.warnings.rollingTag" .Values.tls.image }} +{{- include "mongodb.validateValues" . }} +{{- include "common.warnings.resources" (dict "sections" (list "arbiter" "externalAccess.autoDiscovery" "hidden" "metrics" "" "tls" "volumePermissions") "context" $) }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} +{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.tls.image .Values.externalAccess.autoDiscovery.image .Values.externalAccess.dnsCheck.image .Values.volumePermissions.image .Values.metrics.image) "context" $) }} diff --git a/kubernetes/common/mongodb/templates/_helpers.tpl b/kubernetes/common/mongodb/templates/_helpers.tpl new file mode 100644 index 0000000000..5b40e14bce --- /dev/null +++ b/kubernetes/common/mongodb/templates/_helpers.tpl 
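Review bot: In templates/NOTES.txt the in-cluster connection commands pass `-u $MONGODB_ROOT_USER`, but the notes only export `MONGODB_ROOT_PASSWORD` and hand only that variable to the client pod via `--env`, so nothing shown here sets the user variable; the external-access commands omit `-u` altogether. Print the root user or add an export for it. The standalone NodePort branch also calls `mongo` where every other branch calls `mongosh`, and the diagnostic-mode `kubectl exec` line ends in `-ti -- bash` with no pod name. The unauthenticated-exposure warning tells the user to set "mongodb.auth.enabled" while its condition tests `.Values.auth.enabled`, so the key in the message only matches when the chart is consumed as a dependency named `mongodb`.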
@@ -0,0 +1,713 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "mongodb.name" -}} +{{- include "common.names.name" . -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "mongodb.fullname" -}} +{{- include "common.names.fullname" . -}} +{{- end -}} + +{{/* +Create a default mongo service name which can be overridden. +*/}} +{{- define "mongodb.service.nameOverride" -}} + {{- if and .Values.service .Values.service.nameOverride -}} + {{- print .Values.service.nameOverride -}} + {{- else -}} + {{- if eq .Values.architecture "replicaset" -}} + {{- printf "%s-headless" (include "mongodb.fullname" .) -}} + {{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Create a default mongo arbiter service name which can be overridden. +*/}} +{{- define "mongodb.arbiter.service.nameOverride" -}} + {{- if and .Values.arbiter.service .Values.arbiter.service.nameOverride -}} + {{- print .Values.arbiter.service.nameOverride -}} + {{- else -}} + {{- printf "%s-arbiter-headless" (include "mongodb.fullname" .) -}} + {{- end }} +{{- end }} + +{{/* +Create a default mongo hidden service name which can be overridden. +*/}} +{{- define "mongodb.hidden.service.nameOverride" -}} + {{- if and .Values.hidden.service .Values.hidden.service.nameOverride -}} + {{- print .Values.hidden.service.nameOverride -}} + {{- else -}} + {{- printf "%s-hidden-headless" (include "mongodb.fullname" .) 
-}} + {{- end }} +{{- end }} + +{{/* +Return the proper MongoDB® image name +*/}} +{{- define "mongodb.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the metrics image) +*/}} +{{- define "mongodb.metrics.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "mongodb.volumePermissions.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container auto-discovery image) +*/}} +{{- define "mongodb.externalAccess.autoDiscovery.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.externalAccess.autoDiscovery.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the init container dns-check image) +*/}} +{{- define "mongodb.externalAccess.dnsCheck.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.externalAccess.dnsCheck.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper image name (for the TLS Certs image) +*/}} +{{- define "mongodb.tls.image" -}} +{{- include "common.images.image" (dict "imageRoot" .Values.tls.image "global" .Values.global) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "mongodb.imagePullSecrets" -}} +{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image .Values.tls.image .Values.externalAccess.dnsCheck.image .Values.externalAccess.autoDiscovery.image) "context" $) -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. 
+*/}} +{{- define "mongodb.namespace" -}} + {{- if and .Values.global .Values.global.namespaceOverride -}} + {{- print .Values.global.namespaceOverride -}} + {{- else -}} + {{- print .Release.Namespace -}} + {{- end }} +{{- end -}} +{{- define "mongodb.serviceMonitor.namespace" -}} + {{- if .Values.metrics.serviceMonitor.namespace -}} + {{- print .Values.metrics.serviceMonitor.namespace -}} + {{- else -}} + {{- include "mongodb.namespace" . -}} + {{- end }} +{{- end -}} +{{- define "mongodb.prometheusRule.namespace" -}} + {{- if .Values.metrics.prometheusRule.namespace -}} + {{- print .Values.metrics.prometheusRule.namespace -}} + {{- else -}} + {{- include "mongodb.namespace" . -}} + {{- end }} +{{- end -}} + +{{/* +Returns the proper service account name depending if an explicit service account name is set +in the values file. If the name is not set it will default to either mongodb.fullname if serviceAccount.create +is true or default otherwise. +*/}} +{{- define "mongodb.serviceAccountName" -}} + {{- if .Values.serviceAccount.create -}} + {{- default (include "mongodb.fullname" .) (print .Values.serviceAccount.name) -}} + {{- else -}} + {{- default "default" (print .Values.serviceAccount.name) -}} + {{- end -}} +{{- end -}} + +{{/* +Return the list of custom users to create during the initialization (string format) +*/}} +{{- define "mongodb.customUsers" -}} + {{- $customUsers := list -}} + {{- if .Values.auth.username -}} + {{- $customUsers = append $customUsers .Values.auth.username }} + {{- end }} + {{- range .Values.auth.usernames }} + {{- $customUsers = append $customUsers . 
}} + {{- end }} + {{- printf "%s" (default "" (join "," $customUsers)) -}} +{{- end -}} + +{{/* +Return the list of passwords for the custom users (string format) +*/}} +{{- define "mongodb.customPasswords" -}} + {{- $customPasswords := list -}} + {{- if .Values.auth.password -}} + {{- $customPasswords = append $customPasswords .Values.auth.password }} + {{- end }} + {{- range .Values.auth.passwords }} + {{- $customPasswords = append $customPasswords . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customPasswords)) -}} +{{- end -}} + +{{/* +Return the list of custom databases to create during the initialization (string format) +*/}} +{{- define "mongodb.customDatabases" -}} + {{- $customDatabases := list -}} + {{- if .Values.auth.database -}} + {{- $customDatabases = append $customDatabases .Values.auth.database }} + {{- end }} + {{- range .Values.auth.databases }} + {{- $customDatabases = append $customDatabases . }} + {{- end }} + {{- printf "%s" (default "" (join "," $customDatabases)) -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration +*/}} +{{- define "mongodb.configmapName" -}} +{{- if .Values.existingConfigmap -}} + {{- printf "%s" (tpl .Values.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® +*/}} +{{- define "mongodb.createConfigmap" -}} +{{- if and .Values.configuration (not .Values.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret with MongoDB® credentials +*/}} +{{- define "mongodb.secretName" -}} + {{- if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} + {{- else -}} + {{- printf "%s" (include "mongodb.fullname" .) 
-}} + {{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created for MongoDB® +*/}} +{{- define "mongodb.createSecret" -}} +{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created for MongoDB +*/}} +{{- define "mongodb.createPreviousSecret" -}} +{{- if and .Values.passwordUpdateJob.previousPasswords.rootPassword (not .Values.passwordUpdateJob.previousPasswords.existingSecret) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret with previous MongoDB credentials +*/}} +{{- define "mongodb.update-job.previousSecretName" -}} + {{- if .Values.passwordUpdateJob.previousPasswords.existingSecret -}} + {{- /* The secret with the new password is managed externally */ -}} + {{- tpl .Values.passwordUpdateJob.previousPasswords.existingSecret $ -}} + {{- else if .Values.passwordUpdateJob.previousPasswords.rootPassword -}} + {{- /* The secret with the new password is managed externally */ -}} + {{- printf "%s-previous-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- /* The secret with the new password is managed by the helm chart. We use the current secret name as it has the old password */ -}} + {{- include "common.names.fullname" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return the secret with new MongoDB credentials +*/}} +{{- define "mongodb.update-job.newSecretName" -}} + {{- if and (not .Values.passwordUpdateJob.previousPasswords.existingSecret) (not .Values.passwordUpdateJob.previousPasswords.rootPassword) -}} + {{- /* The secret with the new password is managed by the helm chart. We create a new secret as the current one has the old password */ -}} + {{- printf "%s-new-secret" (include "common.names.fullname" .) 
| trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- /* The secret with the new password is managed externally */ -}} + {{- include "mongodb.secretName" . -}} + {{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "mongodb.initdbScriptsCM" -}} +{{- if .Values.initdbScriptsConfigMap -}} +{{- printf "%s" (tpl .Values.initdbScriptsConfigMap $) -}} +{{- else -}} +{{- printf "%s-init-scripts" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get initial primary host to configure MongoDB cluster. +*/}} +{{- define "mongodb.initialPrimaryHost" -}} +{{ ternary ( printf "%s-0.%s.$(MY_POD_NAMESPACE).svc.%s" (include "mongodb.fullname" .) (include "mongodb.service.nameOverride" .) .Values.clusterDomain ) ( first .Values.externalAccess.service.publicNames ) ( empty .Values.externalAccess.service.publicNames ) }} +{{- end -}} + +{{/* +Init container definition to change/establish volume permissions. +*/}} +{{- define "mongodb.initContainer.volumePermissions" }} +- name: volume-permissions + image: {{ include "mongodb.volumePermissions.image" . 
}} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + mkdir -p {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + chown {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} + find {{ printf "%s/%s" .Values.persistence.mountPath (default "" .Values.persistence.subPath) }} -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | xargs -r chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} + {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.volumePermissions.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.volumePermissions.resources "context" $) | nindent 12 }} + {{- else if ne .Values.volumePermissions.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: {{ .Values.persistence.name | default "datadir" }} + mountPath: {{ .Values.persistence.mountPath }} +{{- end -}} + +{{/* +Init container definition to recover log dir. +*/}} +{{- define "mongodb.initContainer.prepareLogDir" }} +- name: log-dir + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + ln -sf /dev/stdout "/opt/bitnami/mongodb/logs/mongodb.log" + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir +{{- end -}} + +{{/* +Init container definition to get external IP addresses. +*/}} +{{- define "mongodb.initContainers.autoDiscovery" -}} +- name: auto-discovery + image: {{ include "mongodb.externalAccess.autoDiscovery.image" . 
}} + imagePullPolicy: {{ .Values.externalAccess.autoDiscovery.image.pullPolicy | quote }} + # We need the service account token for contacting the k8s API + command: + - /scripts/auto-discovery.sh + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: SHARED_FILE + value: "/shared/info.txt" + {{- if .Values.externalAccess.autoDiscovery.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.externalAccess.autoDiscovery.resources "context" $) | nindent 12 }} + {{- else if ne .Values.externalAccess.autoDiscovery.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.autoDiscovery.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: shared + mountPath: /shared + - name: scripts + mountPath: /scripts/auto-discovery.sh + subPath: auto-discovery.sh + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir +{{- end -}} + +{{/* +Init container definition to wait external DNS names. +*/}} +{{- define "mongodb.initContainers.dnsCheck" -}} +- name: dns-check + image: {{ include "mongodb.externalAccess.dnsCheck.image" . }} + imagePullPolicy: {{ .Values.externalAccess.dnsCheck.image.pullPolicy | quote }} + command: + - /bin/bash + args: + - -ec + - | + # MONGODB_INITIAL_PRIMARY_HOST should be resolvable + while ! (getent ahosts "{{ include "mongodb.initialPrimaryHost" . 
}}" | grep STREAM); do + sleep 10 + done + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.externalAccess.dnsCheck.resources }} + resources: {{- toYaml .Values.externalAccess.dnsCheck.resources | nindent 12 }} + {{- else if ne .Values.externalAccess.dnsCheck.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.externalAccess.dnsCheck.resourcesPreset) | nindent 12 }} + {{- end }} +{{- end -}} + +{{/* +Return true if the Arbiter should be deployed +*/}} +{{- define "mongodb.arbiter.enabled" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.arbiter.enabled }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration for the Arbiter +*/}} +{{- define "mongodb.arbiter.configmapName" -}} +{{- if .Values.arbiter.existingConfigmap -}} + {{- printf "%s" (tpl .Values.arbiter.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-arbiter" (include "mongodb.fullname" .) 
-}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® Arbiter +*/}} +{{- define "mongodb.arbiter.createConfigmap" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.arbiter.enabled .Values.arbiter.configuration (not .Values.arbiter.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if the Hidden should be deployed +*/}} +{{- define "mongodb.hidden.enabled" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.hidden.enabled }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the configmap with the MongoDB® configuration for the Hidden +*/}} +{{- define "mongodb.hidden.configmapName" -}} +{{- if .Values.hidden.existingConfigmap -}} + {{- printf "%s" (tpl .Values.hidden.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-hidden" (include "mongodb.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for MongoDB® Hidden +*/}} +{{- define "mongodb.hidden.createConfigmap" -}} +{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.enabled .Values.hidden.configuration (not .Values.hidden.existingConfigmap) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "mongodb.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "mongodb.validateValues.pspAndRBAC" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.architecture" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.customUsersDBs" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.customUsersDBsLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessServiceType" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.loadBalancerIPsListLength" .) 
-}} +{{- $messages := append $messages (include "mongodb.validateValues.nodePortListLength" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.externalAccessAutoDiscoverySA" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.replicaset.existingSecrets" .) -}} +{{- $messages := append $messages (include "mongodb.validateValues.hidden.existingSecrets" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate RBAC is created when using PSP */}} +{{- define "mongodb.validateValues.pspAndRBAC" -}} +{{- if and (.Values.podSecurityPolicy.create) (not .Values.rbac.create) -}} +mongodb: podSecurityPolicy.create, rbac.create + Both podSecurityPolicy.create and rbac.create must be true, if you want + to create podSecurityPolicy +{{- end -}} +{{- end -}} + +{{/* Validate values of MongoDB® - must provide a valid architecture */}} +{{- define "mongodb.validateValues.architecture" -}} +{{- if and (ne .Values.architecture "standalone") (ne .Values.architecture "replicaset") -}} +mongodb: architecture + Invalid architecture selected. Valid values are "standalone" and + "replicaset". Please set a valid architecture (--set mongodb.architecture="xxxx") +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - both auth.usernames and auth.databases are necessary +to create a custom user and database during 1st initialization +*/}} +{{- define "mongodb.validateValues.customUsersDBs" -}} +{{- $customUsers := include "mongodb.customUsers" . -}} +{{- $customDatabases := include "mongodb.customDatabases" . 
-}} +{{- if or (and (empty $customUsers) (not (empty $customDatabases))) (and (not (empty $customUsers)) (empty $customDatabases)) }} +mongodb: auth.usernames, auth.databases + Both auth.usernames and auth.databases must be provided to create + custom users and databases during 1st initialization. + Please set both of them (--set auth.usernames[0]="xxxx",auth.databases[0]="yyyy") +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - both auth.usernames and auth.databases arrays should have the same length +to create a custom user and database during 1st initialization +*/}} +{{- define "mongodb.validateValues.customUsersDBsLength" -}} +{{- if ne (len .Values.auth.usernames) (len .Values.auth.databases) }} +mongodb: auth.usernames, auth.databases + Both auth.usernames and auth.databases arrays should have the same length +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - service type for external access +*/}} +{{- define "mongodb.validateValues.externalAccessServiceType" -}} +{{- if and (eq .Values.architecture "replicaset") (not (eq .Values.externalAccess.service.type "NodePort")) (not (eq .Values.externalAccess.service.type "LoadBalancer")) (not (eq .Values.externalAccess.service.type "ClusterIP")) -}} +mongodb: externalAccess.service.type + Available service type for external access are NodePort, LoadBalancer or ClusterIP. 
+{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - number of replicas must be the same than LoadBalancer IPs list +*/}} +{{- define "mongodb.validateValues.loadBalancerIPsListLength" -}} +{{- $replicaCount := int .Values.replicaCount }} +{{- $loadBalancerListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- $publicNamesListLength := len .Values.externalAccess.service.publicNames }} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "LoadBalancer") -}} +{{- if and (not .Values.externalAccess.autoDiscovery.enabled) (eq $loadBalancerListLength 0) (eq $publicNamesListLength 0) -}} +mongodb: .Values.externalAccess.service.loadBalancerIPs, .Values.externalAccess.service.publicNames + externalAccess.service.loadBalancerIPs, externalAccess.service.publicNames or externalAccess.autoDiscovery.enabled are required when externalAccess is enabled. +{{- else if and (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerListLength )) (not (eq $loadBalancerListLength 0)) -}} +mongodb: .Values.externalAccess.service.loadBalancerIPs + Number of replicas ({{ $replicaCount }}) and loadBalancerIPs array length ({{ $loadBalancerListLength }}) must be the same. +{{- else if and (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $publicNamesListLength )) (not (eq $publicNamesListLength 0)) -}} +mongodb: .Values.externalAccess.service.publicNames + Number of replicas ({{ $replicaCount }}) and publicNames array length ({{ $publicNamesListLength }}) must be the same. 
+{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - number of replicas must be the same than NodePort list +*/}} +{{- define "mongodb.validateValues.nodePortListLength" -}} +{{- $replicaCount := int .Values.replicaCount }} +{{- $nodePortListLength := len .Values.externalAccess.service.nodePorts }} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "NodePort") -}} +{{- if and (not .Values.externalAccess.autoDiscovery.enabled) (eq $nodePortListLength 0) -}} +mongodb: .Values.externalAccess.service.nodePorts + externalAccess.service.nodePorts or externalAccess.autoDiscovery.enabled are required when externalAccess is enabled. +{{- else if and (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $nodePortListLength )) -}} +mongodb: .Values.externalAccess.service.nodePorts + Number of replicas ({{ $replicaCount }}) and nodePorts ({{ $nodePortListLength }}) array length must be the same. +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - RBAC should be enabled when autoDiscovery is enabled +*/}} +{{- define "mongodb.validateValues.externalAccessAutoDiscoveryRBAC" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (not .Values.rbac.create ) }} +mongodb: rbac.create + By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true" + an initContainer will be used to autodetect the external IPs/ports by querying the + K8s API. Please note this initContainer requires specific RBAC resources. You can create them + by specifying "--set rbac.create=true". 
+{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - automountServiceAccountToken should be enabled when autoDiscovery is enabled +*/}} +{{- define "mongodb.validateValues.externalAccessAutoDiscoverySA" -}} +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (not .Values.automountServiceAccountToken ) }} +mongodb: automountServiceAccountToken + By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true" + an initContainer will be used to autodetect the external IPs/ports by querying the + K8s API. Please note this initContainer requires a service account to access K8S API. + You can attach it to the pod by specifying "--set automountServiceAccountToken=true". +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - Number of replicaset secrets must be the same than number of replicaset nodes. +*/}} +{{- define "mongodb.validateValues.replicaset.existingSecrets" -}} +{{- if and .Values.tls.enabled (eq .Values.architecture "replicaset") (not (empty .Values.tls.replicaset.existingSecrets)) }} +{{- $nbSecrets := len .Values.tls.replicaset.existingSecrets -}} +{{- if not (eq $nbSecrets (int .Values.replicaCount)) }} +mongodb: tls.replicaset.existingSecrets + tls.replicaset.existingSecrets Number of secrets and number of replicaset nodes must be the same. +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® - Number of hidden secrets must be the same than number of hidden nodes. +*/}} +{{- define "mongodb.validateValues.hidden.existingSecrets" -}} +{{- if and .Values.tls.enabled (include "mongodb.hidden.enabled" .) (not (empty .Values.tls.hidden.existingSecrets)) }} +{{- $nbSecrets := len .Values.tls.hidden.existingSecrets -}} +{{- if not (eq $nbSecrets (int .Values.hidden.replicaCount)) }} +mongodb: tls.hidden.existingSecrets + tls.hidden.existingSecrets Number of secrets and number of hidden nodes must be the same. 
+{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of MongoDB® exporter URI string - auth.enabled and/or tls.enabled must be enabled or it defaults +*/}} +{{- define "mongodb.mongodb_exporter.uri" -}} + {{- $tlsEnabled := .Values.tls.enabled -}} + {{- $mTlsEnabled := and $tlsEnabled .Values.tls.mTLS.enabled -}} + {{- $tlsArgs := "" -}} + {{- if $tlsEnabled -}} + {{- $tlsCertKeyFile := ternary "&tlsCertificateKeyFile=/certs/mongodb.pem" "" $mTlsEnabled -}} + {{- $tlsArgs = printf "tls=true%s&tlsCAFile=/certs/mongodb-ca-cert" $tlsCertKeyFile -}} + {{- end -}} + {{- if .Values.metrics.username -}} + {{- $uriAuth := ternary "$(echo $MONGODB_METRICS_USERNAME | sed -r \"s/@/%40/g;s/:/%3A/g\"):$(echo $MONGODB_METRICS_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} + {{- printf "mongodb://%s$(hostname -s):%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} + {{- else -}} + {{- $uriAuth := ternary "$MONGODB_ROOT_USER:$(echo $MONGODB_ROOT_PASSWORD | sed -r \"s/@/%40/g;s/:/%3A/g\")@" "" .Values.auth.enabled -}} + {{- printf "mongodb://%s$(hostname -s):%d/admin?%s" $uriAuth (int .Values.containerPorts.mongodb) $tlsArgs -}} + {{- end -}} +{{- end -}} + +{{/* +Return true if a TLS secret object should be created +*/}} +{{- define "mongodb.createTlsSecret" -}} +{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) (include "mongodb.autoGenerateCerts" .) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the secret containing MongoDB® TLS certificates +*/}} +{{- define "mongodb.tlsSecretName" -}} +{{- $secretName := .Values.tls.existingSecret -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s-ca" (include "mongodb.fullname" .) 
-}} +{{- end -}} +{{- end -}} + +{{/* +Return true if certificates must be auto generated +*/}} +{{- define "mongodb.autoGenerateCerts" -}} +{{- $standalone := (eq .Values.architecture "standalone") | ternary (not .Values.tls.standalone.existingSecret) true -}} +{{- $replicaset := (eq .Values.architecture "replicaset") | ternary (empty .Values.tls.replicaset.existingSecrets) true -}} +{{- $arbiter := (eq (include "mongodb.arbiter.enabled" .) "true") | ternary (not .Values.tls.arbiter.existingSecret) true -}} +{{- $hidden := (eq (include "mongodb.hidden.enabled" .) "true") | ternary (empty .Values.tls.hidden.existingSecrets) true -}} +{{- if and $standalone $replicaset $arbiter $hidden -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Generate argument list for mongodb-exporter +reference: https://github.com/percona/mongodb_exporter/blob/main/REFERENCE.md +*/}} +{{- define "mongodb.exporterArgs" -}} +{{- with .Values.metrics.collector -}} +{{- ternary " --collect-all" "" .all -}} +{{- ternary " --collector.diagnosticdata" "" .diagnosticdata -}} +{{- ternary " --collector.replicasetstatus" "" .replicasetstatus -}} +{{- ternary " --collector.dbstats" "" .dbstats -}} +{{- ternary " --collector.topmetrics" "" .topmetrics -}} +{{- ternary " --collector.indexstats" "" .indexstats -}} +{{- ternary " --collector.collstats" "" .collstats -}} +{{- if .collstatsColls -}} +{{- " --mongodb.collstats-colls=" -}} +{{- join "," .collstatsColls -}} +{{- end -}} +{{- if .indexstatsColls -}} +{{- " --mongodb.indexstats-colls=" -}} +{{- join "," .indexstatsColls -}} +{{- end -}} +{{- $limitArg := print " --collector.collstats-limit=" .collstatsLimit -}} +{{- ne (print .collstatsLimit) "0" | ternary $limitArg "" -}} +{{- end -}} +{{- ternary " --compatible-mode" "" .Values.metrics.compatibleMode -}} +{{- end -}} 
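Review bot: In `mongodb.mongodb_exporter.uri` (kubernetes/common/mongodb/templates/_helpers.tpl), the credentials are percent-encoded only by `sed -r "s/@/%40/g;s/:/%3A/g"`, so a password containing `/`, `?`, `#` or `%` still yields a connection string that is malformed or parsed differently from what was intended, and in the branch without `metrics.username` the `$MONGODB_ROOT_USER` part is not encoded at all. The `$(echo $MONGODB_ROOT_PASSWORD | sed ...)` and `$(echo $MONGODB_METRICS_PASSWORD | sed ...)` substitutions also expand the variable unquoted, so whitespace and glob characters in the secret go through word splitting and pathname expansion before `sed` sees them. Suggest quoting the expansions and encoding the full reserved set in one place, or passing the user and password to the exporter separately from the URI if the exporter version in use supports that, and omitting the trailing `?` when `$tlsArgs` is empty. Two related points in the same hunk: `mongodb.customPasswords` joins the values with `,`, so a password that contains a comma cannot be told apart from two passwords by whatever consumes the string; and the `dns-check` loop `while ! (getent ahosts ... | grep STREAM); do sleep 10; done` has no upper bound, so an unresolvable `externalAccess.service.publicNames` entry leaves the pod in Init indefinitely with no explicit failure. A bounded retry count with a non-zero exit and a message would make that failure visible.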
diff --git a/kubernetes/common/mongodb/templates/arbiter/configmap.yaml b/kubernetes/common/mongodb/templates/arbiter/configmap.yaml new file mode 100644 index 0000000000..a3b3f4c024 --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/configmap.yaml @@ -0,0 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mongodb.conf: |- + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.configuration "context" $) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/arbiter/headless-svc.yaml b/kubernetes/common/mongodb/templates/arbiter/headless-svc.yaml new file mode 100644 index 0000000000..088eaf4516 --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/headless-svc.yaml 
@@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.enabled" .) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.arbiter.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if or .Values.arbiter.service.headless.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + ports: + - name: tcp-mongodb + port: {{ .Values.arbiter.service.ports.mongodb }} + targetPort: mongodb + {{- if .Values.arbiter.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter +{{- end }} diff --git a/kubernetes/common/mongodb/templates/arbiter/pdb.yaml b/kubernetes/common/mongodb/templates/arbiter/pdb.yaml new file mode 100644 index 0000000000..0799eead48 --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/pdb.yaml 
@@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.arbiter.enabled" .) .Values.arbiter.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.arbiter.pdb.minAvailable }} + minAvailable: {{ .Values.arbiter.pdb.minAvailable }} + {{- end }} + {{- if or .Values.arbiter.pdb.maxUnavailable (not .Values.arbiter.pdb.minAvailable) }} + maxUnavailable: {{ .Values.arbiter.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: arbiter +{{- end }} diff --git a/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml new file mode 100644 index 0000000000..d89d583807 --- /dev/null +++ b/kubernetes/common/mongodb/templates/arbiter/statefulset.yaml 
@@ -0,0 +1,339 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.arbiter.enabled" .) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-arbiter" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: arbiter + {{- if or .Values.arbiter.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.arbiter.service.nameOverride" . }} + podManagementPolicy: {{ .Values.arbiter.podManagementPolicy }} + replicas: 1 + {{- if .Values.arbiter.updateStrategy }} + updateStrategy: {{- toYaml .Values.arbiter.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.arbiter.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: arbiter + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: arbiter + {{- if or (include "mongodb.arbiter.createConfigmap" .) .Values.arbiter.podAnnotations .Values.passwordUpdateJob.enabled }} + annotations: + {{- if (include "mongodb.arbiter.createConfigmap" .) 
}} + checksum/configuration: {{ include (print $.Template.BasePath "/arbiter/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.passwordUpdateJob.enabled }} + charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }} + {{- end }} + {{- if .Values.arbiter.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.arbiter.schedulerName }} + schedulerName: {{ .Values.arbiter.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . }} + {{- if .Values.arbiter.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.arbiter.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.arbiter.nodeAffinityPreset.type "key" .Values.arbiter.nodeAffinityPreset.key "values" .Values.arbiter.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.arbiter.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.nodeSelector "context" $) | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.arbiter.automountServiceAccountToken }} + {{- if .Values.arbiter.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if 
.Values.arbiter.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.arbiter.priorityClassName }} + priorityClassName: {{ .Values.arbiter.priorityClassName }} + {{- end }} + {{- if .Values.arbiter.runtimeClassName }} + runtimeClassName: {{ .Values.arbiter.runtimeClassName }} + {{- end }} + {{- if .Values.arbiter.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.arbiter.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{ if .Values.arbiter.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.arbiter.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + initContainers: + {{- if .Values.arbiter.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }} + {{- include "mongodb.initContainers.dnsCheck" . | nindent 8 }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) 
}} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.arbiter.service.nameOverride" . }} + {{- end }} + containers: + - name: mongodb-arbiter + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.arbiter.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.arbiter.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.arbiter.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.arbiter.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.arbiter.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MONGODB_REPLICA_SET_MODE + value: "arbiter" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ include "mongodb.initialPrimaryHost" . 
| quote }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).{{ include "mongodb.arbiter.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + - name: MONGODB_PORT_NUMBER + value: {{ .Values.arbiter.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + {{- if .Values.auth.enabled }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + - name: MONGODB_REPLICA_SET_KEY_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key" + {{- else }} + - name: MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-replica-set-key + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + {{- $extraFlags := .Values.arbiter.extraFlags | join " " -}} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.arbiter.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.arbiter.extraEnvVarsCM .Values.arbiter.extraEnvVarsSecret }} + envFrom: + {{- if .Values.arbiter.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.arbiter.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.arbiter.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.arbiter.extraEnvVarsSecret . 
| quote }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.arbiter.containerPorts.mongodb }} + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.arbiter.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - pgrep + - mongod + {{- end }} + {{- if .Values.arbiter.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.readinessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: mongodb + {{- end }} + {{- if .Values.arbiter.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.arbiter.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.arbiter.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.arbiter.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.resources "context" $) | nindent 12 }} + {{- else if ne .Values.arbiter.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.arbiter.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - 
name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /bitnami/mongodb + subPath: app-volume-dir + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.arbiter.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.arbiter.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.arbiter.emptyDir.sizeLimit }} + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + secret: + secretName: {{ include "mongodb.secretName" . }} + {{- end }} + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap .Values.arbiter.extraVolumes .Values.tls.enabled }} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0o555 + {{- if or .Values.arbiter.configuration .Values.arbiter.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.arbiter.configmapName" . }} + {{- end }} + {{- if and .Values.tls.enabled .Values.arbiter.enabled }} + - name: certs + emptyDir: + sizeLimit: 64Mi + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . 
}} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0o600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0o600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.arbiter.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if .Values.arbiter.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.arbiter.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/backup/cronjob.yaml b/kubernetes/common/mongodb/templates/backup/cronjob.yaml new file mode 100644 index 0000000000..a4bd5641fd --- /dev/null +++ b/kubernetes/common/mongodb/templates/backup/cronjob.yaml 
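Review bot: in the arbiter StatefulSet hunk above, the mongodb-arbiter container's default startupProbe execs /bitnami/scripts/startup-probe.sh, but that container's volumeMounts never mount common-scripts (only the generate-tls-certs init container does), and the common-scripts volume is only declared when arbiter.configuration, arbiter.existingConfigmap, arbiter.extraVolumes or tls.enabled is set. With arbiter.startupProbe.enabled the probe has no script to run, and the script's check (`db.hello().isWritablePrimary || db.hello().secondary`) is not one an arbiter member satisfies anyway. Suggest a tcpSocket probe on port mongodb, as the readiness probe already uses, or mounting common-scripts in the main container together with an arbiter-aware check. Separately, the generate-tls-certs init container mounts certs-volume, which carries mongodb-ca-key, yet gets neither a securityContext nor resources; render arbiter.containerSecurityContext for it as is done for the main container.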
@@ -0,0 +1,235 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.backup.enabled }} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ include "mongodb.fullname" . }}-mongodump + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} +spec: + schedule: {{ quote .Values.backup.cronjob.schedule }} + {{- if .Values.backup.cronjob.timeZone }} + timeZone: {{ .Values.backup.cronjob.timeZone | quote }} + {{- end }} + concurrencyPolicy: {{ .Values.backup.cronjob.concurrencyPolicy }} + failedJobsHistoryLimit: {{ .Values.backup.cronjob.failedJobsHistoryLimit }} + successfulJobsHistoryLimit: {{ .Values.backup.cronjob.successfulJobsHistoryLimit }} + {{- if .Values.backup.cronjob.startingDeadlineSeconds }} + startingDeadlineSeconds: {{ .Values.backup.cronjob.startingDeadlineSeconds }} + {{- end }} + jobTemplate: + spec: + {{- if .Values.backup.cronjob.backoffLimit }} + backoffLimit: {{ .Values.backup.cronjob.backoffLimit }} + {{- end }} + {{- if .Values.backup.cronjob.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ 
.Values.backup.cronjob.ttlSecondsAfterFinished }} + {{- end }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 12 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 12 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations }} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 12 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 10 }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 12 }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- if .Values.tls.enabled }} + initContainers: + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) 
}} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . }} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if or .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames }} + - -n {{ join "," ( concat .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames ) }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 16 }} + {{- end }} + {{- end }} + containers: + - name: {{ include "mongodb.fullname" . }}-mongodump + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + {{- if .Values.auth.enabled }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + {{- else }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- end }} + {{- end }} + - name: MONGODB_SERVICE_NAME + value: {{ include "mongodb.service.nameOverride" . 
}} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODUMP_DIR + value: {{ .Values.backup.cronjob.storage.mountPath }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --ssl --sslPEMKeyFile=/certs/mongodb.pem --sslCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.backup.cronjob.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.command "context" $) | nindent 14 }} + {{- else }} + command: + - /bin/bash + - -c + - | + {{- if and .Values.auth.enabled .Values.usePasswordFiles }} + export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)" + {{- end }} + mongodump {{- if .Values.auth.enabled }} --username=${MONGODB_ROOT_USER} --password=${MONGODB_ROOT_PASSWORD} --authenticationDatabase=admin {{- end }} --host=${MONGODB_SERVICE_NAME} --port=${MONGODB_PORT_NUMBER} ${MONGODB_CLIENT_EXTRA_FLAGS} {{- if (eq $.Values.architecture "replicaset") }}--oplog{{- end }} --gzip --archive=${MONGODUMP_DIR}/mongodump-$(date '+%Y-%m-%d-%H-%M').gz + {{- end }} + {{- if .Values.backup.cronjob.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.resources "context" $) | nindent 14 }} + {{- else if ne .Values.backup.cronjob.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.backup.cronjob.resourcesPreset) | nindent 14 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- if (include "mongodb.autoGenerateCerts" .) 
}} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + {{- end }} + - name: datadir + mountPath: {{ .Values.backup.cronjob.storage.mountPath }} + subPath: {{ .Values.backup.cronjob.storage.subPath }} + {{- if .Values.backup.cronjob.containerSecurityContext.enabled }} + securityContext: + {{- include "common.tplvalues.render" ( dict "value" ( omit .Values.backup.cronjob.containerSecurityContext "enabled" ) "context" $) | nindent 14 }} + {{- end }} + restartPolicy: {{ .Values.backup.cronjob.restartPolicy }} + volumes: + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.backup.emptyDir.sizeLimit }} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0o550 + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + secret: + secretName: {{ include "mongodb.secretName" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: + sizeLimit: 64Mi + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0o600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0o600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.standalone.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if .Values.backup.cronjob.storage.existingClaim }} + - name: datadir + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.backup.cronjob.storage.existingClaim .) }} + {{- else }} + - name: datadir + persistentVolumeClaim: + claimName: {{ include "mongodb.fullname" . }}-mongodump + {{- end }} +{{- end }} 
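Review bot: the default command of the mongodump container in backup/cronjob.yaml passes the root password as `--password=${MONGODB_ROOT_PASSWORD}`, so after shell expansion it sits in mongodump's argv and is readable from the process list for the whole dump, and the unquoted expansion breaks on passwords containing whitespace or glob characters. This also undoes usePasswordFiles, because the file content is exported and then placed back on the command line. Suggest writing the password to a mode 0600 file under /tmp and handing it to mongodump through its --config option, and quoting the remaining expansions. In the same container, the volumeMounts include certs-volume at /certs/CAs, which carries mongodb-ca-key; only the init container needs the CA key, so drop that mount from the mongodump container, as the arbiter's main container already does.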
diff --git a/kubernetes/common/mongodb/templates/backup/pvc.yaml b/kubernetes/common/mongodb/templates/backup/pvc.yaml new file mode 100644 index 0000000000..583ea41162 --- /dev/null +++ b/kubernetes/common/mongodb/templates/backup/pvc.yaml 
@@ -0,0 +1,41 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.backup.enabled (not .Values.backup.cronjob.storage.existingClaim) -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "mongodb.fullname" . }}-mongodump + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: mongodump + {{- if .Values.backup.cronjob.labels }} + {{- include "common.tplvalues.render" (dict "value" .Values.backup.cronjob.labels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if or .Values.backup.cronjob.annotations .Values.commonAnnotations .Values.backup.cronjob.storage.resourcePolicy}} + annotations: + {{- if .Values.backup.cronjob.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.backup.cronjob.annotations "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.backup.cronjob.storage.resourcePolicy }} + helm.sh/resource-policy: {{ .Values.backup.cronjob.storage.resourcePolicy | quote }} + {{- end }} + {{- end }} +spec: + accessModes: + {{- range .Values.backup.cronjob.storage.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.backup.cronjob.storage.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.backup.cronjob.storage "global" .Values.global) | nindent 2 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/common-scripts-cm.yaml b/kubernetes/common/mongodb/templates/common-scripts-cm.yaml new file mode 100644 index 0000000000..6f65de402b --- /dev/null 
+++ b/kubernetes/common/mongodb/templates/common-scripts-cm.yaml 
@@ -0,0 +1,143 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- $fullname := include "mongodb.fullname" . }} + startup-probe.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' + {{- end }} + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval 'if (!(db.hello().isWritablePrimary || db.hello().secondary)) { throw new Error("Not ready") }' + readiness-probe.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' + {{- end }} + # Run the proper check depending on the version + [[ $(mongod -version | grep "db version") =~ ([0-9]+\.[0-9]+\.[0-9]+) ]] && VERSION=${BASH_REMATCH[1]} + . 
/opt/bitnami/scripts/libversion.sh + VERSION_MAJOR="$(get_sematic_version "$VERSION" 1)" + VERSION_MINOR="$(get_sematic_version "$VERSION" 2)" + VERSION_PATCH="$(get_sematic_version "$VERSION" 3)" + readiness_test='db.isMaster().ismaster || db.isMaster().secondary' + if [[ ( "$VERSION_MAJOR" -ge 5 ) || ( "$VERSION_MAJOR" -ge 4 && "$VERSION_MINOR" -ge 4 && "$VERSION_PATCH" -ge 2 ) ]]; then + readiness_test='db.hello().isWritablePrimary || db.hello().secondary' + fi + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "if (!(${readiness_test})) { throw new Error(\"Not ready\") }" + ping-mongodb.sh: | + #!/bin/bash + {{- if .Values.tls.enabled }} + # Probes are using localhost/127.0.0.1 to tests if the service is up, ready or healthy. If TLS is enabled, we shouldn't validate the certificate hostname. + TLS_OPTIONS='--tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert --tlsAllowInvalidHostnames' + {{- end }} + exec mongosh $TLS_OPTIONS --port $MONGODB_PORT_NUMBER --eval "db.adminCommand('ping')" + {{- if .Values.tls.enabled }} + generate-certs.sh: | + #!/bin/bash + {{- if (include "mongodb.autoGenerateCerts" .) }} + additional_ips=() + additional_names=() + while getopts "i:n:s:" flag + do + case "${flag}" in + i) read -a additional_ips <<< ${OPTARG//,/ } ;; + n) read -a additional_names <<< ${OPTARG//,/ } ;; + s) svc=${OPTARG// /} ;; + \?) 
exit 1 ;; + esac + done + + my_hostname=$(hostname) + cp /certs/CAs/* /certs/ + cat >/certs/openssl.cnf <>/certs/openssl.cnf <>/certs/openssl.cnf < /certs/mongodb.pem + cd /certs/ + shopt -s extglob + rm -rf !(mongodb-ca-cert|mongodb.pem|CAs|openssl.cnf) + chmod 0600 mongodb-ca-cert mongodb.pem + {{- else }} + {{- if eq .Values.architecture "standalone" }} + ID="0" + {{- else }} + if [[ "$MY_POD_NAME" =~ "arbiter-0"$ ]]; then + ID="0" + elif [[ "$MY_POD_NAME" =~ "hidden-"[0-9]{1,}$ ]]; then + ID="${MY_POD_NAME#"{{ printf "%s-hidden-" $fullname }}"}" + else + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + fi + {{- end }} + + {{- if .Values.tls.pemChainIncluded }} + #Split the pem chain by the END CERTIFICATE string and store in files /certs/xx00, /certs/xx01 etc. + cat /certs-${ID}/tls.crt | csplit - -s -z '/\-*END CERTIFICATE\-*/+1' '{*}' -f /certs/xx + + #Use first certificate as leaf node and combine with key to store in pem file + cat "/certs/xx00" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" + + #Use remaining intermediate certificates for ca.crt + echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat > "/certs/mongodb-ca-cert" + + rm -rf /certs/xx* + {{- else }} + cat "/certs-${ID}/tls.crt" "/certs-${ID}/tls.key" > "/certs/mongodb.pem" + cp "/certs-${ID}/ca.crt" "/certs/mongodb-ca-cert" + {{- end }} + + chmod 0600 /certs/mongodb-ca-cert /certs/mongodb.pem + {{- end }} + {{- end }} diff --git a/kubernetes/common/mongodb/templates/configmap.yaml b/kubernetes/common/mongodb/templates/configmap.yaml new file mode 100644 index 0000000000..0110445489 --- /dev/null +++ b/kubernetes/common/mongodb/templates/configmap.yaml 
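Review bot: in generate-certs.sh (common-scripts-cm.yaml), pemChainIncluded branch, `echo $(find /certs/ -not -name 'xx00' -name 'xx*') | sort | xargs cat` joins every path onto one line before sort sees it, so sort is a no-op and the intermediates are concatenated into mongodb-ca-cert in whatever order find returns them; pipe find straight into sort instead (`find ... | sort | xargs cat`). In the same non-autogenerated branch, ID is derived from MY_POD_NAME whenever architecture is not standalone, but the backup CronJob's generate-tls-certs init container sets only MY_POD_NAMESPACE and MY_POD_HOST_IP and mounts the secret at /certs-0. With a replicaset and an existing TLS secret, ID expands to the empty string and the script reads from /certs-/; default ID to 0 when MY_POD_NAME is unset, or set MY_POD_NAME and the matching mount in the CronJob.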
@@ -0,0 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mongodb.conf: |- + {{- include "common.tplvalues.render" (dict "value" .Values.configuration "context" $) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/extra-list.yaml b/kubernetes/common/mongodb/templates/extra-list.yaml new file mode 100644 index 0000000000..329f5c653a --- /dev/null +++ b/kubernetes/common/mongodb/templates/extra-list.yaml @@ -0,0 +1,9 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/hidden/configmap.yaml b/kubernetes/common/mongodb/templates/hidden/configmap.yaml new file mode 100644 index 0000000000..fb26bdd3c8 --- /dev/null +++ b/kubernetes/common/mongodb/templates/hidden/configmap.yaml 
@@ -0,0 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.hidden.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-hidden" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + mongodb.conf: |- + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.configuration "context" $) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/hidden/external-access-svc.yaml b/kubernetes/common/mongodb/templates/hidden/external-access-svc.yaml new file mode 100644 index 0000000000..4cfa5314e3 --- /dev/null +++ b/kubernetes/common/mongodb/templates/hidden/external-access-svc.yaml 
@@ -0,0 +1,69 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.hidden.enabled" .) .Values.externalAccess.hidden.enabled }} +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.hidden.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-hidden-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-hidden-%d-external" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + pod: {{ $targetPod }} + {{- if or $root.Values.externalAccess.hidden.service.annotations $root.Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.externalAccess.hidden.service.annotations $root.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $root.Values.externalAccess.hidden.service.type }} + {{- if eq $root.Values.externalAccess.hidden.service.type "LoadBalancer" }} + {{- if not (empty $root.Values.externalAccess.hidden.service.loadBalancerIPs) }} + loadBalancerIP: {{ index $root.Values.externalAccess.hidden.service.loadBalancerIPs $i }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.loadBalancerClass }} + loadBalancerClass: {{ $root.Values.externalAccess.hidden.service.loadBalancerClass }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.hidden.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + allocateLoadBalancerNodePorts: {{ 
$root.Values.externalAccess.hidden.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if (or (eq $root.Values.externalAccess.hidden.service.type "LoadBalancer") (eq $root.Values.externalAccess.hidden.service.type "NodePort")) }} + externalTrafficPolicy: {{ $root.Values.externalAccess.hidden.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.sessionAffinity }} + sessionAffinity: {{ $root.Values.externalAccess.hidden.service.sessionAffinity }} + {{- end }} + {{- if $root.Values.externalAccess.hidden.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.hidden.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + publishNotReadyAddresses: true + ports: + - name: {{ $root.Values.externalAccess.hidden.service.portName | quote }} + port: {{ $root.Values.externalAccess.hidden.service.ports.mongodb }} + {{- if not (empty $root.Values.externalAccess.hidden.service.nodePorts) }} + {{- $nodePort := index $root.Values.externalAccess.hidden.service.nodePorts $i }} + nodePort: {{ $nodePort }} + {{- else }} + nodePort: null + {{- end }} + targetPort: mongodb + {{- if $root.Values.externalAccess.hidden.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.hidden.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.hidden.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} 
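Review bot: In templates/hidden/external-access-svc.yaml, `loadBalancerSourceRanges` is rendered only when the value is set, so with `service.type` set to `LoadBalancer` and the list left empty, every hidden MongoDB pod gets its own external Service (with `publishNotReadyAddresses: true`) and no source restriction in the manifest. Consider failing the render, or requiring an explicit opt-out value, when `externalAccess.hidden.enabled` is true and the list is empty. Separately, `index ... loadBalancerIPs $i` and `index ... nodePorts $i` are guarded only by `not (empty ...)`, so a list shorter than `hidden.replicaCount` aborts templating with an index error; a length check with a clear `fail` message would be easier to diagnose.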
diff --git a/kubernetes/common/mongodb/templates/hidden/headless-svc.yaml b/kubernetes/common/mongodb/templates/hidden/headless-svc.yaml new file mode 100644 index 0000000000..a2af5197ff --- /dev/null +++ b/kubernetes/common/mongodb/templates/hidden/headless-svc.yaml @@ -0,0 +1,32 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.hidden.enabled" .) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.hidden.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if or .Values.hidden.service.headless.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: {{ .Values.hidden.service.portName | quote }} + port: {{ .Values.hidden.service.ports.mongodb }} + targetPort: mongodb + {{- if .Values.hidden.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden +{{- end }} diff --git a/kubernetes/common/mongodb/templates/hidden/pdb.yaml b/kubernetes/common/mongodb/templates/hidden/pdb.yaml new file mode 100644 index 0000000000..91250677fa 
--- /dev/null +++ b/kubernetes/common/mongodb/templates/hidden/pdb.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "mongodb.hidden.enabled" .) .Values.hidden.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ printf "%s-hidden" (include "mongodb.fullname" . )}} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.hidden.pdb.minAvailable }} + minAvailable: {{ .Values.hidden.pdb.minAvailable }} + {{- end }} + {{- if or .Values.hidden.pdb.maxUnavailable (not .Values.hidden.pdb.minAvailable) }} + maxUnavailable: {{ .Values.hidden.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: hidden +{{- end }} diff --git a/kubernetes/common/mongodb/templates/hidden/statefulset.yaml b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml new file mode 100644 index 0000000000..64b57f3db0 --- /dev/null +++ b/kubernetes/common/mongodb/templates/hidden/statefulset.yaml 
@@ -0,0 +1,606 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.hidden.enabled" .) }} +{{- $replicaCount := int .Values.hidden.replicaCount }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.hidden.service.loadBalancerIPs }} +{{- if not (and .Values.externalAccess.hidden.enabled (not .Values.externalAccess.autoDiscovery.enabled) (not (eq $replicaCount $loadBalancerIPListLength )) (eq .Values.externalAccess.hidden.service.type "LoadBalancer")) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ printf "%s-hidden" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: hidden + {{- if or .Values.hidden.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.hidden.service.nameOverride" . }} + podManagementPolicy: {{ .Values.hidden.podManagementPolicy }} + replicas: {{ .Values.hidden.replicaCount }} + {{- if .Values.hidden.updateStrategy }} + updateStrategy: {{- toYaml .Values.hidden.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.hidden.podLabels .Values.commonLabels ) "context" . 
) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: hidden + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: hidden + {{- if or (include "mongodb.hidden.createConfigmap" .) .Values.hidden.podAnnotations .Values.passwordUpdateJob.enabled }} + annotations: + {{- if (include "mongodb.hidden.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/hidden/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.passwordUpdateJob.enabled }} + charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }} + {{- end }} + {{- if .Values.hidden.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.hidden.schedulerName }} + schedulerName: {{ .Values.hidden.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . 
}} + automountServiceAccountToken: {{ .Values.hidden.automountServiceAccountToken }} + {{- if .Values.hidden.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAffinityPreset "component" "hidden" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.hidden.podAntiAffinityPreset "component" "hidden" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.hidden.nodeAffinityPreset.type "key" .Values.hidden.nodeAffinityPreset.key "values" .Values.hidden.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.hidden.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.hidden.priorityClassName }} + priorityClassName: {{ .Values.hidden.priorityClassName }} + {{- end }} + {{- if .Values.hidden.runtimeClassName }} + runtimeClassName: {{ .Values.hidden.runtimeClassName }} + {{- end }} + {{- if .Values.hidden.podSecurityContext.enabled }} + securityContext: {{- include 
"common.compatibility.renderSecurityContext" (dict "secContext" .Values.hidden.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{ if .Values.hidden.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.hidden.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + initContainers: + {{- if .Values.hidden.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.hidden.persistence.enabled }} + {{- include "mongodb.initContainer.volumePermissions" . | indent 8 }} + {{- end }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + {{- include "mongodb.initContainers.autoDiscovery" . | indent 8 }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }} + {{- include "mongodb.initContainers.dnsCheck" . | indent 8 }} + {{- end }} + {{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + {{- if (include "mongodb.autoGenerateCerts" .) 
}} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + {{- range $index, $_ := .Values.tls.hidden.existingSecrets }} + - name: mongodb-certs-{{ $index }} + mountPath: /certs-{{ $index }} + {{- end }} + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.hidden.service.nameOverride" . }} + {{- if .Values.externalAccess.hidden.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.hidden.service.loadBalancerIPs }} + {{- end }} + {{- if or .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames }} + - -n {{ join "," ( concat .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames ) }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.hidden.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.hidden.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.hidden.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.command "context" $) | nindent 12 }} + {{- else }} + command: + - /scripts/setup-hidden.sh + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.hidden.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.hidden.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: SHARED_FILE + value: "/shared/info.txt" + {{- end }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MONGODB_REPLICA_SET_MODE + value: "hidden" + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ include "mongodb.initialPrimaryHost" . 
| quote }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.hidden.enabled) }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).{{ include "mongodb.hidden.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_EXTRA_PASSWORDS_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-passwords" + {{- else }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-passwords + {{- end }} + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + - name: MONGODB_REPLICA_SET_KEY_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key" + {{- else }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-replica-set-key + {{- end }} + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.hidden.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.hidden.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ 
end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.hidden.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.hidden.extraEnvVarsCM .Values.hidden.extraEnvVarsSecret }} + envFrom: + {{- if .Values.hidden.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.hidden.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.hidden.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.hidden.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - containerPort: {{ .Values.hidden.containerPorts.mongodb }} + name: mongodb + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.hidden.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- if .Values.hidden.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/readiness-probe.sh + {{- end }} + {{- if .Values.hidden.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.hidden.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.hidden.startupProbe "enabled") "context" $) | nindent 12 }} + 
exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.hidden.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.resources "context" $) | nindent 12 }} + {{- else if ne .Values.hidden.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.hidden.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: datadir + mountPath: {{ .Values.hidden.persistence.mountPath }} + subPath: {{ .Values.hidden.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + - name: scripts + mountPath: /scripts/setup-hidden.sh + subPath: setup-hidden.sh + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: shared + mountPath: /shared + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /.mongodb + subPath: mongosh-home + {{- if .Values.hidden.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumeMounts "context" $) | nindent 
12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + {{- if .Values.metrics.username }} + export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)" + {{- else }} + export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)" + {{- end }} + {{- end }} + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . 
}}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + {{- else }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- end }} + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + - name: empty-dir + mountPath: /opt/bitnami/redis-cluster/tmp + subPath: app-tmp-dir + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: 9216 + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: 
metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.hidden.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.hidden.emptyDir.sizeLimit }} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0o555 + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + secret: + secretName: {{ include "mongodb.secretName" . }} + {{- end }} + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . 
}} + {{- end }} + {{- if or .Values.hidden.configuration .Values.hidden.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.hidden.configmapName" . }} + {{- end }} + {{- if and .Values.externalAccess.hidden.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.hidden.service.type "LoadBalancer") }} + - name: shared + emptyDir: + sizeLimit: 64Mi + {{- end }} + - name: scripts + configMap: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0o755 + {{- if .Values.hidden.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: + sizeLimit: 64Mi + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0o600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0o600 + {{- else }} + {{- range $index, $secret := .Values.tls.hidden.existingSecrets }} + - name: mongodb-certs-{{ $index }} + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" $secret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- if not .Values.hidden.persistence.enabled }} + - name: datadir + {{- if .Values.hidden.persistence.medium }} + emptyDir: + medium: {{ .Values.hidden.persistence.medium | quote }} + sizeLimit: 64Mi + {{- else }} + emptyDir: + sizeLimit: 64Mi + {{- end }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: datadir + {{- if .Values.hidden.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.labels "context" $) | nindent 
10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.hidden.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.hidden.persistence.size | quote }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.requests }} + {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.hidden.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.hidden.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.hidden.persistence "global" .Values.global) }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/initialization-configmap.yaml b/kubernetes/common/mongodb/templates/initialization-configmap.yaml new file mode 100644 index 0000000000..2c1273cf68 --- /dev/null +++ b/kubernetes/common/mongodb/templates/initialization-configmap.yaml 
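Review bot: In templates/hidden/statefulset.yaml, the `metrics` container mounts `empty-dir` at `/opt/bitnami/redis-cluster/tmp` (subPath `app-tmp-dir`), which looks carried over from a different chart; point it at a path the exporter actually uses or drop the mount. Two further points in the same file: the `datadir` emptyDir used when `hidden.persistence.enabled` is false has `sizeLimit: 64Mi` hard-coded in both branches, which is very small for a MongoDB data directory and should come from values; and the volumeClaimTemplates `labels` block is gated on and rendered from `.Values.persistence.labels` while the neighbouring `annotations` block uses `.Values.hidden.persistence.annotations`, so labels set under `hidden.persistence` would be ignored.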
@@ -0,0 +1,19 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.initdbScripts (not .Values.initdbScriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-init-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: +{{- include "common.tplvalues.render" (dict "value" .Values.initdbScripts "context" .) | nindent 2 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/metrics-svc.yaml b/kubernetes/common/mongodb/templates/metrics-svc.yaml new file mode 100644 index 0000000000..b6bd266d86 --- /dev/null +++ b/kubernetes/common/mongodb/templates/metrics-svc.yaml 
@@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type }} + ports: + - port: {{ .Values.metrics.service.ports.metrics }} + targetPort: metrics + protocol: TCP + name: http-metrics + {{- if .Values.metrics.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/kubernetes/common/mongodb/templates/networkpolicy.yaml b/kubernetes/common/mongodb/templates/networkpolicy.yaml new file mode 100644 index 0000000000..4f64224ad1 --- /dev/null +++ b/kubernetes/common/mongodb/templates/networkpolicy.yaml 
@@ -0,0 +1,98 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotation }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.containerPorts.mongodb }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if (and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled) }} + {{- $kubernetesEndpoints := lookup "v1" "Endpoints" (include "common.names.namespace" .) 
"kubernetes" }} + {{- range $kubernetesEndpoints.subsets }} + # Allow connection to API server, required by auto-discovery containers + - ports: + {{- range .ports }} + - port: {{ .port }} + {{- end }} + to: + {{- range .addresses }} + - ipBlock: + cidr: {{ printf "%s/32" .ip }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.mongodb }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPort }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: mongodb + {{- if .Values.networkPolicy.addExternalClientAccess }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + {{- end }} + {{- if .Values.networkPolicy.ingressPodMatchLabels }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} + {{- $ingressNSMatchLabels := coalesce .Values.networkPolicy.ingressNSMatchLabels .Values.networkPolicy.namespaceSelector }} + {{- if $ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSMatchLabels "context" $ ) | nindent 14 }} + {{- $ingressNSPodMatchLabels := coalesce .Values.networkPolicy.ingressNSPodMatchLabels .Values.networkPolicy.podSelector }} + {{- if $ingressNSPodMatchLabels }} + podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" $ingressNSPodMatchLabels "context" $ ) | nindent 14 }} + {{- end }} + {{- end }} + {{- end }} + {{- $extraIngress := coalesce .Values.networkPolicy.extraIngress .Values.networkPolicy.customRules }} + {{- if $extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" $extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/prometheusrule.yaml b/kubernetes/common/mongodb/templates/prometheusrule.yaml new file mode 100644 index 0000000000..e0d0f2840b --- /dev/null +++ b/kubernetes/common/mongodb/templates/prometheusrule.yaml 
@@ -0,0 +1,23 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.prometheusRule.namespace" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.metrics.prometheusRule.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "mongodb.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/psp.yaml b/kubernetes/common/mongodb/templates/psp.yaml new file mode 100644 index 0000000000..4b93f4f7b6 --- /dev/null +++ b/kubernetes/common/mongodb/templates/psp.yaml 
@@ -0,0 +1,51 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: +{{- if .Values.podSecurityPolicy.spec }} +{{ include "common.tplvalues.render" ( dict "value" .Values.podSecurityPolicy.spec "context" $ ) | nindent 2 }} +{{- else }} + allowPrivilegeEscalation: {{ .Values.podSecurityPolicy.allowPrivilegeEscalation }} + fsGroup: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.podSecurityContext.fsGroup }} + max: {{ .Values.podSecurityContext.fsGroup }} + hostIPC: false + hostNetwork: false + hostPID: false + privileged: {{ .Values.podSecurityPolicy.privileged }} + readOnlyRootFilesystem: false + requiredDropCapabilities: + - ALL + runAsUser: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.containerSecurityContext.runAsUser }} + max: {{ .Values.containerSecurityContext.runAsUser }} + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: {{ .Values.containerSecurityContext.runAsUser }} + max: {{ .Values.containerSecurityContext.runAsUser }} + volumes: + - 'configMap' + - 'secret' + - 'emptyDir' + - 'persistentVolumeClaim' +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/external-access-svc.yaml b/kubernetes/common/mongodb/templates/replicaset/external-access-svc.yaml new file mode 100644 index 0000000000..400db8ebe1 --- /dev/null 
+++ b/kubernetes/common/mongodb/templates/replicaset/external-access-svc.yaml 
@@ -0,0 +1,73 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (not (eq .Values.externalAccess.service.type "ClusterIP")) }} +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-%d-external" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + pod: {{ $targetPod }} + {{- if or $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations $root.Values.externalAccess.service.annotationsList }} + {{- $exclusiveAnnotations := dict }} + {{- if gt (len $root.Values.externalAccess.service.annotationsList) $i }} + {{- $exclusiveAnnotations = index $root.Values.externalAccess.service.annotationsList $i }} + {{- end }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.externalAccess.service.annotations $root.Values.commonAnnotations $exclusiveAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ $root.Values.externalAccess.service.type }} + {{- if eq $root.Values.externalAccess.service.type "LoadBalancer" }} + {{- if not (empty $root.Values.externalAccess.service.loadBalancerIPs) }} + loadBalancerIP: {{ index $root.Values.externalAccess.service.loadBalancerIPs $i }} + {{- end }} + {{- if and (eq $root.Values.externalAccess.service.type "LoadBalancer") $root.Values.externalAccess.service.loadBalancerClass }} + 
loadBalancerClass: {{ $root.Values.externalAccess.service.loadBalancerClass }} + {{- end }} + {{- if $root.Values.externalAccess.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml $root.Values.externalAccess.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + allocateLoadBalancerNodePorts: {{ $root.Values.externalAccess.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if (or (eq $root.Values.externalAccess.service.type "LoadBalancer") (eq $root.Values.externalAccess.service.type "NodePort")) }} + externalTrafficPolicy: {{ $root.Values.externalAccess.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if $root.Values.externalAccess.service.sessionAffinity }} + sessionAffinity: {{ $root.Values.externalAccess.service.sessionAffinity }} + {{- end }} + {{- if $root.Values.externalAccess.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + publishNotReadyAddresses: true + ports: + - name: {{ $root.Values.externalAccess.service.portName | quote }} + port: {{ $root.Values.externalAccess.service.ports.mongodb }} + {{- if not (empty $root.Values.externalAccess.service.nodePorts) }} + {{- $nodePort := index $root.Values.externalAccess.service.nodePorts $i }} + nodePort: {{ $nodePort }} + {{- else }} + nodePort: null + {{- end }} + targetPort: mongodb + {{- if $root.Values.externalAccess.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.externalAccess.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + 
statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/headless-svc.yaml b/kubernetes/common/mongodb/templates/replicaset/headless-svc.yaml new file mode 100644 index 0000000000..eb6337d42c --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/headless-svc.yaml @@ -0,0 +1,32 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.commonAnnotations .Values.service.headless.annotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: {{ .Values.service.portName | quote }} + port: {{ .Values.service.ports.mongodb }} + targetPort: mongodb + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb +{{- end }} 
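Review bot: In kubernetes/common/mongodb/templates/networkpolicy.yaml the metadata guard reads `if or .Values.annotations .Values.commonAnnotation`, while the merge on the following line uses `.Values.commonAnnotations`. With the misspelled key the condition is false whenever only `commonAnnotations` is set, so those annotations are never rendered on the NetworkPolicy. Change the guard to `.Values.commonAnnotations`.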
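Review bot: In kubernetes/common/mongodb/templates/psp.yaml the `supplementalGroups` range takes both `min` and `max` from `.Values.containerSecurityContext.runAsUser`, which is a UID, while `fsGroup` just above it uses `.Values.podSecurityContext.fsGroup`. Unless the UID and the GID happen to be equal, the policy pins supplemental groups to the wrong ID; use the group value (or a dedicated setting) here. `seLinux` is left at `RunAsAny` and `readOnlyRootFilesystem` is hard-coded to `false`, so neither can be tightened without replacing the whole block through `podSecurityPolicy.spec`; exposing them as values would help.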
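Review bot: In kubernetes/common/mongodb/templates/replicaset/external-access-svc.yaml the lookups `index ...loadBalancerIPs $i` and `index ...nodePorts $i` are guarded only by `not (empty ...)`, so a list shorter than `replicaCount` aborts rendering with an index error, whereas `annotationsList` a few lines earlier is checked with `gt (len ...) $i`. Apply the same length check to both lists, or fail with an explicit message. The inner `and (eq ...service.type "LoadBalancer") ...loadBalancerClass` repeats the enclosing `if eq ... "LoadBalancer"` and can be reduced to the `loadBalancerClass` test. `loadBalancerSourceRanges` is optional, so the values documentation should say that leaving it unset publishes each member's Service without a source restriction.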
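Review bot: In kubernetes/common/mongodb/templates/replicaset/scripts-configmap.yaml the root password reaches `mongosh` as an unquoted `-p $MONGODB_ROOT_PASSWORD` argument, in `setup.sh` for the `ismaster` probe and in `replicaSetConfigurationSettings.sh` through the unquoted `${usernameAndPassword}` string. That places the secret on the process command line, and a password containing whitespace or glob characters is split into extra arguments. Keep the password out of argv and quote the expansions; a bash array for the optional TLS and auth arguments avoids the word splitting. In `setup-hidden.sh`, the NodePort branch calls `is_empty_value` although that script sources only `mongodb-env.sh`, whereas `setup.sh` also sources `libfs.sh`, `liblog.sh` and `libvalidations.sh` before using the same helper; confirm the helper is available there. The same branch reads `.Values.externalAccess.service.nodePorts` while the rest of the script uses `.Values.externalAccess.hidden.service`, which looks like a copy-over from `setup.sh`.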
diff --git a/kubernetes/common/mongodb/templates/replicaset/pdb.yaml b/kubernetes/common/mongodb/templates/replicaset/pdb.yaml new file mode 100644 index 0000000000..a193ed2c0a --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/pdb.yaml @@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (eq .Values.architecture "replicaset") .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/scripts-configmap.yaml b/kubernetes/common/mongodb/templates/replicaset/scripts-configmap.yaml new file mode 100644 index 0000000000..3e9f066707 --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/scripts-configmap.yaml 
@@ -0,0 +1,321 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- if and .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + auto-discovery.sh: |- + #!/bin/bash + + SVC_NAME="${MY_POD_NAME}-external" + + # Auxiliary functions + retry_while() { + local -r cmd="${1:?cmd is missing}" + local -r retries="${2:-12}" + local -r sleep_time="${3:-5}" + local return_value=1 + + read -r -a command <<< "$cmd" + for ((i = 1 ; i <= retries ; i+=1 )); do + "${command[@]}" && return_value=0 && break + sleep "$sleep_time" + done + return $return_value + } + k8s_svc_lb_ip() { + local namespace=${1:?namespace is missing} + local service=${2:?service is missing} + local service_ip=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].ip}") + local service_hostname=$(kubectl get svc "$service" -n "$namespace" -o jsonpath="{.status.loadBalancer.ingress[0].hostname}") + + if [[ -n ${service_ip} ]]; then + echo "${service_ip}" + else + echo "${service_hostname}" + fi + } + k8s_svc_lb_ip_ready() { + local namespace=${1:?namespace is missing} + local service=${2:?service is missing} + [[ -n "$(k8s_svc_lb_ip "$namespace" "$service")" ]] + } + # Wait until LoadBalancer IP is ready + retry_while 
"k8s_svc_lb_ip_ready {{ $releaseNamespace }} $SVC_NAME" || exit 1 + # Obtain LoadBalancer external IP + k8s_svc_lb_ip "{{ $releaseNamespace }}" "$SVC_NAME" | tee "$SHARED_FILE" + {{- end }} + setup.sh: |- + #!/bin/bash + + . /opt/bitnami/scripts/mongodb-env.sh + . /opt/bitnami/scripts/libfs.sh + . /opt/bitnami/scripts/liblog.sh + . /opt/bitnami/scripts/libvalidations.sh + + {{- if .Values.externalAccess.enabled }} + {{- if eq .Values.externalAccess.service.type "LoadBalancer" }} + {{- if .Values.externalAccess.autoDiscovery.enabled }} + export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" + {{- else }} + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ coalesce .Values.externalAccess.service.publicNames .Values.externalAccess.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- end }} + {{- else if eq .Values.externalAccess.service.type "NodePort" }} + ID="${MY_POD_NAME#"{{ $fullname }}-"}" + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + fi + {{- if .Values.externalAccess.service.domain }} + export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.service.domain }} + {{- else }} + export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.replicaSetConfigurationSettings.enabled }} + # placed here before root password env is overwritten + # makes no assumption about starting state + # ensures that any stepDown or non-default starting state is handled + /scripts/replicaSetConfigurationSettings.sh & + {{- end }} + + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER="$MONGODB_PORT_NUMBER" + fi + + info "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" + info "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" + + # Check for existing replica set in 
case there is no data in the PVC + # This is for cases where the PVC is lost or for MongoDB caches without + # persistence + current_primary="" + if is_dir_empty "${MONGODB_DATA_DIR}/db"; then + info "Data dir empty, checking if the replica set already exists" + {{- $replicaCount := int .Values.replicaCount }} + {{- $portNumber := int .Values.service.ports.mongodb }} + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- $clusterDomain := .Values.clusterDomain }} + {{- $mongoList := list }} + {{- range $e, $i := until $replicaCount }} + {{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%d" $fullname $i $fullname $releaseNamespace $clusterDomain $portNumber) }} + {{- end }} + + {{- if .Values.externalAccess.externalMaster.enabled }} + current_primary={{ printf "%s:%d" (.Values.externalAccess.externalMaster.host) ( int .Values.externalAccess.externalMaster.port) }} + {{- else }} + current_primary=$(mongosh admin --host "{{ join "," $mongoList }}" {{- if .Values.auth.enabled }} --authenticationDatabase admin -u $MONGODB_ROOT_USER -p $MONGODB_ROOT_PASSWORD{{- end }}{{- if .Values.tls.enabled}} --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert{{- end }} --eval 'db.runCommand("ismaster")' | awk -F\' '/primary:/ {print $2}') + {{- end }} + if ! is_empty_value "$current_primary"; then + info "Detected existing primary: ${current_primary}" + fi + fi + + if ! is_empty_value "$current_primary" && [[ "$MONGODB_ADVERTISED_HOSTNAME:$MONGODB_ADVERTISED_PORT_NUMBER" == "$current_primary" ]]; then + info "Advertised name matches current primary, configuring node as a primary" + export MONGODB_REPLICA_SET_MODE="primary" + elif ! is_empty_value "$current_primary" && [[ "$MONGODB_ADVERTISED_HOSTNAME:$MONGODB_ADVERTISED_PORT_NUMBER" != "$current_primary" ]]; then + info "Current primary is different from this node. 
Configuring the node as replica of ${current_primary}" + export MONGODB_REPLICA_SET_MODE="secondary" + export MONGODB_INITIAL_PRIMARY_HOST="${current_primary%:*}" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="${current_primary#*:}" + export MONGODB_SET_SECONDARY_OK="yes" + elif [[ "$MY_POD_NAME" = "{{ $fullname }}-0" ]]; then + info "Pod name matches initial primary pod name, configuring node as a primary" + export MONGODB_REPLICA_SET_MODE="primary" + else + info "Pod name doesn't match initial primary pod name, configuring node as a secondary" + export MONGODB_REPLICA_SET_MODE="secondary" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" + fi + + if [[ "$MONGODB_REPLICA_SET_MODE" == "secondary" ]]; then + export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" + export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" + export MONGODB_ROOT_PASSWORD="" + export MONGODB_EXTRA_USERNAMES="" + export MONGODB_EXTRA_DATABASES="" + export MONGODB_EXTRA_PASSWORDS="" + export MONGODB_ROOT_PASSWORD_FILE="" + export MONGODB_EXTRA_USERNAMES_FILE="" + export MONGODB_EXTRA_DATABASES_FILE="" + export MONGODB_EXTRA_PASSWORDS_FILE="" + fi + exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + setup-hidden.sh: |- + #!/bin/bash + + . 
/opt/bitnami/scripts/mongodb-env.sh + + {{- if .Values.externalAccess.hidden.enabled }} + {{- if eq .Values.externalAccess.hidden.service.type "LoadBalancer" }} + {{- if .Values.externalAccess.autoDiscovery.enabled }} + export MONGODB_ADVERTISED_HOSTNAME="$(<${SHARED_FILE})" + {{- else }} + ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" + export MONGODB_ADVERTISED_HOSTNAME=$(echo '{{ .Values.externalAccess.hidden.service.loadBalancerIPs }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + {{- end }} + {{- else if eq .Values.externalAccess.hidden.service.type "NodePort" }} + ID="${MY_POD_NAME#"{{ $fullname }}-hidden-"}" + if is_empty_value "$MONGODB_ADVERTISED_PORT_NUMBER"; then + export MONGODB_ADVERTISED_PORT_NUMBER=$(echo '{{ .Values.externalAccess.service.nodePorts }}' | tr -d '[]' | cut -d ' ' -f "$(($ID + 1))") + fi + {{- if .Values.externalAccess.hidden.service.domain }} + export MONGODB_ADVERTISED_HOSTNAME={{ .Values.externalAccess.hidden.service.domain }} + {{- else }} + export MONGODB_ADVERTISED_HOSTNAME=$MY_POD_HOST_IP + {{- end }} + {{- end }} + {{- end }} + + {{- if .Values.replicaSetConfigurationSettings.enabled }} + # placed here before root password env is overwritten + # makes no assumption about starting state + # ensures that any stepDown or non-default starting state is handled + /scripts/replicaSetConfigurationSettings.sh & + {{- end }} + + echo "Advertised Hostname: $MONGODB_ADVERTISED_HOSTNAME" + echo "Advertised Port: $MONGODB_ADVERTISED_PORT_NUMBER" + echo "Configuring node as a hidden node" + export MONGODB_REPLICA_SET_MODE="hidden" + export MONGODB_INITIAL_PRIMARY_ROOT_USER="$MONGODB_ROOT_USER" + export MONGODB_INITIAL_PRIMARY_ROOT_PASSWORD="$MONGODB_ROOT_PASSWORD" + export MONGODB_INITIAL_PRIMARY_PORT_NUMBER="$MONGODB_PORT_NUMBER" + export MONGODB_ROOT_PASSWORD="" + export MONGODB_EXTRA_USERNAMES="" + export MONGODB_EXTRA_DATABASES="" + export MONGODB_EXTRA_PASSWORDS="" + export MONGODB_ROOT_PASSWORD_FILE="" + export 
MONGODB_EXTRA_USERNAMES_FILE="" + export MONGODB_EXTRA_DATABASES_FILE="" + export MONGODB_EXTRA_PASSWORDS_FILE="" + exec /opt/bitnami/scripts/mongodb/entrypoint.sh /opt/bitnami/scripts/mongodb/run.sh + {{- if .Values.replicaSetConfigurationSettings.enabled }} + replicaSetConfigurationSettings.sh: |- + #!/bin/bash + # This script to be called when pod starts. + # This script sets rs settings which can not be applied via conf file + + function logger () + #$1 is the line to be logged + { + echo "replicaSetConfigurationSettings.sh -- ${1}" >&1 + } + + SLEEP_PERIOD=10 + + {{- if and .Values.auth.enabled (or .Values.auth.rootPassword .Values.auth.existingSecret)}} + usernameAndPassword="{{- if .Values.tls.enabled}} --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert{{- end }} -u ${MONGODB_ROOT_USER} -p ${MONGODB_ROOT_PASSWORD}" + {{- else }} + usernameAndPassword="" + {{- end }} + + # load Values.replicaSetConfigurationSettings.configuration into associtive array which makes iterating and string manipulation easy + declare -A desiredRsConf + {{ range $setting, $value := .Values.replicaSetConfigurationSettings.configuration -}} + {{ printf "desiredRsConf[%s]='%v'" $setting $value }} + {{ end }} + + rsConfWriteAttempts=0 + rs_conf_configured_ok=unknown + + while [[ "${rs_conf_configured_ok}" != "true" ]]; do + + # give the rs setup a chance to succeed before attempting to read or configure + sleep ${SLEEP_PERIOD} + + counter=0 + while ! mongosh ${usernameAndPassword} --eval 'rs.conf()'; do + counter=$((${counter} +1)) + logger "not yet able to read rs.conf settings from the currently running rs (after ${counter} attempts)" + sleep ${SLEEP_PERIOD} + done + counter=$((${counter} +1)) + logger "rs.conf settings have been read from the currently running rs (after ${counter} attempts)" + + # read rs.conf again and store it. 
settings format is '"" : ,' + currentRsConf=$(mongosh ${usernameAndPassword} --eval 'rs.conf()') + + desiredEqualsActual=unknown + settingsToConfigure="" + for key in ${!desiredRsConf[@]}; do + value=${desiredRsConf[$key]} + if [[ $key =~ ^members\[[0-9]+\]\..+ ]]; then + # Replica set member specific setting + if [[ "$(mongosh --eval "cfg=${currentRsConf}; cfg.${key}" 2>/dev/null)" != "${value}" ]]; then + desiredEqualsActual=false + logger "rs conf: ${key} needs to be updated to desired value: ${value}" + settingsToConfigure="${settingsToConfigure}cfg.${key} = ${value}; " + else + logger "rs conf: ${key} is already at desired value: ${value}" + fi + else + # General rs setting + if [[ "$(mongosh --eval "cfg=${currentRsConf}; cfg.settings.${key}" 2>/dev/null)" != "${value}" ]]; then + desiredEqualsActual=false + logger "rs conf: ${key} needs to be updated to desired value: ${value}" + settingsToConfigure="${settingsToConfigure}cfg.settings.${key} = ${value}; " + else + logger "rs conf: ${key} is already at desired value: ${value}" + fi + fi + done + + if [[ "${desiredEqualsActual}" != "false" ]]; then + logger "replicaSetConfigurationSettings match the settings of the currently running rs" + desiredEqualsActual=true + rs_conf_configured_ok=true + logger "Current settings match desired settings (There have been ${rsConfWriteAttempts} attempts to write to mongoDB rs configuration)" + exit + fi + + # apply the settings only if this member is currently the mongo replicaset PRIMARY + # it might take a little time before any pod is PRIMARY + isMaster=unknown + if ! 
mongosh ${usernameAndPassword} --eval 'rs.isMaster()' | grep -q "ismaster: true"; then + isMaster=false + logger "This node is not yet PRIMARY - replicaSetConfigurationSettings will only be set on the member that is currently PRIMARY" + else + isMaster=true + logger "This node is PRIMARY" + fi + + if [[ "${isMaster}" == "true" ]]; then + logger "This node is currently PRIMARY - will apply rs.conf settings" + + # avoiding tricky string substitution with single quotes by making the eval string a set of vars + rsconf="cfg = rs.conf();" + rsreconf="rs.reconfig(cfg);" + rsCommand="${rsconf} ${settingsToConfigure} ${rsreconf}" + + mongosh ${usernameAndPassword} --eval "${rsCommand}" + if [ $? -ne 0 ]; then + logger "Failed to apply mongodb cfg.settings configuration" + else + logger "mongodb replicaset cfg.settings configuration applied" + logger "Will check rs conf" + # don't exit just yet - the settings will be checked in the next loop + fi + rsConfWriteAttempts=$((${rsConfWriteAttempts} + 1 )) + fi + done + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml new file mode 100644 index 0000000000..592b38e9ca --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/statefulset.yaml 
@@ -0,0 +1,615 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if eq .Values.architecture "replicaset" }} +{{- $replicaCount := int .Values.replicaCount }} +{{- $loadBalancerIPListLength := len .Values.externalAccess.service.loadBalancerIPs }} +{{- $publicNamesLength := len .Values.externalAccess.service.publicNames }} +{{- if not (and .Values.externalAccess.enabled (not .Values.externalAccess.autoDiscovery.enabled) (eq .Values.externalAccess.service.type "LoadBalancer") (not (eq $replicaCount $loadBalancerIPListLength)) (not (eq $replicaCount $publicNamesLength))) }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + serviceName: {{ include "mongodb.service.nameOverride" . }} + podManagementPolicy: {{ .Values.podManagementPolicy }} + replicas: {{ .Values.replicaCount }} + {{- if .Values.updateStrategy }} + updateStrategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . 
) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: mongodb + {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations .Values.passwordUpdateJob.enabled }} + annotations: + {{- if (include "mongodb.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.passwordUpdateJob.enabled }} + charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . 
}} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{ if 
.Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + {{- include "mongodb.initContainer.volumePermissions" . | nindent 8 }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + {{- include "mongodb.initContainers.autoDiscovery" . | nindent 8 }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.service.publicNames }} + {{- include "mongodb.initContainers.dnsCheck" . | nindent 8 }} + {{- end }} + {{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + {{- range $index, $_ := .Values.tls.replicaset.existingSecrets }} + - name: mongodb-certs-{{ $index }} + mountPath: /certs-{{ $index }} + {{- end }} + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . 
}} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if or .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames }} + - -n {{ join "," ( concat .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames ) }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.tls.securityContext }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }} + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- else }} + command: + - /scripts/setup.sh + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" 
(dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: SHARED_FILE + value: "/shared/info.txt" + {{- end }} + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: MONGODB_INITIAL_PRIMARY_HOST + value: {{ include "mongodb.initialPrimaryHost" . | quote }} + - name: MONGODB_REPLICA_SET_NAME + value: {{ .Values.replicaSetName | quote }} + {{- if and .Values.replicaSetHostnames (not .Values.externalAccess.enabled) }} + - name: MONGODB_ADVERTISED_HOSTNAME + value: "$(MY_POD_NAME).{{ include "mongodb.service.nameOverride" . }}.$(MY_POD_NAMESPACE).svc.{{ .Values.clusterDomain }}" + {{- end }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_EXTRA_PASSWORDS_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-passwords" + {{- else }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-passwords + {{- end }} + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + - name: MONGODB_REPLICA_SET_KEY_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-replica-set-key" + {{- else }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + - name: MONGODB_REPLICA_SET_KEY + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-replica-set-key + {{- end }} + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-metrics-password + {{- end }} + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s --tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.extraEnvVarsSecret . 
| quote }} + {{- end }} + {{- end }} + ports: + - name: mongodb + containerPort: {{ .Values.containerPorts.mongodb }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/readiness-probe.sh + {{- end }} + {{- if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: 
empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /.mongodb + subPath: mongosh-home + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} + - name: {{ .Values.persistence.name | default "datadir" }} + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + - name: scripts + mountPath: /scripts/setup.sh + subPath: setup.sh + {{ if .Values.replicaSetConfigurationSettings.enabled }} + - name: scripts + mountPath: /scripts/replicaSetConfigurationSettings.sh + subPath: replicaSetConfigurationSettings.sh + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: shared + mountPath: /shared + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + {{- if .Values.metrics.username }} + export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)" + {{- else }} + export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)" + {{- end }} + {{- end }} + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . }}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + {{- else }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-root-password + {{- end }} + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPort }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + 
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.replicaSet.emptyDir.sizeLimit }} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0o550 + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + secret: + secretName: {{ include "mongodb.secretName" . }} + {{- end }} + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . }} + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.configmapName" . }} + {{- end }} + {{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (eq .Values.externalAccess.service.type "LoadBalancer") }} + - name: shared + emptyDir: + sizeLimit: 64Mi + {{- end }} + - name: scripts + configMap: + name: {{ printf "%s-scripts" (include "mongodb.fullname" .) 
}} + defaultMode: 0o755 + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: + sizeLimit: 64Mi + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0o600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0o600 + {{- else }} + {{- range $index, $secret := .Values.tls.replicaset.existingSecrets }} + - name: mongodb-certs-{{ $index }} + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" $secret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: datadir + {{- if .Values.persistence.medium }} + emptyDir: + medium: {{ .Values.persistence.medium | quote }} + sizeLimit: 64Mi + {{- else }} + emptyDir: + sizeLimit: 64Mi + {{- end }} + {{- else }} + {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: datadir + {{- if .Values.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . 
| quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.volumeClaimTemplates.requests }} + {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.requests "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.persistence.volumeClaimTemplates.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.dataSource "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/replicaset/svc.yaml b/kubernetes/common/mongodb/templates/replicaset/svc.yaml new file mode 100644 index 0000000000..7ada01941a --- /dev/null +++ b/kubernetes/common/mongodb/templates/replicaset/svc.yaml 
@@ -0,0 +1,42 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (eq .Values.architecture "replicaset") .Values.externalAccess.enabled (eq .Values.externalAccess.service.type "ClusterIP") }} + +{{- $fullName := include "mongodb.fullname" . }} +{{- $replicaCount := .Values.replicaCount | int }} +{{- $root := . }} + +{{- range $i, $e := until $replicaCount }} +{{- $targetPod := printf "%s-%d" (printf "%s" $fullName) $i }} +{{- $_ := set $ "targetPod" $targetPod }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-%d" $fullName $i }} + namespace: {{ include "mongodb.namespace" $ }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $root.Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or $root.Values.service.annotations $root.Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.service.annotations $root.Values.commonAnnotations ) "context" $ ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + publishNotReadyAddresses: {{ $root.Values.service.publishNotReadyAddresses }} + ports: + - name: {{ $root.Values.service.portName | quote }} + port: {{ $root.Values.service.ports.mongodb }} + targetPort: mongodb + {{- if $root.Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" $root.Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list $root.Values.podLabels $root.Values.commonLabels ) "context" $ ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + statefulset.kubernetes.io/pod-name: {{ $targetPod }} +--- +{{- end }} +{{- end }} 
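Review bot: in replicaSetConfigurationSettings.sh, both `mongosh ${usernameAndPassword} --eval ...` calls expand the variable unquoted, so they depend on word splitting. If the variable carries the password, as its name suggests, that password also lands on the mongosh command line and is visible in the container's process list. Split it into separately quoted username and password values and keep the password off argv if possible. The primary check greps mongosh's formatted output for `ismaster: true`, which breaks as soon as the output format changes, and the `isMaster` command is deprecated in favour of `hello`; `mongosh --quiet --eval 'db.hello().isWritablePrimary'` gives a plain boolean to test. Minor: `if [ $? -ne 0 ]` can be replaced by testing the mongosh call directly.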
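Review bot: in replicaset/statefulset.yaml the data volume is mounted as `name: {{ .Values.persistence.name | default "datadir" }}`, but the non-persistent `volumes` entry and the `volumeClaimTemplates` metadata both hard-code `name: datadir`, so any other `persistence.name` renders a mount that references a volume that does not exist. Use the same expression in all three places or drop the override. Also, with `persistence.enabled: false` the data directory becomes an emptyDir capped at `sizeLimit: 64Mi`, and the kubelet evicts a pod that exceeds an emptyDir limit; that cap should come from values. The scratch volume already reads `.Values.replicaSet.emptyDir.sizeLimit`, which needs a default in values.yaml or the template fails to render when `replicaSet` is unset.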
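Review bot: in replicaset/svc.yaml, `{{- $_ := set $ "targetPod" $targetPod }}` writes into the root context on every loop iteration, yet nothing visible in this template reads `.targetPod` back (the selector uses `$targetPod` directly). If the key exists so that annotations rendered with `"context" $` can reference it, add a comment saying so; otherwise remove it. Smaller points: `printf "%s-%d" (printf "%s" $fullName) $i` has a redundant inner printf, and `namespace: {{ include "mongodb.namespace" $ }}` is unquoted while the StatefulSet and Role templates pipe it through `quote`.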
diff --git a/kubernetes/common/mongodb/templates/role.yaml b/kubernetes/common/mongodb/templates/role.yaml new file mode 100644 index 0000000000..651b963e20 --- /dev/null +++ b/kubernetes/common/mongodb/templates/role.yaml @@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +{{- if .Values.rbac.rules }} +{{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} +{{- end -}} +{{- if and (include "common.capabilities.psp.supported" .) .Values.podSecurityPolicy.create }} + - apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ include "mongodb.fullname" . }}] +{{- end -}} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/rolebinding.yaml b/kubernetes/common/mongodb/templates/rolebinding.yaml new file mode 100644 index 0000000000..7ff6b185d1 --- /dev/null +++ b/kubernetes/common/mongodb/templates/rolebinding.yaml 
@@ -0,0 +1,21 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.serviceAccount.create .Values.rbac.create }} +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} +roleRef: + kind: Role + name: {{ include "mongodb.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "mongodb.serviceAccountName" . }} + namespace: {{ include "mongodb.namespace" . | quote }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/secrets-ca.yaml b/kubernetes/common/mongodb/templates/secrets-ca.yaml new file mode 100644 index 0000000000..932b0e6c80 --- /dev/null +++ b/kubernetes/common/mongodb/templates/secrets-ca.yaml 
@@ -0,0 +1,33 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if (include "mongodb.createTlsSecret" .) }} +{{- $secretName := printf "%s" (include "mongodb.tlsSecretName" .) }} +{{- $fullname := include "mongodb.fullname" . }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $cn := printf "%s.%s.svc.%s" $fullname .Release.Namespace $clusterDomain }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ template "mongodb.namespace" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if or .Values.tls.caCert .Values.tls.caKey (not .Values.tls.autoGenerated) }} + {{- $ca := buildCustomCert (required "A valid .Values.tls.caCert is required!" .Values.tls.caCert) (required "A valid .Values.tls.caKey is required!" .Values.tls.caKey) }} + mongodb-ca-cert: {{ b64enc $ca.Cert }} + mongodb-ca-key: {{ b64enc $ca.Key }} + {{- else }} + {{- $ca := genCA "myMongo-ca" 3650 }} + mongodb-ca-cert: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "mongodb-ca-cert" "defaultValue" $ca.Cert "context" $) }} + mongodb-ca-key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "mongodb-ca-key" "defaultValue" $ca.Key "context" $) }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/secrets.yaml b/kubernetes/common/mongodb/templates/secrets.yaml new file mode 100644 index 0000000000..c7526efa99 --- /dev/null +++ b/kubernetes/common/mongodb/templates/secrets.yaml 
@@ -0,0 +1,128 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.auth.enabled }} +{{- $replicaCount := int .Values.replicaCount }} +{{- $port := .Values.service.ports.mongodb }} +{{- $host := include "mongodb.service.nameOverride" . }} +{{- $hostForURI := printf "%s:%s" (include "mongodb.service.nameOverride" .) (print $port) }} +{{- if (eq .Values.architecture "replicaset") }} + {{- $fullname := include "mongodb.fullname" . }} + {{- $releaseNamespace := include "mongodb.namespace" . }} + {{- $clusterDomain := .Values.clusterDomain }} + {{- $mongoList := list }} + {{- $mongoOnlyHostList := list }} + {{- range $e, $i := until $replicaCount }} + {{- $mongoOnlyHostList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s" $fullname $i $fullname $releaseNamespace $clusterDomain) }} + {{- $mongoList = append $mongoList (printf "%s-%d.%s-headless.%s.svc.%s:%s" $fullname $i $fullname $releaseNamespace $clusterDomain (print $port)) }} + {{- end }} + {{- $host = (join "," $mongoOnlyHostList) }} + {{- $hostForURI = (join "," $mongoList) }} +{{- end }} + +{{/* Root user section. */}} +{{- $rootPassword := include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.secretName" .) "key" "mongodb-root-password" "providedValues" (list "auth.rootPassword" ) "honorProvidedValues" true "context" $) | trimAll "\"" | b64dec }} + +{{/* Custom user section. This chart allows creating multiple users */}} +{{- $customUsers := include "mongodb.customUsers" . }} +{{- $customDatabases := include "mongodb.customDatabases" . }} +{{- $customPasswords := include "mongodb.customPasswords" . 
}} +{{- $passwords := "" }} +{{- $passwordList := list -}} +{{- $customUsersList := list }} +{{- $customDatabasesList := list }} +{{- $customPasswordsList := list }} +{{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} +{{- $customUsersList = splitList "," $customUsers }} +{{- $customDatabasesList = splitList "," $customDatabases }} +{{- if not (empty $customPasswords) }} +{{- $passwordList = $customPasswords }} +{{- $customPasswordsList = splitList "," $customPasswords }} +{{- else }} +{{- range $customUsersList }} +{{- $customPasswordsList = append $customPasswordsList (randAlphaNum 10) }} +{{- end -}} +{{- $passwordList = (join "," $customPasswordsList) }} +{{- end }} +{{- $passwords = include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.secretName" .) "key" "mongodb-passwords" "providedValues" (list "mongodbPasswords") "honorProvidedValues" true "context" (set (deepCopy $) "Values" (dict "mongodbPasswords" $passwordList))) | trimAll "\"" | b64dec }} +{{- end }} + +{{- if (include "mongodb.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ template "mongodb.namespace" . }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + mongodb-root-password: {{ print $rootPassword | b64enc | quote }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + mongodb-passwords: {{ print $passwords | b64enc | quote }} + {{- end }} + {{- if .Values.metrics.username }} + mongodb-metrics-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.fullname" .) 
"key" "mongodb-metrics-password" "providedValues" (list "metrics.password" ) "honorProvidedValues" true "context" $) }} + {{- end }} + {{- if eq .Values.architecture "replicaset" }} + mongodb-replica-set-key: {{ include "common.secrets.passwords.manage" (dict "secret" (include "mongodb.fullname" .) "key" "mongodb-replica-set-key" "providedValues" (list "auth.replicaSetKey" ) "honorProvidedValues" true "context" $) }} + {{- end }} +{{- end }} +{{- if .Values.serviceBindings.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-svcbind-root + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: servicebinding.io/mongodb +data: + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "mongodb" | b64enc | quote }} + host: {{ print $host | b64enc | quote }} + port: {{ print $port | b64enc | quote }} + username: {{ print .Values.auth.rootUser | b64enc | quote }} + password: {{ print $rootPassword | b64enc | quote }} + database: {{ print "admin" | b64enc | quote }} + uri: {{ printf "mongodb://%s:%s@%s/admin" .Values.auth.rootUser $rootPassword $hostForURI | b64enc | quote }} +{{- range $e, $i := until (len $customUsersList) }} +--- +{{- $currentSecret := printf "%s-svcbind-%d" (include "common.names.fullname" $) $i }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $currentSecret }} + namespace: {{ $.Release.Namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} 
+type: servicebinding.io/mongodb +data: + {{- $currentUser := index $customUsersList $i }} + {{- $currentDatabase := last $customDatabasesList }} + {{- if gt (len $customDatabasesList) $i }} + {{- $currentDatabase = index $customDatabasesList $i }} + {{- end }} + {{- $currentProvidedPassword := index $customPasswordsList $i }} + {{- $currentPassword := include "common.secrets.lookup" (dict "secret" $currentSecret "key" "password" "defaultValue" $currentProvidedPassword "context" $) | b64dec }} + provider: {{ print "bitnami" | b64enc | quote }} + type: {{ print "mongodb" | b64enc | quote }} + host: {{ print $host | b64enc | quote }} + port: {{ print $port | b64enc | quote }} + username: {{ print $currentUser | b64enc | quote }} + password: {{ print $currentPassword | b64enc | quote }} + database: {{ print $currentDatabase | b64enc | quote }} + uri: {{ printf "mongodb://%s:%s@%s/%s" $currentUser $currentPassword $hostForURI $currentDatabase | b64enc | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/serviceaccount.yaml b/kubernetes/common/mongodb/templates/serviceaccount.yaml new file mode 100644 index 0000000000..b54e8a0d2d --- /dev/null +++ b/kubernetes/common/mongodb/templates/serviceaccount.yaml 
@@ -0,0 +1,20 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "mongodb.serviceAccountName" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +secrets: + - name: {{ include "mongodb.secretName" . }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/servicemonitor.yaml b/kubernetes/common/mongodb/templates/servicemonitor.yaml new file mode 100644 index 0000000000..7849d461d8 --- /dev/null +++ b/kubernetes/common/mongodb/templates/servicemonitor.yaml 
@@ -0,0 +1,48 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.serviceMonitor.namespace" . }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + app.kubernetes.io/component: metrics + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" 
.Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - "{{ include "mongodb.namespace" . }}" +{{- end }} diff --git a/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml new file mode 100644 index 0000000000..3f02aebee0 --- /dev/null +++ b/kubernetes/common/mongodb/templates/standalone/dep-sts.yaml 
@@ -0,0 +1,550 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if not (eq .Values.architecture "replicaset") }} +apiVersion: {{ if .Values.useStatefulSet }}{{ include "common.capabilities.statefulset.apiVersion" . }}{{- else }}{{ include "common.capabilities.deployment.apiVersion" . }}{{- end }} +kind: {{ if .Values.useStatefulSet }}StatefulSet{{- else }}Deployment{{- end }} +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + replicas: {{ gt (.Values.replicaCount | int) 1 | ternary 1 .Values.replicaCount }} + {{- if .Values.useStatefulSet }} + serviceName: {{ include "mongodb.service.nameOverride" . }} + {{- end }} + {{- if .Values.updateStrategy}} + {{- if .Values.useStatefulSet }} + updateStrategy: + {{- else }} + strategy: + {{- end }} + {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end}} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . 
) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/component: mongodb + {{- if or (include "mongodb.createConfigmap" .) .Values.podAnnotations .Values.passwordUpdateJob.enabled }} + annotations: + {{- if (include "mongodb.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.passwordUpdateJob.enabled }} + charts.bitnami.com/password-last-update: {{ now | date "20060102150405" | quote }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + serviceAccountName: {{ template "mongodb.serviceAccountName" . 
}} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "component" "mongodb" "customLabels" $podLabels "topologyKey" .Values.topologyKey "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.runtimeClassName }} + runtimeClassName: {{ .Values.runtimeClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{ if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + initContainers: + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + {{- include 
"mongodb.initContainer.volumePermissions" . | indent 8 }} + {{- end }} + {{- include "mongodb.initContainer.prepareLogDir" . | nindent 8 }} + {{- if .Values.tls.enabled }} + - name: generate-tls-certs + image: {{ include "mongodb.tls.image" . }} + imagePullPolicy: {{ .Values.tls.image.pullPolicy | quote }} + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: MY_POD_HOST_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + mountPath: /certs/CAs + {{- else }} + - name: mongodb-certs-0 + mountPath: /certs-0 + {{- end }} + - name: certs + mountPath: /certs + - name: common-scripts + mountPath: /bitnami/scripts + command: + - /bitnami/scripts/generate-certs.sh + args: + - -s {{ include "mongodb.service.nameOverride" . }} + {{- if .Values.externalAccess.service.loadBalancerIPs }} + - -i {{ join "," .Values.externalAccess.service.loadBalancerIPs }} + {{- end }} + {{- if or .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames }} + - -n {{ join "," ( concat .Values.tls.extraDnsNames .Values.externalAccess.service.publicNames ) }} + {{- end }} + {{- if .Values.tls.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }} + {{- else if ne .Values.tls.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.tls.resourcesPreset) | nindent 12 }} + {{- end }} + {{- if .Values.tls.securityContext }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.tls.securityContext "context" $) | nindent 12 }} + {{- end }} + {{- end }} + containers: + - name: mongodb + image: {{ include "mongodb.image" . 
}} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + {{- $customUsers := include "mongodb.customUsers" . -}} + {{- $customDatabases := include "mongodb.customDatabases" . -}} + {{- if not (empty $customUsers) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + {{- end }} + {{- if not (empty $customDatabases) }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- end }} + {{- if .Values.auth.enabled }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_EXTRA_PASSWORDS_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-passwords" + {{- else }} + - name: MONGODB_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . 
}} + key: mongodb-passwords + {{- end }} + {{- end }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + {{- else }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- end }} + {{- end }} + {{- if and .Values.metrics.enabled (not (empty .Values.metrics.username)) }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.auth.enabled }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + {{- end }} + - name: ALLOW_EMPTY_PASSWORD + value: {{ ternary "no" "yes" .Values.auth.enabled | quote }} + - name: MONGODB_SYSTEM_LOG_VERBOSITY + value: {{ .Values.systemLogVerbosity | quote }} + - name: MONGODB_DISABLE_SYSTEM_LOG + value: {{ ternary "yes" "no" .Values.disableSystemLog | quote }} + - name: MONGODB_DISABLE_JAVASCRIPT + value: {{ ternary "yes" "no" .Values.disableJavascript | quote }} + - name: MONGODB_ENABLE_JOURNAL + value: {{ ternary "yes" "no" .Values.enableJournal | quote }} + - name: MONGODB_PORT_NUMBER + value: {{ .Values.containerPorts.mongodb | quote }} + - name: MONGODB_ENABLE_IPV6 + value: {{ ternary "yes" "no" .Values.enableIPv6 | quote }} + - name: MONGODB_ENABLE_DIRECTORY_PER_DB + value: {{ ternary "yes" "no" .Values.directoryPerDB | quote }} + {{- $extraFlags := .Values.extraFlags | join " " -}} + {{- if .Values.tls.enabled }} + {{- if .Values.tls.mTLS.enabled }} + {{- $extraFlags = printf "--tlsCAFile=/certs/mongodb-ca-cert %s" $extraFlags }} + {{- end }} + {{- $extraFlags = printf "--tlsMode=%s 
--tlsCertificateKeyFile=/certs/mongodb.pem %s" .Values.tls.mode $extraFlags }} + {{- end }} + {{- if ne $extraFlags "" }} + - name: MONGODB_EXTRA_FLAGS + value: {{ $extraFlags | quote }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: MONGODB_CLIENT_EXTRA_FLAGS + value: --tls {{ if .Values.tls.mTLS.enabled }}--tlsCertificateKeyFile=/certs/mongodb.pem {{ end }}--tlsCAFile=/certs/mongodb-ca-cert + {{- end }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.extraEnvVarsCM .Values.extraEnvVarsSecret }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ tpl .Values.extraEnvVarsCM . | quote }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ tpl .Values.extraEnvVarsSecret . | quote }} + {{- end }} + {{- end }} + ports: + - name: mongodb + containerPort: {{ .Values.containerPorts.mongodb }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/ping-mongodb.sh + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/readiness-probe.sh + {{- end }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if 
.Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bitnami/scripts/startup-probe.sh + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.resources "context" $) | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/tmp + subPath: app-tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/mongodb/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /.mongodb + subPath: mongosh-home + - name: {{ .Values.persistence.name | default "datadir" }} + mountPath: {{ .Values.persistence.mountPath }} + subPath: {{ .Values.persistence.subPath }} + - name: common-scripts + mountPath: /bitnami/scripts + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + mountPath: /opt/bitnami/mongodb/conf/mongodb.conf + subPath: mongodb.conf + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" 
$) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ template "mongodb.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.metrics.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + {{- if .Values.metrics.username }} + export MONGODB_METRICS_PASSWORD="$(< $MONGODB_METRICS_PASSWORD_FILE)" + {{- else }} + export MONGODB_ROOT_PASSWORD="$(< $MONGODB_ROOT_PASSWORD_FILE)" + {{- end }} + {{- end }} + /bin/mongodb_exporter {{ include "mongodb.exporterArgs" $ }} --mongodb.direct-connect --mongodb.global-conn-pool --web.listen-address ":{{ .Values.metrics.containerPort }}" --mongodb.uri "{{ include "mongodb.mongodb_exporter.uri" . 
}}" {{ .Values.metrics.extraFlags }} + {{- end }} + env: + {{- if .Values.auth.enabled }} + {{- if not .Values.metrics.username }} + - name: MONGODB_ROOT_USER + value: {{ .Values.auth.rootUser | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_ROOT_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-root-password" + {{- else }} + - name: MONGODB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-root-password + {{- end }} + {{- else }} + - name: MONGODB_METRICS_USERNAME + value: {{ .Values.metrics.username | quote }} + {{- if .Values.usePasswordFiles }} + - name: MONGODB_METRICS_PASSWORD_FILE + value: "/opt/bitnami/mongodb/secrets/mongodb-metrics-password" + {{- else }} + - name: MONGODB_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "mongodb.secretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + mountPath: /opt/bitnami/mongodb/secrets + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + mountPath: /certs + {{- end }} + {{- if .Values.metrics.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPort }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- if 
.Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: metrics + {{- end }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: metrics + {{- end }} + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.resources "context" $) | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.standalone.emptyDir.sizeLimit }} + - name: common-scripts + configMap: + name: {{ printf "%s-common-scripts" (include "mongodb.fullname" .) }} + defaultMode: 0o550 + {{- if and .Values.usePasswordFiles .Values.auth.enabled }} + - name: mongodb-secrets + secret: + secretName: {{ include "mongodb.secretName" . }} + {{- end }} + {{- if or .Values.initdbScriptsConfigMap .Values.initdbScripts }} + - name: custom-init-scripts + configMap: + name: {{ template "mongodb.initdbScriptsCM" . 
}} + {{- end }} + {{- if or .Values.configuration .Values.existingConfigmap }} + - name: config + configMap: + name: {{ include "mongodb.configmapName" . }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: certs + emptyDir: + sizeLimit: 64Mi + {{- if (include "mongodb.autoGenerateCerts" .) }} + - name: certs-volume + secret: + secretName: {{ template "mongodb.tlsSecretName" . }} + items: + - key: mongodb-ca-cert + path: mongodb-ca-cert + mode: 0o600 + - key: mongodb-ca-key + path: mongodb-ca-key + mode: 0o600 + {{- else }} + - name: mongodb-certs-0 + secret: + secretName: {{ include "common.tplvalues.render" ( dict "value" .Values.tls.standalone.existingSecret "context" $) }} + defaultMode: 256 + {{- end }} + {{- end }} + {{- if not .Values.persistence.enabled }} + - name: {{ .Values.persistence.name | default "datadir" }} + {{- if .Values.persistence.medium }} + emptyDir: + medium: {{ .Values.persistence.medium | quote }} + sizeLimit: 64Mi + {{- else }} + emptyDir: + sizeLimit: 64Mi + {{- end }} + {{- else if .Values.persistence.existingClaim }} + - name: {{ .Values.persistence.name | default "datadir" }} + persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.persistence.existingClaim .) }} + {{- else if not .Values.useStatefulSet }} + - name: {{ .Values.persistence.name | default "datadir" }} + persistentVolumeClaim: + claimName: {{ template "mongodb.fullname" . 
}} + {{- else }} + {{- if .Values.persistentVolumeClaimRetentionPolicy.enabled }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ .Values.persistentVolumeClaimRetentionPolicy.whenDeleted }} + whenScaled: {{ .Values.persistentVolumeClaimRetentionPolicy.whenScaled }} + {{- end }} + volumeClaimTemplates: + - metadata: + name: {{ .Values.persistence.name | default "datadir" }} + {{- if .Values.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.volumeClaimTemplates.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.volumeClaimTemplates.selector "context" $) | nindent 10 }} + {{- end }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/standalone/pdb.yaml b/kubernetes/common/mongodb/templates/standalone/pdb.yaml new file mode 100644 index 0000000000..d11b39a53e --- /dev/null +++ b/kubernetes/common/mongodb/templates/standalone/pdb.yaml 
@@ -0,0 +1,28 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and (not (eq .Values.architecture "replicaset")) .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable) }} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/kubernetes/common/mongodb/templates/standalone/pvc.yaml b/kubernetes/common/mongodb/templates/standalone/pvc.yaml new file mode 100644 index 0000000000..16098580e6 --- /dev/null +++ b/kubernetes/common/mongodb/templates/standalone/pvc.yaml 
@@ -0,0 +1,31 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (not (eq .Values.architecture "replicaset")) (not .Values.useStatefulSet) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ include "mongodb.fullname" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + annotations: + {{- if .Values.persistence.resourcePolicy }} + helm.sh/resource-policy: {{ .Values.persistence.resourcePolicy | quote }} + {{- end }} + {{- if or .Values.persistence.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{ include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/standalone/svc.yaml b/kubernetes/common/mongodb/templates/standalone/svc.yaml new file mode 100644 index 0000000000..772c8cfccc --- /dev/null +++ b/kubernetes/common/mongodb/templates/standalone/svc.yaml 
@@ -0,0 +1,63 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if not (eq .Values.architecture "replicaset") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "mongodb.service.nameOverride" . }} + namespace: {{ include "mongodb.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb + {{- if or .Values.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} + {{- if .Values.service.externalIPs }} + externalIPs: {{ toYaml .Values.service.externalIPs | nindent 4 }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if (eq .Values.service.type "LoadBalancer") }} + allocateLoadBalancerNodePorts: {{ .Values.service.allocateLoadBalancerNodePorts }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" 
.Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + publishNotReadyAddresses: {{ .Values.service.publishNotReadyAddresses }} + ports: + - name: {{ .Values.service.portName | quote }} + port: {{ .Values.service.ports.mongodb }} + targetPort: mongodb + {{- if and (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) .Values.service.nodePorts.mongodb }} + nodePort: {{ .Values.service.nodePorts.mongodb }} + {{- else if eq .Values.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: mongodb +{{- end }} diff --git a/kubernetes/common/mongodb/templates/update-password/job.yaml b/kubernetes/common/mongodb/templates/update-password/job.yaml new file mode 100644 index 0000000000..587f816ce4 --- /dev/null +++ b/kubernetes/common/mongodb/templates/update-password/job.yaml 
@@ -0,0 +1,245 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.passwordUpdateJob.enabled }} +{{- $customUsers := include "mongodb.customUsers" . }} +{{- $customDatabases := include "mongodb.customDatabases" . }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ printf "%s-password-update" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mongodb + app.kubernetes.io/component: update-job + {{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations .Values.passwordUpdateJob.annotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} +spec: + backoffLimit: {{ .Values.passwordUpdateJob.backoffLimit }} + template: + metadata: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.passwordUpdateJob.podLabels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + app.kubernetes.io/part-of: mongodb + app.kubernetes.io/component: update-job + {{- if .Values.passwordUpdateJob.podAnnotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.podAnnotations "context" $) | nindent 8 }} + {{- end }} + spec: + {{- include "mongodb.imagePullSecrets" . 
| nindent 6 }} + restartPolicy: OnFailure + {{- if .Values.passwordUpdateJob.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.passwordUpdateJob.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + automountServiceAccountToken: {{ .Values.passwordUpdateJob.automountServiceAccountToken }} + {{- if .Values.passwordUpdateJob.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.hostAliases "context" $) | nindent 8 }} + {{- end }} + initContainers: + {{- if .Values.passwordUpdateJob.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: update-credentials + image: {{ template "mongodb.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.passwordUpdateJob.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + {{- end }} + {{- if .Values.passwordUpdateJob.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.args "context" $) | nindent 12 }} + {{- else }} + args: + - | + {{- if .Values.usePasswordFiles }} + # We need to load all the secret env vars to the system + for file in $(find /bitnami/mongodb/secrets -type f); do + env_var_name="$(basename $file)" + echo "Exporting $env_var_name" + export $env_var_name="$(< $file)" + done + {{- end }} + + . /opt/bitnami/scripts/mongodb-env.sh + . /opt/bitnami/scripts/libmongodb.sh + . 
/opt/bitnami/scripts/liblog.sh + + protocol=mongodb + {{- if eq .Values.architecture "replicaset" }} + replicaset={{- range $i, $_ := until (int .Values.replicaCount) }}{{- if ne $i 0 }},{{- end }}{{ include "common.names.fullname" $ }}-{{ $i }}.{{ include "mongodb.service.nameOverride" $ }}:{{ $.Values.containerPorts.mongodb }}{{- end }} + {{- else }} + replicaset={{ include "common.names.fullname" . }}:{{ .Values.service.ports.mongodb }} + {{- end }} + + info "Starting password update job" + if [[ -f /job-status/root-password-changed ]]; then + info "Root password already updated. Skipping" + else + info "Updating root password" + mongosh "${protocol}://$MONGODB_ROOT_USER:$MONGODB_PREVIOUS_ROOT_PASSWORD@$replicaset/admin" --eval "db.changeUserPassword('$MONGODB_ROOT_USER', '$MONGODB_NEW_ROOT_PASSWORD')" + touch /job-status/root-password-changed + info "Root password successfully updated" + fi + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + + databases_extra=() + usernames_extra=() + IFS="$(mongodb_field_separator "$MONGODB_EXTRA_DATABASES")" read -r -a databases_extra <<<"$MONGODB_EXTRA_DATABASES" + IFS="$(mongodb_field_separator "$MONGODB_EXTRA_USERNAMES")" read -r -a usernames_extra <<<"$MONGODB_EXTRA_USERNAMES" + new_passwords_extra=() + IFS="$(mongodb_field_separator "$MONGODB_NEW_EXTRA_PASSWORDS")" read -r -a new_passwords_extra <<<"$MONGODB_NEW_EXTRA_PASSWORDS" + + for ((i = 0; i < ${#usernames_extra[@]}; i++)); do + if [[ -f /job-status/password-${usernames_extra[i]}-changed ]]; then + info "User ${usernames_extra[i]} password already updated. 
Skipping" + else + info "Updating user ${usernames_extra[i]} password" + mongosh "${protocol}://$MONGODB_ROOT_USER:$MONGODB_NEW_ROOT_PASSWORD@$replicaset/${databases_extra[i]}?authSource=admin" --eval "db.changeUserPassword('${usernames_extra[i]}', '${new_passwords_extra[i]}');" + touch /job-status/password-${usernames_extra[i]}-changed + info "User ${usernames_extra[i]} password successfully updated" + fi + done + + {{- end }} + + {{- if .Values.metrics.username }} + if [[ -f /job-status/metrics-password-changed ]]; then + info "Metrics password already updated. Skipping" + else + info "Updating metrics password" + mongosh "${protocol}://$MONGODB_ROOT_USER:$MONGODB_NEW_ROOT_PASSWORD@$replicaset/admin" --eval "db.changeUserPassword('$MONGODB_METRICS_USER', '$MONGODB_NEW_METRICS_PASSWORD')" + touch /job-status/root-password-changed + info "Metrics password successfully updated" + fi + {{- end }} + + {{- if .Values.passwordUpdateJob.extraCommands }} + info "Running extra commmands" + {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraCommands "context" $) | nindent 14 }} + {{- end }} + info "Password update job finished successfully" + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + {{- if not .Values.usePasswordFiles }} + - name: MONGODB_PREVIOUS_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mongodb.update-job.previousSecretName" . }} + key: mongodb-root-password + - name: MONGODB_NEW_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mongodb.update-job.newSecretName" . 
}} + key: mongodb-root-password + {{- end }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - name: MONGODB_EXTRA_USERNAMES + value: {{ $customUsers | quote }} + - name: MONGODB_EXTRA_DATABASES + value: {{ $customDatabases | quote }} + {{- if not .Values.usePasswordFiles }} + - name: MONGODB_NEW_EXTRA_PASSWORDS + valueFrom: + secretKeyRef: + name: {{ template "mongodb.update-job.newSecretName" . }} + key: mongodb-passwords + {{- end }} + {{- end }} + {{- if .Values.metrics.username }} + - name: MONGODB_METRICS_USER + value: {{ .Values.metrics.username | quote }} + {{- if not .Values.usePasswordFiles }} + - name: MONGODB_PREVIOUS_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mongodb.update-job.previousSecretName" . }} + key: mongodb-metrics-password + - name: MONGODB_NEW_METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "mongodb.update-job.newSecretName" . }} + key: mongodb-metrics-password + {{- end }} + {{- end }} + {{- if .Values.passwordUpdateJob.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.passwordUpdateJob.extraEnvVarsCM .Values.passwordUpdateJob.extraEnvVarsSecret }} + envFrom: + {{- if .Values.passwordUpdateJob.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.passwordUpdateJob.extraEnvVarsCM }} + {{- end }} + {{- if .Values.passwordUpdateJob.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.passwordUpdateJob.extraEnvVarsSecret }} + {{- end }} + {{- end }} + {{- if .Values.passwordUpdateJob.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.passwordUpdateJob.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.passwordUpdateJob.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" 
.Values.passwordUpdateJob.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.passwordUpdateJob.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.passwordUpdateJob.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /job-status + subPath: job-dir + {{- if .Values.usePasswordFiles }} + - name: mongodb-previous-credentials + mountPath: /bitnami/mongodb/secrets/previous + - name: mongodb-new-credentials + mountPath: /bitnami/mongodb/secrets/new + {{- end }} + {{- if .Values.passwordUpdateJob.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.passwordUpdateJob.resources }} + resources: {{- toYaml .Values.passwordUpdateJob.resources | nindent 12 }} + {{- else if ne .Values.passwordUpdateJob.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.passwordUpdateJob.resourcesPreset) | nindent 12 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + {{- if and .Values.usePasswordFiles }} + - name: mongodb-previous-credentials + secret: + secretName: {{ template "mongodb.update-job.previousSecretName" . }} + items: + - key: mongodb-root-password + path: MONGODB_PREVIOUS_ROOT_PASSWORD + - name: mongodb-new-credentials + secret: + secretName: {{ template "mongodb.update-job.newSecretName" . 
}} + items: + - key: mongodb-root-password + path: MONGODB_NEW_ROOT_PASSWORD + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + - key: mongodb-passwords + path: MONGODB_NEW_EXTRA_PASSWORDS + {{- end }} + {{- if .Values.metrics.username }} + - key: mongodb-metrics-password + path: MONGODB_NEW_METRICS_PASSWORD + {{- end }} + {{- end }} + {{- if .Values.passwordUpdateJob.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.passwordUpdateJob.extraVolumes "context" $) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/mongodb/templates/update-password/new-secret.yaml b/kubernetes/common/mongodb/templates/update-password/new-secret.yaml new file mode 100644 index 0000000000..0e0386a310 --- /dev/null +++ b/kubernetes/common/mongodb/templates/update-password/new-secret.yaml 
@@ -0,0 +1,32 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.passwordUpdateJob.enabled (include "mongodb.createSecret" .) (not ( include "mongodb.createPreviousSecret" . )) (not .Values.passwordUpdateJob.previousPasswords.existingSecret) }} +{{- $rootPassword := .Values.auth.rootPassword }} +{{- $metricsPassword := .Values.metrics.password }} +{{- $customUsers := include "mongodb.customUsers" . }} +{{- $customPasswords := join "," (include "mongodb.customPasswords" .) }} +{{- $customDatabases := include "mongodb.customDatabases" . }} +{{- $replicationPassword := .Values.auth.replicationPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-new-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mongodb + {{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} +type: Opaque +data: + mongodb-root-password: {{ required "The new root password is required!" $rootPassword | b64enc | quote }} + {{- if and (not (empty $customUsers)) (not (empty $customDatabases)) }} + mongodb-passwords: {{ required "The new custom passwords are required!" $customPasswords | b64enc | quote }} + {{- end }} + {{- if .Values.metrics.username }} + mongodb-metrics-password: {{ required "The new metrics password is required!" $metricsPassword | b64enc | quote }} + {{- end }} +{{- end }} 
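Review bot: The render guard at the top of new-secret.yaml tests the helper as `(not ( include "mongodb.createPreviousSecret" . ))`, while previous-secret.yaml tests the same helper with `eq ( include "mongodb.createPreviousSecret" . ) "true"`. `include` returns a string and any non-empty string is truthy in a template, so if the helper can render anything other than an empty string in the negative case (for example "false"), this guard never passes and the new Secret is silently not created. Compare against "true" here as well, e.g. `(ne (include "mongodb.createPreviousSecret" .) "true")`. Also, `$replicationPassword` is assigned but never referenced under `data:`; drop it or add the key it was meant to populate.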
diff --git a/kubernetes/common/mongodb/templates/update-password/previous-secret.yaml b/kubernetes/common/mongodb/templates/update-password/previous-secret.yaml new file mode 100644 index 0000000000..a1db9f8c42 --- /dev/null +++ b/kubernetes/common/mongodb/templates/update-password/previous-secret.yaml @@ -0,0 +1,21 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.passwordUpdateJob.enabled (eq ( include "mongodb.createPreviousSecret" . ) "true") }} +{{- $rootPassword := .Values.passwordUpdateJob.previousPasswords.rootPassword }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-previous-secret" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/part-of: mongodb + {{- $defaultAnnotations := dict "helm.sh/hook" "pre-upgrade" "helm.sh/hook-delete-policy" "hook-succeeded" }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonAnnotations $defaultAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }} +type: Opaque +data: + mongodb-root-password: {{ required "The previous root password is required!" $rootPassword | b64enc | quote }} +{{- end }} diff --git a/kubernetes/common/mongodb/values.schema.json b/kubernetes/common/mongodb/values.schema.json new file mode 100644 index 0000000000..3eb6a64ce7 --- /dev/null +++ b/kubernetes/common/mongodb/values.schema.json 
@@ -0,0 +1,232 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "architecture": { + "type": "string", + "title": "MongoDB® architecture", + "form": true, + "description": "Allowed values: `standalone` or `replicaset`" + }, + "auth": { + "type": "object", + "title": "Authentication configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Authentication", + "form": true + }, + "rootUser": { + "type": "string", + "title": "MongoDB® admin user", + "form": true, + "description": "Name of the admin user. Default is root" + }, + "rootPassword": { + "type": "string", + "title": "MongoDB® admin password", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": false, + "path": "auth/enabled" + } + }, + "database": { + "type": "string", + "title": "MongoDB® custom database", + "description": "Name of the custom database to be created during the 1st initialization of MongoDB®", + "form": true + }, + "username": { + "type": "string", + "title": "MongoDB® custom user", + "description": "Name of the custom user to be created during the 1st initialization of MongoDB®. 
This user only has permissions on the MongoDB® custom database", + "form": true + }, + "password": { + "type": "string", + "title": "Password for MongoDB® custom user", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": false, + "path": "auth/enabled" + } + }, + "replicaSetKey": { + "type": "string", + "title": "Key used for replica set authentication", + "form": true, + "description": "Defaults to a random 10-character alphanumeric string if not set", + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "replicaCount": { + "type": "integer", + "form": true, + "title": "Number of MongoDB® replicas", + "hidden": { + "value": "standalone", + "path": "architecture" + } + }, + "configuration": { + "type": "string", + "title": "MongoDB® Custom Configuration", + "form": true, + "render": "textArea" + }, + "arbiter": { + "type": "object", + "title": "Arbiter configuration", + "form": true, + "properties": { + "configuration": { + "type": "string", + "title": "Arbiter Custom Configuration", + "form": true, + "render": "textArea", + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "networkPolicy": { + "type": "object", + "title": "Network policy configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable network policy", + "description": "Enable network policy using Kubernetes native NP", + "hidden": { + "value": false, + "path": "networkPolicy/enabled" + } + }, + "ingress": { + "type": "object", + "properties": { + "namespaceSelector": { + "type": "object", + "title": "Namespace selector label that is allowed to access this instance", + "hidden": { + "value": {}, + "path": "networkPolicy/ingress/namespaceSelector" + } + }, + "podSelector": { + "type": "object", + "title": "Pod selector label that is allowed to access this instance", + "hidden": { + "value": {}, + "path": 
"networkPolicy/ingress/podSelector" + } + }, + "customRules": { + "type": "array", + "title": "Custom rules for ingress network policy", + "hidden": { + "value": [], + "path": "networkPolicy/ingress/customRules" + } + } + } + }, + "egress": { + "type": "object", + "properties": { + "customRules": { + "type": "array", + "title": "Custom rules for egress network policy", + "hidden": { + "value": [], + "path": "networkPolicy/egress/customRules" + } + } + } + } + } + }, + "persistence": { + "type": "object", + "title": "Persistence configuration", + "form": true, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable persistence", + "description": "Enable persistence using Persistent Volume Claims" + }, + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi", + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + }, + "volumePermissions": { + "type": "object", + "hidden": { + "value": false, + "path": "persistence/enabled" + }, + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Use an init container to set required folder permissions on the data volume before mounting it in the final destination" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus metrics exporter", + "description": "Create a side-car container to expose Prometheus metrics", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "value": false, + "path": "metrics/enabled" + } + } + } + } + } + } + } 
+} diff --git a/kubernetes/common/mongodb/values.yaml b/kubernetes/common/mongodb/values.yaml new file mode 100644 index 0000000000..cbea26c99d --- /dev/null +++ b/kubernetes/common/mongodb/values.yaml 
@@ -0,0 +1,2687 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s) +## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead +## @param global.namespaceOverride Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + defaultStorageClass: "" + storageClass: "" + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + allowInsecureImages: false + namespaceOverride: "" + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto +## @section Common parameters +## + +## @param nameOverride String to partially override mongodb.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override mongodb.fullname template +## +fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param clusterDomain Default Kubernetes cluster domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release +## extraDeploy: +## This needs to be uncommented and added to 'extraDeploy' in order to use the replicaset 'mongo-labeler' sidecar +## for dynamically discovering the mongodb primary pod +## suggestion is to use a hard-coded and predictable TCP port for the primary mongodb pod (here is 30001, choose your own) +## - apiVersion: v1 +## kind: Service +## metadata: +## name: mongodb-primary +## namespace: the-mongodb-namespace +## labels: +## app.kubernetes.io/component: mongodb +## app.kubernetes.io/instance: mongodb +## app.kubernetes.io/managed-by: Helm +## app.kubernetes.io/name: mongodb +## spec: +## type: NodePort +## externalTrafficPolicy: Cluster +## ports: +## - name: mongodb +## port: 30001 +## nodePort: 30001 +## protocol: TCP +## targetPort: mongodb +## selector: +## app.kubernetes.io/component: mongodb +## app.kubernetes.io/instance: mongodb +## app.kubernetes.io/name: mongodb +## primary: "true" +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources (sub-charts are not considered). 
Evaluated as a template +## +commonLabels: {} +## @param commonAnnotations Common annotations to add to all Mongo resources (sub-charts are not considered). Evaluated as a template +## +commonAnnotations: {} +## @param topologyKey Override common lib default topology key. If empty - "kubernetes.io/hostname" is used +## i.e. topologyKey: topology.kubernetes.io/zone +## +topologyKey: "" +## @param serviceBindings.enabled Create secret for service binding (Experimental) +## Ref: https://servicebinding.io/service-provider/ +## +serviceBindings: + enabled: false +## @param enableServiceLinks Whether information about services should be injected into pod's environment variable +## The environment variables injected by service links are not used, but can lead to slow boot times or slow running of the scripts when there are many services in the current namespace. +## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. +## +enableServiceLinks: true +## @param usePasswordFiles Mount credentials as files instead of using environment variables +## +usePasswordFiles: true +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity +## @section MongoDB(®) parameters +## + +## Bitnami MongoDB(®) image +## ref: https://hub.docker.com/r/bitnami/mongodb/tags/ +## @param image.registry [default: REGISTRY_NAME] MongoDB(®) image registry +## @param image.repository [default: REPOSITORY_NAME/mongodb] MongoDB(®) image registry +## @skip image.tag MongoDB(®) image tag (immutable tags are recommended) +## @param image.digest MongoDB(®) image digest in the way 
sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy MongoDB(®) image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Set to true if you would like to see extra information on logs +## +image: + registry: docker.io + repository: bitnami/mongodb + tag: 8.0.9-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## @param schedulerName Name of the scheduler (other than default) to dispatch pods +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param architecture MongoDB(®) architecture (`standalone` or `replicaset`) +## +architecture: standalone +## @param useStatefulSet Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) +## +useStatefulSet: false +## MongoDB(®) Authentication parameters +## +auth: + ## @param auth.enabled Enable authentication + ## ref: https://docs.mongodb.com/manual/tutorial/enable-authentication/ + ## + enabled: true + ## @param auth.rootUser MongoDB(®) root user + ## + rootUser: root + ## @param auth.rootPassword MongoDB(®) root password + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#setting-the-root-user-and-password-on-first-run + ## + rootPassword: "" + ## MongoDB(®) custom users and databases + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#creating-a-user-and-database-on-first-run + 
## @param auth.usernames List of custom users to be created during the initialization + ## @param auth.passwords List of passwords for the custom users set at `auth.usernames` + ## @param auth.databases List of custom databases to be created during the initialization + ## + usernames: [] + passwords: [] + databases: [] + ## @param auth.username DEPRECATED: use `auth.usernames` instead + ## @param auth.password DEPRECATED: use `auth.passwords` instead + ## @param auth.database DEPRECATED: use `auth.databases` instead + ## + username: "" + password: "" + database: "" + ## @param auth.replicaSetKey Key used for authentication in the replicaset (only when `architecture=replicaset`) + ## + replicaSetKey: "" + ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-passwords`, `mongodb-root-password`, `mongodb-metrics-password`, `mongodb-replica-set-key`) + ## NOTE: When it's set the previous parameters are ignored. + ## + existingSecret: "" +tls: + ## @param tls.enabled Enable MongoDB(®) TLS support between nodes in the cluster as well as between mongo clients and nodes + ## + enabled: false + mTLS: + ## @param tls.mTLS.enabled IF TLS support is enabled, require clients to provide certificates + enabled: true + ## @param tls.autoGenerated Generate a custom CA and self-signed certificates + ## + autoGenerated: true + ## @param tls.existingSecret Existing secret with TLS certificates (keys: `mongodb-ca-cert`, `mongodb-ca-key`) + ## NOTE: When it's set it will disable secret creation. + ## + existingSecret: "" + ## Add Custom CA certificate + ## @param tls.caCert Custom CA certificated (base64 encoded) + ## @param tls.caKey CA certificate private key (base64 encoded) + ## + caCert: "" + caKey: "" + ## @param tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert. 
+ ## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA. + ## + pemChainIncluded: false + standalone: + ## @param tls.standalone.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecret: "" + replicaset: + ## @param tls.replicaset.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## existingSecrets: + ## - "mySecret-0" + ## - "mySecret-1" + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecrets: [] + hidden: + ## @param tls.hidden.existingSecrets Array of existing secrets with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## existingSecrets: + ## - "mySecret-0" + ## - "mySecret-1" + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecrets: [] + arbiter: + ## @param tls.arbiter.existingSecret Existing secret with TLS certificates (`tls.key`, `tls.crt`, `ca.crt`) or (`tls.key`, `tls.crt`) with tls.pemChainIncluded set as enabled. + ## NOTE: When it's set it will disable certificate self-generation from existing CA. + ## + existingSecret: "" + ## Bitnami Nginx image + ## @param tls.image.registry [default: REGISTRY_NAME] Init container TLS certs setup image registry + ## @param tls.image.repository [default: REPOSITORY_NAME/nginx] Init container TLS certs setup image repository + ## @skip tls.image.tag Init container TLS certs setup image tag (immutable tags are recommended) + ## @param tls.image.digest Init container TLS certs setup image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param tls.image.pullPolicy Init container TLS certs setup image pull policy + ## @param tls.image.pullSecrets Init container TLS certs specify docker-registry secret names as an array + ## @param tls.extraDnsNames Add extra dns names to the CA, can solve x509 auth issue for pod clients + ## + image: + registry: docker.io + repository: bitnami/nginx + tag: 1.28.0-debian-12-r0 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## e.g: + ## extraDnsNames + ## "DNS.6": "$my_host" + ## "DNS.7": "$test" + ## + extraDnsNames: [] + ## @param tls.mode Allows to set the tls mode which should be used when tls is enabled (options: `allowTLS`, `preferTLS`, `requireTLS`) + ## + mode: requireTLS + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param tls.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param tls.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init Container securityContext + ## ref: https://kubernetes.io/docs/concepts/security/pod-security-policy/ + ## @param tls.securityContext Init container generate-tls-cert Security context + ## + securityContext: {} + ## Example: + ## allowPrivilegeEscalation: false + ## capabilities: + ## drop: ["ALL"] + ## +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false +## @param hostAliases Add deployment host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## @param replicaSetName Name of the replica set (only when `architecture=replicaset`) +## Ignored when mongodb.architecture=standalone +## +replicaSet: + emptyDir: + sizeLimit: 1Gi + +standalone: + emptyDir: + sizeLimit: 1Gi + +replicaSetName: rs0 +## @param replicaSetHostnames Enable DNS hostnames in the replicaset config (only when `architecture=replicaset`) +## Ignored when mongodb.architecture=standalone +## Ignored when externalAccess.enabled=true +## +replicaSetHostnames: true +## @param enableIPv6 Switch to enable/disable IPv6 on MongoDB(®) +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#enablingdisabling-ipv6 +## +enableIPv6: false +## @param directoryPerDB Switch to enable/disable DirectoryPerDB on MongoDB(®) +## ref: https://github.com/bitnami/containers/tree/main/bitnami/mongodb#enablingdisabling-directoryperdb +## +directoryPerDB: false +## MongoDB(®) System Log configuration +## ref: 
https://github.com/bitnami/containers/tree/main/bitnami/mongodb#configuring-system-log-verbosity-level +## @param systemLogVerbosity MongoDB(®) system log verbosity level +## @param disableSystemLog Switch to enable/disable MongoDB(®) system log +## +systemLogVerbosity: 0 +disableSystemLog: false +## @param disableJavascript Switch to enable/disable MongoDB(®) server-side JavaScript execution +## ref: https://docs.mongodb.com/manual/core/server-side-javascript/ +## +disableJavascript: false +## @param enableJournal Switch to enable/disable MongoDB(®) Journaling +## ref: https://docs.mongodb.com/manual/reference/configuration-options/#mongodb-setting-storage.journal.enabled +## +enableJournal: true +## @param configuration MongoDB(®) configuration file to be used for Primary and Secondary nodes +## For documentation of all options, see: http://docs.mongodb.org/manual/reference/configuration-options/ +## Example: +## configuration: |- +## # where and how to store data. +## storage: +## dbPath: /bitnami/mongodb/data/db +## journal: +## enabled: true +## directoryPerDB: false +## # where to write logging data +## systemLog: +## destination: file +## quiet: false +## logAppend: true +## logRotate: reopen +## path: /opt/bitnami/mongodb/logs/mongodb.log +## verbosity: 0 +## # network interfaces +## net: +## port: 27017 +## unixDomainSocket: +## enabled: true +## pathPrefix: /opt/bitnami/mongodb/tmp +## ipv6: false +## bindIpAll: true +## # replica set options +## #replication: +## #replSetName: replicaset +## #enableMajorityReadConcern: true +## # process management options +## processManagement: +## fork: false +## pidFilePath: /opt/bitnami/mongodb/tmp/mongodb.pid +## # set parameter options +## setParameter: +## enableLocalhostAuthBypass: true +## # security options +## security: +## authorization: disabled +## #keyFile: /opt/bitnami/mongodb/conf/keyfile +## +configuration: "" +## @section replicaSetConfigurationSettings settings applied during runtime (not via 
configuration file) +## If enabled, these are applied by a script which is called within setup.sh +## for documentation see https://docs.mongodb.com/manual/reference/replica-configuration/#replica-set-configuration-fields +## @param replicaSetConfigurationSettings.enabled Enable MongoDB(®) Switch to enable/disable configuring MongoDB(®) run time rs.conf settings +## @param replicaSetConfigurationSettings.configuration run-time rs.conf settings +## +replicaSetConfigurationSettings: + enabled: false + configuration: {} +## Custom configurations for individual replica set members. +## Use the prefix 'members[X].' to apply settings to the member X of the replica set. +## Example: 'members[0].priority: 3' sets the priority of the first replica set member to 3. +## The index X in 'members[X]' corresponds to the member's position in the replica set. +## members[0].priority: 3 +## chainingAllowed : false +## heartbeatTimeoutSecs : 10 +## heartbeatIntervalMillis : 2000 +## electionTimeoutMillis : 10000 +## catchUpTimeoutMillis : 30000 +## @param existingConfigmap Name of existing ConfigMap with MongoDB(®) configuration for Primary and Secondary nodes +## NOTE: When it's set the arbiter.configuration parameter is ignored +## +existingConfigmap: "" +## @param initdbScripts Dictionary of initdb scripts +## Specify dictionary of scripts to be run at first boot +## Example: +## initdbScripts: +## my_init_script.sh: | +## #!/bin/bash +## echo "Do something." +## +initdbScripts: {} +## @param initdbScriptsConfigMap Existing ConfigMap with custom initdb scripts +## +initdbScriptsConfigMap: "" +## Command and args for running the container (set to default if not set). 
Use array form +## @param command Override default container command (useful when using custom images) +## @param args Override default container args (useful when using custom images) +## +command: [] +args: [] +## @param extraFlags MongoDB(®) additional command line flags +## Example: +## extraFlags: +## - "--wiredTigerCacheSizeGB=2" +## +extraFlags: [] +## @param extraEnvVars Extra environment variables to add to MongoDB(®) pods +## E.g: +## extraEnvVars: +## - name: FOO +## value: BAR +## +extraEnvVars: [] +## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) +## +extraEnvVarsSecret: "" +## @section MongoDB(®) statefulset parameters +## + +## @param annotations Additional labels to be added to the MongoDB(®) statefulset. Evaluated as a template +## +annotations: {} +## @param labels Annotations to be added to the MongoDB(®) statefulset. Evaluated as a template +## +labels: {} +## @param replicaCount Number of MongoDB(®) nodes +## When `mongodb.architecture=replicaset`, the number of replicas is taken in account +## When `mongodb.architecture=standalone`, the number of replicas can only be 0 or 1 (value higher then 1 will not be taken in account) +## +replicaCount: 2 +## @param updateStrategy.type Strategy to use to replace existing MongoDB(®) pods. When architecture=standalone and useStatefulSet=false, +## this parameter will be applied on a deployment object. 
In other case it will be applied on a statefulset object +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## Example: +## updateStrategy: +## type: RollingUpdate +## rollingUpdate: +## maxSurge: 25% +## maxUnavailable: 25% +## +updateStrategy: + type: RollingUpdate +## @param podManagementPolicy Pod management policy for MongoDB(®) +## Should be initialized one by one when building the replicaset for the first time +## +podManagementPolicy: OrderedReady +## @param podAffinityPreset MongoDB(®) Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset MongoDB(®) Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type MongoDB(®) Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key MongoDB(®) Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values MongoDB(®) Node label values to match. Ignored if `affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity MongoDB(®) Affinity for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param nodeSelector MongoDB(®) Node labels for pod assignment +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param tolerations MongoDB(®) Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param topologySpreadConstraints MongoDB(®) Spread Constraints for Pods +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## +topologySpreadConstraints: [] +## @param lifecycleHooks LifecycleHook for the MongoDB(®) container(s) to automate configuration before or after startup +## +lifecycleHooks: {} +## @param terminationGracePeriodSeconds MongoDB(®) Termination Grace Period +## +terminationGracePeriodSeconds: "" +## @param podLabels MongoDB(®) pod labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations MongoDB(®) Pod annotations +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param priorityClassName Name of the existing priority class to be used by MongoDB(®) pod(s) +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +priorityClassName: "" +## @param runtimeClassName Name of the runtime class to be used by MongoDB(®) pod(s) +## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ +## +runtimeClassName: "" +## MongoDB(®) pods' Security Context. 
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enable MongoDB(®) pod(s)' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Group ID for the volumes of the MongoDB(®) pod(s) +## @param podSecurityContext.sysctls sysctl settings of the MongoDB(®) pod(s)' +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] +## MongoDB(®) containers' Security Context (main and metrics container). +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + 
seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + seccompProfile: + type: "RuntimeDefault" +## MongoDB(®) containers' resource requests and limits. +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "small" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} +## @param containerPorts.mongodb MongoDB(®) container port +## +containerPorts: + mongodb: 27017 +## MongoDB(®) pods' liveness probe. Evaluated as a template. 
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 +## MongoDB(®) pods' readiness probe. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 +## Slow starting containers can be protected through startup probes +## Startup probes are available in Kubernetes version 1.16 and above +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param 
startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 20 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 30 +## @param customLivenessProbe Override default liveness probe for MongoDB(®) containers +## Ignored when livenessProbe.enabled=true +## +customLivenessProbe: {} +## @param customReadinessProbe Override default readiness probe for MongoDB(®) containers +## Ignored when readinessProbe.enabled=true +## +customReadinessProbe: {} +## @param customStartupProbe Override default startup probe for MongoDB(®) containers +## Ignored when startupProbe.enabled=true +## +customStartupProbe: {} +## @param initContainers Add additional init containers for the hidden node pod(s) +## Example: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +initContainers: [] +## @param sidecars Add additional sidecar containers for the MongoDB(®) pod(s) +## Example: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## This is an optional 'mongo-labeler' sidecar container that tracks replica-set for the primary mongodb pod +## and labels it dynamically with ' primary: "true" ' in order for an extra-deployed service to always expose +## and attach to the primary pod, this needs to be uncommented along with the suggested 'extraDeploy' example +## and the suggested rbac example for the pod to be allowed adding labels to mongo replica pods +## search 'mongo-labeler' through this file to find the sections that needs to be uncommented to make it work +## +## - name: mongo-labeler +## image: korenlev/k8s-mongo-labeler-sidecar +## imagePullPolicy: Always +## env: +## - name: LABEL_SELECTOR +## value: 
"app.kubernetes.io/component=mongodb,app.kubernetes.io/instance=mongodb,app.kubernetes.io/name=mongodb" +## - name: NAMESPACE +## value: "the-mongodb-namespace" +## - name: DEBUG +## value: "true" +## +sidecars: [] +## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MongoDB(®) container(s) +## Examples: +## extraVolumeMounts: +## - name: extras +## mountPath: /usr/share/extras +## readOnly: true +## +extraVolumeMounts: [] +## @param extraVolumes Optionally specify extra list of additional volumes to the MongoDB(®) statefulset +## extraVolumes: +## - name: extras +## emptyDir: {} +## +extraVolumes: [] +## MongoDB(®) Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## +pdb: + ## @param pdb.create Enable/disable a Pod Disruption Budget creation for MongoDB(®) pod(s) + ## + create: true + ## @param pdb.minAvailable Minimum number/percentage of MongoDB(®) pods that must still be available after the eviction + ## + minAvailable: "" + ## @param pdb.maxUnavailable Maximum number/percentage of MongoDB(®) pods that may be made unavailable after the eviction. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. + ## + maxUnavailable: "" +## @section Traffic exposure parameters +## + +## Service parameters +## +service: + ## @param service.nameOverride MongoDB(®) service name + ## + nameOverride: "" + ## @param service.type Kubernetes Service type (only for standalone architecture) + ## + type: ClusterIP + ## @param service.portName MongoDB(®) service port name (only for standalone architecture) + ## + portName: mongodb + ## @param service.ports.mongodb MongoDB(®) service port. 
+ ## + ports: + mongodb: 27017 + ## @param service.nodePorts.mongodb Port to bind to for NodePort and LoadBalancer service types (only for standalone architecture) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + mongodb: "" + ## @param service.clusterIP MongoDB(®) service cluster IP (only for standalone architecture) + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.externalIPs Specify the externalIP value ClusterIP service type (only for standalone architecture) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + ## + externalIPs: [] + ## @param service.loadBalancerIP loadBalancerIP for MongoDB(®) Service (only for standalone architecture) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer + ## + loadBalancerIP: "" + ## @param service.loadBalancerClass loadBalancerClass for MongoDB(®) Service (only for standalone architecture) + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer (only for standalone architecture) + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + loadBalancerSourceRanges: [] + ## @param service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true + ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param service.annotations Provide any additional annotations that may be required + ## + annotations: {} + ## @param service.externalTrafficPolicy service external traffic 
policy (only for standalone architecture) + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Local + ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param service.headless.annotations Annotations for the headless service. + ## + annotations: {} + ## @param service.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready + ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/ + ## + publishNotReadyAddresses: false +## External Access to MongoDB(®) nodes configuration +## +externalAccess: + ## @param externalAccess.enabled Enable Kubernetes external cluster access to MongoDB(®) nodes (only for replicaset architecture) + ## + enabled: false + ## External IPs auto-discovery configuration + ## An init container is used to auto-detect LB IPs or node ports by querying the K8s API + ## Note: RBAC might be required + ## + autoDiscovery: + ## @param externalAccess.autoDiscovery.enabled Enable using an init container to auto-detect external IPs by querying the K8s API + ## + enabled: false + ## Bitnami Kubectl image + ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/ + ## @param externalAccess.autoDiscovery.image.registry [default: REGISTRY_NAME] Init container auto-discovery image registry + ## @param externalAccess.autoDiscovery.image.repository [default: REPOSITORY_NAME/kubectl] Init container auto-discovery image 
repository + ## @skip externalAccess.autoDiscovery.image.tag Init container auto-discovery image tag (immutable tags are recommended) + ## @param externalAccess.autoDiscovery.image.digest Init container auto-discovery image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param externalAccess.autoDiscovery.image.pullPolicy Init container auto-discovery image pull policy + ## @param externalAccess.autoDiscovery.image.pullSecrets Init container auto-discovery image pull secrets + ## + image: + registry: docker.io + repository: bitnami/kubectl + tag: 1.33.0-debian-12-r1 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param externalAccess.autoDiscovery.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param externalAccess.autoDiscovery.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init container what mission is ensure public names can be resolved. + ## + dnsCheck: + ## Bitnami os-shell image + ## ref: https://hub.docker.com/r/bitnami/os-shell/tags/ + ## @param externalAccess.dnsCheck.image.registry [default: REGISTRY_NAME] Init container dns-check image registry + ## @param externalAccess.dnsCheck.image.repository [default: REPOSITORY_NAME/kubectl] Init container dns-check image repository + ## @skip externalAccess.dnsCheck.image.tag Init container dns-check image tag (immutable tags are recommended) + ## @param externalAccess.dnsCheck.image.digest Init container dns-check image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param externalAccess.dnsCheck.image.pullPolicy Init container dns-check image pull policy + ## @param externalAccess.dnsCheck.image.pullSecrets Init container dns-check image pull secrets + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r43 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param externalAccess.dnsCheck.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if externalAccess.autoDiscovery.resources is set (externalAccess.autoDiscovery.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param externalAccess.dnsCheck.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Parameters to configure a set of Pods that connect to an existing MongoDB(®) deployment that lies outside of Kubernetes. + ## @param externalAccess.externalMaster.enabled Use external master for bootstrapping + ## @param externalAccess.externalMaster.host External master host to bootstrap from + ## @param externalAccess.externalMaster.port Port for MongoDB(®) service external master host + ## + externalMaster: + enabled: false + host: "" + port: 27017 + ## Parameters to configure K8s service(s) used to externally access MongoDB(®) + ## A new service per broker will be created + ## + service: + ## @param externalAccess.service.type Kubernetes Service type for external access. Allowed values: NodePort, LoadBalancer or ClusterIP + ## + type: LoadBalancer + ## @param externalAccess.service.portName MongoDB(®) port name used for external access when service type is LoadBalancer + ## + portName: "mongodb" + ## @param externalAccess.service.ports.mongodb MongoDB(®) port used for external access when service type is LoadBalancer + ## + ports: + mongodb: 27017 + ## @param externalAccess.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes + ## Example: + ## loadBalancerIPs: + ## - X.X.X.X + ## - Y.Y.Y.Y + ## + loadBalancerIPs: [] + ## @param externalAccess.service.publicNames Array of public names. The size should be equal to the number of replicas. 
+ ## + publicNames: [] + ## @param externalAccess.service.loadBalancerClass loadBalancerClass when service type is LoadBalancer + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + ## @param externalAccess.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## Example: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param externalAccess.service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true + ## @param externalAccess.service.externalTrafficPolicy MongoDB(®) service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Local + ## @param externalAccess.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort + ## Example: + ## nodePorts: + ## - 30001 + ## - 30002 + ## + nodePorts: [] + ## @param externalAccess.service.domain Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort + ## If not specified, the container will try to get the kubernetes node external IP + ## e.g: + ## domain: mydomain.com + ## + domain: "" + ## @param externalAccess.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param externalAccess.service.annotations Service annotations for external access. These annotations are common for all services created. 
+ ## + annotations: {} + ## @param externalAccess.service.annotationsList Service annotations for eache external service. This value contains a list allowing different annotations per each external service. + ## Eg: + ## annotationsList: + ## - external-dns.alpha.kubernetes.io/hostname: mongodb-0.example.com + ## - external-dns.alpha.kubernetes.io/hostname: mongodb-1.example.com + ## + annotationsList: [] + ## @param externalAccess.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param externalAccess.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## External Access to MongoDB(®) Hidden nodes configuration + ## + hidden: + ## @param externalAccess.hidden.enabled Enable Kubernetes external cluster access to MongoDB(®) hidden nodes + ## + enabled: false + ## Parameters to configure K8s service(s) used to externally access MongoDB(®) + ## A new service per broker will be created + ## + service: + ## @param externalAccess.hidden.service.type Kubernetes Service type for external access. 
Allowed values: NodePort or LoadBalancer + ## + type: LoadBalancer + ## @param externalAccess.hidden.service.portName MongoDB(®) port name used for external access when service type is LoadBalancer + ## + portName: "mongodb" + ## @param externalAccess.hidden.service.ports.mongodb MongoDB(®) port used for external access when service type is LoadBalancer + ## + ports: + mongodb: 27017 + ## @param externalAccess.hidden.service.loadBalancerIPs Array of load balancer IPs for MongoDB(®) nodes + ## Example: + ## loadBalancerIPs: + ## - X.X.X.X + ## - Y.Y.Y.Y + ## + loadBalancerIPs: [] + ## @param externalAccess.hidden.service.loadBalancerClass loadBalancerClass when service type is LoadBalancer + # ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class + loadBalancerClass: "" + ## @param externalAccess.hidden.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## Example: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param externalAccess.hidden.service.allocateLoadBalancerNodePorts Wheter to allocate node ports when service type is LoadBalancer + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation + ## + allocateLoadBalancerNodePorts: true + ## @param externalAccess.hidden.service.externalTrafficPolicy MongoDB(®) service external traffic policy + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Local + ## @param externalAccess.hidden.service.nodePorts Array of node ports used to configure MongoDB(®) advertised hostname when service type is NodePort. 
Length must be the same as replicaCount + ## Example: + ## nodePorts: + ## - 30001 + ## - 30002 + ## + nodePorts: [] + ## @param externalAccess.hidden.service.domain Domain or external IP used to configure MongoDB(®) advertised hostname when service type is NodePort + ## If not specified, the container will try to get the kubernetes node external IP + ## e.g: + ## domain: mydomain.com + ## + domain: "" + ## @param externalAccess.hidden.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param externalAccess.hidden.service.annotations Service annotations for external access + ## + annotations: {} + ## @param externalAccess.hidden.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/ + ## + sessionAffinity: None + ## @param externalAccess.hidden.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} +## @section Password update job +## +passwordUpdateJob: + ## @param passwordUpdateJob.enabled Enable password update job + ## + enabled: false + ## @param passwordUpdateJob.backoffLimit set backoff limit of the job + ## + backoffLimit: 10 + ## @param passwordUpdateJob.command Override default container command on mysql Primary container(s) (useful when using custom images) + ## + command: [] + ## @param passwordUpdateJob.args Override default container args on mysql Primary container(s) (useful when using custom images) + ## + args: [] + ## @param passwordUpdateJob.extraCommands Extra commands to pass to the generation job + ## + extraCommands: "" + ## @param passwordUpdateJob.previousPasswords.rootPassword Previous root password (set if the password secret was already changed) + ## @param passwordUpdateJob.previousPasswords.existingSecret Name of a secret 
containing the previous passwords (set if the password secret was already changed) + previousPasswords: + rootPassword: "" + existingSecret: "" + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param passwordUpdateJob.containerSecurityContext.enabled Enabled containers' Security Context + ## @param passwordUpdateJob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param passwordUpdateJob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param passwordUpdateJob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param passwordUpdateJob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param passwordUpdateJob.containerSecurityContext.privileged Set container's Security Context privileged + ## @param passwordUpdateJob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param passwordUpdateJob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param passwordUpdateJob.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param passwordUpdateJob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param passwordUpdateJob.podSecurityContext.enabled Enabled credential 
init job pods' Security Context + ## @param passwordUpdateJob.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param passwordUpdateJob.podSecurityContext.sysctls Set kernel settings using the sysctl interface + ## @param passwordUpdateJob.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param passwordUpdateJob.podSecurityContext.fsGroup Set credential init job pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + fsGroup: 1001 + ## @param passwordUpdateJob.extraEnvVars Array containing extra env vars to configure the credential init job + ## For example: + ## extraEnvVars: + ## - name: GF_DEFAULT_INSTANCE_NAME + ## value: my-instance + ## + extraEnvVars: [] + ## @param passwordUpdateJob.extraEnvVarsCM ConfigMap containing extra env vars to configure the credential init job + ## + extraEnvVarsCM: "" + ## @param passwordUpdateJob.extraEnvVarsSecret Secret containing extra env vars to configure the credential init job (in case of sensitive data) + ## + extraEnvVarsSecret: "" + ## @param passwordUpdateJob.extraVolumes Optionally specify extra list of additional volumes for the credential init job + ## + extraVolumes: [] + ## @param passwordUpdateJob.extraVolumeMounts Array of extra volume mounts to be added to the jwt Container (evaluated as template). Normally used with `extraVolumes`. + ## + extraVolumeMounts: [] + ## @param passwordUpdateJob.initContainers Add additional init containers for the mysql Primary pod(s) + ## + initContainers: [] + ## Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param passwordUpdateJob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if passwordUpdateJob.resources is set (passwordUpdateJob.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param passwordUpdateJob.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param passwordUpdateJob.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param passwordUpdateJob.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param passwordUpdateJob.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param passwordUpdateJob.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param passwordUpdateJob.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param passwordUpdateJob.annotations [object] Add annotations to the job + ## + annotations: {} + ## @param passwordUpdateJob.podLabels Additional pod labels + ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param passwordUpdateJob.podAnnotations Additional pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + + +## @section Network policy parameters +## + +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be 
created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true. + ## + addExternalClientAccess: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true. + ## e.g: + ## ingressPodMatchLabels: + ## my-client: "true" + # + ingressPodMatchLabels: {} + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true. + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. 
Ignored if `networkPolicy.allowExternal` is true. + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +persistence: + ## @param persistence.enabled Enable MongoDB(®) data persistence using PVC + ## + enabled: true + ## @param persistence.name Name of the PVC and mounted volume + ## + name: "datadir" + ## @param persistence.medium Provide a medium for `emptyDir` volumes. + ## Requires persistence.enabled: false + ## + medium: "" + ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + ## Ignored when mongodb.architecture=replicaset + ## + existingClaim: "" + ## @param persistence.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted + ## + resourcePolicy: "" + ## @param persistence.storageClass PVC Storage Class for MongoDB(®) data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param persistence.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param persistence.size PVC Storage Request for MongoDB(®) data volume + ## + size: 8Gi + ## @param persistence.annotations PVC annotations + ## + annotations: {} + ## @param persistence.labels PVC labels + ## + labels: {} + ## @param persistence.mountPath Path to mount the volume at + ## MongoDB(®) images. + ## + mountPath: /bitnami/mongodb + ## @param persistence.subPath Subdirectory of the volume to mount at + ## and one PV for multiple services. 
+ ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) + ## A label query over volumes to consider for binding (e.g. when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} + ## @param persistence.volumeClaimTemplates.requests Custom PVC requests attributes + ## Sometime cloud providers use additional requests attributes to provision custom storage instance + ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset + ## + requests: {} + ## @param persistence.volumeClaimTemplates.dataSource Add dataSource to the VolumeClaimTemplate + ## + dataSource: {} +## Persistent Volume Claim Retention Policy +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention +## +persistentVolumeClaimRetentionPolicy: + ## @param persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for MongoDB(®) Statefulset + ## + enabled: false + ## @param persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced + ## + whenScaled: Retain + ## @param persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted + ## + whenDeleted: Retain +## @section Backup parameters +## This section implements a trivial logical dump cronjob of the database. +## This only comes with the consistency guarantees of the dump program. +## This is not a snapshot based roll forward/backward recovery backup. 
+## ref: https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ +## +backup: + ## @param backup.enabled Enable the logical dump of the database "regularly" + ## + enabled: false + emptyDir: + sizeLimit: 1Gi + ## Fine tuning cronjob's config + ## + cronjob: + ## @param backup.cronjob.schedule Set the cronjob parameter schedule + ## + schedule: "@daily" + ## @param backup.cronjob.timeZone Set the cronjob parameter timeZone + ## + timeZone: "" + ## @param backup.cronjob.concurrencyPolicy Set the cronjob parameter concurrencyPolicy + ## + concurrencyPolicy: Allow + ## @param backup.cronjob.failedJobsHistoryLimit Set the cronjob parameter failedJobsHistoryLimit + ## + failedJobsHistoryLimit: 1 + ## @param backup.cronjob.successfulJobsHistoryLimit Set the cronjob parameter successfulJobsHistoryLimit + ## + successfulJobsHistoryLimit: 3 + ## @param backup.cronjob.startingDeadlineSeconds Set the cronjob parameter startingDeadlineSeconds + ## + startingDeadlineSeconds: "" + ## @param backup.cronjob.ttlSecondsAfterFinished Set the cronjob parameter ttlSecondsAfterFinished + ## + ttlSecondsAfterFinished: "" + ## @param backup.cronjob.restartPolicy Set the cronjob parameter restartPolicy + ## + restartPolicy: OnFailure + ## @param backup.cronjob.backoffLimit Set the cronjob parameter backoffLimit + backoffLimit: 6 + ## backup container's Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context + ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param backup.cronjob.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param backup.cronjob.containerSecurityContext.runAsNonRoot 
Set container's Security Context runAsNonRoot + ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged + ## @param backup.cronjob.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param backup.cronjob.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param backup.cronjob.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + seccompProfile: + type: "RuntimeDefault" + ## backup container's resource requests and limits. + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param backup.cronjob.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param backup.cronjob.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param backup.cronjob.command Set backup container's command to run + ## + command: [] + ## @param backup.cronjob.labels Set the cronjob labels + ## + labels: {} + ## @param backup.cronjob.annotations Set the cronjob annotations + ## + annotations: {} + ## Backup container's + ## + storage: + ## @param backup.cronjob.storage.existingClaim Provide an existing `PersistentVolumeClaim` (only when `architecture=standalone`) + ## If defined, PVC must be created manually before volume will be bound + ## + existingClaim: "" + ## @param backup.cronjob.storage.resourcePolicy Setting it to "keep" to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart deleted + ## + resourcePolicy: "" + ## @param backup.cronjob.storage.storageClass PVC Storage Class for the backup data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
+ ## + storageClass: "" + ## @param backup.cronjob.storage.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param backup.cronjob.storage.size PVC Storage Request for the backup data volume + ## + size: 8Gi + ## @param backup.cronjob.storage.annotations PVC annotations + ## + annotations: {} + ## @param backup.cronjob.storage.mountPath Path to mount the volume at + ## + mountPath: /backup/mongodb + ## @param backup.cronjob.storage.subPath Subdirectory of the volume to mount at + ## and one PV for multiple services. + ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param backup.cronjob.storage.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. when using local volumes) + ## A label query over volumes to consider for binding (e.g. when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} +## @section RBAC parameters +## + +## ServiceAccount +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for MongoDB(®) pods + ## + create: true + ## @param serviceAccount.name Name of the created serviceAccount + ## If not set and create is true, a name is generated using the mongodb.fullname template + ## + name: "" + ## @param serviceAccount.annotations Additional Service Account annotations + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: false +## Role Based Access +## ref: https://kubernetes.io/docs/admin/authorization/rbac/ +## +rbac: + ## @param rbac.create Whether to create & use RBAC resources or not + ## binding 
MongoDB(®) ServiceAccount to a role + ## that allows MongoDB(®) pods querying the K8s API + ## this needs to be set to 'true' to enable the mongo-labeler sidecar primary mongodb discovery + ## + create: false + ## @param rbac.rules Custom rules to create following the role specification + ## The example below needs to be uncommented to use the 'mongo-labeler' sidecar for dynamic discovery of the primary mongodb pod: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## - watch + ## - update + ## + rules: [] +## PodSecurityPolicy configuration +## Be sure to also set rbac.create to true, otherwise Role and RoleBinding won't be created. +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later + ## + create: false + ## @param podSecurityPolicy.allowPrivilegeEscalation Enable privilege escalation + ## Either use predefined policy with some adjustments or use `podSecurityPolicy.spec` + ## + allowPrivilegeEscalation: false + ## @param podSecurityPolicy.privileged Allow privileged + ## + privileged: false + ## @param podSecurityPolicy.spec Specify the full spec to use for Pod Security Policy + ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## Defining a spec ignores the above values. 
+ ## + spec: {} + ## Example: + ## allowPrivilegeEscalation: false + ## fsGroup: + ## rule: 'MustRunAs' + ## ranges: + ## - min: 1001 + ## max: 1001 + ## hostIPC: false + ## hostNetwork: false + ## hostPID: false + ## privileged: false + ## readOnlyRootFilesystem: true + ## requiredDropCapabilities: + ## - ALL + ## runAsUser: + ## rule: 'MustRunAs' + ## ranges: + ## - min: 1001 + ## max: 1001 + ## seLinux: + ## rule: 'RunAsAny' + ## supplementalGroups: + ## rule: 'MustRunAs' + ## ranges: + ## - min: 1001 + ## max: 1001 + ## volumes: + ## - 'configMap' + ## - 'secret' + ## - 'emptyDir' + ## - 'persistentVolumeClaim' + ## +## @section Volume Permissions parameters +## +## Init Container parameters +## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component +## values from the securityContext section of the component +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` + ## + enabled: false + ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry + ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository + ## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/os-shell + tag: 12-debian-12-r43 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init Container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Init container Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.securityContext.runAsUser + ## When runAsUser is set to special value "auto", init container will try to chwon the + ## data folder to autodetermined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic userids (and 0 is not allowed). + ## You may want to use this volumePermissions.securityContext.runAsUser="auto" in combination with + ## podSecurityContext.enabled=false,containerSecurityContext.enabled=false and shmVolume.chmod.enabled=false + ## @param volumePermissions.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param volumePermissions.securityContext.runAsUser User ID for the volumePermissions container + ## + securityContext: + seLinuxOptions: {} + runAsUser: 0 +## @section Arbiter parameters +## +arbiter: + emptyDir: + sizeLimit: 1Gi + ## @param arbiter.enabled Enable deploying the arbiter + ## https://docs.mongodb.com/manual/tutorial/add-replica-set-arbiter/ + ## + enabled: true + ## @param arbiter.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param arbiter.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param arbiter.configuration Arbiter 
configuration file to be used + ## http://docs.mongodb.org/manual/reference/configuration-options/ + ## + configuration: "" + ## @param arbiter.existingConfigmap Name of existing ConfigMap with Arbiter configuration + ## NOTE: When it's set the arbiter.configuration parameter is ignored + ## + existingConfigmap: "" + ## Command and args for running the container (set to default if not set). Use array form + ## @param arbiter.command Override default container command (useful when using custom images) + ## @param arbiter.args Override default container args (useful when using custom images) + ## + command: [] + args: [] + ## @param arbiter.extraFlags Arbiter additional command line flags + ## Example: + ## extraFlags: + ## - "--wiredTigerCacheSizeGB=2" + ## + extraFlags: [] + ## @param arbiter.extraEnvVars Extra environment variables to add to Arbiter pods + ## E.g: + ## extraEnvVars: + ## - name: FOO + ## value: BAR + ## + extraEnvVars: [] + ## @param arbiter.extraEnvVarsCM Name of existing ConfigMap containing extra env vars + ## + extraEnvVarsCM: "" + ## @param arbiter.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) + ## + extraEnvVarsSecret: "" + ## @param arbiter.annotations Additional labels to be added to the Arbiter statefulset + ## + annotations: {} + ## @param arbiter.labels Annotations to be added to the Arbiter statefulset + ## + labels: {} + ## @param arbiter.topologySpreadConstraints MongoDB(®) Spread Constraints for arbiter Pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + ## @param arbiter.lifecycleHooks LifecycleHook for the Arbiter container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param arbiter.terminationGracePeriodSeconds Arbiter Termination Grace Period + ## + terminationGracePeriodSeconds: "" + ## @param arbiter.updateStrategy.type Strategy that will be employed to 
update Pods in the StatefulSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## updateStrategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## maxUnavailable: 25% + ## + updateStrategy: + type: RollingUpdate + ## @param arbiter.podManagementPolicy Pod management policy for MongoDB(®) + ## Should be initialized one by one when building the replicaset for the first time + ## + podManagementPolicy: OrderedReady + ## @param arbiter.schedulerName Name of the scheduler (other than default) to dispatch pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param arbiter.podAffinityPreset Arbiter Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param arbiter.podAntiAffinityPreset Arbiter Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param arbiter.nodeAffinityPreset.type Arbiter Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param arbiter.nodeAffinityPreset.key Arbiter Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param arbiter.nodeAffinityPreset.values Arbiter Node label values to match. Ignored if `affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param arbiter.affinity Arbiter Affinity for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: arbiter.podAffinityPreset, arbiter.podAntiAffinityPreset, and arbiter.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param arbiter.nodeSelector Arbiter Node labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param arbiter.tolerations Arbiter Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param arbiter.podLabels Arbiter pod labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param arbiter.podAnnotations Arbiter Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param arbiter.priorityClassName Name of the existing priority class to be used by Arbiter pod(s) + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param arbiter.runtimeClassName Name of the runtime class to be used by Arbiter pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## MongoDB(®) Arbiter pods' Security Context. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param arbiter.podSecurityContext.enabled Enable Arbiter pod(s)' Security Context + ## @param arbiter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param arbiter.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param arbiter.podSecurityContext.fsGroup Group ID for the volumes of the Arbiter pod(s) + ## @param arbiter.podSecurityContext.sysctls sysctl settings of the Arbiter pod(s)' + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] + ## MongoDB(®) Arbiter containers' Security Context (only main container). + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param arbiter.containerSecurityContext.enabled Enabled containers' Security Context + ## @param arbiter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param arbiter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param arbiter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param arbiter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param arbiter.containerSecurityContext.privileged Set container's Security Context privileged + ## @param arbiter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param arbiter.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param arbiter.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param 
arbiter.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + seccompProfile: + type: "RuntimeDefault" + ## MongoDB(®) Arbiter containers' resource requests and limits. + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param arbiter.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if arbiter.resources is set (arbiter.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "none" + ## @param arbiter.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param arbiter.containerPorts.mongodb MongoDB(®) arbiter container port + ## + containerPorts: + mongodb: 27017 + ## MongoDB(®) Arbiter pods' liveness probe. Evaluated as a template. 
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param arbiter.livenessProbe.enabled Enable livenessProbe + ## @param arbiter.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param arbiter.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param arbiter.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param arbiter.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param arbiter.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## MongoDB(®) Arbiter pods' readiness probe. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param arbiter.readinessProbe.enabled Enable readinessProbe + ## @param arbiter.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param arbiter.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param arbiter.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param arbiter.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param arbiter.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## MongoDB(®) Arbiter pods' startup probe. Evaluated as a template. 
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param arbiter.startupProbe.enabled Enable startupProbe + ## @param arbiter.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param arbiter.startupProbe.periodSeconds Period seconds for startupProbe + ## @param arbiter.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param arbiter.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param arbiter.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + ## @param arbiter.customLivenessProbe Override default liveness probe for Arbiter containers + ## Ignored when arbiter.livenessProbe.enabled=true + ## + customLivenessProbe: {} + ## @param arbiter.customReadinessProbe Override default readiness probe for Arbiter containers + ## Ignored when arbiter.readinessProbe.enabled=true + ## + customReadinessProbe: {} + ## @param arbiter.customStartupProbe Override default startup probe for Arbiter containers + ## Ignored when arbiter.startupProbe.enabled=true + ## + customStartupProbe: {} + ## @param arbiter.initContainers Add additional init containers for the Arbiter pod(s) + ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## @param arbiter.sidecars Add additional sidecar containers for the Arbiter pod(s) + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param arbiter.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Arbiter container(s) + ## Examples: + ## extraVolumeMounts: + ## - 
name: extras + ## mountPath: /usr/share/extras + ## readOnly: true + ## + extraVolumeMounts: [] + ## @param arbiter.extraVolumes Optionally specify extra list of additional volumes to the Arbiter statefulset + ## extraVolumes: + ## - name: extras + ## emptyDir: {} + ## + extraVolumes: [] + ## MongoDB(®) Arbiter Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param arbiter.pdb.create Enable/disable a Pod Disruption Budget creation for Arbiter pod(s) + ## + create: true + ## @param arbiter.pdb.minAvailable Minimum number/percentage of Arbiter pods that should remain scheduled + ## + minAvailable: "" + ## @param arbiter.pdb.maxUnavailable Maximum number/percentage of Arbiter pods that may be made unavailable. Defaults to `1` if both `arbiter.pdb.minAvailable` and `arbiter.pdb.maxUnavailable` are empty. + ## + maxUnavailable: "" + ## MongoDB(®) Arbiter service parameters + ## + service: + ## @param arbiter.service.nameOverride The arbiter service name + ## + nameOverride: "" + ## @param arbiter.service.ports.mongodb MongoDB(®) service port + ## + ports: + mongodb: 27017 + ## @param arbiter.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param arbiter.service.annotations Provide any additional annotations that may be required + ## + annotations: {} + ## Headless service properties + ## + headless: + ## @param arbiter.service.headless.annotations Annotations for the headless service. 
+ ## + annotations: {} +## @section Hidden Node parameters +## +hidden: + ## @param hidden.enabled Enable deploying the hidden nodes + ## https://docs.mongodb.com/manual/tutorial/configure-a-hidden-replica-set-member/ + ## + enabled: false + emptyDir: + sizeLimit: 1Gi + ## @param hidden.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false + ## @param hidden.hostAliases Add deployment host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param hidden.configuration Hidden node configuration file to be used + ## http://docs.mongodb.org/manual/reference/configuration-options/ + ## + configuration: "" + ## @param hidden.existingConfigmap Name of existing ConfigMap with Hidden node configuration + ## NOTE: When it's set the hidden.configuration parameter is ignored + ## + existingConfigmap: "" + ## Command and args for running the container (set to default if not set). 
Use array form + ## @param hidden.command Override default container command (useful when using custom images) + ## @param hidden.args Override default container args (useful when using custom images) + ## + command: [] + args: [] + ## @param hidden.extraFlags Hidden node additional command line flags + ## Example: + ## extraFlags: + ## - "--wiredTigerCacheSizeGB=2" + ## + extraFlags: [] + ## @param hidden.extraEnvVars Extra environment variables to add to Hidden node pods + ## E.g: + ## extraEnvVars: + ## - name: FOO + ## value: BAR + ## + extraEnvVars: [] + ## @param hidden.extraEnvVarsCM Name of existing ConfigMap containing extra env vars + ## + extraEnvVarsCM: "" + ## @param hidden.extraEnvVarsSecret Name of existing Secret containing extra env vars (in case of sensitive data) + ## + extraEnvVarsSecret: "" + ## @param hidden.annotations Additional labels to be added to thehidden node statefulset + ## + annotations: {} + ## @param hidden.labels Annotations to be added to the hidden node statefulset + ## + labels: {} + ## @param hidden.topologySpreadConstraints MongoDB(®) Spread Constraints for hidden Pods + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## + topologySpreadConstraints: [] + ## @param hidden.lifecycleHooks LifecycleHook for the Hidden container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param hidden.replicaCount Number of hidden nodes (only when `architecture=replicaset`) + ## Ignored when mongodb.architecture=standalone + ## + replicaCount: 1 + ## @param hidden.terminationGracePeriodSeconds Hidden Termination Grace Period + ## + terminationGracePeriodSeconds: "" + ## @param hidden.updateStrategy.type Strategy that will be employed to update Pods in the StatefulSet + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## updateStrategy: + ## type: RollingUpdate + ## rollingUpdate: + ## maxSurge: 25% + ## 
maxUnavailable: 25% + ## + updateStrategy: + type: RollingUpdate + ## @param hidden.podManagementPolicy Pod management policy for hidden node + ## + podManagementPolicy: OrderedReady + ## @param hidden.schedulerName Name of the scheduler (other than default) to dispatch pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param hidden.podAffinityPreset Hidden node Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param hidden.podAntiAffinityPreset Hidden node Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## Allowed values: soft, hard + ## + nodeAffinityPreset: + ## @param hidden.nodeAffinityPreset.type Hidden Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param hidden.nodeAffinityPreset.key Hidden Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param hidden.nodeAffinityPreset.values Hidden Node label values to match. Ignored if `affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param hidden.affinity Hidden node Affinity for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param hidden.nodeSelector Hidden node Node labels for pod assignment + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + ## @param hidden.tolerations Hidden node Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param hidden.podLabels Hidden node pod labels + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param hidden.podAnnotations Hidden node Pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param hidden.priorityClassName Name of the existing priority class to be used by hidden node pod(s) + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param hidden.runtimeClassName Name of the runtime class to be used by hidden node pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## MongoDB(®) Hidden pods' Security Context. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param hidden.podSecurityContext.enabled Enable Hidden pod(s)' Security Context + ## @param hidden.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy + ## @param hidden.podSecurityContext.supplementalGroups Set filesystem extra groups + ## @param hidden.podSecurityContext.fsGroup Group ID for the volumes of the Hidden pod(s) + ## @param hidden.podSecurityContext.sysctls sysctl settings of the Hidden pod(s)' + ## + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] + ## MongoDB(®) Hidden containers' Security Context (only main container). + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param hidden.containerSecurityContext.enabled Enabled containers' Security Context + ## @param hidden.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param hidden.containerSecurityContext.runAsUser Set containers' Security Context runAsUser + ## @param hidden.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup + ## @param hidden.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot + ## @param hidden.containerSecurityContext.privileged Set container's Security Context privileged + ## @param hidden.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem + ## @param hidden.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation + ## @param hidden.containerSecurityContext.capabilities.drop List of capabilities to be dropped + ## @param 
hidden.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile + ## + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" + ## MongoDB(®) Hidden containers' resource requests and limits. + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param hidden.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if hidden.resources is set (hidden.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "micro" + ## @param hidden.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param hidden.containerPorts.mongodb MongoDB(®) hidden container port + ## + containerPorts: + mongodb: 27017 + ## MongoDB(®) Hidden pods' liveness probe. Evaluated as a template. 
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param hidden.livenessProbe.enabled Enable livenessProbe + ## @param hidden.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param hidden.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param hidden.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param hidden.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param hidden.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## MongoDB(®) Hidden pods' readiness probe. Evaluated as a template. + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## @param hidden.readinessProbe.enabled Enable readinessProbe + ## @param hidden.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param hidden.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param hidden.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param hidden.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param hidden.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 20 + timeoutSeconds: 10 + failureThreshold: 6 + successThreshold: 1 + ## Slow starting containers can be protected through startup probes + ## Startup probes are available in Kubernetes version 1.16 and above + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes + ## @param hidden.startupProbe.enabled Enable startupProbe + ## @param hidden.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param 
hidden.startupProbe.periodSeconds Period seconds for startupProbe + ## @param hidden.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param hidden.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param hidden.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + ## @param hidden.customLivenessProbe Override default liveness probe for hidden node containers + ## Ignored when hidden.livenessProbe.enabled=true + ## + customLivenessProbe: {} + ## @param hidden.customReadinessProbe Override default readiness probe for hidden node containers + ## Ignored when hidden.readinessProbe.enabled=true + ## + customReadinessProbe: {} + ## @param hidden.customStartupProbe Override default startup probe for MongoDB(®) containers + ## Ignored when hidden.startupProbe.enabled=true + ## + customStartupProbe: {} + ## @param hidden.initContainers Add init containers to the MongoDB(®) Hidden pods. 
+ ## Example: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## @param hidden.sidecars Add additional sidecar containers for the hidden node pod(s) + ## Example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param hidden.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the hidden node container(s) + ## Examples: + ## extraVolumeMounts: + ## - name: extras + ## mountPath: /usr/share/extras + ## readOnly: true + ## + extraVolumeMounts: [] + ## @param hidden.extraVolumes Optionally specify extra list of additional volumes to the hidden node statefulset + ## extraVolumes: + ## - name: extras + ## emptyDir: {} + ## + extraVolumes: [] + ## MongoDB(®) Hidden Pod Disruption Budget configuration + ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + ## + pdb: + ## @param hidden.pdb.create Enable/disable a Pod Disruption Budget creation for hidden node pod(s) + ## + create: true + ## @param hidden.pdb.minAvailable Minimum number/percentage of hidden node pods that should remain scheduled + ## + minAvailable: "" + ## @param hidden.pdb.maxUnavailable Maximum number/percentage of hidden node pods that may be made unavailable. Defaults to `1` if both `hidden.pdb.minAvailable` and `hidden.pdb.maxUnavailable` are empty. + ## + maxUnavailable: "" + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + ## + persistence: + ## @param hidden.persistence.enabled Enable hidden node data persistence using PVC + ## + enabled: true + ## @param hidden.persistence.medium Provide a medium for `emptyDir` volumes. 
+ ## Requires hidden.persistence.enabled: false + ## + medium: "" + ## @param hidden.persistence.storageClass PVC Storage Class for hidden node data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param hidden.persistence.accessModes PV Access Mode + ## + accessModes: + - ReadWriteOnce + ## @param hidden.persistence.size PVC Storage Request for hidden node data volume + ## + size: 8Gi + ## @param hidden.persistence.annotations PVC annotations + ## + annotations: {} + ## @param hidden.persistence.mountPath The path the volume will be mounted at, useful when using different MongoDB(®) images. + ## + mountPath: /bitnami/mongodb + ## @param hidden.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments + ## and one PV for multiple services. + ## + subPath: "" + ## Fine tuning for volumeClaimTemplates + ## + volumeClaimTemplates: + ## @param hidden.persistence.volumeClaimTemplates.selector A label query over volumes to consider for binding (e.g. 
when using local volumes) + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details + ## + selector: {} + ## @param hidden.persistence.volumeClaimTemplates.requests Custom PVC requests attributes + ## Sometime cloud providers use additional requests attributes to provision custom storage instance + ## See https://cloud.ibm.com/docs/containers?topic=containers-file_storage#file_dynamic_statefulset + ## + requests: {} + ## @param hidden.persistence.volumeClaimTemplates.dataSource Set volumeClaimTemplate dataSource + ## + dataSource: {} + service: + ## @param hidden.service.nameOverride The hidden service name + ## + nameOverride: "" + ## @param hidden.service.portName MongoDB(®) service port name + ## + portName: "mongodb" + ## @param hidden.service.ports.mongodb MongoDB(®) service port + ## + ports: + mongodb: 27017 + ## @param hidden.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param hidden.service.annotations Provide any additional annotations that may be required + ## + annotations: {} + ## Headless service properties + ## + headless: + ## @param hidden.service.headless.annotations Annotations for the headless service. + ## + annotations: {} +## @section Metrics parameters +## +metrics: + ## @param metrics.enabled Enable using a sidecar Prometheus exporter + ## + enabled: false + ## Bitnami MongoDB(®) Promtheus Exporter image + ## ref: https://hub.docker.com/r/bitnami/mongodb-exporter/tags/ + ## @param metrics.image.registry [default: REGISTRY_NAME] MongoDB(®) Prometheus exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/mongodb-exporter] MongoDB(®) Prometheus exporter image repository + ## @skip metrics.image.tag MongoDB(®) Prometheus exporter image tag (immutable tags are recommended) + ## @param metrics.image.digest MongoDB(®) image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param metrics.image.pullPolicy MongoDB(®) Prometheus exporter image pull policy + ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/mongodb-exporter + tag: 0.44.0-debian-12-r5 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.username String with username for the metrics exporter + ## If undefined the root user will be used for the metrics exporter + ## + username: "" + ## @param metrics.password String with password for the metrics exporter + ## If undefined but metrics.username is defined, a random password will be generated + ## + password: "" + ## @param metrics.compatibleMode Enables old style mongodb-exporter metrics + compatibleMode: true + collector: + ## @param metrics.collector.all Enable all collectors. 
Same as enabling all individual metrics + ## Enabling all metrics will cause significant CPU load on mongod + all: false + ## @param metrics.collector.diagnosticdata Boolean Enable collecting metrics from getDiagnosticData + diagnosticdata: true + ## @param metrics.collector.replicasetstatus Boolean Enable collecting metrics from replSetGetStatus + replicasetstatus: true + ## @param metrics.collector.dbstats Boolean Enable collecting metrics from dbStats + dbstats: false + ## @param metrics.collector.topmetrics Boolean Enable collecting metrics from top admin command + topmetrics: false + ## @param metrics.collector.indexstats Boolean Enable collecting metrics from $indexStats + indexstats: false + ## @param metrics.collector.collstats Boolean Enable collecting metrics from $collStats + collstats: false + ## @param metrics.collector.collstatsColls List of \.\ to get $collStats + collstatsColls: [] + ## @param metrics.collector.indexstatsColls List - List of \.\ to get $indexStats + indexstatsColls: [] + ## @param metrics.collector.collstatsLimit Number - Disable collstats, dbstats, topmetrics and indexstats collector if there are more than \ collections. 0=No limit + collstatsLimit: 0 + ## @param metrics.extraFlags String with extra flags to the metrics exporter + ## ref: https://github.com/percona/mongodb_exporter/blob/main/main.go + ## + extraFlags: "" + ## Command and args for running the container (set to default if not set). Use array form + ## @param metrics.command Override default container command (useful when using custom images) + ## @param metrics.args Override default container args (useful when using custom images) + ## + command: [] + args: [] + ## Metrics exporter container resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. 
This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param metrics.containerPort Port of the Prometheus metrics container + ## + containerPort: 9216 + ## Prometheus Exporter service configuration + ## + service: + ## @param metrics.service.annotations [object] Annotations for Prometheus Exporter pods. Evaluated as a template. 
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + prometheus.io/path: "/metrics" + ## @param metrics.service.type Type of the Prometheus metrics service + ## + type: ClusterIP + ## @param metrics.service.ports.metrics Port of the Prometheus metrics service + ## + ports: + metrics: 9216 + ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## Metrics exporter liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param metrics.livenessProbe.enabled Enable livenessProbe + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 15 + periodSeconds: 5 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + ## Metrics exporter readiness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes) + ## @param metrics.readinessProbe.enabled Enable readinessProbe + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param 
metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 10 + failureThreshold: 3 + successThreshold: 1 + ## Slow starting containers can be protected through startup probes + ## Startup probes are available in Kubernetes version 1.16 and above + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes + ## @param metrics.startupProbe.enabled Enable startupProbe + ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 30 + ## @param metrics.customLivenessProbe Override default liveness probe for MongoDB(®) containers + ## Ignored when livenessProbe.enabled=true + ## + customLivenessProbe: {} + ## @param metrics.customReadinessProbe Override default readiness probe for MongoDB(®) containers + ## Ignored when readinessProbe.enabled=true + ## + customReadinessProbe: {} + ## @param metrics.customStartupProbe Override default startup probe for MongoDB(®) containers + ## Ignored when startupProbe.enabled=true + ## + customStartupProbe: {} + ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the metrics container(s) + ## Examples: + ## extraVolumeMounts: + ## - name: extras + ## mountPath: /usr/share/extras + ## readOnly: true + ## + extraVolumeMounts: [] + ## Prometheus Service Monitor + ## ref: 
https://github.com/coreos/prometheus-operator + ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended + ## e.g: + ## scrapeTimeout: 30s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping. + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricsRelabelConfigs to apply to samples before ingestion. + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.labels Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. 
+ ## + jobLabel: "" + ## Custom PrometheusRule to be defined + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Set this to true to create prometheusRules for Prometheus operator + ## + enabled: false + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRules will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.namespace Namespace where prometheusRules resource should be created + ## + namespace: "" + ## @param metrics.prometheusRule.rules Rules to be created, check values for an example + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#rulegroup + ## https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + ## + ## This is an example of a rule, you should add the below code block under the "rules" param, removing the brackets + ## rules: + ## - alert: HighRequestLatency + ## expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5 + ## for: 10m + ## labels: + ## severity: page + ## annotations: + ## summary: High request latency + ## + rules: [] diff --git a/kubernetes/common/music/Chart.yaml b/kubernetes/common/music/Chart.yaml deleted file mode 100644 index c41eff4d10..0000000000 --- a/kubernetes/common/music/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: MUSIC - Multi-site State Coordination Service -name: music -version: 12.0.0 - -dependencies: - - name: music-cassandra - version: ~12.x-0 - repository: 'file://components/music-cassandra' - - name: common - version: ~12.x-0 - repository: 'file://../common' - - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' - - name: certInitializer - version: ~12.x-0 - repository: 'file://../certInitializer' \ No newline at end of file diff --git a/kubernetes/common/music/Makefile b/kubernetes/common/music/Makefile deleted file mode 100644 index ef273d0e9b..0000000000 --- a/kubernetes/common/music/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/common/music/components/Makefile b/kubernetes/common/music/components/Makefile deleted file mode 100644 index 79ba2fb47e..0000000000 --- a/kubernetes/common/music/components/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/common/music/components/music-cassandra/Chart.yaml b/kubernetes/common/music/components/music-cassandra/Chart.yaml deleted file mode 100644 index 6c68082595..0000000000 --- a/kubernetes/common/music/components/music-cassandra/Chart.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP - Cassandra Database -name: music-cassandra -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: 'file://../../../common' - - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../../../repositoryGenerator' \ No newline at end of file diff --git a/kubernetes/common/music/components/music-cassandra/resources/LICENSE.txt b/kubernetes/common/music/components/music-cassandra/resources/LICENSE.txt deleted file mode 100644 index 7f60913d26..0000000000 --- a/kubernetes/common/music/components/music-cassandra/resources/LICENSE.txt +++ /dev/null 
@@ -1,13 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. \ No newline at end of file diff --git a/kubernetes/common/music/components/music-cassandra/resources/cql/admin.cql b/kubernetes/common/music/components/music-cassandra/resources/cql/admin.cql deleted file mode 100644 index a76d774bd3..0000000000 --- a/kubernetes/common/music/components/music-cassandra/resources/cql/admin.cql +++ /dev/null @@ -1,19 +0,0 @@ -CREATE KEYSPACE IF NOT EXISTS admin - WITH REPLICATION = { - 'class' : '{{.Values.cql.keyspace.replicationClass}}', - 'replication_factor': {{.Values.cql.keyspace.replicationFactor}} - } - AND DURABLE_WRITES = true; - -CREATE TABLE IF NOT EXISTS admin.keyspace_master ( - uuid uuid, - keyspace_name text, - application_name text, - is_api boolean, - password text, - username text, - is_aaf boolean, - PRIMARY KEY (uuid) -); - -describe keyspaces; diff --git a/kubernetes/common/music/components/music-cassandra/resources/cql/admin_pw.cql b/kubernetes/common/music/components/music-cassandra/resources/cql/admin_pw.cql deleted file mode 100644 index 24f2ad77f7..0000000000 --- a/kubernetes/common/music/components/music-cassandra/resources/cql/admin_pw.cql +++ /dev/null 
@@ -1,8 +0,0 @@ -CREATE ROLE IF NOT EXISTS {{.Values.cql.adminUser.username}} -WITH PASSWORD = '{{.Values.cql.adminUser.password}}' -AND SUPERUSER = true -AND LOGIN = true; - -ALTER ROLE cassandra -WITH PASSWORD = '{{.Values.cql.adminUser.passwordReplace}}'; - diff --git a/kubernetes/common/music/components/music-cassandra/resources/cql/extra/check.cql b/kubernetes/common/music/components/music-cassandra/resources/cql/extra/check.cql deleted file mode 100644 index a516be857b..0000000000 --- a/kubernetes/common/music/components/music-cassandra/resources/cql/extra/check.cql +++ /dev/null @@ -1,23 +0,0 @@ -CREATE KEYSPACE testks - WITH REPLICATION = { - 'class' : '{{.Values.cql.keyspace.replicationClass}}', - 'replication_factor': {{.Values.cql.keyspace.replicationFactor}} - } - AND DURABLE_WRITES = true; - -CREATE TABLE testks.keyspace_master_table ( - uuid uuid, - keyspace_name text, - application_name text, - is_api boolean, - password text, - username text, - is_aaf boolean, - PRIMARY KEY (uuid) -); - -DESCRIBE KEYSPACES; -DESCRIBE keyspace testks; -SELECT * FROM system_auth.roles; -DROP keyspace testks; - diff --git a/kubernetes/common/music/components/music-cassandra/templates/configmap.yaml b/kubernetes/common/music/components/music-cassandra/templates/configmap.yaml deleted file mode 100755 index 011dccda25..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/configmap.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-cql - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/cql/*").AsConfig . | indent 2 }} - diff --git a/kubernetes/common/music/components/music-cassandra/templates/configmap_extra.yaml b/kubernetes/common/music/components/music-cassandra/templates/configmap_extra.yaml deleted file mode 100755 index 72733b3088..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/configmap_extra.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-extra-cql - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/cql/extra/*").AsConfig . | indent 2 }} - diff --git a/kubernetes/common/music/components/music-cassandra/templates/job.yaml b/kubernetes/common/music/components/music-cassandra/templates/job.yaml deleted file mode 100644 index d3c89d4a59..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/job.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - music-cassandra - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-update-job - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.job.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: CASS_HOSTNAME - value: "{{ .Values.job.host }}" - - name: USERNAME - value: "{{ .Values.cql.adminUser.username }}" - - name: PORT - value: "{{ .Values.job.port }}" - - name: PASSWORD - value: "{{ .Values.cql.adminUser.password }}" - - name: TIMEOUT - value: "{{ .Values.job.timeout }}" - - name: DELAY - value: "{{ .Values.job.delay }}" - volumeMounts: - # Admin cql Files that setup Admin Keyspace and Change Admin user. - - name: {{ include "common.name" . }}-cql - mountPath: /cql/admin.cql - subPath: admin.cql - - name: {{ include "common.name" . }}-cql - mountPath: /cql/admin_pw.cql - subPath: admin_pw.cql - # This is where Apps or MISC will put any of their own startup cql scripts. - - name: {{ include "common.name" . }}-extra-cql - mountPath: /cql/extra - volumes: - - name: {{ include "common.name" . }}-cql - configMap: - name: {{ include "common.fullname" . }}-cql - - name: {{ include "common.name" . }}-extra-cql - configMap: - name: {{ include "common.fullname" . }}-extra-cql - restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/common/music/components/music-cassandra/templates/pv.yaml b/kubernetes/common/music/components/music-cassandra/templates/pv.yaml deleted file mode 100644 index 8399bff77d..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/pv.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- $global := . }} -{{- if and $global.Values.persistence.enabled (not $global.Values.persistence.existingClaim) }} -{{- if eq "True" (include "common.needPV" .) -}} -{{- range $i := until (int $global.Values.replicaCount)}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" $global }}-data-{{ $i }} - namespace: {{ include "common.namespace" $global }} - labels: - app: {{ include "common.fullname" $global }} - chart: "{{ $global.Chart.Name }}-{{ $global.Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" $global }}" - heritage: "{{ $global.Release.Service }}" - name: {{ include "common.fullname" $global }} -spec: - capacity: - storage: {{ $global.Values.persistence.size}} - accessModes: - - {{ $global.Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ $global.Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" $global }}-data" - hostPath: - path: {{ $global.Values.global.persistence.mountPath | default $global.Values.persistence.mountPath }}/{{ include "common.release" $global }}/{{ $global.Values.persistence.mountSubPath }}-{{$i}} -{{if ne $i (int $global.Values.replicaCount) }} ---- -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} 
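Review bot: The deleted pv.yaml backed each replica with a `hostPath` volume under `persistence.mountPath`/release/`persistence.mountSubPath`-N, so removing the template takes away the PersistentVolume objects but not necessarily the directories already written on the nodes. Whether they are cleaned up depends on the `persistence.volumeReclaimPolicy` that was in effect. If those volumes held the Cassandra data directory, they still contain the roles created by admin_pw.cql, so the change should come with an upgrade note telling operators to remove the host directories once the chart is gone.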
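Review bot: The deleted music-cassandra job.yaml passed the admin password as a literal container env value (`name: PASSWORD`, `value: "{{ .Values.cql.adminUser.password }}"`), and configmap.yaml rendered everything under `resources/cql/*` into a ConfigMap, including admin_pw.cql with `cql.adminUser.password` and `cql.adminUser.passwordReplace`, rather than into a Secret. Deleting the chart retires that pattern, but the commit message shown for this diff mentions only the cnf-adapter update. Please state the removal of `kubernetes/common/music` there and confirm that no remaining Chart.yaml lists `music` or `music-cassandra` as a dependency and that no override file still sets `cql.adminUser.*`.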
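Review bot: In the added MongoDB(®) values earlier in this diff, the `metrics` block leaves `username: ""`, and the comment directly above it says the root user is then used for the exporter, so setting `metrics.enabled: true` without further changes gives the monitoring sidecar root database credentials. Suggest documenting in the ONAP overrides that `metrics.username` must be set to a dedicated user whenever the exporter is enabled. The same block pins the exporter image only by tag (`tag: 0.44.0-debian-12-r5` with `digest: ""`); filling `metrics.image.digest`, which the `@param` comment says overrides the tag, would pin the exact image pulled from `docker.io`.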
diff --git a/kubernetes/common/music/components/music-cassandra/templates/service.yaml b/kubernetes/common/music/components/music-cassandra/templates/service.yaml deleted file mode 100644 index 5a26d6701c..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/service.yaml +++ /dev/null 
@@ -1,54 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" -spec: - type: {{ .Values.service.type }} - # Not working, open k8s bug: https://github.com/kubernetes/kubernetes/issues/58662 - publishNotReadyAddresses: true - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName3 }} - - port: {{ .Values.service.internalPort3 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} - name: {{ .Values.service.portName3 }} - {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - - port: {{ 
.Values.service.internalPort2 }} - name: {{ .Values.service.portName2 }} - - port: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName3 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - clusterIP: None diff --git a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml b/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml deleted file mode 100644 index d80e70b5fb..0000000000 --- a/kubernetes/common/music/components/music-cassandra/templates/statefulset.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ -{{/* -# Copyright © 2019 AT&T, Amdocs, Bell Canada, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - podManagementPolicy: {{ .Values.podManagementPolicy }} - updateStrategy: - type: {{ .Values.updateStrategy.type }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} - readinessProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - successThreshold: {{ .Values.readiness.successThreshold }} - failureThreshold: {{ .Values.readiness.failureThreshold }} - startupProbe: - exec: - command: - - /bin/bash - - -c - - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }' - initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} - periodSeconds: {{ .Values.startup.periodSeconds }} - timeoutSeconds: {{ .Values.startup.timeoutSeconds }} - successThreshold: {{ .Values.startup.successThreshold }} - failureThreshold: {{ .Values.startup.failureThreshold }} - lifecycle: - preStop: - exec: - command: ["/bin/sh", "-c", "PID=$(pidof java) && kill $PID && while ps -p $PID > /dev/null; do sleep 1; done"] - env: - {{- $seed_size := default 1 .Values.replicaCount | int -}} - {{- $global := . 
}} - - name: MAX_HEAP_SIZE - value: {{ .Values.config.heap.max }} - - name: HEAP_NEWSIZE - value: {{ .Values.config.heap.min }} - - name: CASSANDRA_SEEDS - value: "{{- range $i, $e := until $seed_size }}{{ template "common.fullname" $global }}-{{ $i }}.{{ include "common.servicename" $global }}{{- if (lt ( add 1 $i ) $seed_size ) }},{{- end }}{{- end }}" - - name: JVM_OPTS - value: {{ .Values.config.jvmOpts | quote }} - - name: CASSANDRA_CLUSTER_NAME - value: {{ .Values.config.clusterName | quote }} - - name: CASSANDRA_DC - value: {{ .Values.config.dataCenter | quote }} - - name: CASSANDRA_RACK - value: {{ .Values.config.rackName | quote }} - - name: CASSANDRA_AUTO_BOOTSTRAP - value: {{ .Values.config.autoBootstrap | quote }} - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP -{{- if .Values.persistence.enabled }} - volumeMounts: - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/cassandra -{{- end }} - resources: -{{ include "common.resources" . | indent 12 }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - metadata: - name: {{ include "common.fullname" . }}-data - labels: - name: {{ include "common.fullname" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- end }} diff --git a/kubernetes/common/music/components/music-cassandra/values.yaml b/kubernetes/common/music/components/music-cassandra/values.yaml deleted file mode 100644 index 92ed723989..0000000000 --- a/kubernetes/common/music/components/music-cassandra/values.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: - nodePortPrefix: 302 - persistence: {} - -replicaCount: 1 - -# Cassandra Image - This image is modified from the original on -# Docker Hub where the Security has been turned on. -# When logging into DB the default username and password are 'cassandra' -# kubectl exec -it -n cqlsh -u cassandra -p cassandra -image: onap/music/cassandra_3_11:3.0.24 -pullPolicy: Always - -# Cassandra ENV configuration -config: - heap: - max: 512M - min: 100M - jvmOpts: -Dcassandra.consistent.rangemovement=false - clusterName: music-cluster - dataCenter: onap-1 - rackName: Rack1 - autoBootstrap: true - ports: - cql: &cqlPort 9042 - thrift: &thriftPort 9160 - # If a JVM Agent is in place - # agent: 61621 - -service: - expose: true - type: ClusterIP - name: &cassandraService music-cassandra - internalPort: *cqlPort - portName: cql - internalPort2: *thriftPort - portName2: thrift - internalPort3: 61621 - portName3: agent - -job: - host: *cassandraService - port: *cqlPort - timeout: 30 - delay: 120 - image: onap/music/cassandra_job:3.0.24 - -cql: - keyspace: - replicationClass: "SimpleStrategy" - replicationFactor: 3 - adminUser: - username: nelson24 - password: nelson24 - passwordReplace: A2C4E6G8I0J2L4O6Q8S0U2W4Y6 - -# probe configuration 
parameters -liveness: - initialDelaySeconds: 1 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 1 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - -startup: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 90 - -podManagementPolicy: OrderedReady -updateStrategy: - type: OnDelete - -ingress: - enabled: false - -tolerations: [] - -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - ## storageClass: "-" - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs/ - mountSubPath: common/cassandra/data - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 500m - memory: 1.2Gi - requests: - cpu: 160m - memory: 900Mi - large: - limits: - cpu: 4 - memory: 10Gi - requests: - cpu: 2 - memory: 6Gi - unlimited: {} diff --git a/kubernetes/common/music/resources/config/logback.xml b/kubernetes/common/music/resources/config/logback.xml deleted file mode 100755 index 51423e547d..0000000000 --- a/kubernetes/common/music/resources/config/logback.xml +++ /dev/null 
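Review bot: The `cql.adminUser` block in the deleted music-cassandra values.yaml (`username: nelson24`, `password: nelson24`, plus the comment that the image's default username and password are 'cassandra') stays readable in git history after the file is removed, so these values should be treated as public. The commit message only mentions the cnf-adapter update; it should also state that the music-cassandra chart is removed, and the release notes should ask operators of existing deployments to rotate or drop these accounts instead of assuming that removing the chart retires them.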
@@ -1,302 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - %d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %X{keyspace} %msg%n - - - - - - - - - ${logDirectory}/${generalLogName}.log - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.%i.log.zip - 1GB - 5 - 5GB - - - ${applicationLoggerPattern} - - - - - 256 - true - - - - - - - - keyspace - unknown - - - - ${logDirectory}/${generalLogName}-keyspace.log - - ${logDirectory}/${generalLogName}-${keyspace}.%d{yyyy-MM-dd}.%i.log.zip - 30 - - - ${applicationLoggerPattern} - - - - - - - 256 - true - - - - - - - - - - - ${logDirectory}/${securityLogName}.log - - ${logDirectory}/${securityLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - %d{yyyy-MM-dd HH:mm:ss} [%thread] %-5level %logger{36} - %msg%n - - - - - 256 - 0 - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - ${logDirectory}/${auditLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - ${auditLoggerPattern} - - - - 256 - - - - - ${logDirectory}/${metricsLogName}.log - - ${logDirectory}/${metricsLogName}.%i.log.zip - - 1 - 9 - - - 5MB - - - - ${metricsLoggerPattern} - - - - - - 256 - - - - - ${logDirectory}/${errorLogName}.log - - ${logDirectory}/${errorLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - ${errorLoggerPattern} - - - - - 256 - - - - - ${debugLogDirectory}/${debugLogName}.log - - ${debugLogDirectory}/${debugLogName}.%i.log.zip - 1 - 9 - - - 5MB - - - ${debugLoggerPattern} - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/common/music/resources/config/music-sb.properties b/kubernetes/common/music/resources/config/music-sb.properties deleted file mode 100755 index 7a13f10d8e..0000000000 --- a/kubernetes/common/music/resources/config/music-sb.properties +++ /dev/null 
@@ -1,13 +0,0 @@ -server.port=8443 -server.servlet.context-path=/MUSIC/rest -spring.jackson.mapper.ACCEPT_CASE_INSENSITIVE_ENUMS=true -#server.ssl.enabled=false -server.tomcat.max-threads=100 -#logging.file=/opt/app/music/logs/MUSIC/music-app.log -#logging.config=file:/opt/app/music/etc/logback.xml -security.require-ssl=true -server.ssl.key-store=/opt/app/aafcertman/local/org.onap.music.jks -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.key-store-provider=SUN -server.ssl.key-store-type=JKS - diff --git a/kubernetes/common/music/resources/config/music.properties b/kubernetes/common/music/resources/config/music.properties deleted file mode 100755 index a7681d0a02..0000000000 --- a/kubernetes/common/music/resources/config/music.properties +++ /dev/null 
@@ -1,24 +0,0 @@ -lock.using={{.Values.properties.lockUsing}} -cassandra.host={{.Values.properties.cassandraHost}} -cassandra.port={{ .Values.properties.cassandraPort }} -lock.lease.period={{.Values.properties.lockLeasePeriod}} -cassandra.user=${CASSA_USER} -cassandra.password=${CASSA_PASSWORD} -cassandra.connecttimeoutms={{.Values.properties.cassandraConnecttimeoutms}} -cassandra.readtimeoutms={{.Values.properties.cassandraReadtimeoutms}} -cadi={{.Values.properties.cadi}} -music.aaf.ns={{.Values.properties.musicAafNs}} -keyspace.active={{.Values.properties.keyspaceActive}} -transId.header.required={{.Values.properties.transIdRequired}} -transId.header.prefix={{.Values.properties.transIdPrefix}} -conversation.header.required={{.Values.properties.conversationRequired}} -conversation.header.prefix={{.Values.properties.conversationPrefix}} -clientId.header.required={{.Values.properties.clientIdRequired}} -clientId.header.prefix={{.Values.properties.clientIdPrefix}} -messageId.header.required={{.Values.properties.messageIdRequired}} -messageId.header.prefix={{.Values.properties.messageIdPrefix}} -retry.count={{.Values.properties.retryCount}} -lock.daemon.sleeptime.ms={{.Values.properties.lockDaemonSleeptimeMs}} -keyspaces.for.lock.cleanup={{.Values.properties.keyspaceForLockCleanup}} -create.lock.wait.period.ms=0 -create.lock.wait.increment.ms=0 diff --git a/kubernetes/common/music/resources/config/startup.sh b/kubernetes/common/music/resources/config/startup.sh deleted file mode 100755 index eb84b084d0..0000000000 --- a/kubernetes/common/music/resources/config/startup.sh +++ /dev/null 
@@ -1,69 +0,0 @@ -#!/bin/sh - -{{/* -# ============LICENSE_START========================================== -# org.onap.music -# =================================================================== -# Copyright (c) 2019 AT&T Intellectual Property -# =================================================================== -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# ============LICENSE_END============================================= -# ==================================================================== -*/}} - -echo "Running startup script to get password from certman" -PWFILE=/opt/app/aafcertman/.password -LOGFILE=/opt/app/music/logs/MUSIC/music-sb.log -PROPS=/opt/app/music/etc/music-sb.properties -LOGBACK=/opt/app/music/etc/logback.xml -LOGGING= -DEBUG_PROP= -# Debug Setup. Uses env variables -# DEBUG and DEBUG_PORT -# DEBUG=true/false | DEBUG_PORT= -if [ "${DEBUG}" = "true" ]; then - if [ "${DEBUG_PORT}" = "" ]; then - DEBUG_PORT=8000 - fi - echo "Debug mode on" - DEBUG_PROP="-Xdebug -Xrunjdwp:server=y,transport=dt_socket,address=${DEBUG_PORT},suspend=n" -fi - -# LOGBACK file: if /opt/app/music/etc/logback.xml exists thenuse that. 
-if [ -f $LOGBACK ]; then - LOGGING="--logging.config=file:${LOGBACK}" -fi - -# Get Passwords from /opt/app/aafcertman -if [ -f $PWFILE ]; then - echo "Found ${PWFILE}" >> $LOGFILE - PASSWORD=$(cat ${PWFILE}) -else - PASSWORD=changeit - echo "#### Using Default Password for Certs" >> ${LOGFILE} -fi - -# If music-sb.properties exists in /opt/app/music/etc then use that to override the application.properties -if [ -f $PROPS ]; then - # Run with different Property file - #echo "java ${DEBUG_PROP} -jar MUSIC.jar --spring.config.location=file:${PROPS} ${LOGGING} 2>&1 | tee ${LOGFILE}" - java ${DEBUG_PROP} ${JAVA_OPTS} -jar MUSIC-SB.jar ${SPRING_OPTS} --spring.config.location=file:${PROPS} ${LOGGING} 2>&1 | tee ${LOGFILE} -else - #echo "java ${DEBUG_PROP} -jar MUSIC.jar --server.ssl.key-store-password=${PASSWORD} ${LOGGING} 2>&1 | tee ${LOGFILE}" - java ${DEBUG_PROP} ${JAVA_OPTS} -jar MUSIC-SB.jar ${SPRING_OPTS} --server.ssl.key-store-password="${PASSWORD}" ${LOGGING} 2>&1 | tee ${LOGFILE} -fi - - - - diff --git a/kubernetes/common/music/templates/configmap.yaml b/kubernetes/common/music/templates/configmap.yaml deleted file mode 100644 index d42cf2e7e0..0000000000 --- a/kubernetes/common/music/templates/configmap.yaml +++ /dev/null 
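Review bot: The deleted startup.sh falls back to `PASSWORD=changeit` when `/opt/app/aafcertman/.password` is missing and then hands the value to the JVM as `--server.ssl.key-store-password="${PASSWORD}"`, so it is visible in the process arguments. Since the script is going away, please confirm that no remaining chart or image still ships a copy of it, and mention in the release notes that any keystore created under the fallback password should be regenerated.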
@@ -1,21 +0,0 @@ -{{/* -# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/music/templates/deployment.yaml b/kubernetes/common/music/templates/deployment.yaml deleted file mode 100644 index 53d5a366f7..0000000000 --- a/kubernetes/common/music/templates/deployment.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -{{/* -# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-cassandra-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - -j - - "{{ include "common.release" . }}-music-cassandra-config" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{ include "common.certInitializer.initContainer" . | indent 8 | trim }} - - command: - - sh - args: - - -c - - "export KEYSTORE_PASSWORD=$(cat /opt/app/aafcertman/local/.pass); cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: CASSA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cassa-secret" "key" "login") | indent 12 }} - - name: CASSA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "cassa-secret" "key" "password") | indent 12 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /config-input - name: properties-music-scrubbed - - mountPath: /config - name: properties-music - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - containers: - # MUSIC Container - - name: "{{ include "common.name" . }}-springboot" - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} - env: - - name: SPRING_OPTS - value: "{{ .Values.springOpts }}" - - name: JAVA_OPTS - value: "{{ .Values.javaOpts }}" - - name: DEBUG - value: "{{ .Values.debug }}" - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 10 }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - - name: properties-music - mountPath: /opt/app/music/etc/music.properties - subPath: music.properties - - name: properties-music - mountPath: /opt/app/music/etc/music-sb.properties - subPath: music-sb.properties - - name: properties-music-scrubbed - mountPath: /opt/app/music/etc/logback.xml - subPath: logback.xml - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: shared-data - emptyDir: {} - - name: certificate-vol - emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-music-scrubbed - configMap: - name: {{ include "common.fullname" . }} - - name: properties-music - emptyDir: - medium: Memory diff --git a/kubernetes/common/music/templates/secrets.yaml b/kubernetes/common/music/templates/secrets.yaml deleted file mode 100644 index 15791a85d7..0000000000 --- a/kubernetes/common/music/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 AT&T, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/common/music/templates/service.yaml b/kubernetes/common/music/templates/service.yaml deleted file mode 100644 index 3bd32a9419..0000000000 --- a/kubernetes/common/music/templates/service.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2017-2020 AT&T, Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/common/music/values.yaml b/kubernetes/common/music/values.yaml deleted file mode 100644 index f578949196..0000000000 --- a/kubernetes/common/music/values.yaml +++ /dev/null 
@@ -1,167 +0,0 @@ -# Copyright © 2018-2020 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - truststore: truststoreONAPall.jks - - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: cassa-secret - type: basicAuth - login: '{{ .Values.properties.cassandraUser }}' - password: '{{ .Values.properties.cassandraPassword }}' - passwordPolicy: required - - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/music/music_sb:3.2.40 -pullPolicy: Always - -job: - host: cassandra - port: 9042 - - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 6 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false - port: 8443 - - -# Java options that need to be passed to jave on CLI -#javaOpts: -Xms256m -Xmx2048m -javaOpts: -# Options that need to be passed to CLI for Sprngboot, pw is a secret passed in through ENV -springOpts: --spring.config.location=file:/opt/app/music/etc/music-sb.properties -# Resource Limit flavor -By Default using small -flavor: large -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1000m - memory: 1G - requests: - cpu: 300m - memory: 512Mi - large: - limits: - cpu: 1500m - memory: 3Gi - requests: - cpu: 1000m - memory: 2Gi - unlimited: {} - -readiness: - initialDelaySeconds: 350 - periodSeconds: 120 - port: 8443 - -service: - useNodePortExt: true - type: NodePort - name: music - ports: - - name: https-api - port: 8443 - nodePort: '07' - -# Turn on Debugging true/false -debug: false -ingress: - enabled: false - -properties: - lockUsing: "cassandra" - # Comma dilimited list of hosts - cassandraHost: "music-cassandra" - cassandraUser: "nelson24" - cassandraPassword: "nelson24" - cassandraConnecttimeoutms: 12000 - cassandraPort: 9042 - # Connection Timeout for Cassandra in ms - # Read Timeout for Cassandra in ms - cassandraReadtimeoutms: 12000 - keyspaceActive: true - # Enable CADI - cadi: false - # Special headers that may be passed and if they are required. - # With the ability to add a Prefix if required. 
- transIdRequired: false - transIdPrefix: X-ATT- - conversationRequired: false - conversationPrefix: X-CSI- - clientIdRequired: false - clientIdPrefix: - messageIdRequired: false - messageIdPrefix: - - # sleep time for lock cleanup daemon, negative values turn off daemon -##### Lock settings - retryCount: 3 - lockLeasePeriod: 6000 - # sleep time for lock cleanup daemon, negative values turn off daemon - lockDaemonSleeptimeMs: 30000 - #comma separated list of keyspace names - keyspaceForLockCleanup: - - -logback: - errorLogLevel: info - securityLogLevel: info - applicationLogLevel: info - metricsLogLevel: info - auditLogLevel: info - # Values must be uppercase: INFO, WARN, CRITICAL,DEBUG etc.. - rootLogLevel: INFO - -#sub-charts configuration -certInitializer: - nameOverride: music-cert-initializer - fqdn: "music.onap" - app_ns: "org.osaaf.aaf" - fqi: "music@music.onap.org" - fqi_namespace: org.onap.music - public_fqdn: "music.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - appMountPath: /opt/app/aafcertman - aaf_add_config: > - echo "$cadi_keystore_password_jks" > {{ .Values.credsPath }}/.pass; diff --git a/kubernetes/common/network-name-gen/Chart.yaml b/kubernetes/common/network-name-gen/Chart.yaml deleted file mode 100644 index 17eaa684d8..0000000000 --- a/kubernetes/common/network-name-gen/Chart.yaml +++ /dev/null 
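Review bot: In the deleted music values.yaml the `cassa-secret` entry declares `passwordPolicy: required`, but its password is templated from `properties.cassandraPassword`, which defaults to "nelson24", and `certInitializer.aafDeployPass` is set to `demo123456!` in the same file. Removing the file does not remove these defaults from history or from releases already installed with them, so the change should come with a note to rotate them, and it is worth checking that no other chart in the tree still references this chart's `music` service or its `cassa-secret` before the removal merges.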
@@ -1,36 +0,0 @@ -# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Name Generation Micro Service -name: network-name-gen -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: 'file://../common' - - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' - - name: mariadb-galera - version: ~12.x-0 - repository: 'file://../mariadb-galera' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~12.x-0 - repository: 'file://../mariadb-init' - condition: not global.mariadbGalera.localCluster \ No newline at end of file diff --git a/kubernetes/common/network-name-gen/templates/deployment.yaml b/kubernetes/common/network-name-gen/templates/deployment.yaml deleted file mode 100644 index 97fece8a54..0000000000 --- a/kubernetes/common/network-name-gen/templates/deployment.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -{{/* -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: -{{- if .Values.global.mariadbGalera.localCluster }} - - --container-name - - {{ index .Values "mariadb-galera" "nameOverride" }} -{{- else }} - - --job-name - - {{ include "common.release" . }}-{{ index .Values "mariadb-init" "nameOverride" }}-config-job -{{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - containers: - - name: {{ include "common.name" . 
}} - command: - - bash - args: - - '-c' - - 'export POL_BASIC_AUTH=`echo -n $POL_BASIC_AUTH_USER:$POL_BASIC_AUTH_PASSWORD | base64`; /startService.sh' - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: SPRING_PROFILE - value: "{{ .Values.config.springProfile }}" - - name: NENG_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "login") | indent 10}} - - name: NENG_DB_PASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "password") | indent 10}} - - name: NENG_DB_URL - value: jdbc:mysql://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-galera" "db" "name" }} - - name: POL_CLIENT_AUTH - value: "{{ .Values.config.polClientAuth }}" - - name: POL_BASIC_AUTH_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "login") | indent 10}} - - name: POL_BASIC_AUTH_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "password") | indent 10}} - - name: POL_URL - {{- if (include "common.needTLS" .) }} - value: "{{ .Values.config.polUrl.https }}" - {{- else }} - value: "{{ .Values.config.polUrl.http }}" - {{- end }} - - name: POL_ENV - value: "{{ .Values.config.polEnv }}" - - name: POL_REQ_ID - value: "{{ .Values.config.polReqId }}" - - name: AAI_CERT_PASS - value: "{{ .Values.config.aaiCertPass }}" - - name: AAI_CERT_PATH - value: "{{ .Values.config.aaiCertPath }}" - - name: AAI_URI - {{- if (include "common.needTLS" .) 
}} - value: "{{ .Values.config.aaiUri.https }}" - {{- else }} - value: "{{ .Values.config.aaiUri.http }}" - {{- end }} - - name: AAI_AUTH - value: "{{ .Values.config.aaiAuth }}" - - name: DISABLE_HOST_VERIFICATION - value: "{{ .Values.config.disableHostVerification }}" - volumeMounts: - - name: certs - mountPath: /opt/etc/config/aai_keystore - subPath: aai_keystore - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: certs - secret: - secretName: {{ include "common.release" . }}-aai-keystore - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/common/network-name-gen/templates/service.yaml b/kubernetes/common/network-name-gen/templates/service.yaml deleted file mode 100644 index 753448c5b7..0000000000 --- a/kubernetes/common/network-name-gen/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml deleted file mode 100644 index bfa5637275..0000000000 --- a/kubernetes/common/network-name-gen/values.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -# Copyright (C) 2018 AT&T Intellectual Property. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - - # Change to an unused port prefix range to prevent port conflicts - # with other instances running within the same k8s cluster - nodePortPrefix: 302 - - # image pull policy - pullPolicy: IfNotPresent - - mariadbGalera: &mariadbGalera - #This flag allows SO to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: neng-db-secret - name: &dbUserSecretName '{{ include "common.release" . }}-neng-db-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.externalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: pol-basic-auth-secret - name: '{{ include "common.release" . }}-pol-basic-auth-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.polBasicAuthSecret) . 
}}' - login: '{{ .Values.config.polBasicAuthUser }}' - password: '{{ .Values.config.polBasicAuthPassword }}' - -# sub-chart config -mariadb-galera: - db: - user: sdnctl - # password: - externalSecret: *dbUserSecretName - name: &mysqlDbName nengdb - nameOverride: nengdb - service: - name: nengdb - portName: nengdbport - replicaCount: 1 - persistence: - enabled: true - mountSubPath: network-name-gen/data - -mariadb-init: - config: - userCredentialsExternalSecret: *dbUserSecretName - mysqlDatabase: *mysqlDbName - nameOverride: nengdb-init - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/ccsdk-apps-ms-neng:1.4.0 -pullPolicy: IfNotPresent - -# application configuration -config: - db: - userName: nenguser - # userPassword: password - # userCredentialsExternalSecret: some-secret - springProfile: live - polClientAuth: cHl0aG9uOnRlc3Q= - polBasicAuthUser: healthcheck - polBasicAuthPassword: zb!XztG34 - polUrl: - https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision - http: http://policy-xacml-pdp:8080/policy/pdpx/v1/decision - polEnv: TEST - polReqId: xx - disableHostVerification: true - aaiCertPass: changeit - aaiCertPath: /opt/etc/config/aai_keystore - aaiAuth: QUFJOkFBSQ== - aaiUri: - https: https://aai:8443/aai/v14/ - http: http://aai:8080/aai/v14/ - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: neng-serv - portName: http - internalPort: 8080 - externalPort: 8080 - -ingress: - enabled: false - -resources: {} 
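Review bot: the `config` block of the deleted values.yaml carried literal credentials (`polBasicAuthPassword: zb!XztG34`, `aaiCertPass: changeit`, plus `polClientAuth: cHl0aG9uOnRlc3Q=` and `aaiAuth: QUFJOkFBSQ==`, which are base64 encoding, not protection), and deleting the file does not remove them from the repository history. If any deployment ever ran with these defaults, rotate them rather than treating them as gone with this removal. The same block defaulted `disableHostVerification: true`, so it is worth confirming that no remaining consumer relied on that setting.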
diff --git a/kubernetes/common/nginx/.helmignore b/kubernetes/common/nginx/.helmignore new file mode 100644 index 0000000000..207983f368 --- /dev/null +++ b/kubernetes/common/nginx/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/kubernetes/common/nginx/Chart.yaml b/kubernetes/common/nginx/Chart.yaml new file mode 100644 index 0000000000..1a352c76ca --- /dev/null +++ b/kubernetes/common/nginx/Chart.yaml @@ -0,0 +1,37 @@ +annotations: + category: Infrastructure + images: | + - name: git + image: docker.io/bitnami/git:2.48.0-debian-12-r0 + - name: nginx + image: docker.io/bitnami/nginx:1.27.3-debian-12-r5 + - name: nginx-exporter + image: docker.io/bitnami/nginx-exporter:1.4.1-debian-12-r0 + licenses: Apache-2.0 +apiVersion: v2 +appVersion: 1.27.3 +dependencies: +- name: common + repository: 'file://./common' + #repository: oci://registry-1.docker.io/bitnamicharts + tags: + - bitnami-common + version: 2.x.x +description: NGINX Open Source is a web server that can be also used as a reverse + proxy, load balancer, and HTTP cache. Recommended for high-demanding sites due to + its ability to provide faster content. +home: https://bitnami.com +icon: https://bitnami.com/assets/stacks/nginx/img/nginx-stack-220x234.png +keywords: +- nginx +- http +- web +- www +- reverse proxy +maintainers: +- name: Broadcom, Inc. All Rights Reserved. + url: https://github.com/bitnami/charts +name: nginx +sources: +- https://github.com/bitnami/charts/tree/main/bitnami/nginx +version: 18.3.5 
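Review bot: in the new nginx Chart.yaml the `common` dependency is resolved from `repository: 'file://./common'` with the floating range `version: 2.x.x`, and the upstream `oci://registry-1.docker.io/bitnamicharts` line is left commented out next to it. For a vendored third-party chart, pin the exact version of the bundled common subchart and either drop the commented-out line or turn it into a comment that records the upstream source and version, so the packaged result is reproducible and auditable. The `images` annotation lists the images by tag only (for example `docker.io/bitnami/nginx:1.27.3-debian-12-r5`); recording digests alongside the tags would let a reviewer verify what is actually pulled.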
diff --git a/kubernetes/common/nginx/README.md b/kubernetes/common/nginx/README.md new file mode 100644 index 0000000000..0043b875be --- /dev/null +++ b/kubernetes/common/nginx/README.md 
@@ -0,0 +1,557 @@ + + +# Bitnami package for NGINX Open Source + +NGINX Open Source is a web server that can be also used as a reverse proxy, load balancer, and HTTP cache. Recommended for high-demanding sites due to its ability to provide faster content. + +[Overview of NGINX Open Source](http://nginx.org) + +Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. + +## TL;DR + +```console +helm install my-release oci://registry-1.docker.io/bitnamicharts/nginx +``` + +Looking to use NGINX Open Source in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + +## Introduction + +Bitnami charts for Helm are carefully engineered, actively maintained and are the quickest and easiest way to deploy containers on a Kubernetes cluster that are ready to handle production workloads. + +This chart bootstraps a [NGINX Open Source](https://github.com/bitnami/containers/tree/main/bitnami/nginx) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/nginx +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +These commands deploy NGINX Open Source on the Kubernetes cluster in the default configuration. 
+ +> **Tip**: List all releases using `helm list` + +## Configuration and installation details + +### Resource requests and limits + +Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case. + +To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcesPreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + +### Prometheus metrics + +This chart can be integrated with Prometheus by setting `metrics.enabled` to `true`. This will deploy a sidecar container with [nginx-prometheus-exporter](https://github.com/nginxinc/nginx-prometheus-exporter) in all pods and will expose it via the Nginx service. This service will be have the necessary annotations to be automatically scraped by Prometheus. + +#### Prometheus requirements + +It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the [Bitnami Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/prometheus) or the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) to easily have a working Prometheus in your cluster. + +#### Integration with Prometheus Operator + +The chart can deploy `ServiceMonitor` objects for integration with Prometheus Operator installations. 
To do so, set the value `metrics.serviceMonitor.enabled=true`. Ensure that the Prometheus Operator `CustomResourceDefinitions` are installed in the cluster or it will fail with the following error: + +```text +no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1" +``` + +Install the [Bitnami Kube Prometheus helm chart](https://github.com/bitnami/charts/tree/main/bitnami/kube-prometheus) for having the necessary CRDs and the Prometheus Operator. + +### Securing traffic using TLS + +Nginx can encrypt communications by setting `tls.enabled=true`. The chart allows two configuration options: + +- Provide your own secret using the `tls.certificatesSecret` value. Also set the correct name of the certificate files using the `tls.certFilename`, `tls.certKeyFilename` and `tls.certCAFilename` values. +- Have the chart auto-generate the certificates using `tls.autoGenerated=true`. + +### [Rolling VS Immutable tags](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Use a different NGINX version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. + +### Backup and restore + +To back up and restore Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. 
Find the instructions for using Velero in [this guide](https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-backup-restore-deployments-velero-index.html). + +### Deploying your custom web application + +The NGINX chart allows you to deploy a custom web application using one of the following methods: + +- Cloning from a git repository: Set `cloneStaticSiteFromGit.enabled` to `true` and set the repository and branch using the `cloneStaticSiteFromGit.repository` and `cloneStaticSiteFromGit.branch` parameters. A sidecar will also pull the latest changes in an interval set by `cloneStaticSitesFromGit.interval`. +- Providing a ConfigMap: Set the `staticSiteConfigmap` value to mount a ConfigMap in the NGINX html folder. +- Using an existing PVC: Set the `staticSitePVC` value to mount an PersistentVolumeClaim with the static site content. + +You can deploy a example web application using git deploying the chart with the following parameters: + +```console +cloneStaticSiteFromGit.enabled=true +cloneStaticSiteFromGit.repository=https://github.com/mdn/beginner-html-site-styled.git +cloneStaticSiteFromGit.branch=master +``` + +### Providing a custom server block + +This helm chart supports using custom custom server block for NGINX to use. + +You can use the `serverBlock` or `streamServerBlock` value to provide a custom server block for NGINX to use. To do this, create a values files with your server block and install the chart using it: + +```yaml +serverBlock: |- + server { + listen 0.0.0.0:8080; + location / { + return 200 "hello!"; + } + } +``` + +> Warning: The above example is not compatible with enabling Prometheus metrics since it affects the `/status` endpoint. + +In addition, you can also set an external ConfigMap with the configuration file. This is done by setting the `existingServerBlockConfigmap` parameter. Note that this will override the previous option. 
+ +### Adding extra environment variables + +In case you want to add extra environment variables (useful for advanced operations like custom init scripts), you can use the `extraEnvVars` property. + +```yaml +extraEnvVars: + - name: LOG_LEVEL + value: error +``` + +Alternatively, you can use a ConfigMap or a Secret with the environment variables. To do so, use the `extraEnvVarsCM` or the `extraEnvVarsSecret` values. + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `affinity` parameter. Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinity) chart. To do so, set the `podAffinityPreset`, `podAntiAffinityPreset`, or `nodeAffinityPreset` parameters. + +### Deploying extra resources + +There are cases where you may want to deploy extra objects, such a ConfigMap containing your app's configuration or some extra deployment with a micro service used by your app. For covering this case, the chart allows adding the full specification of other objects using the `extraDeploy` parameter. + +### Ingress + +This chart provides support for ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application. + +To enable ingress integration, please set `ingress.enabled` to `true`. + +#### Hosts + +Most likely you will only want to have one hostname that maps to this NGINX installation. 
If that's your case, the property `ingress.hostname` will set it. However, it is possible to have more than one host. To facilitate this, the `ingress.extraHosts` object can be specified as an array. You can also use `ingress.extraTLS` to add the TLS configuration for extra hosts. + +For each host indicated at `ingress.extraHosts`, please indicate a `name`, `path`, and any `annotations` that you may want the ingress controller to know about. + +For annotations, please see [this document](https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.security.allowInsecureImages` | Allows skipping image verification | `false` | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | + +### Common parameters + +| Name | Description | Value | +| ------------------------ | --------------------------------------------------------------------------------------- | --------------- | +| `nameOverride` | String to partially override nginx.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override nginx.fullname template | `""` | +| `namespaceOverride` | String to fully override common.names.namespace | `""` | +| `kubeVersion` | Force target Kubernetes version (using Helm capabilities if not set) | `""` | +| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | +| `extraDeploy` | Extra objects to deploy (value evaluated as a template) | `[]` | +| `commonLabels` | Add labels to all the deployed resources | `{}` | +| `commonAnnotations` | Add annotations to all the deployed resources | `{}` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the the deployment(s)/statefulset(s) | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the the deployment(s)/statefulset(s) | `["infinity"]` | + +### NGINX parameters + +| Name | Description | Value | +| ------------------------------ | ----------------------------------------------------------------------------------------------------- | ----------------------- | +| `image.registry` | NGINX image registry | `REGISTRY_NAME` | +| `image.repository` | NGINX image repository | `REPOSITORY_NAME/nginx` | +| `image.digest` | NGINX image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | NGINX image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `image.debug` | Set to true if you would like to see extra information on logs | `false` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | +| `hostAliases` | Deployment pod host aliases | `[]` | +| `command` | Override default container command (useful when using custom images) | `[]` | +| `args` | Override default container args (useful when using custom images) | `[]` | +| `extraEnvVars` | Extra environment variables to be set on NGINX containers | `[]` | +| `extraEnvVarsCM` | ConfigMap with extra environment variables | `""` | +| `extraEnvVarsSecret` | Secret with extra environment variables | `""` | + +### NGINX deployment parameters + +| Name | Description | Value | +| --------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | +| `replicaCount` | Number of NGINX replicas to deploy | `1` | +| `revisionHistoryLimit` | The number of old history to retain to allow rollback | `10` | +| `updateStrategy.type` | NGINX deployment strategy type | `RollingUpdate` | +| `updateStrategy.rollingUpdate` | NGINX deployment rolling update configuration parameters | `{}` | +| `podLabels` | Additional labels for NGINX pods | `{}` | +| `podAnnotations` | Annotations for NGINX pods | `{}` | +| `podAffinityPreset` | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `nodeAffinityPreset.type` | Node affinity preset type. 
Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `nodeAffinityPreset.key` | Node label key to match Ignored if `affinity` is set. | `""` | +| `nodeAffinityPreset.values` | Node label values to match. Ignored if `affinity` is set. | `[]` | +| `affinity` | Affinity for pod assignment | `{}` | +| `hostNetwork` | Specify if host network should be enabled for NGINX pod | `false` | +| `hostIPC` | Specify if host IPC should be enabled for NGINX pod | `false` | +| `dnsPolicy` | Specifies the DNS policy for the NGINX pod | `""` | +| `dnsConfig` | Allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` | `{}` | +| `nodeSelector` | Node labels for pod assignment. Evaluated as a template. | `{}` | +| `tolerations` | Tolerations for pod assignment. Evaluated as a template. | `[]` | +| `priorityClassName` | NGINX pods' priorityClassName | `""` | +| `schedulerName` | Name of the k8s scheduler (other than default) | `""` | +| `terminationGracePeriodSeconds` | In seconds, time the given to the NGINX pod needs to terminate gracefully | `""` | +| `topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` | +| `tls.enabled` | Enable TLS transport | `true` | +| `tls.autoGenerated` | Auto-generate self-signed certificates | `true` | +| `tls.existingSecret` | Name of a secret containing the certificates | `""` | +| `tls.certFilename` | Path of the certificate file when mounted as a secret | `tls.crt` | +| `tls.certKeyFilename` | Path of the certificate key file when mounted as a secret | `tls.key` | +| `tls.certCAFilename` | Path of the certificate CA file when mounted as a secret | `ca.crt` | +| `tls.cert` | Content of the certificate to be added to the secret | `""` | +| `tls.key` | Content of the certificate key to be added to the secret | `""` | +| `tls.ca` | Content of the certificate CA to be added to the secret | `""` | +| `podSecurityContext.enabled` | Enabled NGINX pods' Security Context 
| `true` | +| `podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `podSecurityContext.fsGroup` | Set NGINX pod's Security Context fsGroup | `1001` | +| `podSecurityContext.sysctls` | sysctl settings of the NGINX pods | `[]` | +| `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | +| `containerSecurityContext.runAsGroup` | Set containers' Security Context runAsGroup | `1001` | +| `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | +| `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | +| `containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | +| `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | +| `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `containerPorts.http` | Sets http port inside NGINX container | `8080` | +| `containerPorts.https` | Sets https port inside NGINX container | `8443` | +| `extraContainerPorts` | Array of additional container ports for the Nginx container | `[]` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
| `nano` | +| `resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `lifecycleHooks` | Optional lifecycleHooks for the NGINX container | `{}` | +| `startupProbe.enabled` | Enable startupProbe | `false` | +| `startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `startupProbe.failureThreshold` | Failure threshold for startupProbe | `6` | +| `startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `livenessProbe.enabled` | Enable livenessProbe | `true` | +| `livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readinessProbe.enabled` | Enable readinessProbe | `true` | +| `readinessProbe.path` | Request path for livenessProbe | `/` | +| `readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | +| `readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `3` | +| `readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `customStartupProbe` | Custom liveness probe for the Web component | `{}` | +| `customLivenessProbe` | Override default liveness probe | `{}` | +| `customReadinessProbe` | Override default readiness probe | `{}` | +| `autoscaling.enabled` | Enable autoscaling for NGINX deployment | `false` 
| +| `autoscaling.minReplicas` | Minimum number of replicas to scale back | `""` | +| `autoscaling.maxReplicas` | Maximum number of replicas to scale out | `""` | +| `autoscaling.targetCPU` | Target CPU utilization percentage | `""` | +| `autoscaling.targetMemory` | Target Memory utilization percentage | `""` | +| `extraVolumes` | Array to add extra volumes | `[]` | +| `extraVolumeMounts` | Array to add extra mount | `[]` | +| `serviceAccount.create` | Enable creation of ServiceAccount for nginx pod | `true` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.annotations` | Annotations for service account. Evaluated as a template. | `{}` | +| `serviceAccount.automountServiceAccountToken` | Auto-mount the service account token in the pod | `false` | +| `sidecars` | Sidecar parameters | `[]` | +| `sidecarSingleProcessNamespace` | Enable sharing the process namespace with sidecars | `false` | +| `initContainers` | Extra init containers | `[]` | +| `pdb.create` | Created a PodDisruptionBudget | `true` | +| `pdb.minAvailable` | Min number of pods that must still be available after the eviction. | `""` | +| `pdb.maxUnavailable` | Max number of pods that can be unavailable after the eviction. 
| `""` | + +### Custom NGINX application parameters + +| Name | Description | Value | +| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------- | +| `cloneStaticSiteFromGit.enabled` | Get the server static content from a Git repository | `false` | +| `cloneStaticSiteFromGit.image.registry` | Git image registry | `REGISTRY_NAME` | +| `cloneStaticSiteFromGit.image.repository` | Git image repository | `REPOSITORY_NAME/git` | +| `cloneStaticSiteFromGit.image.digest` | Git image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `cloneStaticSiteFromGit.image.pullPolicy` | Git image pull policy | `IfNotPresent` | +| `cloneStaticSiteFromGit.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `cloneStaticSiteFromGit.repository` | Git Repository to clone static content from | `""` | +| `cloneStaticSiteFromGit.branch` | Git branch to checkout | `""` | +| `cloneStaticSiteFromGit.interval` | Interval for sidecar container pull from the Git repository | `60` | +| `cloneStaticSiteFromGit.gitClone.command` | Override default container command for git-clone-repository | `[]` | +| `cloneStaticSiteFromGit.gitClone.args` | Override default container args for git-clone-repository | `[]` | +| `cloneStaticSiteFromGit.gitSync.command` | Override default container command for git-repo-syncer | `[]` | +| `cloneStaticSiteFromGit.gitSync.args` | Override default container args for git-repo-syncer | `[]` | +| `cloneStaticSiteFromGit.gitSync.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if cloneStaticSiteFromGit.gitSync.resources is set (cloneStaticSiteFromGit.gitSync.resources is recommended for production). | `nano` | +| `cloneStaticSiteFromGit.gitSync.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `cloneStaticSiteFromGit.extraEnvVars` | Additional environment variables to set for the in the containers that clone static site from git | `[]` | +| `cloneStaticSiteFromGit.extraEnvVarsSecret` | Secret with extra environment variables | `""` | +| `cloneStaticSiteFromGit.extraVolumeMounts` | Add extra volume mounts for the Git containers | `[]` | +| `serverBlock` | Custom server block to be added to NGINX configuration | `""` | +| `streamServerBlock` | Custom stream server block to be added to NGINX configuration | `""` | +| `existingServerBlockConfigmap` | ConfigMap with custom server block to be added to NGINX configuration | `""` | +| `existingStreamServerBlockConfigmap` | ConfigMap with custom stream server block to be added to NGINX configuration | `""` | +| `staticSiteConfigmap` | Name of existing ConfigMap with the server static site content | `""` | +| `staticSitePVC` | Name of existing PVC with the server static site content | `""` | + +### Traffic Exposure parameters + +| Name | Description | Value | +| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | +| `service.type` | Service type | `ClusterIP` | +| `service.ports.http` | Service HTTP port | `80` | +| `service.ports.https` | Service HTTPS port | `443` | +| `service.nodePorts` | Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types. | `{}` | +| `service.targetPort` | Target port reference value for the Loadbalancer service types can be specified explicitly. 
| `{}` | +| `service.clusterIP` | NGINX service Cluster IP | `""` | +| `service.loadBalancerIP` | LoadBalancer service IP address | `""` | +| `service.loadBalancerSourceRanges` | NGINX service Load Balancer sources | `[]` | +| `service.loadBalancerClass` | service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.annotations` | Service annotations | `{}` | +| `service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | +| `ingress.enabled` | Set to true to enable ingress record generation | `false` | +| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `ingress.pathType` | Ingress path type | `ImplementationSpecific` | +| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` | +| `ingress.hostname` | Default host for the ingress resource | `nginx.local` | +| `ingress.path` | The Path to Nginx. You may need to set this to '/*' in order to use this with ALB ingress controllers. | `/` | +| `ingress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `ingress.ingressClassName` | Set the ingerssClassName on the ingress record for k8s 1.18+ | `""` | +| `ingress.tls` | Create TLS Secret | `false` | +| `ingress.tlsWwwPrefix` | Adds www subdomain to default cert | `false` | +| `ingress.extraHosts` | The list of additional hostnames to be covered with this ingress record. | `[]` | +| `ingress.extraPaths` | Any additional arbitrary paths that may need to be added to the ingress under the main host. | `[]` | +| `ingress.extraTls` | The tls configuration for additional hostnames to be covered with this ingress record. | `[]` | +| `ingress.secrets` | If you're providing your own certificates, please use this to add the certificates as secrets | `[]` | +| `ingress.extraRules` | The list of additional rules to be added to this ingress record. 
Evaluated as a template | `[]` | +| `healthIngress.enabled` | Set to true to enable health ingress record generation | `false` | +| `healthIngress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` | +| `healthIngress.pathType` | Ingress path type | `ImplementationSpecific` | +| `healthIngress.hostname` | When the health ingress is enabled, a host pointing to this will be created | `example.local` | +| `healthIngress.path` | Default path for the ingress record | `/` | +| `healthIngress.annotations` | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | `{}` | +| `healthIngress.tls` | Enable TLS configuration for the hostname defined at `healthIngress.hostname` parameter | `false` | +| `healthIngress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` | +| `healthIngress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` | +| `healthIngress.extraTls` | TLS configuration for additional hostnames to be covered | `[]` | +| `healthIngress.secrets` | TLS Secret configuration | `[]` | +| `healthIngress.ingressClassName` | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | `""` | +| `healthIngress.extraRules` | The list of additional rules to be added to this ingress record. 
Evaluated as a template | `[]` | + +### Metrics parameters + +| Name | Description | Value | +| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `metrics.enabled` | Start a Prometheus exporter sidecar container | `false` | +| `metrics.image.registry` | NGINX Prometheus exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | NGINX Prometheus exporter image repository | `REPOSITORY_NAME/nginx-exporter` | +| `metrics.image.digest` | NGINX Prometheus exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | NGINX Prometheus exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | +| `metrics.port` | NGINX Container Status Port scraped by Prometheus Exporter | `""` | +| `metrics.extraArgs` | Extra arguments for Prometheus exporter | `[]` | +| `metrics.containerPorts.metrics` | Prometheus exporter container port | `9113` | +| `metrics.podAnnotations` | Additional annotations for NGINX Prometheus exporter pod(s) | `{}` | +| `metrics.securityContext.enabled` | Enabled NGINX Exporter containers' Security Context | `false` | +| `metrics.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.securityContext.runAsUser` | Set NGINX Exporter container's Security Context runAsUser | `1001` | +| `metrics.service.port` | NGINX Prometheus exporter service port | `9113` | +| `metrics.service.annotations` | Annotations for the Prometheus exporter service | `{}` | +| `metrics.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, 
xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). | `nano` | +| `metrics.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | +| `metrics.serviceMonitor.enabled` | Creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) | `false` | +| `metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running | `""` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so PodMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | honorLabels chooses the metric's labels on collisions with target labels | `false` | +| `metrics.prometheusRule.enabled` | if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | Prometheus Rule definitions | `[]` | + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
For example, + +```console +helm install my-release \ + --set imagePullPolicy=Always \ + oci://REGISTRY_NAME/REPOSITORY_NAME/nginx +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +The above command sets the `imagePullPolicy` to `Always`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```console +helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/nginx +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. +> **Tip**: You can use the default [values.yaml](https://github.com/bitnami/charts/tree/main/bitnami/nginx/values.yaml) + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +### To 18.3.0 + +This version introduces image verification for security purposes. To disable it, set `global.security.allowInsecureImages` to `true`. More details at [GitHub issue](https://github.com/bitnami/charts/issues/30850). + +### To 16.0.0 + +This major bump changes the following security defaults: + +- `runAsGroup` is changed from `0` to `1001` +- `readOnlyRootFilesystem` is set to `true` +- `resourcesPreset` is changed from `none` to the minimum size working in our test suites (NOTE: `resourcesPreset` is not meant for production usage, but `resources` adapted to your use case). 
+- `global.compatibility.openshift.adaptSecurityContext` is changed from `disabled` to `auto`. + +This could potentially break any customization or init scripts used in your deployment. If this is the case, change the default values to the previous ones. + +### To 11.0.0 + +This major release renames several values in this chart and adds missing features, in order to be aligned with the rest of the assets in the Bitnami charts repository. + +Affected values: + +- `service.port` was renamed as `service.ports.http`. +- `service.httpsPort` was deprecated. We recommend using `service.ports.https`. +- `serviceAccount.autoMount` was renamed as `serviceAccount.automountServiceAccountToken` +- `metrics.serviceMonitor.additionalLabels` was renamed as `metrics.serviceMonitor.labels` + +### To 10.0.0 + +This major release no longer uses the bitnami/nginx-ldap-auth-daemon container as a dependency since its upstream project is not actively maintained. + +*2022-04-12 edit*: + +[Bitnami's reference implementation](https://www.nginx.com/blog/nginx-plus-authenticate-users/). + +On 9 April 2022, security vulnerabilities in the [NGINX LDAP reference implementation](https://github.com/nginxinc/nginx-ldap-auth) were publicly shared. **Although the deprecation of this container from the Bitnami catalog was not related to this security issue, [here](https://docs.bitnami.com/general/security/) you can find more information from the Bitnami security team.** + +### To 8.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +#### What changes were introduced in this major version? 
+ +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the *requirements.yaml* to the *Chart.yaml* +- After running `helm dependency update`, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +#### Useful links + +- +- +- + +### To 7.0.0 + +- This version also introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. +- Ingress configuration was also adapted to follow the Helm charts best practices. + +> Note: There is no backwards compatibility due to the above mentioned changes. It's necessary to install a new release of the chart, and migrate your existing application to the new NGINX instances. 
+ +### To 5.6.0 + +Added support for the use of LDAP. + +### To 5.0.0 + +Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. +Use the workaround below to upgrade from versions previous to 5.0.0. The following example assumes that the release name is nginx: + +```console +kubectl delete deployment nginx --cascade=false +helm upgrade nginx oci://REGISTRY_NAME/REPOSITORY_NAME/nginx +``` + +> Note: You need to substitute the placeholders `REGISTRY_NAME` and `REPOSITORY_NAME` with a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to use `REGISTRY_NAME=registry-1.docker.io` and `REPOSITORY_NAME=bitnamicharts`. + +### To 1.0.0 + +Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. +Use the workaround below to upgrade from versions previous to 1.0.0. The following example assumes that the release name is nginx: + +```console +kubectl patch deployment nginx --type=json -p='[{"op": "remove", "path": "/spec/selector/matchLabels/chart"}]' +``` + +## License + +Copyright © 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/kubernetes/common/nginx/common/.helmignore b/kubernetes/common/nginx/common/.helmignore new file mode 100644 index 0000000000..d0e10845d2 --- /dev/null +++ b/kubernetes/common/nginx/common/.helmignore 
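Review bot: in the "Traffic Exposure parameters" table of the nginx chart README added above, `networkPolicy.allowExternal` and `networkPolicy.allowExternalEgress` both default to `true`. By the table's own descriptions, the generated NetworkPolicy then accepts connections without the server label and lets the pod reach any port and destination, and `networkPolicy.extraEgress` is ignored while `allowExternalEgress=true`. Whichever values file in this repo enables the chart should set both to `false` and list the required peers in `networkPolicy.extraIngress` and `networkPolicy.extraEgress`. It should also leave `global.security.allowInsecureImages` unset (see the "To 18.3.0" note) unless the change description gives a reason. Separately, several descriptions in the same README are copy-paste slips better reported upstream than patched in the vendored copy: `readinessProbe.path` reads "Request path for livenessProbe", `customStartupProbe` reads "Custom liveness probe for the Web component", `networkPolicy.extraEgress` reads "Add extra ingress rules", and `ingress.ingressClassName` is described with "ingerssClassName". The "Useful links" bullets under "To 8.0.0" and the URL in the License section are empty.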
@@ -0,0 +1,26 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# img folder +img/ +# Changelog +CHANGELOG.md diff --git a/kubernetes/common/nginx/common/CHANGELOG.md b/kubernetes/common/nginx/common/CHANGELOG.md new file mode 100644 index 0000000000..b48a8dbacd --- /dev/null +++ b/kubernetes/common/nginx/common/CHANGELOG.md 
@@ -0,0 +1,635 @@ +# Changelog + +## 2.29.1 (2025-01-10) + +* [bitnami/common] Removing seLinuxOptions from omission ([#31279](https://github.com/bitnami/charts/pull/31279)) + +## 2.29.0 (2025-01-03) + +* [bitnami/common] Add "common.capabilities.job.apiVersion" template (#31164) ([2ca979a](https://github.com/bitnami/charts/commit/2ca979a6add279384d60e6b35199eaf13553cefa)), closes [#31164](https://github.com/bitnami/charts/issues/31164) + +## 2.28.0 (2024-12-10) + +* [bitnami/common] New helper to detect non-standard images (#30851) ([ae33d01](https://github.com/bitnami/charts/commit/ae33d01968e8a353a569785f9867827153c797dc)), closes [#30851](https://github.com/bitnami/charts/issues/30851) + +## 2.27.2 (2024-11-27) + +* [bitnami/common] Fix appVersion (#30628) ([b87d39e](https://github.com/bitnami/charts/commit/b87d39e27a0889c74b20c3d2fe5ae0c4a2417bfd)), closes [#30628](https://github.com/bitnami/charts/issues/30628) +* [bitnami/common]: bump patch version (#30639) ([623e584](https://github.com/bitnami/charts/commit/623e5846ff827b7ecbcffa2dc51e2e94b14ef8fd)), closes [#30639](https://github.com/bitnami/charts/issues/30639) + +## 2.27.1 (2024-11-26) + +* [bitnami/common] Fix VPA apiVersion (#30625) ([8c24438](https://github.com/bitnami/charts/commit/8c24438a2f6e8ec646cad9901ed82d71d4196e3e)), closes [#30625](https://github.com/bitnami/charts/issues/30625) + +## 2.27.0 (2024-11-07) + +* [bitnami/*] Remove wrong comment about imagePullPolicy (#30107) ([a51f9e4](https://github.com/bitnami/charts/commit/a51f9e4bb0fbf77199512d35de7ac8abe055d026)), closes [#30107](https://github.com/bitnami/charts/issues/30107) +* [bitnami/common] feat: :sparkles: Add honorProvidedValues in common.secrets.manage (#30243) ([3d76a49](https://github.com/bitnami/charts/commit/3d76a4955c11fa4d2464da2c4d2096e1e3c6fa37)), closes [#30243](https://github.com/bitnami/charts/issues/30243) +* Update documentation links to techdocs.broadcom.com (#29931) 
([f0d9ad7](https://github.com/bitnami/charts/commit/f0d9ad78f39f633d275fc576d32eae78ded4d0b8)), closes [#29931](https://github.com/bitnami/charts/issues/29931) + +## 2.26.0 (2024-10-14) + +* [bitnami/common] Drop unused custom empty password validators (#29432) ([5fb0e97](https://github.com/bitnami/charts/commit/5fb0e97d9336d40d86c3295637d4233218b8afea)), closes [#29432](https://github.com/bitnami/charts/issues/29432) + +## 2.25.0 (2024-10-11) + +* [bitnami/common] Add the ability to specify namespaces for affinity (#29479) ([005e0d6](https://github.com/bitnami/charts/commit/005e0d696004dd972915f290b7caffb2bc332400)), closes [#29479](https://github.com/bitnami/charts/issues/29479) + +## 2.24.0 (2024-10-03) + +* [bitnami/common] Add common.tplvalues.merge-overwrite helper (#29668) ([611b2a5](https://github.com/bitnami/charts/commit/611b2a59e06feaac878b3b218fd848a687216158)), closes [#29668](https://github.com/bitnami/charts/issues/29668) + +## 2.23.0 (2024-09-13) + +* [bitnami/common] Add option to remove empty seLinuxOptions from securityContext in non OpenShift env ([7e44e64](https://github.com/bitnami/charts/commit/7e44e64626f5b1fc6d56889cdfdeadc1f62c7cf1)), closes [#28945](https://github.com/bitnami/charts/issues/28945) + +## 2.22.0 (2024-08-08) + +* [bitnami/common] Fallback to chart appVersion in common.images.image (#28764) ([b4aa0a6](https://github.com/bitnami/charts/commit/b4aa0a685a21c50ca10e41e3eb2023bbd4282cf7)), closes [#28764](https://github.com/bitnami/charts/issues/28764) + +## 2.21.0 (2024-08-05) + +* [bitnami/common] Allow handling of new secrets after initial installation (#28581) ([07062ee](https://github.com/bitnami/charts/commit/07062ee01382e24b8204b27083ff3e8102110c2f)), closes [#28581](https://github.com/bitnami/charts/issues/28581) + +## 2.20.5 (2024-07-16) + +* [bitnami/common] [bitnami/wordpress] Use global.storageClass for fallback, not override (#24863) 
([2b78e13](https://github.com/bitnami/charts/commit/2b78e137ac278cdf9d54523e8d37833a4ff0cd5b)), closes [#24863](https://github.com/bitnami/charts/issues/24863) + +## 2.20.4 (2024-07-11) + +* [bitnami/*] Update README changing TAC wording (#27530) ([52dfed6](https://github.com/bitnami/charts/commit/52dfed6bac44d791efabfaf06f15daddc4fefb0c)), closes [#27530](https://github.com/bitnami/charts/issues/27530) +* [bitnami/common] Increase ephemeral-storage default limits (#27902) ([dc0000d](https://github.com/bitnami/charts/commit/dc0000d7b56f68991bb8d8fff473103ed9026f5f)), closes [#27902](https://github.com/bitnami/charts/issues/27902) + +## 2.20.3 (2024-06-17) + +* [bitnami/common] chore: :wrench: Relax large and xlarge presets resource requests (#27312) ([6ca69f6](https://github.com/bitnami/charts/commit/6ca69f6769d0f65acc850fa0bcc08506de50cc41)), closes [#27312](https://github.com/bitnami/charts/issues/27312) + +## 2.20.2 (2024-06-10) + +* [bitnami/common] remove trailing spaces from imagePullSecrets rendering (#26882) ([362d4ac](https://github.com/bitnami/charts/commit/362d4ac94dd69be1b607fc531ceac4d67d8d57ef)), closes [#26882](https://github.com/bitnami/charts/issues/26882) + +## 2.20.1 (2024-06-10) + +* [bitnami/common] improve renderSecurityContext (#27053) ([5f0bdde](https://github.com/bitnami/charts/commit/5f0bdde77cf05afa20cb4a800090748a8d102d02)), closes [#27053](https://github.com/bitnami/charts/issues/27053) + +## 2.20.0 (2024-06-05) + +* [bitnami/*] ci: :construction_worker: Add tag and changelog support (#25359) ([91c707c](https://github.com/bitnami/charts/commit/91c707c9e4e574725a09505d2d313fb93f1b4c0a)), closes [#25359](https://github.com/bitnami/charts/issues/25359) +* [bitnami/common] Capabilities to return latest apiVersion if kubeVersion is undefined (#26758) ([6582c32](https://github.com/bitnami/charts/commit/6582c3237b772af9cb379f7eaceddb2d64b507f0)), closes [#26758](https://github.com/bitnami/charts/issues/26758) +* [bitnami/common] docs: :memo: 
Add changelog ([23349c9](https://github.com/bitnami/charts/commit/23349c99b70313f3e19ebcf9d3e0c154836b2cc0)) + +## 2.19.3 (2024-05-20) + +* [bitnami/*] Change non-root and rolling-tags doc URLs (#25628) ([b067c94](https://github.com/bitnami/charts/commit/b067c94f6bcde427863c197fd355f0b5ba12ff5b)), closes [#25628](https://github.com/bitnami/charts/issues/25628) +* [bitnami/*] Set new header/owner (#25558) ([8d1dc11](https://github.com/bitnami/charts/commit/8d1dc11f5fb30db6fba50c43d7af59d2f79deed3)), closes [#25558](https://github.com/bitnami/charts/issues/25558) +* [bitnami/common] feat: :sparkles: Show warning when original images are replaced (#25952) ([855045a](https://github.com/bitnami/charts/commit/855045a1a62618154c1216e8da31a4d2c14c7586)), closes [#25952](https://github.com/bitnami/charts/issues/25952) + +## 2.19.2 (2024-04-29) + +* [bitnami/common] Simplify syntax to deal with nullable objects (#25446) ([7dcea6a](https://github.com/bitnami/charts/commit/7dcea6aeb7c45d56bd6175b457bb8a2cddf8defc)), closes [#25446](https://github.com/bitnami/charts/issues/25446) +* Replace VMware by Broadcom copyright text (#25306) ([a5e4bd0](https://github.com/bitnami/charts/commit/a5e4bd0e35e419203793976a78d9d0a13de92c76)), closes [#25306](https://github.com/bitnami/charts/issues/25306) + +## 2.19.1 (2024-03-27) + +* [bitnami/common] chore: :wrench: Relax preset resource requests xlarge and 2xlarge instances (#24713 ([fdd93bb](https://github.com/bitnami/charts/commit/fdd93bb2a2f73a7df3e498b5072736a54610a908)), closes [#24713](https://github.com/bitnami/charts/issues/24713) + +## 2.19.0 (2024-03-08) + +* [bitnami/common] feat: :sparkles: Remove empty seLinuxOptions in adapted Openshift rendered security ([1f2f5ef](https://github.com/bitnami/charts/commit/1f2f5ef476efba7f284df0c36c265216325ffda9)), closes [#24268](https://github.com/bitnami/charts/issues/24268) + +## 2.18.0 (2024-03-04) + +* [bitnami/common] feat: :sparkles: :lock: Add compatibility support for securityContext 
in Openshift ([8fb0dd4](https://github.com/bitnami/charts/commit/8fb0dd48b6d7ec69bb59db2376365f6d76b26d97)), closes [#24040](https://github.com/bitnami/charts/issues/24040) + +## 2.17.0 (2024-02-20) + +* [bitnami/*] Bump all versions (#23602) ([b70ee2a](https://github.com/bitnami/charts/commit/b70ee2a30e4dc256bf0ac52928fb2fa7a70f049b)), closes [#23602](https://github.com/bitnami/charts/issues/23602) + +## 2.16.1 (2024-02-19) + +* [bitnami/common] chore: :wrench: Bump ephemeral storage limits (#23564) ([18c4d88](https://github.com/bitnami/charts/commit/18c4d88f7d4ae93f36d0896fa66dbe872bba1c48)), closes [#23564](https://github.com/bitnami/charts/issues/23564) + +## 2.16.0 (2024-02-15) + +* [bitnami/common] feat: :sparkles: Add ephemeral-storage to resources preset (#23544) ([23b6856](https://github.com/bitnami/charts/commit/23b68563a0e2e721aa07864cff1b877e1d074388)), closes [#23544](https://github.com/bitnami/charts/issues/23544) + +## 2.15.3 (2024-02-14) + +* [bitnami/common] chore: :pencil2: Fix typo in comment ([d07fb32](https://github.com/bitnami/charts/commit/d07fb324bd6455bf8607f66c642ff346443199ba)) + +## 2.15.2 (2024-02-14) + +* [bitnami/common] fix: :children_crossing: Improve resource warning message (#23425) ([7593e4f](https://github.com/bitnami/charts/commit/7593e4fc69fb8c50f7d626cc305c5adc56d23f48)), closes [#23425](https://github.com/bitnami/charts/issues/23425) + +## 2.15.1 (2024-02-13) + +* [bitnami/common] fix: :bug: Check if section is enabled before printing resource warning ([262b6ee](https://github.com/bitnami/charts/commit/262b6ee64c57a5293333879ec423ad41c44f162c)) + +## 2.15.0 (2024-02-13) + +* [bitnami/*] Fix docs.bitnami.com broken links (#21901) ([f35506d](https://github.com/bitnami/charts/commit/f35506d2dadee4f097986e7792df1f53ab215b5d)), closes [#21901](https://github.com/bitnami/charts/issues/21901) +* [bitnami/*] Move documentation sections from docs.bitnami.com back to the README (#22203) 
([7564f36](https://github.com/bitnami/charts/commit/7564f36ca1e95ff30ee686652b7ab8690561a707)), closes [#22203](https://github.com/bitnami/charts/issues/22203) +* [bitnami/*] Update copyright: Year and company (#21815) ([6c4bf75](https://github.com/bitnami/charts/commit/6c4bf75dec58fc7c9aee9f089777b1a858c17d5b)), closes [#21815](https://github.com/bitnami/charts/issues/21815) +* [bitnami/common] feat: :sparkles: Add support for resource presets (#23410) ([310d9f9](https://github.com/bitnami/charts/commit/310d9f9e44cb913a2e482f57107970ed5bde9a69)), closes [#23410](https://github.com/bitnami/charts/issues/23410) + +## 2.14.1 (2023-12-19) + +* [bitnami/common] Fix typo with new line in common.secrets.passwords.manage (#21653) ([7e70463](https://github.com/bitnami/charts/commit/7e704634ef564adac330f1e0a67feb2a40a271dc)), closes [#21653](https://github.com/bitnami/charts/issues/21653) + +## 2.14.0 (2023-12-19) + +* [bitnami/common] add params skipB64enc and skipQuote to common.secrets.passwords.manage (#21595) ([2070eeb](https://github.com/bitnami/charts/commit/2070eeb30bbf48639e0177a42f65a1d13f42a180)), closes [#21595](https://github.com/bitnami/charts/issues/21595) + +## 2.13.4 (2023-12-15) + +* [bitnami/*] Remove relative links to non-README sections, add verification for that and update TL;DR ([1103633](https://github.com/bitnami/charts/commit/11036334d82df0490aa4abdb591543cab6cf7d7f)), closes [#20967](https://github.com/bitnami/charts/issues/20967) +* [bitnami/*] Rename VMware Application Catalog (#20361) ([3acc734](https://github.com/bitnami/charts/commit/3acc73472beb6fb56c4d99f929061001205bc57e)), closes [#20361](https://github.com/bitnami/charts/issues/20361) +* [bitnami/common] fix failOnNew implementation in common.secrets.passwords.manage (#21342) ([76a5f24](https://github.com/bitnami/charts/commit/76a5f248fbceb3d1d948c7e60fbba74fd7eb3200)), closes [#21342](https://github.com/bitnami/charts/issues/21342) +* [bitnami/common] Standardize documentation (#20334) 
([3af2426](https://github.com/bitnami/charts/commit/3af242606877aea25c623b4185e6fcd285b7308d)), closes [#20334](https://github.com/bitnami/charts/issues/20334) + +## 2.13.3 (2023-10-17) + +* [bitnami/*] Update Helm charts prerequisites (#19745) ([eb755dd](https://github.com/bitnami/charts/commit/eb755dd36a4dd3cf6635be8e0598f9a7f4c4a554)), closes [#19745](https://github.com/bitnami/charts/issues/19745) +* [bitnami/common]: Address admission configuration typo (#19840) ([9a936f1](https://github.com/bitnami/charts/commit/9a936f158646e101c2507421fdcb85b787bbaf64)), closes [#19840](https://github.com/bitnami/charts/issues/19840) + +## 2.13.2 (2023-10-05) + +* [bitnami/common] update imagePullSecrets to handle map and list format (#19702) ([1d30563](https://github.com/bitnami/charts/commit/1d30563bf53d4c0ac898cf1070af57aa28a039f1)), closes [#19702](https://github.com/bitnami/charts/issues/19702) + +## 2.13.1 (2023-10-04) + +* [bitnami/common] render labels correctly when they contains templates (#19680) ([3cb44e3](https://github.com/bitnami/charts/commit/3cb44e376a472ca6721866b09f6d0ab412338cbc)), closes [#19680](https://github.com/bitnami/charts/issues/19680) + +## 2.13.0 (2023-09-29) + +* [bitnami/common]: Add capabilities macros to manage Pod Security Standard objects (#19428) ([322b76d](https://github.com/bitnami/charts/commit/322b76d6450840f08d53ecfddb5e151cac5c9e88)), closes [#19428](https://github.com/bitnami/charts/issues/19428) + +## 2.12.1 (2023-09-29) + +* [bitnami/common] allow for empty appVersion (#19467) ([8b46a33](https://github.com/bitnami/charts/commit/8b46a3366abc7d216d16ace89675f3fc42691e8f)), closes [#19467](https://github.com/bitnami/charts/issues/19467) + +## 2.12.0 (2023-09-22) + +* [bitnami/common] new macro to checksum config resources (#19261) ([73945fe](https://github.com/bitnami/charts/commit/73945fedfa2acff03fe172430fcc4b8bcf55282f)), closes [#19261](https://github.com/bitnami/charts/issues/19261) +* Revert "Autogenerate schema files 
(#19194)" (#19335) ([73d80be](https://github.com/bitnami/charts/commit/73d80be525c88fb4b8a54451a55acd506e337062)), closes [#19194](https://github.com/bitnami/charts/issues/19194) [#19335](https://github.com/bitnami/charts/issues/19335) + +## 2.11.1 (2023-09-15) + +* Common - Adding app.kubernetes.io/version to common labels (#17201) ([9c497be](https://github.com/bitnami/charts/commit/9c497be9d99a98a20cd01e5858014e097ebe0eaa)), closes [#17201](https://github.com/bitnami/charts/issues/17201) + +## 2.11.0 (2023-09-12) + +* [bitnami/common] New helper to return image version (#19223) ([db46696](https://github.com/bitnami/charts/commit/db466964c6cfb3368ab87be6bb4d16f74d5c6fd0)), closes [#19223](https://github.com/bitnami/charts/issues/19223) +* Autogenerate schema files (#19194) ([a2c2090](https://github.com/bitnami/charts/commit/a2c2090b5ac97f47b745c8028c6452bf99739772)), closes [#19194](https://github.com/bitnami/charts/issues/19194) + +## 2.10.1 (2023-09-08) + +* [bitnami/common]: Compatiblity with Helm 3.2.0+ (#19177) ([e4fc03d](https://github.com/bitnami/charts/commit/e4fc03d96bef6ab0318d642fb65ba508c49844f1)), closes [#19177](https://github.com/bitnami/charts/issues/19177) + +## 2.10.0 (2023-09-04) + +* [bitnami/common] new macro to merge a list of values with rendering (#18889) ([0fb66f2](https://github.com/bitnami/charts/commit/0fb66f2c6f6828a240a0c1e6857c337bf9f4202a)), closes [#18889](https://github.com/bitnami/charts/issues/18889) + +## 2.9.2 (2023-08-31) + +* Avoid using a tpl when there is no template (#18792) ([134924a](https://github.com/bitnami/charts/commit/134924a260fe2cd758a954f34e89ccb14012f348)), closes [#18792](https://github.com/bitnami/charts/issues/18792) + +## 2.9.1 (2023-08-29) + +* [bitnami/common] Add extraLabelSelectors to affinities templates (#18127) ([b9ecfdb](https://github.com/bitnami/charts/commit/b9ecfdb3421a057b76e6f35f58c26e631c74e686)), closes [#18127](https://github.com/bitnami/charts/issues/18127) + +## 2.9.0 (2023-08-22) + +* 
[bitnami/common] Add support for customizing standard labels (#18154) ([9a20483](https://github.com/bitnami/charts/commit/9a20483cfd1daa6bfe08fd8116516a9bb5cd9754)), closes [#18154](https://github.com/bitnami/charts/issues/18154) + +## 2.8.0 (2023-08-07) + +* [bitnami/common] Delete app kubernetes version field (#18240) ([5fe3ee4](https://github.com/bitnami/charts/commit/5fe3ee44eed88e9b6843c70cbeb6378194b2276b)), closes [#18240](https://github.com/bitnami/charts/issues/18240) + +## 2.7.0 (2023-08-07) + +* Add app.kubernetes.io/version based on AppVersion (#18194) ([4f698f8](https://github.com/bitnami/charts/commit/4f698f8ac54fc68cd8dab433b7c2d8ffb77a4067)), closes [#18194](https://github.com/bitnami/charts/issues/18194) + +## 2.6.0 (2023-07-04) + +* [bitnami/common] Add scope for common.tplvalues.render (#17033) ([daf1b54](https://github.com/bitnami/charts/commit/daf1b5445a5e1c961ab78673899dd8007b4f1000)), closes [#17033](https://github.com/bitnami/charts/issues/17033) + +## 2.5.0 (2023-06-30) + +* [bitnami/*] Change copyright section in READMEs (#17006) ([ef986a1](https://github.com/bitnami/charts/commit/ef986a1605241102b3dcafe9fd8089e6fc1201ad)), closes [#17006](https://github.com/bitnami/charts/issues/17006) +* [bitnami/common] Update common.secrets.passwords.manage and common.secrets.lookup (#17397) ([5a73cf1](https://github.com/bitnami/charts/commit/5a73cf19f92b93d88ee766669a947375135db903)), closes [#17397](https://github.com/bitnami/charts/issues/17397) +* [bitnami/several] Change copyright section in READMEs (#16989) ([5b6a5cf](https://github.com/bitnami/charts/commit/5b6a5cfb7625a751848a2e5cd796bd7278f406ca)), closes [#16989](https://github.com/bitnami/charts/issues/16989) +* Add copyright header (#17300) ([da68be8](https://github.com/bitnami/charts/commit/da68be8e951225133c7dfb572d5101ca3d61c5ae)), closes [#17300](https://github.com/bitnami/charts/issues/17300) +* Update charts readme (#17217) 
([31b3c0a](https://github.com/bitnami/charts/commit/31b3c0afd968ff4429107e34101f7509e6a0e913)), closes [#17217](https://github.com/bitnami/charts/issues/17217) + +## 2.4.0 (2023-05-18) + +* [bitnami/common] feat: :sparkles: Add apiVersions for DaemonSet and VPA ([a86cfaf](https://github.com/bitnami/charts/commit/a86cfaf0acb7cc26a7a91256f4b76db8f31797ef)) + +## 2.3.0 (2023-05-12) + +* Add wording for enterprise page (#16560) ([8f22774](https://github.com/bitnami/charts/commit/8f2277440b976d52785ba9149762ad8620a73d1f)), closes [#16560](https://github.com/bitnami/charts/issues/16560) +* Remove duplicate in image pull secrets (#16529) ([ddfea70](https://github.com/bitnami/charts/commit/ddfea70831875639cb298a555ad6dd5e68f059e4)), closes [#16529](https://github.com/bitnami/charts/issues/16529) + +## 2.2.6 (2023-05-09) + +* [bitnami/several] Adapt Chart.yaml to set desired OCI annotations (#16546) ([fc9b18f](https://github.com/bitnami/charts/commit/fc9b18f2e98805d4df629acbcde696f44f973344)), closes [#16546](https://github.com/bitnami/charts/issues/16546) + +## 2.2.5 (2023-05-02) + +* [bitnami/*] Make Helm charts 100% OCI (#15998) ([8841510](https://github.com/bitnami/charts/commit/884151035efcbf2e1b3206e7def85511073fb57d)), closes [#15998](https://github.com/bitnami/charts/issues/15998) +* [bitnami/common] Fix typo in README.md to test chart publishing from GitHub (#16143) ([5b05ec3](https://github.com/bitnami/charts/commit/5b05ec32caa73240d38135e19501ab2658397d2e)), closes [#16143](https://github.com/bitnami/charts/issues/16143) + +## 2.2.4 (2023-03-07) + +* [bitnami/*] Fix markdown linter issues (#14874) ([a51e0e8](https://github.com/bitnami/charts/commit/a51e0e8d35495b907f3e70dd2f8e7c3bcbf4166a)), closes [#14874](https://github.com/bitnami/charts/issues/14874) +* [bitnami/*] Fix markdown linter issues 2 (#14890) ([aa96572](https://github.com/bitnami/charts/commit/aa9657237ee8df4a46db0d7fdf8a23230dd6902a)), closes [#14890](https://github.com/bitnami/charts/issues/14890) 
+* [bitnami/common] Allow empty registry name (#15296) ([f13df7b](https://github.com/bitnami/charts/commit/f13df7b00f38e5fce67eab7a1b78afb0b064344e)), closes [#15296](https://github.com/bitnami/charts/issues/15296) + +## 2.2.3 (2023-02-03) + +* [bitnami/*] Add license annotation and remove obsolete engine parameter (#14293) ([da2a794](https://github.com/bitnami/charts/commit/da2a7943bae95b6e9b5b4ed972c15e990b69fdb0)), closes [#14293](https://github.com/bitnami/charts/issues/14293) +* [bitnami/*] Change copyright date (#14682) ([add4ec7](https://github.com/bitnami/charts/commit/add4ec701108ac36ed4de2dffbdf407a0d091067)), closes [#14682](https://github.com/bitnami/charts/issues/14682) +* [bitnami/*] Change licenses annotation format (#14377) ([0ab7608](https://github.com/bitnami/charts/commit/0ab760862c660fcc78cffadf8e1d8cdd70881473)), closes [#14377](https://github.com/bitnami/charts/issues/14377) +* [bitnami/*] Unify READMEs (#14472) ([2064fb8](https://github.com/bitnami/charts/commit/2064fb8dcc78a845cdede8211af8c3cc52551161)), closes [#14472](https://github.com/bitnami/charts/issues/14472) +* [bitnami/common] chore: Correct common.images.image global in example (#14735) ([69ada7d](https://github.com/bitnami/charts/commit/69ada7da0c9c6b7ce718faef6920c61e3632fd02)), closes [#14735](https://github.com/bitnami/charts/issues/14735) + +## 2.2.2 (2022-12-12) + +* [bitnami/common] resolve namespace using common.names.namespace macro (#13481) ([35b84e8](https://github.com/bitnami/charts/commit/35b84e8ba209681d4f160ca102188af61307fccf)), closes [#13481](https://github.com/bitnami/charts/issues/13481) + +## 2.2.1 (2022-11-25) + +* [bitnami/common] fix common topology key affinity function (#13593) ([f95dec8](https://github.com/bitnami/charts/commit/f95dec803bd138b76d67a296545974c5a644d63e)), closes [#13593](https://github.com/bitnami/charts/issues/13593) + +## 2.2.0 (2022-11-14) + +* [bitnami/common] affinity topologyKey override (#13435) 
([624c14e](https://github.com/bitnami/charts/commit/624c14e7121557e6a29ff0e814cb800c2f3cf619)), closes [#13435](https://github.com/bitnami/charts/issues/13435) +* [bitnami/common] Fixed naming of common.secrets.passwords.manage function in README (#13250) ([39a8bcb](https://github.com/bitnami/charts/commit/39a8bcbb1b606cc165643ae4ddcdc15f05e91583)), closes [#13250](https://github.com/bitnami/charts/issues/13250) + +## 2.1.2 (2022-10-31) + +* [bitnami/common] Do not explicitly specify namespace in affinity term. (#12932) ([638a48e](https://github.com/bitnami/charts/commit/638a48e4d3ec7b5d160f4b525ec40218512c464b)), closes [#12932](https://github.com/bitnami/charts/issues/12932) [/kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#podaffinityterm-v1](https://github.com//kubernetes.io/docs/reference/generated/kubernetes-api/v1.23//issues/podaffinityterm-v1) [#12668](https://github.com/bitnami/charts/issues/12668) + +## 2.1.1 (2022-10-27) + +* [bitnami/common] Fix appVersion mismatch (#13189) ([42b3b3e](https://github.com/bitnami/charts/commit/42b3b3e6c68e6af8ba19f7ec42be0d71b4c21852)), closes [#13189](https://github.com/bitnami/charts/issues/13189) + +## 2.1.0 (2022-10-27) + +* [bitnami/common] Add new function 'common.secrets.lookup' (#13150) ([e848934](https://github.com/bitnami/charts/commit/e84893410321b88adbd7d2e40b891685a15ce640)), closes [#13150](https://github.com/bitnami/charts/issues/13150) + +## 2.0.4 (2022-10-24) + +* [bitnami/*] Use new default branch name in links (#12943) ([a529e02](https://github.com/bitnami/charts/commit/a529e02597d49d944eba1eb0f190713293247176)), closes [#12943](https://github.com/bitnami/charts/issues/12943) +* [bitnami/common] kubernetes.io/tls-acme Ingress annotation triggers IngressTLS array (#13054) ([2008857](https://github.com/bitnami/charts/commit/200885790b34afd6fd04ea45949c887a907b6b38)), closes [#13054](https://github.com/bitnami/charts/issues/13054) +* [bitnami/common] quote secret value when lookup (#11276) 
([c8e3019](https://github.com/bitnami/charts/commit/c8e301965f05996a2ae18e0fc8dbfcbe64428356)), closes [#11276](https://github.com/bitnami/charts/issues/11276) + +## 2.0.3 (2022-09-12) + +* [bitnami/common] Revert changes in HPA context from #12282 (#12372) ([55fdc3a](https://github.com/bitnami/charts/commit/55fdc3aff3e32502abfd8f0607ac2be54e585744)), closes [#12282](https://github.com/bitnami/charts/issues/12282) [#12372](https://github.com/bitnami/charts/issues/12372) + +## 2.0.2 (2022-09-05) + +* fix context for HPA util (#12282) ([ccd54a0](https://github.com/bitnami/charts/commit/ccd54a0d47a96903f499fbcdb52a336863020efe)), closes [#12282](https://github.com/bitnami/charts/issues/12282) + +## 2.0.1 (2022-08-23) + +* [bitnami/common] Digest/Tag new approach backward compatible (#12029) ([f1c27dc](https://github.com/bitnami/charts/commit/f1c27dc5d9540c2ea192abf1245da67f5b4f8916)), closes [#12029](https://github.com/bitnami/charts/issues/12029) + +## 2.0.0 (2022-08-18) + +* [bitnami/common] MAJOR: Add support for image digest apart from tag (#11830) ([e3fee4e](https://github.com/bitnami/charts/commit/e3fee4e41d34a6584660c3b77b8521922603ccab)), closes [#11830](https://github.com/bitnami/charts/issues/11830) + +## 1.17.1 (2022-08-18) + +* Revert changes from #11797 (#11829) ([22bb033](https://github.com/bitnami/charts/commit/22bb033224176c498920596c8d8b25b5f60a277d)), closes [#11797](https://github.com/bitnami/charts/issues/11797) [#11829](https://github.com/bitnami/charts/issues/11829) + +## 1.17.0 (2022-08-18) + +* [bitnami/common] Add support for image digest apart from tag (#11797) ([b069345](https://github.com/bitnami/charts/commit/b0693450f653318ac7da64575dac389d7041b69f)), closes [#11797](https://github.com/bitnami/charts/issues/11797) + +## 1.16.1 (2022-07-13) + +* [bitnami/*] Replace Kubeapps URL in READMEs (and kubeapps Chart.yaml) and remove BKPR references (#1 ([c6a7914](https://github.com/bitnami/charts/commit/c6a7914361e5aea6016fb45bf4d621edfd111d32)), 
closes [#10600](https://github.com/bitnami/charts/issues/10600) +* [bitnami/common] Affinities section does not use common.names.namespace (#11137) ([b70c24c](https://github.com/bitnami/charts/commit/b70c24c82c7a9112a4288441ad1fa8c035bb68b4)), closes [#11137](https://github.com/bitnami/charts/issues/11137) + +## 1.16.0 (2022-06-03) + +* [bitnami/common] Add mysql validation (#10565) ([75ae79a](https://github.com/bitnami/charts/commit/75ae79a434137694fd82198abe1f861d6e5a04ba)), closes [#10565](https://github.com/bitnami/charts/issues/10565) + +## 1.15.2 (2022-06-02) + +* Update Redis trademark references ([2cada87](https://github.com/bitnami/charts/commit/2cada87ed4967d5cb578b0409a0bb1edee79029a)) + +## 1.15.1 (2022-06-01) + +* [bitnami/several] Replace maintainers email by url (#10523) ([ff3cf61](https://github.com/bitnami/charts/commit/ff3cf617a1680509b0f3855d17c4ccff7b29a0ff)), closes [#10523](https://github.com/bitnami/charts/issues/10523) + +## 1.15.0 (2022-06-01) + +* Add common function common.names.fullname.namespace (#10462) ([96f447c](https://github.com/bitnami/charts/commit/96f447cd8654b6db51d9301c841bacb3a13089b3)), closes [#10462](https://github.com/bitnami/charts/issues/10462) + +## 1.14.2 (2022-05-30) + +* [bitnami/common] use -d flag for base64 (#10491) ([ca8d588](https://github.com/bitnami/charts/commit/ca8d5886a1bc0fb37d1bc770ad2333acdffd7996)), closes [#10491](https://github.com/bitnami/charts/issues/10491) [#10486](https://github.com/bitnami/charts/issues/10486) + +## 1.14.1 (2022-05-20) + +* Differentiate between autoscaling v1beta1 and v1beta2 (#10331) ([16d8a4e](https://github.com/bitnami/charts/commit/16d8a4ee73705ee6db2191d84e03a2ba3ea95deb)), closes [#10331](https://github.com/bitnami/charts/issues/10331) + +## 1.14.0 (2022-05-13) + +* [bitnami/common] Add common function for HPA api version (#10174) ([4379ab5](https://github.com/bitnami/charts/commit/4379ab56bd8f4d7f7b7817bf302c683bf9087e81)), closes 
[#10174](https://github.com/bitnami/charts/issues/10174) + +## 1.13.1 (2022-04-19) + +* Fix affinities identifier in README.md for common chart (#9821) ([fe95640](https://github.com/bitnami/charts/commit/fe95640ce3f5ddfb0458f440959ceda3a849a3a4)), closes [#9821](https://github.com/bitnami/charts/issues/9821) + +## 1.13.0 (2022-03-24) + +* [bitnami/common] Add apiService.apiVersion function to common.capabilities (#9562) ([bba2272](https://github.com/bitnami/charts/commit/bba227223e15937bb1f29f77425f6bd7d9238c02)), closes [#9562](https://github.com/bitnami/charts/issues/9562) + +## 1.12.0 (2022-03-16) + +* [bitnami/common] Helper to allow overriding namespace name (#9396) ([794fecb](https://github.com/bitnami/charts/commit/794fecb8cb112e8e5e9d55420451752e8bd21431)), closes [#9396](https://github.com/bitnami/charts/issues/9396) + +## 1.11.3 (2022-03-03) + +* [bitnami/common] Improve docs for passwords.manage (#9269) ([0d06114](https://github.com/bitnami/charts/commit/0d061147a5b7c7cf2bf44d2b61603ffeb48a0b51)), closes [#9269](https://github.com/bitnami/charts/issues/9269) + +## 1.11.2 (2022-02-28) + +* [bitnami/common] README: Fixed the desscription for `common.labels.matchLabels` (#9062) ([7f17db7](https://github.com/bitnami/charts/commit/7f17db7e9bcdd7918bde322b3b76a62c6a86e752)), closes [#9062](https://github.com/bitnami/charts/issues/9062) [bitnami/charts#9060](https://github.com/bitnami/charts/issues/9060) [bitnami/charts#9060](https://github.com/bitnami/charts/issues/9060) + +## 1.11.1 (2022-02-02) + +* [bitnami/common] Improve "common.secrets.passwords.manage" helper (#8861) ([01477b4](https://github.com/bitnami/charts/commit/01477b42f2be362388d69da913879c52f2250ac1)), closes [#8861](https://github.com/bitnami/charts/issues/8861) + +## 1.11.0 (2022-02-01) + +* [bitnami/common] Add ingress helper to detect cert-manager annotations (#8857) ([c0c986f](https://github.com/bitnami/charts/commit/c0c986f8d5c911c09dc84d289d2993ae1779a6ca)), closes 
[#8857](https://github.com/bitnami/charts/issues/8857) + +## 1.10.4 (2022-01-20) + +* [bitnami/several] Add license to the README ([05f7633](https://github.com/bitnami/charts/commit/05f763372501d596e57db713dd53ff4ff3027cc4)) +* [bitnami/several] Add license to the README ([32fb238](https://github.com/bitnami/charts/commit/32fb238e60a0affc6debd3142eaa3c3d9089ec2a)) +* [bitnami/several] Add license to the README ([b87c2f7](https://github.com/bitnami/charts/commit/b87c2f7899d48a8b02c506765e6ae82937e9ba3f)) +* [bitnami/several] Change prerequisites (#8725) ([8d740c5](https://github.com/bitnami/charts/commit/8d740c566cfdb7e2d933c40128b4e919fce953a5)), closes [#8725](https://github.com/bitnami/charts/issues/8725) + +## 1.10.3 (2021-11-29) + +* [bitnami/common] fix: :bug: Add extra check for "\"\"" values in existing secrets (#8266) ([de27be6](https://github.com/bitnami/charts/commit/de27be6e649472608f076a04a36be3674fe3b84e)), closes [#8266](https://github.com/bitnami/charts/issues/8266) + +## 1.10.2 (2021-11-29) + +* [bitnami/several] Replace HTTP by HTTPS when possible (#8259) ([eafb5bd](https://github.com/bitnami/charts/commit/eafb5bd5a2cc3aaf04fc1e8ebedd73f420d76864)), closes [#8259](https://github.com/bitnami/charts/issues/8259) + +## 1.10.1 (2021-10-27) + +* [bitnami/*] Mark PodSecurityPolicy resources as deprecated (#7948) ([5cac753](https://github.com/bitnami/charts/commit/5cac7539dcb6c3baef06ed6676bfa99c16fdb5fe)), closes [#7948](https://github.com/bitnami/charts/issues/7948) + +## 1.10.0 (2021-09-30) + +* [bitnami/common] Add new capability helper for Network Policies (#7658) ([3efb1ca](https://github.com/bitnami/charts/commit/3efb1cac924409cbda3216a2300cce031c56a1f5)), closes [#7658](https://github.com/bitnami/charts/issues/7658) + +## 1.9.1 (2021-09-22) + +* [bitnami/common] fix readme for common chart (#7577) ([3f06bdd](https://github.com/bitnami/charts/commit/3f06bdd8df1c00dbdf27230bcdf925c337826abb)), closes 
[#7577](https://github.com/bitnami/charts/issues/7577) +* Fix typo in bitname/common README (#7529) ([fccffb3](https://github.com/bitnami/charts/commit/fccffb33391751a1bf84c53184cffe0dcac83fd6)), closes [#7529](https://github.com/bitnami/charts/issues/7529) + +## 1.9.0 (2021-09-13) + +* [bitnami/common] Add new dependency fullname template (#7471) ([7ca2a4b](https://github.com/bitnami/charts/commit/7ca2a4bb917ac6a276a6b30be12538f4c7c3a63d)), closes [#7471](https://github.com/bitnami/charts/issues/7471) + +## 1.8.0 (2021-08-04) + +* Add cronjob apiVersion capability (#7122) ([7b84a67](https://github.com/bitnami/charts/commit/7b84a674ae99fd8ddac3b5b3c859c816b87aaf51)), closes [#7122](https://github.com/bitnami/charts/issues/7122) + +## 1.7.1 (2021-07-27) + +* [bitnami/*] Adapt values.yaml of common library, Tomcat, Wavefront and ZooKeeper charts (#6970) ([fb2693b](https://github.com/bitnami/charts/commit/fb2693bfe67a154b159d3998232cc613e1706c70)), closes [#6970](https://github.com/bitnami/charts/issues/6970) +* [bitnami/several] Bump version and update READMEs (#7069) ([6340bff](https://github.com/bitnami/charts/commit/6340bff66f93c8c797bda3ca0842e4bf770059f1)), closes [#7069](https://github.com/bitnami/charts/issues/7069) +* Replace strings with ™ in the README files (#7066) ([d298b49](https://github.com/bitnami/charts/commit/d298b4996da33c9580c2594e6dc8ad665dd0ebab)), closes [#7066](https://github.com/bitnami/charts/issues/7066) + +## 1.7.0 (2021-07-02) + +* [bitnami/common] Add supportIngressClassname (#6828) ([0c8a455](https://github.com/bitnami/charts/commit/0c8a45546a219b4b4cd370daf0643543c92739b0)), closes [#6828](https://github.com/bitnami/charts/issues/6828) + +## 1.6.1 (2021-06-16) + +* [bitnami/common] extend common.labels.matchLabels with .Values.extraMatchLabels (#6589) ([66edf04](https://github.com/bitnami/charts/commit/66edf04e3e244c343a845f9c684edf4c8ea04406)), closes [#6589](https://github.com/bitnami/charts/issues/6589) + +## 1.6.0 (2021-06-15) + +* 
bitnami/common: add version detection for policy api (#6662) ([dcacf06](https://github.com/bitnami/charts/commit/dcacf06f6f2b6d622e2226935db22d5b8efa20b3)), closes [#6662](https://github.com/bitnami/charts/issues/6662) + +## 1.5.2 (2021-05-21) + +* [bitnami/common] Update _ingress.tpl (#6437) ([9048150](https://github.com/bitnami/charts/commit/90481508542c4da588e0d71944592e6c4e8d36e4)), closes [#6437](https://github.com/bitnami/charts/issues/6437) + +## 1.5.1 (2021-05-14) + +* Node affinity values must be quoted. (#6348) ([f73efbe](https://github.com/bitnami/charts/commit/f73efbe074436eda6276bbf32c781fa913c6a17a)), closes [#6348](https://github.com/bitnami/charts/issues/6348) + +## 1.5.0 (2021-05-13) + +* [bitnami/common] pull secrets rendering (#6286) ([dfffe74](https://github.com/bitnami/charts/commit/dfffe74c212a28e27f537dbee54c3b5a81c7d572)), closes [#6286](https://github.com/bitnami/charts/issues/6286) + +## 1.4.3 (2021-04-26) + +* [bitnami/common] Update Redis validation's helper (#6192) ([1e3bf03](https://github.com/bitnami/charts/commit/1e3bf03e3aad56fd4dc159744626e25ec24c5772)), closes [#6192](https://github.com/bitnami/charts/issues/6192) + +## 1.4.2 (2021-03-25) + +* [bitnami/common] Common credential error (#5884) ([328ca86](https://github.com/bitnami/charts/commit/328ca863515f6ef9fe188c71110be7b951719d66)), closes [#5884](https://github.com/bitnami/charts/issues/5884) + +## 1.4.1 (2021-02-23) + +* [bitnami/common] Add possibility to pull images without giving registry name (#5582) ([15ca275](https://github.com/bitnami/charts/commit/15ca27520a16b590101fa39195f55017e2935a90)), closes [#5582](https://github.com/bitnami/charts/issues/5582) + +## 1.4.0 (2021-02-22) + +* [bitnami/common] Add RBAC/CRD apiVersion support for versions 1.22+ (#5583) ([fda87aa](https://github.com/bitnami/charts/commit/fda87aabcd004f9a67549f5d22d273dd9fff6836)), closes [#5583](https://github.com/bitnami/charts/issues/5583) + +## 1.3.9 (2021-02-09) + +* Add registered icon to all 
the MongoDB references (#5426) ([56f2088](https://github.com/bitnami/charts/commit/56f20884267e56175695b2917f7704b9510f4ba6)), closes [#5426](https://github.com/bitnami/charts/issues/5426) + +## 1.3.8 (2021-02-03) + +* fix(common): quote namespace name (#5363) ([d27fb5e](https://github.com/bitnami/charts/commit/d27fb5e0b327728bb4304503376aaa4d2ab50619)), closes [#5363](https://github.com/bitnami/charts/issues/5363) + +## 1.3.7 (2021-01-20) + +* [bitnami/*] Change helm version in the prerequisites (#5090) ([c5e67a3](https://github.com/bitnami/charts/commit/c5e67a388743cbee28439d2cabca27884b9daf97)), closes [#5090](https://github.com/bitnami/charts/issues/5090) +* [bitnami/common] Remove helm version checker from secret helper (#5156) ([20231b1](https://github.com/bitnami/charts/commit/20231b138fae524371e6b29504acd4cbd19ce697)), closes [#5156](https://github.com/bitnami/charts/issues/5156) + +## 1.3.6 (2021-01-18) + +* [bitnami/common] same behavior with empty string when the secret obje… (#5057) ([0bae2bb](https://github.com/bitnami/charts/commit/0bae2bbb9b42c5a8dd2b8a144ffa55ace1c8a936)), closes [#5057](https://github.com/bitnami/charts/issues/5057) + +## 1.3.5 (2021-01-17) + +* [bitnami/common] fix wrong include reference (#5056) ([11efd59](https://github.com/bitnami/charts/commit/11efd59177419d4177e59800f04b4f26ab7243f8)), closes [#5056](https://github.com/bitnami/charts/issues/5056) + +## 1.3.4 (2021-01-15) + +* [bitnami/common] Fix lookup function backward compatibility and README (#5018) ([14a0042](https://github.com/bitnami/charts/commit/14a0042dc90c01fd38f814e1e43559384a3baa9f)), closes [#5018](https://github.com/bitnami/charts/issues/5018) + +## 1.3.3 (2021-01-14) + +* [bitnami/several] Add Redis trademark (#5023) ([dfa89b8](https://github.com/bitnami/charts/commit/dfa89b865989da26a3c73f397fd3c402dd56ebe8)), closes [#5023](https://github.com/bitnami/charts/issues/5023) + +## 1.3.2 (2021-01-13) + +* [bitnami/common] Add missing else statement to ingress 
apiversion ([22ab07a](https://github.com/bitnami/charts/commit/22ab07ac7d39d4153cc839de2b714086e99cfc04)) + +## 1.3.1 (2021-01-13) + +* [bitnami/common] Fix cases where ingress is not at the root (#4984) ([e447d9d](https://github.com/bitnami/charts/commit/e447d9d2205fc3f2f6cd990386a691fd9204b214)), closes [#4984](https://github.com/bitnami/charts/issues/4984) + +## 1.3.0 (2021-01-13) + +* [bitnami/*] POC Lookup function implementation (#4831) ([240dc1b](https://github.com/bitnami/charts/commit/240dc1bea80a3e121fd595636496d7941bdbc5e0)), closes [#4831](https://github.com/bitnami/charts/issues/4831) + +## 1.2.3 (2020-12-31) + +* [bitnami/common] Fix incorrect backend calculation for networking/v1beta1 ([c59b869](https://github.com/bitnami/charts/commit/c59b86919f47504bc8fd06f75a024f55e58ace77)) + +## 1.2.2 (2020-12-30) + +* [bitnami/common] Fix typo in common.capabilities.kubeVersion ([a371b73](https://github.com/bitnami/charts/commit/a371b734b854aa81a7dec16c40d061f5e9a14875)) + +## 1.2.1 (2020-12-30) + +* [bitnami/common] Fix issue with global kubeversion calculation ([0bbb339](https://github.com/bitnami/charts/commit/0bbb339d60b41ab978e759863709ebb1451d07a4)) + +## 1.2.0 (2020-12-30) + +* [bitnami/common] Make ingress rules compatible with all Kubernetes versions (#4859) ([2b22a21](https://github.com/bitnami/charts/commit/2b22a217020fe3d16ef98fdcdd4a562c43f9824a)), closes [#4859](https://github.com/bitnami/charts/issues/4859) + +## 1.1.4 (2020-12-23) + +* [bitnami/common] fix: moving kube version comparison (#4804) ([cdb6ae8](https://github.com/bitnami/charts/commit/cdb6ae8f00d114f0998c604416b79f62dc27f19d)), closes [#4804](https://github.com/bitnami/charts/issues/4804) + +## 1.1.3 (2020-12-18) + +* [bitnami/*] fix typos (#4699) ([49adc63](https://github.com/bitnami/charts/commit/49adc63b672da976c55af2e077aa5648a357b77f)), closes [#4699](https://github.com/bitnami/charts/issues/4699) +* [bitnami/common] Adding networking apiVersion support for versions 1.19+ 
(#4776) ([5ed8c54](https://github.com/bitnami/charts/commit/5ed8c54f5e0a905effc4c1ae5c4931e6669cec30)), closes [#4776](https://github.com/bitnami/charts/issues/4776) + +## 1.1.2 (2020-12-11) + +* [bitnami/common] Fix node affinity templates (#4692) ([5b51a5c](https://github.com/bitnami/charts/commit/5b51a5c004b062282849a4abaaffd6840bb6c95f)), closes [#4692](https://github.com/bitnami/charts/issues/4692) + +## 1.1.1 (2020-11-26) + +* fix: mongodb validation auth (#4506) ([ca3fdfb](https://github.com/bitnami/charts/commit/ca3fdfbeebeba5bd7dfa4805e1ca2411e5950b09)), closes [#4506](https://github.com/bitnami/charts/issues/4506) + +## 1.1.0 (2020-11-26) + +* [bitnami/common] Add mongodb validation template (#4497) ([14ece96](https://github.com/bitnami/charts/commit/14ece96c801a7326935b6269423d8854fed3a49e)), closes [#4497](https://github.com/bitnami/charts/issues/4497) + +## 1.0.1 (2020-11-19) + +* [bitnami/common] existingSecret is in auth map (#4389) ([de9b217](https://github.com/bitnami/charts/commit/de9b2177465e1c56ca2aa1c4c486bd37a7104d7a)), closes [#4389](https://github.com/bitnami/charts/issues/4389) + +## 1.0.0 (2020-11-10) + +* bitnami/common Major version. 
Adapt Chart to apiVersion: v2 (#4258) ([09dbc45](https://github.com/bitnami/charts/commit/09dbc45d11c5e8fe65d6eb64dbf51571ad2c7464)), closes [#4258](https://github.com/bitnami/charts/issues/4258) + +## 0.10.0 (2020-10-27) + +* [bitnami/common] feat: add cassandra passwords validations (#4110) ([b4923d4](https://github.com/bitnami/charts/commit/b4923d48018dff1673a32eefcc0d62eb484b36da)), closes [#4110](https://github.com/bitnami/charts/issues/4110) + +## 0.9.0 (2020-10-21) + +* [bitnami/common] feat: add redis passwords validations (#4070) ([0daa8d5](https://github.com/bitnami/charts/commit/0daa8d580c06e18d94dbc0e88467347a34418596)), closes [#4070](https://github.com/bitnami/charts/issues/4070) + +## 0.8.2 (2020-10-14) + +* [bitnami/common] Allow backward compatibility for existingSecret (#4006) ([aa2b3a1](https://github.com/bitnami/charts/commit/aa2b3a18610c69b2f5c76b839483db43fa3c093c)), closes [#4006](https://github.com/bitnami/charts/issues/4006) + +## 0.8.1 (2020-10-05) + +* [bitnami/common] Fix secret name bug with defaulNameSuffix. 
(#3888) ([d114d44](https://github.com/bitnami/charts/commit/d114d446ef86cb6e7a72de6542905ec3b07d3684)) + +## 0.8.0 (2020-10-02) + +* [bitnami/common] Add statefulset capabilities and prepare MariaDB passwords validation for new forma ([1eb4436](https://github.com/bitnami/charts/commit/1eb44366a72e39e84e33bed1a4940c1b2c6025fc)), closes [#3859](https://github.com/bitnami/charts/issues/3859) + +## 0.7.1 (2020-09-22) + +* [bitnami/common] fix: evaluate enabled as string (#3733) ([048cdae](https://github.com/bitnami/charts/commit/048cdae5488cfcfe83ec698afaa8318aa3b1d0ca)), closes [#3733](https://github.com/bitnami/charts/issues/3733) + +## 0.7.0 (2020-09-22) + +* [bitnami/metrics-server] Add source repo (#3577) ([1ed12f9](https://github.com/bitnami/charts/commit/1ed12f96af75322b46afdb2b3d9907c11b13f765)), closes [#3577](https://github.com/bitnami/charts/issues/3577) +* PoC for pods' affinity (#3713) ([9e6a915](https://github.com/bitnami/charts/commit/9e6a915392979f0c0148875f34cca1c27e399b59)), closes [#3713](https://github.com/bitnami/charts/issues/3713) + +## 0.6.2 (2020-09-01) + +* [bitnami/common] fix: wrong use of append function (#3566) ([c912fd0](https://github.com/bitnami/charts/commit/c912fd0b7378bf2d5d56182e6d2fa6bbd74df46f)), closes [#3566](https://github.com/bitnami/charts/issues/3566) + +## 0.6.1 (2020-08-31) + +* [bitnami/common] fix: mariadb checks secret fields after check enabled (#3565) ([498056a](https://github.com/bitnami/charts/commit/498056ad16a6e89aa3b7cc231da7467ab5bd3986)), closes [#3565](https://github.com/bitnami/charts/issues/3565) + +## 0.6.0 (2020-08-19) + +* [bitnami/mariadb] Require password option at secret resource (#3411) ([a8d2464](https://github.com/bitnami/charts/commit/a8d24643756470d0280fc585b01397358c1c242d)), closes [#3411](https://github.com/bitnami/charts/issues/3411) + +## 0.5.2 (2020-08-19) + +* [bitnami/common] fix: add global parameters to postgres validation (#3460) 
([1c52a2a](https://github.com/bitnami/charts/commit/1c52a2a48ea65024a753eb5b32deadd46650fb18)), closes [#3460](https://github.com/bitnami/charts/issues/3460) + +## 0.5.1 (2020-08-10) + +* fix(common): missing $ in required values helpers (#3376) ([c972152](https://github.com/bitnami/charts/commit/c972152762c14c5ab5e3847a4870f4f4f2a31224)), closes [#3376](https://github.com/bitnami/charts/issues/3376) + +## 0.5.0 (2020-08-10) + +* [bitnami/common] add psql and mysql required password validations (#3374) ([1a4419e](https://github.com/bitnami/charts/commit/1a4419e15d985f67413beff98c9fc9b9f69108fb)), closes [#3374](https://github.com/bitnami/charts/issues/3374) + +## 0.4.0 (2020-08-04) + +* [bitnami/*] Fix TL;DR typo in READMEs (#3280) ([3d7ab40](https://github.com/bitnami/charts/commit/3d7ab406fecd64f1af25f53e7d27f03ec95b29a4)), closes [#3280](https://github.com/bitnami/charts/issues/3280) +* [bitnami/all] Add categories (#3075) ([63bde06](https://github.com/bitnami/charts/commit/63bde066b87a140fab52264d0522401ab3d63509)), closes [#3075](https://github.com/bitnami/charts/issues/3075) +* Add common helpers to check secrets when upgrade (#3150) ([5a5807c](https://github.com/bitnami/charts/commit/5a5807c1b1db1f2337f6aa5308d3ff73a4329e6a)), closes [#3150](https://github.com/bitnami/charts/issues/3150) + +## 0.3.1 (2020-06-05) + +* [bitnami/several] Fix table rendering in some hubs (#2770) ([fe9fd8c](https://github.com/bitnami/charts/commit/fe9fd8c261195385aae73e165ac6c1a666fef08e)), closes [#2770](https://github.com/bitnami/charts/issues/2770) + +## 0.3.0 (2020-06-02) + +* [bitnami/common]: add template function for ingress apiVersion (#2732) ([a968a50](https://github.com/bitnami/charts/commit/a968a50916ed9fa6f823a5a3ef6e4b98d615322f)), closes [#2732](https://github.com/bitnami/charts/issues/2732) + +## 0.2.4 (2020-05-29) + +* [bitnami/common] Bump chart version (#2707) ([ff2c37a](https://github.com/bitnami/charts/commit/ff2c37a576191f4523c7f69504aea669ab68aba8)), closes 
[#2707](https://github.com/bitnami/charts/issues/2707) +* [bitnami/several] Fix trailing spaces to make helm lint work on all of them (#2705) ([bafba3f](https://github.com/bitnami/charts/commit/bafba3fc8b8949897ad2d99d437bd8fc975223e4)), closes [#2705](https://github.com/bitnami/charts/issues/2705) + +## 0.2.3 (2020-05-26) + +* fix(common): add name attribute to imagePullSecrets helper (#2664) ([1ea21a9](https://github.com/bitnami/charts/commit/1ea21a92a8f44bd0d82d0fd4ed30108a89cf5b34)), closes [#2664](https://github.com/bitnami/charts/issues/2664) + +## 0.2.2 (2020-05-19) + +* update bitnami/common to be compatible with helm v2.12+ (#2615) ([c7751eb](https://github.com/bitnami/charts/commit/c7751eb5764e468e1854b58a1b8491d2b13e0a4a)), closes [#2615](https://github.com/bitnami/charts/issues/2615) + +## 0.2.1 (2020-05-13) + +* bump bitnami/common version number (#2580) ([1bd1e7b](https://github.com/bitnami/charts/commit/1bd1e7bc776614b6ae10f21e9c8b23fe15db5ff4)), closes [#2580](https://github.com/bitnami/charts/issues/2580) + +## 0.2.0 (2020-04-17) + +* [bitnami/common] add secrets and warnings helpers (#2347) ([a748ff8](https://github.com/bitnami/charts/commit/a748ff82259d6553a0d4ca56ca6d7d050de859f4)), closes [#2347](https://github.com/bitnami/charts/issues/2347) + +## 0.1.1 (2020-04-08) + +* [bitnami/common] bitnami common add values yaml (#2267) ([a88c902](https://github.com/bitnami/charts/commit/a88c90212021771eacc562dd38c04381e2f63d6f)), closes [#2267](https://github.com/bitnami/charts/issues/2267) + +## 0.1.0 (2020-04-03) + +* [bitnami/common]: add initial functions (#2188) ([9401e13](https://github.com/bitnami/charts/commit/9401e13316992c36b0e33de75d5f249645a2924e)), closes [#2188](https://github.com/bitnami/charts/issues/2188) diff --git a/kubernetes/common/nginx/common/Chart.yaml b/kubernetes/common/nginx/common/Chart.yaml new file mode 100644 index 0000000000..d1b6dfc116 --- /dev/null +++ b/kubernetes/common/nginx/common/Chart.yaml 
@@ -0,0 +1,26 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +annotations: + category: Infrastructure + licenses: Apache-2.0 +apiVersion: v2 +# Please make sure that version and appVersion are always the same. +appVersion: 2.29.1 +description: A Library Helm Chart for grouping common logic between bitnami charts. This chart is not deployable by itself. +home: https://bitnami.com +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: + - common + - helper + - template + - function + - bitnami +maintainers: + - name: Broadcom, Inc. All Rights Reserved. + url: https://github.com/bitnami/charts +name: common +sources: + - https://github.com/bitnami/charts/tree/main/bitnami/common +type: library +version: 2.29.1 diff --git a/kubernetes/common/nginx/common/README.md b/kubernetes/common/nginx/common/README.md new file mode 100644 index 0000000000..0e5f649928 --- /dev/null +++ b/kubernetes/common/nginx/common/README.md 
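Review bot: kubernetes/common/nginx/common/Chart.yaml adds a vendored copy of the Bitnami `common` library chart (`version: 2.29.1`, `type: library`) with nothing recording which upstream commit or chart digest it was copied from. The `sources` entry points at the `main` branch tree, which moves, so a later reader cannot confirm that the vendored templates match the published 2.29.1 release. Suggest adding an annotation or a short note beside the chart that records the upstream tag or commit and the digest of the released chart archive, so that a diff against upstream can be part of every future update.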
@@ -0,0 +1,235 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 2.x.x + repository: oci://registry-1.docker.io/bitnamicharts +``` + +```console +helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the commercial edition of the Bitnami catalog. + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.23+ +- Helm 3.8.0+ + +## Parameters + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy.' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. 
+ example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... 
+ +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +#### What changes were introduced in this major version? + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. 
[Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +#### Useful links + +- +- +- + +## License + +Copyright © 2025 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/kubernetes/common/nginx/common/templates/_affinities.tpl b/kubernetes/common/nginx/common/templates/_affinities.tpl new file mode 100644 index 0000000000..d387dbe632 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_affinities.tpl 
@@ -0,0 +1,155 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . 
-}} + {{- end -}} +{{- end -}} + +{{/* +Return a topologyKey definition +{{ include "common.affinities.topologyKey" (dict "topologyKey" "BAR") -}} +*/}} +{{- define "common.affinities.topologyKey" -}} +{{ .topologyKey | default "kubernetes.io/hostname" -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{ include "common.tplvalues.render" (dict "value" . 
"context" $) | nindent 8 }} + {{- end }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: 1 + {{- range $extraPodAffinityTerms }} + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + weight: {{ .weight | default 1 -}} + {{- end -}} +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "customLabels" .Values.podLabels "extraMatchLabels" .Values.extraMatchLabels "topologyKey" "BAR" "extraPodAffinityTerms" .Values.extraPodAffinityTerms "extraNamespaces" (list "namespace1" "namespace2") "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $customLabels := default (dict) .customLabels -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +{{- $extraPodAffinityTerms := default (list) .extraPodAffinityTerms -}} +{{- $extraNamespaces := default (list) .extraNamespaces -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" .context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if $extraNamespaces }} + namespaces: + - {{ .context.Release.Namespace }} + {{- with $extraNamespaces }} + {{ include "common.tplvalues.render" (dict "value" . 
"context" $) | nindent 8 }} + {{- end }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- range $extraPodAffinityTerms }} + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" ( dict "customLabels" $customLabels "context" $.context )) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := .extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + topologyKey: {{ include "common.affinities.topologyKey" (dict "topologyKey" .topologyKey) }} + {{- end -}} +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/_capabilities.tpl b/kubernetes/common/nginx/common/templates/_capabilities.tpl new file mode 100644 index 0000000000..7738f73367 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_capabilities.tpl 
@@ -0,0 +1,239 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- default (default .Capabilities.KubeVersion.Version .Values.kubeVersion) ((.Values.global).kubeVersion) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.7-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for job. +*/}} +{{- define "common.capabilities.job.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.21-0" $kubeVersion) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for daemonset. 
+*/}} +{{- define "common.capabilities.daemonset.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if (.Values.ingress).apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.14-0" $kubeVersion) -}} +{{- print "extensions/v1beta1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . 
-}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.17-0" $kubeVersion) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.19-0" $kubeVersion) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.10-0" $kubeVersion) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Vertical Pod Autoscaler. 
+*/}} +{{- define "common.capabilities.vpa.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" .context -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.11-0" $kubeVersion) -}} +{{- print "autoscaling/v1beta1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "autoscaling/v1beta2" -}} +{{- else -}} +{{- print "autoscaling/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if PodSecurityPolicy is supported +*/}} +{{- define "common.capabilities.psp.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (semverCompare "<1.25-0" $kubeVersion) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if AdmissionConfiguration is supported +*/}} +{{- define "common.capabilities.admissionConfiguration.supported" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if or (empty $kubeVersion) (not (semverCompare "<1.23-0" $kubeVersion)) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for AdmissionConfiguration. +*/}} +{{- define "common.capabilities.admissionConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . -}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "apiserver.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiserver.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for PodSecurityConfiguration. +*/}} +{{- define "common.capabilities.podSecurityConfiguration.apiVersion" -}} +{{- $kubeVersion := include "common.capabilities.kubeVersion" . 
-}} +{{- if and (not (empty $kubeVersion)) (semverCompare "<1.23-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1alpha1" -}} +{{- else if and (not (empty $kubeVersion)) (semverCompare "<1.25-0" $kubeVersion) -}} +{{- print "pod-security.admission.config.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "pod-security.admission.config.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/_compatibility.tpl b/kubernetes/common/nginx/common/templates/_compatibility.tpl new file mode 100644 index 0000000000..87343ca38f --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_compatibility.tpl 
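Review bot: in templates/_capabilities.tpl, `common.capabilities.job.apiVersion` returns `batch/v1beta1` for clusters below 1.21, but only CronJob was served from `batch/v1beta1`; Job was already `batch/v1` long before 1.21, so that branch would render a Job manifest the API server rejects. The README added in this same patch lists Kubernetes 1.23+ as a prerequisite, which makes this branch and the other `<1.7-0`, `<1.10-0`, `<1.14-0`, `<1.17-0`, `<1.19-0` and `<1.21-0` fallbacks reachable only on an unsupported cluster or when `kubeVersion` / `global.kubeVersion` is overridden to an old value. Suggest returning `batch/v1` unconditionally in the job helper and saying at the top of the file when the legacy branches can still fire.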
@@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return true if the detected platform is Openshift +Usage: +{{- include "common.compatibility.isOpenshift" . -}} +*/}} +{{- define "common.compatibility.isOpenshift" -}} +{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}} +{{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC +Usage: +{{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}} +*/}} +{{- define "common.compatibility.renderSecurityContext" -}} +{{- $adaptedContext := .secContext -}} + +{{- if (((.context.Values.global).compatibility).openshift) -}} + {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}} + {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}} + {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}} + {{- if not .secContext.seLinuxOptions -}} + {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{/* Remove empty seLinuxOptions object if global.compatibility.omitEmptySeLinuxOptions is set to true */}} +{{- if and (((.context.Values.global).compatibility).omitEmptySeLinuxOptions) (not .secContext.seLinuxOptions) -}} + {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}} +{{- end -}} +{{/* Remove fields that 
are disregarded when running the container in privileged mode */}} +{{- if $adaptedContext.privileged -}} + {{- $adaptedContext = omit $adaptedContext "capabilities" -}} +{{- end -}} +{{- omit $adaptedContext "enabled" | toYaml -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/_errors.tpl b/kubernetes/common/nginx/common/templates/_errors.tpl new file mode 100644 index 0000000000..93f3ffc9be --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_errors.tpl 
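Review bot: in templates/_compatibility.tpl, `common.compatibility.renderSecurityContext` strips `fsGroup`, `runAsUser` and `runAsGroup` whenever `adaptSecurityContext` is `force`, without consulting `common.compatibility.isOpenshift`, while the header comment only describes the OpenShift case. On a cluster that is not OpenShift nothing reassigns those IDs, so the container runs as whatever user the image declares even though the values file still shows the pinned ones. Suggest documenting `force` versus `auto` in the usage comment. It is also worth stating there that `auto` depends on `.Capabilities.APIVersions.Has` reporting `security.openshift.io/v1`, which is false when the chart is rendered offline with `helm template` unless that API version is passed in, so manifests reviewed in CI can differ from what is installed.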
@@ -0,0 +1,85 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Throw error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} + +{{/* +Throw error when original container images are replaced. +The error can be bypassed by setting the "global.security.allowInsecureImages" to true. In this case, +a warning message will be shown instead. 
+ +Usage: +{{ include "common.errors.insecureImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} +*/}} +{{- define "common.errors.insecureImages" -}} +{{- $relocatedImages := list -}} +{{- $replacedImages := list -}} +{{- $retaggedImages := list -}} +{{- $globalRegistry := ((.context.Values.global).imageRegistry) -}} +{{- $originalImages := .context.Chart.Annotations.images -}} +{{- range .images -}} + {{- $registryName := default .registry $globalRegistry -}} + {{- $fullImageNameNoTag := printf "%s/%s" $registryName .repository -}} + {{- $fullImageName := printf "%s:%s" $fullImageNameNoTag .tag -}} + {{- if not (contains $fullImageNameNoTag $originalImages) -}} + {{- if not (contains $registryName $originalImages) -}} + {{- $relocatedImages = append $relocatedImages $fullImageName -}} + {{- else if not (contains .repository $originalImages) -}} + {{- $replacedImages = append $replacedImages $fullImageName -}} + {{- end -}} + {{- end -}} + {{- if not (contains (printf "%s:%s" .repository .tag) $originalImages) -}} + {{- $retaggedImages = append $retaggedImages $fullImageName -}} + {{- end -}} +{{- end -}} + +{{- if and (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) (((.context.Values.global).security).allowInsecureImages) -}} + {{- print "\n\n⚠ SECURITY WARNING: Verifying original container images was skipped. Please note this Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables.\n" -}} +{{- else if (or (gt (len $relocatedImages) 0) (gt (len $replacedImages) 0)) -}} + {{- $errorString := "Original containers have been substituted for unrecognized ones. 
Deploying this chart with non-standard containers is likely to cause degraded security and performance, broken chart features, and missing environment variables." -}} + {{- $errorString = print $errorString "\n\nUnrecognized images:" -}} + {{- range (concat $relocatedImages $replacedImages) -}} + {{- $errorString = print $errorString "\n - " . -}} + {{- end -}} + {{- if or (contains "docker.io/bitnami/" $originalImages) (contains "docker.io/bitnamiprem/" $originalImages) -}} + {{- $errorString = print "\n\n⚠ ERROR: " $errorString -}} + {{- $errorString = print $errorString "\n\nIf you are sure you want to proceed with non-standard containers, you can skip container image verification by setting the global parameter 'global.security.allowInsecureImages' to true." -}} + {{- $errorString = print $errorString "\nFurther information can be obtained at https://github.com/bitnami/charts/issues/30850" -}} + {{- print $errorString | fail -}} + {{- else if gt (len $replacedImages) 0 -}} + {{- $errorString = print "\n\n⚠ WARNING: " $errorString -}} + {{- print $errorString -}} + {{- end -}} +{{- else if gt (len $retaggedImages) 0 -}} + {{- $warnString := "\n\n⚠ WARNING: Original containers have been retagged. Please note this Helm chart was tested, and validated on multiple platforms using a specific set of Tanzu Application Catalog containers. Substituting original image tags could cause unexpected behavior." -}} + {{- $warnString = print $warnString "\n\nRetagged images:" -}} + {{- range $retaggedImages -}} + {{- $warnString = print $warnString "\n - " . -}} + {{- end -}} + {{- print $warnString -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/kubernetes/common/nginx/common/templates/_images.tpl b/kubernetes/common/nginx/common/templates/_images.tpl new file mode 100644 index 0000000000..76bb7ce447 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_images.tpl 
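Review bot: in templates/_errors.tpl, `common.errors.insecureImages` counts an image as relocated as soon as its registry (`default .registry $globalRegistry`) is missing from the chart's `images` annotation, so a deployment that points `global.imageRegistry` at an internal mirror fails the render when the annotation lists `docker.io/bitnami/` or `docker.io/bitnamiprem/` images, unless `global.security.allowInsecureImages` is true, and that same flag also reduces the replaced-repository case to a warning. The comparison is a `contains` substring test against the annotation text rather than a match on parsed image references, so it works as a consistency hint and not as a provenance control. Suggest recording in the consuming charts' values where and why `allowInsecureImages` is set, and relying on digest pinning (`common.images.image` already honours `.imageRoot.digest`) or an admission policy for image integrity.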
@@ -0,0 +1,115 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name. +If image tag and digest are not defined, termination fallbacks to chart appVersion. +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" .Values.global "chart" .Chart ) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := default .imageRoot.registry ((.global).imageRegistry) -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} + +{{- if not .imageRoot.tag }} + {{- if .chart }} + {{- $termination = .chart.AppVersion | toString -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- if $registryName }} + {{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- else -}} + {{- printf "%s%s%s" $repositoryName $separator $termination -}} +{{- end -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- range ((.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end }} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets .name -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets . 
-}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) -}} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- range (($context.Values.global).imagePullSecrets) -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- if kindIs "map" . -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" .name "context" $context)) -}} + {{- else -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) -}} +imagePullSecrets: + {{- range $pullSecrets | uniq }} + - name: {{ . 
}} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion) +{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }} +*/}} +{{- define "common.images.version" -}} +{{- $imageTag := .imageRoot.tag | toString -}} +{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}} +{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}} + {{- $version := semver $imageTag -}} + {{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}} +{{- else -}} + {{- print .chart.AppVersion -}} +{{- end -}} +{{- end -}} + diff --git a/kubernetes/common/nginx/common/templates/_ingress.tpl b/kubernetes/common/nginx/common/templates/_ingress.tpl new file mode 100644 index 0000000000..7d2b87985c --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_ingress.tpl 
@@ -0,0 +1,73 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) 
-}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/_labels.tpl b/kubernetes/common/nginx/common/templates/_labels.tpl new file mode 100644 index 0000000000..0a0cc5488f --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_labels.tpl 
@@ -0,0 +1,46 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Kubernetes standard labels +{{ include "common.labels.standard" (dict "customLabels" .Values.commonLabels "context" $) -}} +*/}} +{{- define "common.labels.standard" -}} +{{- if and (hasKey . "customLabels") (hasKey . "context") -}} +{{- $default := dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service -}} +{{- with .context.Chart.AppVersion -}} +{{- $_ := set $default "app.kubernetes.io/version" . -}} +{{- end -}} +{{ template "common.tplvalues.merge" (dict "values" (list .customLabels $default) "context" .context) }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Labels used on immutable fields such as deploy.spec.selector.matchLabels or svc.spec.selector +{{ include "common.labels.matchLabels" (dict "customLabels" .Values.podLabels "context" $) -}} + +We don't want to loop over custom labels appending them to the selector +since it's very likely that it will break deployments, services, etc. +However, it's important to overwrite the standard labels if the user +overwrote them on metadata.labels fields. +*/}} +{{- define "common.labels.matchLabels" -}} +{{- if and (hasKey . "customLabels") (hasKey . 
"context") -}} +{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }} +{{- else -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/_names.tpl b/kubernetes/common/nginx/common/templates/_names.tpl new file mode 100644 index 0000000000..ba83956852 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_names.tpl 
@@ -0,0 +1,71 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. 
+Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/_resources.tpl b/kubernetes/common/nginx/common/templates/_resources.tpl new file mode 100644 index 0000000000..2aaf5750d4 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_resources.tpl 
@@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "common.resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "common.resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} 
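Review bot: in common.resources.preset (_resources.tpl) the "xlarge" and "2xlarge" presets declare identical requests (cpu "1.0", memory "3072Mi") and differ only in limits (3.0/6144Mi against 6.0/12288Mi), which the header comment covers only as an exception to the 50% rule without saying what the ratio is. A pod on "2xlarge" is scheduled as if it needed 1 CPU while being allowed to consume six, so nodes can be heavily overcommitted. Please state the request-to-limit ratio of the two large presets in the comment, and have consuming charts set explicit resources, since the template itself says the presets are not meant for production.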
diff --git a/kubernetes/common/nginx/common/templates/_secrets.tpl b/kubernetes/common/nginx/common/templates/_secrets.tpl new file mode 100644 index 0000000000..bfef46978d --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_secrets.tpl 
@@ -0,0 +1,192 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. 
+*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "honorProvidedValues" false "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets. + - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted. + - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret. + - honorProvidedValues - Boolean - Optional - Default to false. If set to true, the values in providedValues have higher priority than an existing secret +The order in which this function returns a secret password: + 1. 
Password provided via the values.yaml if honorProvidedValues = true + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 2. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 3. Password provided via the values.yaml if honorProvidedValues = false + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 4. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key | b64dec }} + {{- else if not (eq .failOnNew false) }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- end }} + +{{- if and $providedPasswordValue .honorProvidedValues }} + {{- $password = $providedPasswordValue | toString }} +{{- end }} + +{{- if not $password 
}} + {{- if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString }} + {{- else }} + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- if not (eq .failOnNew false) }} + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + {{- end }} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle }} + {{- else }} + {{- $password = randAlphaNum $passwordLength }} + {{- end }} + {{- end -}} +{{- end -}} +{{- if not .skipB64enc }} +{{- $password = $password | b64enc }} +{{- end -}} +{{- if .skipQuote -}} +{{- printf "%s" $password -}} +{{- else -}} +{{- printf "%s" $password | quote -}} +{{- end -}} +{{- end -}} + +{{/* +Reuses the value from an existing secret, otherwise sets its value to a default value. + +Usage: +{{ include "common.secrets.lookup" (dict "secret" "secret-name" "key" "keyName" "defaultValue" .Values.myValue "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - defaultValue - String - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - context - Context - Required - Parent context. 
+ +*/}} +{{- define "common.secrets.lookup" -}} +{{- $value := "" -}} +{{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data -}} +{{- if and $secretData (hasKey $secretData .key) -}} + {{- $value = index $secretData .key -}} +{{- else if .defaultValue -}} + {{- $value = .defaultValue | toString | b64enc -}} +{{- end -}} +{{- if $value -}} +{{- printf "%s" $value -}} +{{- end -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/_storage.tpl b/kubernetes/common/nginx/common/templates/_storage.tpl new file mode 100644 index 0000000000..aa75856c07 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_storage.tpl @@ -0,0 +1,21 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} +{{- $storageClass := (.global).storageClass | default .persistence.storageClass | default (.global).defaultStorageClass | default "" -}} +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else -}} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} +{{- end -}} 
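Review bot: in common.storage.class (_storage.tpl) the usage comment passes "global" $, but the body reads (.global).storageClass and (.global).defaultStorageClass, which only resolve when the caller passes .Values.global. Called as documented, both global lookups come back empty and only .persistence.storageClass is honoured, with no error. Please correct the usage line to "global" .Values.global, or read .global.Values.global inside the helper. The non-empty branch also prints the class name unquoted (storageClassName: %s); piping it through quote would keep unusual names valid YAML.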
diff --git a/kubernetes/common/nginx/common/templates/_tplvalues.tpl b/kubernetes/common/nginx/common/templates/_tplvalues.tpl new file mode 100644 index 0000000000..a04f4c1eb3 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_tplvalues.tpl 
@@ -0,0 +1,52 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template perhaps with scope if the scope is present. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ ) }} +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $ "scope" $app ) }} +*/}} +{{- define "common.tplvalues.render" -}} +{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }} +{{- if contains "{{" (toJson .value) }} + {{- if .scope }} + {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }} + {{- else }} + {{- tpl $value .context }} + {{- end }} +{{- else }} + {{- $value }} +{{- end }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with http://masterminds.github.io/sprig/dicts.html#merge-mustmerge +Usage: +{{ include "common.tplvalues.merge" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . "context" $.context "scope" $.scope) | fromYaml | merge $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} + +{{/* +Merge a list of values that contains template after rendering them. +Merge precedence is consistent with https://masterminds.github.io/sprig/dicts.html#mergeoverwrite-mustmergeoverwrite +Usage: +{{ include "common.tplvalues.merge-overwrite" ( dict "values" (list .Values.path.to.the.Value1 .Values.path.to.the.Value2) "context" $ ) }} +*/}} +{{- define "common.tplvalues.merge-overwrite" -}} +{{- $dst := dict -}} +{{- range .values -}} +{{- $dst = include "common.tplvalues.render" (dict "value" . 
"context" $.context "scope" $.scope) | fromYaml | mergeOverwrite $dst -}} +{{- end -}} +{{ $dst | toYaml }} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/_utils.tpl b/kubernetes/common/nginx/common/templates/_utils.tpl new file mode 100644 index 0000000000..0a5a5bc88f --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_utils.tpl 
@@ -0,0 +1,77 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ include "common.names.namespace" .context | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . 
) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Checksum a template at "path" containing a *single* resource (ConfigMap,Secret) for use in pod annotations, excluding the metadata (see #18376). +Usage: +{{ include "common.utils.checksumTemplate" (dict "path" "/configmap.yaml" "context" $) }} +*/}} +{{- define "common.utils.checksumTemplate" -}} +{{- $obj := include (print .context.Template.BasePath .path) .context | fromYaml -}} +{{ omit $obj "apiVersion" "kind" "metadata" | toYaml | sha256sum }} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/_warnings.tpl b/kubernetes/common/nginx/common/templates/_warnings.tpl new file mode 100644 index 0000000000..62c44dfcaa --- /dev/null +++ b/kubernetes/common/nginx/common/templates/_warnings.tpl 
@@ -0,0 +1,109 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://techdocs.broadcom.com/us/en/vmware-tanzu/application-catalog/tanzu-application-catalog/services/tac-doc/apps-tutorials-understand-rolling-tags-containers-index.html +{{- end }} +{{- end -}} + +{{/* +Warning about replaced images from the original. +Usage: +{{ include "common.warnings.modifiedImages" (dict "images" (list .Values.path.to.the.imageRoot) "context" $) }} +*/}} +{{- define "common.warnings.modifiedImages" -}} +{{- $affectedImages := list -}} +{{- $printMessage := false -}} +{{- $originalImages := .context.Chart.Annotations.images -}} +{{- range .images -}} + {{- $fullImageName := printf (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- if not (contains $fullImageName $originalImages) }} + {{- $affectedImages = append $affectedImages (printf "%s/%s:%s" .registry .repository .tag) -}} + {{- $printMessage = true -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +⚠ SECURITY WARNING: Original containers have been substituted. This Helm chart was designed, tested, and validated on multiple platforms using a specific set of Bitnami and Tanzu Application Catalog containers. Substituting other containers is likely to cause degraded security and performance, broken chart features, and missing environment variables. + +Substituted images detected: +{{- range $affectedImages }} + - {{ . 
}} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Warning about not setting the resource object in all deployments. +Usage: +{{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }} +Example: +{{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }} +The list in the example assumes that the following values exist: + - csiProvider.provider.resources + - server.resources + - volumePermissions.resources + - resources +*/}} +{{- define "common.warnings.resources" -}} +{{- $values := .context.Values -}} +{{- $printMessage := false -}} +{{ $affectedSections := list -}} +{{- range .sections -}} + {{- if eq . "" -}} + {{/* Case where the resources section is at the root (one main deployment in the chart) */}} + {{- if not (index $values "resources") -}} + {{- $affectedSections = append $affectedSections "resources" -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}} + {{- $keys := split "." . -}} + {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}} + {{- $section := $values -}} + {{- range $keys -}} + {{- $section = index $section . -}} + {{- end -}} + {{- if not (index $section "resources") -}} + {{/* If the section has enabled=false or replicaCount=0, do not include it */}} + {{- if and (hasKey $section "enabled") -}} + {{- if index $section "enabled" -}} + {{/* enabled=true */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) 
-}} + {{- $printMessage = true -}} + {{- end -}} + {{- else if and (hasKey $section "replicaCount") -}} + {{/* We need a casting to int because number 0 is not treated as an int by default */}} + {{- if (gt (index $section "replicaCount" | int) 0) -}} + {{/* replicaCount > 0 */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- else -}} + {{/* Default case, add it to the affected sections */}} + {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}} + {{- $printMessage = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $printMessage }} + +WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs: +{{- range $affectedSections }} + - {{ . }} +{{- end }} ++info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/validations/_cassandra.tpl b/kubernetes/common/nginx/common/templates/validations/_cassandra.tpl new file mode 100644 index 0000000000..f8fd213bcc --- /dev/null +++ b/kubernetes/common/nginx/common/templates/validations/_cassandra.tpl 
@@ -0,0 +1,51 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/validations/_mariadb.tpl b/kubernetes/common/nginx/common/templates/validations/_mariadb.tpl new file mode 100644 index 0000000000..6ea8c0f45b --- /dev/null +++ b/kubernetes/common/nginx/common/templates/validations/_mariadb.tpl 
@@ -0,0 +1,108 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" 
$valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. 
Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/validations/_mongodb.tpl b/kubernetes/common/nginx/common/templates/validations/_mongodb.tpl new file mode 100644 index 0000000000..e678a6de82 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/validations/_mongodb.tpl 
@@ -0,0 +1,67 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} 
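Review bot: The usage examples for `common.mongodb.values.key.auth` and `common.mongodb.values.architecture` pass `"subchart" "true"` as a string, while the Params lines document `subchart` as a Boolean and the helpers test it with `{{- if .subchart -}}`. Go templates treat any non-empty string as true, so a caller who copies the example and writes `"subchart" "false"` still gets the `mongodb.auth` / `.Values.mongodb.architecture` branch. Suggest changing the examples to `(dict "subchart" true "context" $)`. The usage lines for `common.mongodb.values.auth.existingSecret` and `common.mongodb.values.enabled` should also show the `subchart` key, since both helpers branch on it but their examples pass only `"context"`.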
diff --git a/kubernetes/common/nginx/common/templates/validations/_mysql.tpl b/kubernetes/common/nginx/common/templates/validations/_mysql.tpl new file mode 100644 index 0000000000..fbb65c338e --- /dev/null +++ b/kubernetes/common/nginx/common/templates/validations/_mysql.tpl 
@@ -0,0 +1,67 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} 
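Review bot: In `common.mysql.values.enabled` the non-subchart branch returns `printf "%v" (not .context.Values.enabled)`, which is the negation of a top-level `enabled` value, while the subchart branch returns `.context.Values.mysql.enabled` as is. With no top-level `enabled` key this renders "true", but a chart that sets `enabled: true` at the root gets "false" here, and the comment ("get the right value for enabled mysql") does not say that this is intended. Please document the intended semantics in the comment block, and add a Params entry for `subchart` to this helper, as the other three helpers in the file have.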
diff --git a/kubernetes/common/nginx/common/templates/validations/_postgresql.tpl b/kubernetes/common/nginx/common/templates/validations/_postgresql.tpl new file mode 100644 index 0000000000..51d47162e7 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/validations/_postgresql.tpl 
@@ -0,0 +1,105 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. 
Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/validations/_redis.tpl b/kubernetes/common/nginx/common/templates/validations/_redis.tpl new file mode 100644 index 0000000000..9fedfef9d1 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/validations/_redis.tpl 
@@ -0,0 +1,48 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + + +{{/* vim: set filetype=mustache: */}} +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/templates/validations/_validations.tpl b/kubernetes/common/nginx/common/templates/validations/_validations.tpl new file mode 100644 index 0000000000..7cdee61700 --- /dev/null +++ b/kubernetes/common/nginx/common/templates/validations/_validations.tpl 
@@ -0,0 +1,51 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. 
+*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/common/values.yaml b/kubernetes/common/nginx/common/values.yaml new file mode 100644 index 0000000000..de2cac57d0 --- /dev/null +++ b/kubernetes/common/nginx/common/values.yaml @@ -0,0 +1,8 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/kubernetes/common/nginx/templates/NOTES.txt b/kubernetes/common/nginx/templates/NOTES.txt new file mode 100644 index 0000000000..f8c92f647e --- /dev/null +++ b/kubernetes/common/nginx/templates/NOTES.txt 
@@ -0,0 +1,77 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information. + +** Please be patient while the chart is being deployed ** + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ template "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ template "common.names.namespace" . }} -ti -- bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/nginx/entrypoint.sh /opt/bitnami/scripts/nginx/run.sh + +{{- else }} +NGINX can be accessed through the following DNS name from within your cluster: + + {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} (port {{ .Values.service.ports.http }}) + +To access NGINX from outside the cluster, follow the steps below: + +{{- if .Values.ingress.enabled }} + +1. Get the NGINX URL and associate its hostname to your cluster external IP: + + export CLUSTER_IP=$(minikube ip) # On Minikube. 
Use: `kubectl cluster-info` on others K8s clusters + echo "NGINX URL: http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.hostname }}" + echo "$CLUSTER_IP {{ .Values.ingress.hostname }}" | sudo tee -a /etc/hosts + +{{- else }} + +1. Get the NGINX URL by running these commands: + +{{- if contains "LoadBalancer" .Values.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "common.names.fullname" . }}' + + export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }}) + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo "http://${SERVICE_IP}:${SERVICE_PORT}" + +{{- else if contains "ClusterIP" .Values.service.type }} + + export SERVICE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].port}" services {{ include "common.names.fullname" . }}) + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} ${SERVICE_PORT}:${SERVICE_PORT} & + echo "http://127.0.0.1:${SERVICE_PORT}" + +{{- else if contains "NodePort" .Values.service.type }} + + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo "http://${NODE_IP}:${NODE_PORT}" + +{{- end }} +{{- end }} + +{{- include "common.warnings.rollingTag" .Values.image }} +{{- include "common.warnings.rollingTag" .Values.cloneStaticSiteFromGit.image }} +{{- include "common.warnings.rollingTag" .Values.metrics.image }} +{{- include "nginx.validateValues" . 
}} +{{- end }} +{{- include "common.warnings.resources" (dict "sections" (list "cloneStaticSiteFromGit.gitSync" "metrics" "") "context" $) }} +{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.cloneStaticSiteFromGit.image .Values.metrics.image) "context" $) }} +{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.cloneStaticSiteFromGit.image .Values.metrics.image) "context" $) }} diff --git a/kubernetes/common/nginx/templates/_helpers.tpl b/kubernetes/common/nginx/templates/_helpers.tpl new file mode 100644 index 0000000000..4900d9cfd1 --- /dev/null +++ b/kubernetes/common/nginx/templates/_helpers.tpl 
@@ -0,0 +1,123 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper NGINX image name +*/}} +{{- define "nginx.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper GIT image name +*/}} +{{- define "nginx.cloneStaticSiteFromGit.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.cloneStaticSiteFromGit.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Prometheus metrics image name +*/}} +{{- define "nginx.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "nginx.imagePullSecrets" -}} +{{ include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.cloneStaticSiteFromGit.image .Values.metrics.image) "context" $) }} +{{- end -}} + +{{/* +Return true if a static site should be mounted in the NGINX container +*/}} +{{- define "nginx.useStaticSite" -}} +{{- if or .Values.cloneStaticSiteFromGit.enabled .Values.staticSiteConfigmap .Values.staticSitePVC }} + {- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the volume to use to mount the static site in the NGINX container +*/}} +{{- define "nginx.staticSiteVolume" -}} +{{- if .Values.cloneStaticSiteFromGit.enabled }} +emptyDir: {} +{{- else if .Values.staticSiteConfigmap }} +configMap: + name: {{ printf "%s" (tpl .Values.staticSiteConfigmap $) -}} +{{- else if .Values.staticSitePVC }} +persistentVolumeClaim: + claimName: {{ printf "%s" (tpl .Values.staticSitePVC $) -}} +{{- end }} +{{- end -}} + +{{/* +Return the custom NGINX server block configmap. 
+*/}} +{{- define "nginx.serverBlockConfigmapName" -}} +{{- if .Values.existingServerBlockConfigmap -}} + {{- printf "%s" (tpl .Values.existingServerBlockConfigmap $) -}} +{{- else -}} + {{- printf "%s-server-block" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return the custom NGINX stream server block configmap. +*/}} +{{- define "nginx.streamServerBlockConfigmapName" -}} +{{- if .Values.existingStreamServerBlockConfigmap -}} + {{- printf "%s" (tpl .Values.existingStreamServerBlockConfigmap $) -}} +{{- else -}} + {{- printf "%s-stream-server-block" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "nginx.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "nginx.validateValues.cloneStaticSiteFromGit" .) -}} +{{- $messages := append $messages (include "nginx.validateValues.extraVolumes" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* Validate values of NGINX - Clone StaticSite from Git configuration */}} +{{- define "nginx.validateValues.cloneStaticSiteFromGit" -}} +{{- if and .Values.cloneStaticSiteFromGit.enabled (or (not .Values.cloneStaticSiteFromGit.repository) (not .Values.cloneStaticSiteFromGit.branch)) -}} +nginx: cloneStaticSiteFromGit + When enabling cloing a static site from a Git repository, both the Git repository and the Git branch must be provided. + Please provide them by setting the `cloneStaticSiteFromGit.repository` and `cloneStaticSiteFromGit.branch` parameters. 
+{{- end -}} +{{- end -}} + +{{/* Validate values of NGINX - Incorrect extra volume settings */}} +{{- define "nginx.validateValues.extraVolumes" -}} +{{- if and (.Values.extraVolumes) (not (or .Values.extraVolumeMounts .Values.cloneStaticSiteFromGit.extraVolumeMounts)) -}} +nginx: missing-extra-volume-mounts + You specified extra volumes but not mount points for them. Please set + the extraVolumeMounts value +{{- end -}} +{{- end -}} + +{{/* + Create the name of the service account to use + */}} +{{- define "nginx.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/nginx/templates/deployment.yaml b/kubernetes/common/nginx/templates/deployment.yaml new file mode 100644 index 0000000000..0d8b990e14 --- /dev/null +++ b/kubernetes/common/nginx/templates/deployment.yaml 
@@ -0,0 +1,417 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.updateStrategy }} + strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + template: + metadata: + labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }} + annotations: + {{- if .Values.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.podAnnotations "context" $) | nindent 8 }} + {{- end }} + {{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }} + checksum/server-block-configuration: {{ include (print $.Template.BasePath "/server-block-configmap.yaml") . 
| sha256sum }} + {{- end }} + {{- if and .Values.streamServerBlock (not .Values.existingServerBlockConfigmap) }} + checksum/stream-server-block-configuration: {{ include (print $.Template.BasePath "/stream-server-block-configmap.yaml") . | sha256sum }} + {{- end }} + spec: + {{- include "nginx.imagePullSecrets" . | nindent 6 }} + shareProcessNamespace: {{ .Values.sidecarSingleProcessNamespace }} + serviceAccountName: {{ template "nginx.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + hostNetwork: {{ .Values.hostNetwork }} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy }} + {{- end }} + {{- if .Values.dnsConfig }} + dnsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dnsConfig "context" $) | nindent 8 }} + {{- end }} + hostIPC: {{ .Values.hostIPC }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + 
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.schedulerName }} + schedulerName: {{ .Values.schedulerName | quote }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- end }} + {{- if or .Values.containerSecurityContext.readOnlyRootFilesystem .Values.cloneStaticSiteFromGit.enabled .Values.initContainers }} + initContainers: + {{- if .Values.containerSecurityContext.readOnlyRootFilesystem }} + - name: preserve-logs-symlinks + image: {{ include "nginx.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + command: + - /bin/bash + args: + - -ec + - | + #!/bin/bash + . /opt/bitnami/scripts/libfs.sh + # We copy the logs folder because it has symlinks to stdout and stderr + if ! 
is_dir_empty /opt/bitnami/nginx/logs; then + cp -r /opt/bitnami/nginx/logs /emptydir/app-logs-dir + fi + volumeMounts: + - name: empty-dir + mountPath: /emptydir + {{- end }} + {{- if or .Values.cloneStaticSiteFromGit.enabled .Values.initContainers }} + {{- if .Values.cloneStaticSiteFromGit.enabled }} + - name: git-clone-repository + image: {{ include "nginx.cloneStaticSiteFromGit.image" . }} + imagePullPolicy: {{ .Values.cloneStaticSiteFromGit.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.gitClone.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.gitClone.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + - | + [[ -f "/opt/bitnami/scripts/git/entrypoint.sh" ]] && source "/opt/bitnami/scripts/git/entrypoint.sh" + git clone {{ .Values.cloneStaticSiteFromGit.repository }} --branch {{ .Values.cloneStaticSiteFromGit.branch }} /tmp/app + [[ "$?" 
-eq 0 ]] && shopt -s dotglob && rm -rf /app/* && mv /tmp/app/* /app/ + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.gitClone.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.gitClone.args "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /etc/ssh + subPath: etc-ssh-dir + - name: empty-dir + mountPath: /.ssh + subPath: ssh-dir + - name: staticsite + mountPath: /app + {{- if .Values.cloneStaticSiteFromGit.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.extraEnvVars }} + env: {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.extraEnvVarsSecret }} + envFrom: + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + {{- end }} + {{- end }} + containers: + {{- if .Values.cloneStaticSiteFromGit.enabled }} + - name: git-repo-syncer + image: {{ include "nginx.cloneStaticSiteFromGit.image" . 
}} + imagePullPolicy: {{ .Values.cloneStaticSiteFromGit.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.gitSync.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.gitSync.command "context" $) | nindent 12 }} + {{- else }} + command: + - /bin/bash + - -ec + - | + [[ -f "/opt/bitnami/scripts/git/entrypoint.sh" ]] && source "/opt/bitnami/scripts/git/entrypoint.sh" + while true; do + cd /app && git -c safe.directory=/app pull origin {{ .Values.cloneStaticSiteFromGit.branch }} + sleep {{ .Values.cloneStaticSiteFromGit.interval }} + done + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.gitSync.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.gitSync.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.gitSync.resources }} + resources: {{- toYaml .Values.cloneStaticSiteFromGit.gitSync.resources | nindent 12 }} + {{- else if ne .Values.cloneStaticSiteFromGit.gitSync.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.cloneStaticSiteFromGit.gitSync.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /etc/ssh + subPath: etc-ssh-dir + - name: empty-dir + mountPath: /.ssh + subPath: ssh-dir + - name: staticsite + mountPath: /app + {{- if .Values.cloneStaticSiteFromGit.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.extraEnvVars }} + env: {{- include "common.tplvalues.render" (dict "value" 
.Values.cloneStaticSiteFromGit.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.cloneStaticSiteFromGit.extraEnvVarsSecret }} + envFrom: + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.cloneStaticSiteFromGit.extraEnvVarsSecret "context" $) }} + {{- end }} + {{- end }} + - name: nginx + image: {{ include "nginx.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" .Values.image.debug | quote }} + {{- if .Values.containerPorts.http }} + - name: NGINX_HTTP_PORT_NUMBER + value: {{ .Values.containerPorts.http | quote }} + {{- end }} + {{- if .Values.containerPorts.https }} + - name: NGINX_HTTPS_PORT_NUMBER + value: {{ .Values.containerPorts.https | quote }} + {{- end }} + {{- if or .Values.streamServerBlock .Values.existingStreamServerBlockConfigmap }} + - name: NGINX_ENABLE_STREAM + value: "true" + {{- end }} + {{- if .Values.extraEnvVars 
}} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + ports: + {{- if .Values.containerPorts.http }} + - name: http + containerPort: {{ .Values.containerPorts.http }} + {{- end }} + {{- if .Values.containerPorts.https }} + - name: https + containerPort: {{ .Values.containerPorts.https }} + {{- end }} + {{- if .Values.extraContainerPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraContainerPorts "context" $) | nindent 12 }} + {{- end }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: {{ ternary "https" "http" (and (empty .Values.containerPorts.http) (not (empty .Values.containerPorts.https))) }} + {{- end }} + {{- if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled" "path") "context" $) | nindent 12 }} + httpGet: + path: {{ .Values.readinessProbe.path }} + port: {{ ternary "https" "http" (and (empty .Values.containerPorts.http) (not (empty .Values.containerPorts.https))) }} + {{- end }} + {{- if 
.Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: {{ ternary "https" "http" (and (empty .Values.containerPorts.http) (not (empty .Values.containerPorts.https))) }} + {{- end }} + {{- end }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }} + {{- end }} + volumeMounts: + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - name: empty-dir + mountPath: /opt/bitnami/nginx/conf + subPath: app-conf-dir + - name: empty-dir + mountPath: /opt/bitnami/nginx/logs + subPath: app-logs-dir + - name: empty-dir + mountPath: /opt/bitnami/nginx/tmp + subPath: app-tmp-dir + {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }} + - name: nginx-server-block + mountPath: /opt/bitnami/nginx/conf/server_blocks + {{- end }} + {{- if or .Values.streamServerBlock .Values.existingStreamServerBlockConfigmap }} + - name: nginx-stream-server-block + mountPath: /opt/bitnami/nginx/conf/stream_server_blocks + {{- end }} + {{- if (include "nginx.useStaticSite" .) }} + - name: staticsite + mountPath: /app + {{- end }} + {{- if .Values.tls.enabled }} + - name: certificate + mountPath: /certs + {{- else }} + - name: empty-dir + mountPath: /certs + subPath: app-tls-dir + {{- end }} + {{- if .Values.extraVolumeMounts }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "nginx.metrics.image" . 
}} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.securityContext.enabled }} + securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.securityContext "context" $) | nindent 12 }} + {{- end }} + command: + - exporter + args: + - --nginx.scrape-uri + - {{ printf "http://127.0.0.1:%d/status" (int (default .Values.containerPorts.http .Values.metrics.port)) | quote }} + - --web.listen-address + - {{ printf ":%d" (int .Values.metrics.containerPorts.metrics) | quote }} + {{- if .Values.metrics.extraArgs }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraArgs "context" $ ) | nindent 12 }} + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.containerPorts.metrics }} + livenessProbe: + httpGet: + path: /metrics + port: metrics + initialDelaySeconds: 15 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /metrics + port: metrics + initialDelaySeconds: 5 + timeoutSeconds: 1 + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- else if ne .Values.metrics.resourcesPreset "none" }} + resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: empty-dir + emptyDir: {} + {{- if .Values.tls.enabled }} + - name: certificate + secret: + {{- if .Values.tls.existingSecret }} + secretName: {{ .Values.tls.existingSecret }} + {{- else }} + secretName: {{ printf "%s-tls" (include "common.names.fullname" .) 
}} + items: + - key: tls.crt + path: server.crt + - key: tls.key + path: server.key + {{- end }} + {{- end }} + {{- if or .Values.serverBlock .Values.existingServerBlockConfigmap }} + - name: nginx-server-block + configMap: + name: {{ include "nginx.serverBlockConfigmapName" . }} + {{- end }} + {{- if or .Values.streamServerBlock .Values.existingStreamServerBlockConfigmap }} + - name: nginx-stream-server-block + configMap: + name: {{ include "nginx.streamServerBlockConfigmapName" . }} + {{- end }} + {{- if (include "nginx.useStaticSite" .) }} + - name: staticsite + {{- include "nginx.staticSiteVolume" . | nindent 10 }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.extraVolumes "context" $) | nindent 8 }} + {{- end }} diff --git a/kubernetes/common/nginx/templates/extra-list.yaml b/kubernetes/common/nginx/templates/extra-list.yaml new file mode 100644 index 0000000000..329f5c653a --- /dev/null +++ b/kubernetes/common/nginx/templates/extra-list.yaml @@ -0,0 +1,9 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/health-ingress.yaml b/kubernetes/common/nginx/templates/health-ingress.yaml new file mode 100644 index 0000000000..5df37e018e --- /dev/null +++ b/kubernetes/common/nginx/templates/health-ingress.yaml 
@@ -0,0 +1,59 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.healthIngress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ include "common.names.fullname" . }}-health + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.healthIngress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.healthIngress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.healthIngress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.healthIngress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.healthIngress.hostname }} + - host: {{ .Values.healthIngress.hostname }} + http: + paths: + {{- if .Values.healthIngress.extraPaths }} + {{- toYaml .Values.healthIngress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.healthIngress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.healthIngress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) 
"servicePort" (ternary "http" "https" (not .Values.containerPorts.https)) "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.healthIngress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" (ternary "http" "https" (not $.Values.containerPorts.https)) "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.healthIngress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.healthIngress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.healthIngress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.healthIngress.annotations )) .Values.healthIngress.selfSigned (not (empty .Values.healthIngress.secrets)))) .Values.healthIngress.extraTls }} + tls: + {{- if and .Values.healthIngress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.healthIngress.annotations )) .Values.healthIngress.selfSigned (not (empty .Values.healthIngress.secrets))) }} + - hosts: + - {{ .Values.healthIngress.hostname | quote }} + secretName: {{ printf "%s-health-tls" .Values.healthIngress.hostname }} + {{- end }} + {{- if .Values.healthIngress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.healthIngress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/hpa.yaml b/kubernetes/common/nginx/templates/hpa.yaml new file mode 100644 index 0000000000..44b5395f20 --- /dev/null +++ b/kubernetes/common/nginx/templates/hpa.yaml 
@@ -0,0 +1,48 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ ) }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + scaleTargetRef: + apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} + kind: Deployment + name: {{ template "common.names.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/ingress-tls-secret.yaml b/kubernetes/common/nginx/templates/ingress-tls-secret.yaml new file mode 100644 index 0000000000..d2943767c5 --- /dev/null +++ b/kubernetes/common/nginx/templates/ingress-tls-secret.yaml 
@@ -0,0 +1,83 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.ingress.enabled }} +{{- if .Values.ingress.secrets }} +{{- range .Values.ingress.secrets }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .name }} + namespace: {{ include "common.names.namespace" $ | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ .certificate | b64enc }} + tls.key: {{ .key | b64enc }} +--- +{{- end }} +{{- else if and .Values.ingress.tls .Values.ingress.selfSigned }} +{{- $secretName := printf "%s-tls" .Values.ingress.hostname }} +{{- $ca := genCA "nginx-ca" 365 }} +{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ include "common.names.namespace" . 
| quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} +--- +{{- end }} +{{- end }} +{{- if .Values.healthIngress.enabled }} +{{- if .Values.healthIngress.secrets }} +{{- range .Values.healthIngress.secrets }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .name }} + namespace: {{ include "common.names.namespace" $ | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ .certificate | b64enc }} + tls.key: {{ .key | b64enc }} +--- +{{- end }} +{{- else if and .Values.healthIngress.tls .Values.healthIngress.selfSigned }} +{{- $secretName := printf "%s-tls" .Values.healthIngress.hostname }} +{{- $ca := genCA "nginx-health-ca" 365 }} +{{- $cert := genSignedCert .Values.healthIngress.hostname nil (list .Values.healthIngress.hostname) 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secretName }} + namespace: {{ include "common.names.namespace" . 
| quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} + tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} + ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} +--- +{{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/ingress.yaml b/kubernetes/common/nginx/templates/ingress.yaml new file mode 100644 index 0000000000..b49f86b46f --- /dev/null +++ b/kubernetes/common/nginx/templates/ingress.yaml 
@@ -0,0 +1,73 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.ingress.enabled }} +apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.ingress.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.ingress.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }} + ingressClassName: {{ .Values.ingress.ingressClassName | quote }} + {{- end }} + rules: + {{- if .Values.ingress.hostname }} + - host: {{ .Values.ingress.hostname | quote }} + http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "http" "context" $) | nindent 14 }} + {{- else if .Values.ingress.path }} + - http: + paths: + {{- if .Values.ingress.extraPaths }} + {{- toYaml .Values.ingress.extraPaths | nindent 10 }} + {{- end }} + - path: {{ .Values.ingress.path }} + {{- if eq "true" (include "common.ingress.supportsPathType" .) }} + pathType: {{ .Values.ingress.pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) 
"servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- range .Values.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default "/" .path }} + {{- if eq "true" (include "common.ingress.supportsPathType" $) }} + pathType: {{ default "ImplementationSpecific" .pathType }} + {{- end }} + backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.ingress.extraRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }} + {{- end }} + {{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned (not (empty .Values.ingress.secrets)))) .Values.ingress.extraTls }} + tls: + {{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.ingress.annotations )) .Values.ingress.selfSigned (not (empty .Values.ingress.secrets))) }} + - hosts: + - {{ .Values.ingress.hostname | quote }} + {{- if and (or (.Values.ingress.tlsWwwPrefix) (eq (index .Values.ingress.annotations "nginx.ingress.kubernetes.io/from-to-www-redirect") "true" )) (not (contains "www." .Values.ingress.hostname)) }} + - {{ printf "www.%s" (tpl .Values.ingress.hostname $) | quote }} + {{- end }} + secretName: {{ printf "%s-tls" .Values.ingress.hostname }} + {{- end }} + {{- if .Values.ingress.extraTls }} + {{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraTls "context" $) | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/networkpolicy.yaml b/kubernetes/common/nginx/templates/networkpolicy.yaml new file mode 100644 index 0000000000..327e1fa37f --- /dev/null +++ b/kubernetes/common/nginx/templates/networkpolicy.yaml 
@@ -0,0 +1,71 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + egress: + {{- if .Values.networkPolicy.allowExternalEgress }} + - {} + {{- else }} + - ports: + # Allow dns resolution + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.http }} + {{- if .Values.containerPorts.https }} + - port: {{ .Values.containerPorts.https }} + {{- end }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/pdb.yaml b/kubernetes/common/nginx/templates/pdb.yaml new file mode 100644 index 0000000000..821b4f9f70 --- /dev/null +++ b/kubernetes/common/nginx/templates/pdb.yaml 
@@ -0,0 +1,26 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.pdb.create }} +apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.pdb.minAvailable }} + minAvailable: {{ .Values.pdb.minAvailable }} + {{- end }} + {{- if or .Values.pdb.maxUnavailable (not .Values.pdb.minAvailable)}} + maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/prometheusrules.yaml b/kubernetes/common/nginx/templates/prometheusrules.yaml new file mode 100644 index 0000000000..d2d728ff24 --- /dev/null +++ b/kubernetes/common/nginx/templates/prometheusrules.yaml 
@@ -0,0 +1,24 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.prometheusRule.namespace | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.metrics.prometheusRule.additionalLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "common.names.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 6 }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/server-block-configmap.yaml b/kubernetes/common/nginx/templates/server-block-configmap.yaml new file mode 100644 index 0000000000..940c50ec79 --- /dev/null +++ b/kubernetes/common/nginx/templates/server-block-configmap.yaml 
@@ -0,0 +1,19 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.serverBlock (not .Values.existingServerBlockConfigmap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-server-block + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + server-block.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.serverBlock "context" $ ) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/serviceaccount.yaml b/kubernetes/common/nginx/templates/serviceaccount.yaml new file mode 100644 index 0000000000..20fb4928f3 --- /dev/null +++ b/kubernetes/common/nginx/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "nginx.serviceAccountName" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} 
diff --git a/kubernetes/common/nginx/templates/servicemonitor.yaml b/kubernetes/common/nginx/templates/servicemonitor.yaml new file mode 100644 index 0000000000..d597e06be0 --- /dev/null +++ b/kubernetes/common/nginx/templates/servicemonitor.yaml 
@@ -0,0 +1,45 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }} + {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }} + labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel | quote }} + selector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + endpoints: + - port: metrics + path: /metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include 
"common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/stream-server-block-configmap.yaml b/kubernetes/common/nginx/templates/stream-server-block-configmap.yaml new file mode 100644 index 0000000000..11b39d404b --- /dev/null +++ b/kubernetes/common/nginx/templates/stream-server-block-configmap.yaml @@ -0,0 +1,19 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.streamServerBlock (not .Values.existingStreamServerBlockConfigmap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }}-stream-server-block + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + stream-server-block.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.streamServerBlock "context" $ ) | nindent 4 }} +{{- end }} diff --git a/kubernetes/common/nginx/templates/svc.yaml b/kubernetes/common/nginx/templates/svc.yaml new file mode 100644 index 0000000000..e86926fa49 --- /dev/null +++ b/kubernetes/common/nginx/templates/svc.yaml 
@@ -0,0 +1,69 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + annotations: + {{- if or .Values.service.annotations .Values.commonAnnotations }} + {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} + {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }} + clusterIP: {{ .Values.service.clusterIP }} + {{- end }} + {{- if .Values.service.sessionAffinity }} + sessionAffinity: {{ .Values.service.sessionAffinity }} + {{- end }} + {{- if .Values.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + {{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP 
}} + {{- end }} + {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerClass }} + loadBalancerClass: {{ .Values.service.loadBalancerClass }} + {{- end }} + ports: + {{- if .Values.containerPorts.http }} + - name: http + port: {{ .Values.service.ports.http }} + targetPort: {{ .Values.service.targetPort.http }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.http)) }} + nodePort: {{ .Values.service.nodePorts.http }} + {{- end }} + {{- end }} + {{- if .Values.containerPorts.https }} + - name: https + port: {{ .Values.service.ports.https }} + targetPort: {{ .Values.service.targetPort.https }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.https)) }} + nodePort: {{ .Values.service.nodePorts.https }} + {{- end }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + port: {{ .Values.metrics.service.port }} + targetPort: metrics + {{- end }} + {{- if .Values.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} + selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }} diff --git a/kubernetes/common/nginx/templates/tls-secret.yaml b/kubernetes/common/nginx/templates/tls-secret.yaml new file mode 100644 index 0000000000..4a265f5243 --- /dev/null +++ b/kubernetes/common/nginx/templates/tls-secret.yaml 
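Review bot: in `kubernetes/common/nginx/templates/servicemonitor.yaml`, `namespaceSelector.matchNames` is hard-wired to `{{ .Release.Namespace }}`, while the Service it is meant to select is created in `include "common.names.namespace" .`. With `namespaceOverride` set, the ServiceMonitor selects a namespace the Service is not in and the metrics endpoint silently goes unscraped. Suggest rendering the same helper there, for example `- {{ include "common.names.namespace" . | quote }}`. A smaller point in the same hunk: `jobLabel` is always emitted and renders as an empty string when unset; guard it the way `interval` and `scrapeTimeout` are guarded.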
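Review bot: in `kubernetes/common/nginx/templates/svc.yaml`, the `annotations:` key is written unconditionally and then filled by two independent blocks, the merged `service.annotations`/`commonAnnotations` and `metrics.service.annotations`. With nothing configured the manifest carries an empty `annotations:`, and a key present in both sources is rendered twice under the same map. Suggest merging all three sources in a single `common.tplvalues.merge` call and moving the `annotations:` key inside the `if`. On exposure: `loadBalancerSourceRanges` is only rendered when non-empty, so a `LoadBalancer` Service accepts traffic from any source unless the operator sets it; that is worth stating next to `service.type` in the values documentation.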
@@ -0,0 +1,35 @@ +{{- /* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) }} +{{- $ca := genCA "nginx-ca" 365 }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-tls" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + {{- if .Values.tls.autoGenerated }} + {{- $cert := genSignedCert (include "common.names.fullname" .) nil (list (include "common.names.fullname" .) (printf "%s.%s" (include "common.names.fullname" .) (include "common.names.namespace" .)) (printf "%s.%s.svc" (include "common.names.fullname" .) (include "common.names.namespace" .)) (printf "%s.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" .) 
.Values.clusterDomain)) 365 $ca }} + {{ .Values.tls.certFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certFilename "defaultValue" $cert.Cert "context" $) }} + {{ .Values.tls.certKeyFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certKeyFilename "defaultValue" $cert.Key "context" $) }} + {{ .Values.tls.certCAFilename }}: {{ include "common.secrets.lookup" (dict "secret" (printf "%s-tls" (include "common.names.fullname" .)) "key" .Values.tls.certCAFilename "defaultValue" $ca.Cert "context" $) }} + {{- else }} + {{- if .Values.tls.cert }} + {{ .Values.tls.certFilename }}: {{ .Values.tls.cert | b64enc }} + {{- end }} + {{- if .Values.tls.key }} + {{ .Values.tls.certKeyFilename }}: {{ .Values.tls.key | b64enc }} + {{- end }} + {{- if .Values.tls.ca }} + {{ .Values.tls.certCAFilename }}: {{ .Values.tls.ca | b64enc }} + {{- end }} + {{- end }} +{{- end }} diff --git a/kubernetes/common/nginx/values.schema.json b/kubernetes/common/nginx/values.schema.json new file mode 100644 index 0000000000..ccb7bcd848 --- /dev/null +++ b/kubernetes/common/nginx/values.schema.json 
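Review bot: in `kubernetes/common/nginx/templates/tls-secret.yaml`, `{{- $ca := genCA "nginx-ca" 365 }}` sits outside the `tls.autoGenerated` branch, so a CA key pair is generated on every render even when the operator supplies `tls.cert` and `tls.key`; move it inside `{{- if .Values.tls.autoGenerated }}`. The validity of both the CA and the leaf is fixed at 365 days, and the three `common.secrets.lookup` calls pass the fresh material only as `defaultValue`, which suggests an existing Secret is reused on upgrade. If that is the behaviour, `helm upgrade` never renews the certificate and it expires after a year, so the validity should be a value and the rotation procedure documented. In the non-generated branch the private key arrives through `.Values.tls.key`, which keeps it in the release's stored values; the values comment should point production users to `tls.existingSecret` instead. With `autoGenerated: false` and none of `tls.cert`, `tls.key`, `tls.ca` set, the hunk renders a `kubernetes.io/tls` Secret with an empty `data:`; a `required` or `fail` guard would give a clearer error than the API server's rejection.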
@@ -0,0 +1,125 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "ingress": { + "type": "object", + "form": true, + "title": "Ingress details", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Use a custom hostname", + "description": "Enable the ingress resource that allows you to access the NGINX installation." + }, + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "hidden": { + "value": false, + "path": "ingress/enabled" + } + } + } + }, + "service": { + "type": "object", + "form": true, + "title": "Service Configuration", + "properties": { + "type": { + "type": "string", + "form": true, + "title": "Service Type", + "description": "Allowed values: \"ClusterIP\", \"NodePort\" and \"LoadBalancer\"" + } + } + }, + "replicaCount": { + "type": "integer", + "form": true, + "title": "Number of replicas", + "description": "Number of replicas to deploy" + }, + "serverBlock": { + "type": "string", + "form": true, + "title": "Custom server block", + "description": "Custom server block to be added to NGINX configuration" + }, + "streamServerBlock": { + "type": "string", + "form": true, + "title": "Custom stream server block", + "description": "Custom stream server block to be added to NGINX configuration" + }, + "containerSecurityContext": { + "type": "object", + "form": true, + "title": "NGINX containers' Security Context", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Security Context", + "description": "Whether to enable NGINX containers' Security Context" + }, + "runAsUser": { + "type": "integer", + "form": true, + "title": "ID of the user", + "description": "The UID of the user NGINX containers will run as" + } + } + }, + "podSecurityContext": { + "type": "object", + "form": true, + "title": "NGINX pods' Security Context", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Security 
Context", + "description": "Whether to enable NGINX pods' Security Context" + }, + "fsGroup": { + "type": "integer", + "form": true, + "title": "ID of the group", + "description": "The GID of the group NGINX pods will run as" + } + } + }, + "metrics": { + "type": "object", + "form": true, + "title": "Prometheus metrics details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus metrics exporter", + "description": "Create a side-car container to expose Prometheus metrics", + "form": true + }, + "serviceMonitor": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Create Prometheus Operator ServiceMonitor", + "description": "Create a ServiceMonitor to track metrics using Prometheus Operator", + "form": true, + "hidden": { + "value": false, + "path": "metrics/enabled" + } + } + } + } + } + } + } +} diff --git a/kubernetes/common/nginx/values.yaml b/kubernetes/common/nginx/values.yaml new file mode 100644 index 0000000000..49e4e4c450 --- /dev/null +++ b/kubernetes/common/nginx/values.yaml 
@@ -0,0 +1,1094 @@ +# Copyright Broadcom, Inc. All Rights Reserved. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + ## Security parameters + ## + security: + ## @param global.security.allowInsecureImages Allows skipping image verification + ## + allowInsecureImages: false + ## Compatibility adaptations for Kubernetes platforms + ## + compatibility: + ## Compatibility adaptations for Openshift + ## + openshift: + ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. 
Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) + ## + adaptSecurityContext: auto +## @section Common parameters + +## @param nameOverride String to partially override nginx.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override nginx.fullname template +## +fullnameOverride: "" +## @param namespaceOverride String to fully override common.names.namespace +## +namespaceOverride: "" +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param clusterDomain Kubernetes Cluster Domain +## +clusterDomain: cluster.local +## @param extraDeploy Extra objects to deploy (value evaluated as a template) +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources +## +commonLabels: {} +## @param commonAnnotations Add annotations to all the deployed resources +## +commonAnnotations: {} +## Enable diagnostic mode in the deployment(s)/statefulset(s) +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the the deployment(s)/statefulset(s) + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the the deployment(s)/statefulset(s) + ## + args: + - infinity +## @section NGINX parameters + +## Bitnami NGINX image version +## ref: https://hub.docker.com/r/bitnami/nginx/tags/ +## @param image.registry [default: REGISTRY_NAME] NGINX image registry +## @param image.repository [default: REPOSITORY_NAME/nginx] NGINX image repository +## @skip image.tag NGINX image tag (immutable tags are recommended) +## @param image.digest NGINX image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag +## @param image.pullPolicy NGINX image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Set to true if you would like to see extra information on logs +## +image: + registry: docker.io + repository: bitnami/nginx + tag: 1.27.3-debian-12-r5 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## E.g.: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false +## @param hostAliases Deployment pod host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] +## Command and args for running the container (set to default if not set). 
Use array form +## @param command Override default container command (useful when using custom images) +## @param args Override default container args (useful when using custom images) +## +command: [] +args: [] +## @param extraEnvVars Extra environment variables to be set on NGINX containers +## E.g: +## extraEnvVars: +## - name: FOO +## value: BAR +## +extraEnvVars: [] +## @param extraEnvVarsCM ConfigMap with extra environment variables +## +extraEnvVarsCM: "" +## @param extraEnvVarsSecret Secret with extra environment variables +## +extraEnvVarsSecret: "" +## @section NGINX deployment parameters + +## @param replicaCount Number of NGINX replicas to deploy +## +replicaCount: 1 +## @param revisionHistoryLimit The number of old history to retain to allow rollback +## +revisionHistoryLimit: 1 +## @param updateStrategy.type NGINX deployment strategy type +## @param updateStrategy.rollingUpdate NGINX deployment rolling update configuration parameters +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +## +updateStrategy: + type: RollingUpdate + rollingUpdate: {} +## @param podLabels Additional labels for NGINX pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} +## @param podAnnotations Annotations for NGINX pods +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} +## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAffinityPreset: "" +## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## +podAntiAffinityPreset: soft +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## +nodeAffinityPreset: + ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] +## @param affinity Affinity for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set +## +affinity: {} +## @param hostNetwork Specify if host network should be enabled for NGINX pod +## +hostNetwork: false +## @param hostIPC Specify if host IPC should be enabled for NGINX pod +## +hostIPC: false +## DNS-Pod services +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## @param dnsPolicy Specifies the DNS policy for the NGINX pod +## DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the following Pod-specific DNS policies. +## Available options: Default, ClusterFirst, ClusterFirstWithHostNet, None +## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +dnsPolicy: "" +## @param dnsConfig Allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None` +## The dnsConfig field is optional and it can work with any dnsPolicy settings. 
+## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +## E.g. +## dnsConfig: +## nameservers: +## - 192.0.2.1 # this is an example +## searches: +## - ns1.svc.cluster-domain.example +## - my.dns.search.suffix +## options: +## - name: ndots +## value: "2" +## - name: edns0 +dnsConfig: {} +## @param nodeSelector Node labels for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +## +nodeSelector: {} +## @param tolerations Tolerations for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] +## @param priorityClassName NGINX pods' priorityClassName +## +priorityClassName: "" +## @param schedulerName Name of the k8s scheduler (other than default) +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +schedulerName: "" +## @param terminationGracePeriodSeconds In seconds, time the given to the NGINX pod needs to terminate gracefully +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods +## +terminationGracePeriodSeconds: "" +## @param topologySpreadConstraints Topology Spread Constraints for pod assignment +## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## The value is evaluated as a template +## +topologySpreadConstraints: [] +## TLS settings +## +tls: + ## @param tls.enabled Enable TLS transport + ## + enabled: false + ## @param tls.autoGenerated Auto-generate self-signed certificates + ## + autoGenerated: true + ## @param tls.existingSecret Name of a secret containing the certificates + ## + existingSecret: "" + ## @param tls.certFilename Path of the certificate file when mounted as a secret + ## + certFilename: tls.crt + ## @param tls.certKeyFilename Path of the certificate key file when mounted as a secret + ## + certKeyFilename: tls.key + ## @param 
tls.certCAFilename Path of the certificate CA file when mounted as a secret + ## + certCAFilename: ca.crt + ## @param tls.cert Content of the certificate to be added to the secret + ## + cert: "" + ## @param tls.key Content of the certificate key to be added to the secret + ## + key: "" + ## @param tls.ca Content of the certificate CA to be added to the secret + ## + ca: "" +## NGINX pods' Security Context. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## @param podSecurityContext.enabled Enabled NGINX pods' Security Context +## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy +## @param podSecurityContext.supplementalGroups Set filesystem extra groups +## @param podSecurityContext.fsGroup Set NGINX pod's Security Context fsGroup +## @param podSecurityContext.sysctls sysctl settings of the NGINX pods +## +podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + supplementalGroups: [] + fsGroup: 1001 + ## sysctl settings + ## Example: + ## sysctls: + ## - name: net.core.somaxconn + ## value: "10000" + ## + sysctls: [] +## NGINX containers' Security Context. 
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## @param containerSecurityContext.enabled Enabled containers' Security Context +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container +## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser +## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup +## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot +## @param containerSecurityContext.privileged Set container's Security Context privileged +## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem +## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation +## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped +## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile +## +containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsUser: 1001 + runAsGroup: 1001 + runAsNonRoot: true + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" +## Configures the ports NGINX listens on +## @param containerPorts.http Sets http port inside NGINX container +## @param containerPorts.https Sets https port inside NGINX container +## +containerPorts: + http: 8080 + https: 8443 +## @param extraContainerPorts Array of additional container ports for the Nginx container +## e.g: +## extraContainerPorts: +## - name: grpc +## containerPort: 4317 +## +extraContainerPorts: [] +## NGINX containers' resource requests and limits +## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +## We usually recommend not to specify 
default resources and to leave this as a conscious +## choice for the user. This also increases chances charts run on environments with little +## resources, such as Minikube. If you do want to specify resources, uncomment the following +## lines, adjust them as necessary, and remove the curly braces after 'resources:'. +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 +## +resourcesPreset: "nano" +## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) +## Example: +## resources: +## requests: +## cpu: 2 +## memory: 512Mi +## limits: +## cpu: 3 +## memory: 1024Mi +## +resources: {} +## NGINX containers' lifecycleHooks +## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/ +## If you do want to specify lifecycleHooks, uncomment the following +## lines, adjust them as necessary, and remove the curly braces on 'lifecycle:{}'. +## @param lifecycleHooks Optional lifecycleHooks for the NGINX container +lifecycleHooks: {} +## Example: +## postStart: +## exec: +## command: ["/bin/sh", "-c", "echo Hello from the postStart handler > /usr/share/message"] +## Example: +## preStop: +## exec: +## command: ["/bin/sleep", "20"] +## command: ["/bin/sh","-c","nginx -s quit; while killall -0 nginx; do sleep 1; done"] + +## NGINX containers' startup probe. 
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param startupProbe.enabled Enable startupProbe +## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe +## @param startupProbe.periodSeconds Period seconds for startupProbe +## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe +## @param startupProbe.failureThreshold Failure threshold for startupProbe +## @param startupProbe.successThreshold Success threshold for startupProbe +## +startupProbe: + enabled: false + initialDelaySeconds: 30 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 +## NGINX containers' liveness probe. +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param livenessProbe.enabled Enable livenessProbe +## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe +## @param livenessProbe.periodSeconds Period seconds for livenessProbe +## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe +## @param livenessProbe.failureThreshold Failure threshold for livenessProbe +## @param livenessProbe.successThreshold Success threshold for livenessProbe +## +livenessProbe: + enabled: true + initialDelaySeconds: 30 + timeoutSeconds: 5 + periodSeconds: 10 + failureThreshold: 6 + successThreshold: 1 +## NGINX containers' readiness probe. 
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +## @param readinessProbe.enabled Enable readinessProbe +## @param readinessProbe.path Request path for livenessProbe +## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe +## @param readinessProbe.periodSeconds Period seconds for readinessProbe +## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe +## @param readinessProbe.failureThreshold Failure threshold for readinessProbe +## @param readinessProbe.successThreshold Success threshold for readinessProbe +## +readinessProbe: + enabled: true + path: / + initialDelaySeconds: 5 + timeoutSeconds: 3 + periodSeconds: 5 + failureThreshold: 3 + successThreshold: 1 +## @param customStartupProbe Custom liveness probe for the Web component +## +customStartupProbe: {} +## @param customLivenessProbe Override default liveness probe +## +customLivenessProbe: {} +## @param customReadinessProbe Override default readiness probe +## +customReadinessProbe: {} +## Autoscaling parameters +## @param autoscaling.enabled Enable autoscaling for NGINX deployment +## @param autoscaling.minReplicas Minimum number of replicas to scale back +## @param autoscaling.maxReplicas Maximum number of replicas to scale out +## @param autoscaling.targetCPU Target CPU utilization percentage +## @param autoscaling.targetMemory Target Memory utilization percentage +## +autoscaling: + enabled: false + minReplicas: "" + maxReplicas: "" + targetCPU: "" + targetMemory: "" +## @param extraVolumes Array to add extra volumes +## +extraVolumes: [] +## @param extraVolumeMounts Array to add extra mount +## +extraVolumeMounts: [] +## Pods Service Account +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for nginx pod + ## + create: true + ## @param serviceAccount.name The name of the 
ServiceAccount to use. + ## If not set and create is true, a name is generated using the `common.names.fullname` template + name: "" + ## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. + ## Only used if `create` is `true`. + ## + annotations: {} + ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod + ## + automountServiceAccountToken: false +## @param sidecars Sidecar parameters +## e.g: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +sidecars: [] +## @param sidecarSingleProcessNamespace Enable sharing the process namespace with sidecars +## This will switch pod.spec.shareProcessNamespace parameter +## +sidecarSingleProcessNamespace: false +## @param initContainers Extra init containers +## +initContainers: [] +## Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## +pdb: + ## @param pdb.create Created a PodDisruptionBudget + ## + create: true + ## @param pdb.minAvailable Min number of pods that must still be available after the eviction. + ## You can specify an integer or a percentage by setting the value to a string representation of a percentage (eg. "50%"). It will be disabled if set to 0 + ## + minAvailable: "" + ## @param pdb.maxUnavailable Max number of pods that can be unavailable after the eviction. + ## You can specify an integer or a percentage by setting the value to a string representation of a percentage (eg. "50%"). It will be disabled if set to 0. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty. 
+ ## + maxUnavailable: "" +## @section Custom NGINX application parameters + +## Get the server static content from a git repository +## NOTE: This will override staticSiteConfigmap and staticSitePVC +## +cloneStaticSiteFromGit: + ## @param cloneStaticSiteFromGit.enabled Get the server static content from a Git repository + ## + enabled: false + ## Bitnami Git image version + ## ref: https://hub.docker.com/r/bitnami/git/tags/ + ## @param cloneStaticSiteFromGit.image.registry [default: REGISTRY_NAME] Git image registry + ## @param cloneStaticSiteFromGit.image.repository [default: REPOSITORY_NAME/git] Git image repository + ## @skip cloneStaticSiteFromGit.image.tag Git image tag (immutable tags are recommended) + ## @param cloneStaticSiteFromGit.image.digest Git image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param cloneStaticSiteFromGit.image.pullPolicy Git image pull policy + ## @param cloneStaticSiteFromGit.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/git + tag: 2.48.0-debian-12-r0 + digest: "" + ## Specify a imagePullPolicy + ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param cloneStaticSiteFromGit.repository Git Repository to clone static content from + ## + repository: "" + ## @param cloneStaticSiteFromGit.branch Git branch to checkout + ## + branch: "" + ## @param cloneStaticSiteFromGit.interval Interval for sidecar container pull from the Git repository + ## + interval: 60 + ## Additional configuration for git-clone-repository initContainer + ## + gitClone: + ## @param cloneStaticSiteFromGit.gitClone.command Override default container command for git-clone-repository + ## + command: [] + ## @param cloneStaticSiteFromGit.gitClone.args Override default container args for git-clone-repository + ## + args: [] + ## Additional configuration for the git-repo-syncer container + ## + gitSync: + ## @param cloneStaticSiteFromGit.gitSync.command Override default container command for git-repo-syncer + ## + command: [] + ## @param cloneStaticSiteFromGit.gitSync.args Override default container args for git-repo-syncer + ## + args: [] + ## git-repo-syncer resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## @param cloneStaticSiteFromGit.gitSync.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if cloneStaticSiteFromGit.gitSync.resources is set (cloneStaticSiteFromGit.gitSync.resources is recommended for production). 
+ ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param cloneStaticSiteFromGit.gitSync.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## @param cloneStaticSiteFromGit.extraEnvVars Additional environment variables to set for the in the containers that clone static site from git + ## E.g: + ## extraEnvVars: + ## - name: FOO + ## value: BAR + ## + extraEnvVars: [] + ## @param cloneStaticSiteFromGit.extraEnvVarsSecret Secret with extra environment variables + ## + extraEnvVarsSecret: "" + ## @param cloneStaticSiteFromGit.extraVolumeMounts Add extra volume mounts for the Git containers + ## Useful to mount keys to connect through ssh. (normally used with extraVolumes) + ## E.g: + ## extraVolumeMounts: + ## - name: ssh-dir + ## mountPath: /root/.ssh/ + ## + extraVolumeMounts: [] +## @param serverBlock Custom server block to be added to NGINX configuration +## PHP-FPM example server block: +## serverBlock: |- +## server { +## listen 0.0.0.0:8080; +## root /app; +## location / { +## index index.html index.php; +## } +## location ~ \.php$ { +## fastcgi_pass phpfpm-server:9000; +## fastcgi_index index.php; +## include fastcgi.conf; +## } +## } +## +serverBlock: "" +## @param streamServerBlock Custom stream server block to be added to NGINX configuration +## streamServerBlock: |- +## server { +## listen 0.0.0.0:8080 udp; +## proxy_pass localhost:9000; +## } +## +streamServerBlock: "" +## @param existingServerBlockConfigmap ConfigMap with custom server block to be added to NGINX configuration +## NOTE: This will override serverBlock +## +existingServerBlockConfigmap: "" +## @param existingStreamServerBlockConfigmap ConfigMap with custom stream server block to be 
added to NGINX configuration +## NOTE: This will override streamServerBlock +## +existingStreamServerBlockConfigmap: "" +## @param staticSiteConfigmap Name of existing ConfigMap with the server static site content +## +staticSiteConfigmap: "" +## @param staticSitePVC Name of existing PVC with the server static site content +## NOTE: This will override staticSiteConfigmap +## +staticSitePVC: "" +## @section Traffic Exposure parameters + +## NGINX Service properties +## +service: + ## @param service.type Service type + ## + type: ClusterIP + ## @param service.ports.http Service HTTP port + ## @param service.ports.https Service HTTPS port + ## + ports: + http: 80 + https: 443 + ## + ## @param service.nodePorts [object] Specify the nodePort(s) value(s) for the LoadBalancer and NodePort service types. + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + http: "" + https: "" + ## @param service.targetPort [object] Target port reference value for the Loadbalancer service types can be specified explicitly. + ## Listeners for the Loadbalancer can be custom mapped to the http or https service. 
+ ## Example: Mapping the https listener to targetPort http [http: https] + ## + targetPort: + http: http + https: https + ## @param service.clusterIP NGINX service Cluster IP + ## e.g.: + ## clusterIP: None + ## + clusterIP: "" + ## @param service.loadBalancerIP LoadBalancer service IP address + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param service.loadBalancerSourceRanges NGINX service Load Balancer sources + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g: + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param service.loadBalancerClass service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer + ## + loadBalancerClass: "" + ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param service.annotations Service annotations + ## This can be used to set the LoadBalancer service type to internal only. 
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + annotations: {} + ## @param service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster +## Network Policies +## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +## Configure the ingress resource that allows you to access the +## Nginx installation. Set up the URL +## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +## +ingress: + ## @param ingress.enabled Set to true to enable ingress record generation + ## + enabled: false + ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param ingress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set) + ## + apiVersion: "" + ## @param ingress.hostname Default host for the ingress resource + ## + hostname: nginx.local + ## @param ingress.path The Path to Nginx. You may need to set this to '/*' in order to use this with ALB ingress controllers. 
+ ## + path: / + ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. + ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param ingress.ingressClassName Set the ingerssClassName on the ingress record for k8s 1.18+ + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param ingress.tls Create TLS Secret + ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} + ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it + ## + tls: false + ## @param ingress.tlsWwwPrefix Adds www subdomain to default cert + ## Creates tls host with ingress.hostname: {{ print "www.%s" .Values.ingress.hostname }} + ## Is enabled if "nginx.ingress.kubernetes.io/from-to-www-redirect" is "true" + tlsWwwPrefix: false + ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. + ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array + ## extraHosts: + ## - name: nginx.local + ## path: / + ## + extraHosts: [] + ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host. 
+ ## For example: The ALB ingress controller requires a special rule for handling SSL redirection. + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## extraTls: + ## - hosts: + ## - nginx.local + ## secretName: nginx.local-tls + ## + extraTls: [] + ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or + ## -----BEGIN RSA PRIVATE KEY----- + ## + ## name should line up with a tlsSecret set further up + ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set + ## + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## e.g: + ## - name: nginx.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param ingress.extraRules The list of additional rules to be added to this ingress record. 
Evaluated as a template + ## Useful when looking for additional customization, such as using different backend + ## + extraRules: [] +## Health Ingress parameters +## +healthIngress: + ## @param healthIngress.enabled Set to true to enable health ingress record generation + ## + enabled: false + ## @param healthIngress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm + ## + selfSigned: false + ## @param healthIngress.pathType Ingress path type + ## + pathType: ImplementationSpecific + ## @param healthIngress.hostname When the health ingress is enabled, a host pointing to this will be created + ## + hostname: example.local + ## @param healthIngress.path Default path for the ingress record + ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers + ## + path: / + ## @param healthIngress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. 
+ ## For a full list of possible ingress annotations, please see + ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md + ## Use this parameter to set the required annotations for cert-manager, see + ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations + ## + ## e.g: + ## annotations: + ## kubernetes.io/ingress.class: nginx + ## cert-manager.io/cluster-issuer: cluster-issuer-name + ## + annotations: {} + ## @param healthIngress.tls Enable TLS configuration for the hostname defined at `healthIngress.hostname` parameter + ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.healthIngress.hostname }} + ## You can use the healthIngress.secrets parameter to create this TLS secret, relay on cert-manager to create it, or + ## let the chart create self-signed certificates for you + ## + tls: false + ## @param healthIngress.extraHosts An array with additional hostname(s) to be covered with the ingress record + ## e.g: + ## extraHosts: + ## - name: example.local + ## path: / + ## + extraHosts: [] + ## @param healthIngress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host + ## e.g: + ## extraPaths: + ## - path: /* + ## backend: + ## serviceName: ssl-redirect + ## servicePort: use-annotation + ## + extraPaths: [] + ## @param healthIngress.extraTls TLS configuration for additional hostnames to be covered + ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls + ## E.g. 
+ ## extraTls: + ## - hosts: + ## - example.local + ## secretName: example.local-tls + ## + extraTls: [] + ## @param healthIngress.secrets TLS Secret configuration + ## If you're providing your own certificates, please use this to add the certificates as secrets + ## key and certificate should start with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY----- + ## name should line up with a secretName set further up + ## If it is not set and you're using cert-manager, this is unneeded, as it will create the secret for you + ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created + ## It is also possible to create and manage the certificates outside of this helm chart + ## Please see README.md for more information + ## + ## E.g. + ## secrets: + ## - name: example.local-tls + ## key: + ## certificate: + ## + secrets: [] + ## @param healthIngress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) + ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster . + ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ + ## + ingressClassName: "" + ## @param healthIngress.extraRules The list of additional rules to be added to this ingress record. 
Evaluated as a template + ## Useful when looking for additional customization, such as using different backend + ## + extraRules: [] +## @section Metrics parameters + +## Prometheus Exporter / Metrics +## +metrics: + ## @param metrics.enabled Start a Prometheus exporter sidecar container + ## + enabled: false + ## Bitnami NGINX Prometheus Exporter image + ## ref: https://hub.docker.com/r/bitnami/nginx-exporter/tags/ + ## @param metrics.image.registry [default: REGISTRY_NAME] NGINX Prometheus exporter image registry + ## @param metrics.image.repository [default: REPOSITORY_NAME/nginx-exporter] NGINX Prometheus exporter image repository + ## @skip metrics.image.tag NGINX Prometheus exporter image tag (immutable tags are recommended) + ## @param metrics.image.digest NGINX Prometheus exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param metrics.image.pullPolicy NGINX Prometheus exporter image pull policy + ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array + ## + image: + registry: docker.io + repository: bitnami/nginx-exporter + tag: 1.4.1-debian-12-r0 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.port NGINX Container Status Port scraped by Prometheus Exporter + ## Defaults to specified http port + ## + port: "" + ## @param metrics.extraArgs Extra arguments for Prometheus exporter + ## e.g: + ## extraArgs: + ## - --nginx.timeout + ## - 5s + ## + extraArgs: [] + ## @param metrics.containerPorts.metrics Prometheus exporter container port + ## + containerPorts: + metrics: 9113 + ## @param metrics.podAnnotations Additional annotations for NGINX Prometheus exporter pod(s) + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param metrics.securityContext.enabled Enabled NGINX Exporter containers' Security Context + ## @param metrics.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container + ## @param metrics.securityContext.runAsUser Set NGINX Exporter container's Security Context runAsUser + ## + securityContext: + enabled: false + seLinuxOptions: {} + runAsUser: 1001 + ## Prometheus exporter service parameters + ## + service: + ## @param metrics.service.port NGINX Prometheus exporter service port + ## + port: 9113 + ## @param metrics.service.annotations [object] Annotations for the Prometheus exporter service + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.port }}" + ## NGINX Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. 
This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production). + ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15 + ## + resourcesPreset: "nano" + ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) + ## Example: + ## resources: + ## requests: + ## cpu: 2 + ## memory: 512Mi + ## limits: + ## cpu: 3 + ## memory: 1024Mi + ## + resources: {} + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`) + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running + ## + namespace: "" + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. 
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## interval: 10s + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## e.g: + ## scrapeTimeout: 10s + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## prometheus: my-prometheus + ## + selector: {} + ## @param metrics.serviceMonitor.labels Additional labels that can be used so PodMonitor will be discovered by Prometheus + ## + labels: {} + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels + ## + honorLabels: false + ## Prometheus Operator PrometheusRule configuration + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`) + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Prometheus Rule definitions + ## - alert: LowInstance + ## expr: up{service="{{ template "common.names.fullname" . 
}}"} < 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: Service {{ template "common.names.fullname" . }} Tomcat is down since 1m. + ## summary: Tomcat instance is down. + ## + rules: [] diff --git a/kubernetes/common/postgres-init/.helmignore b/kubernetes/common/postgres-init/.helmignore index f0c1319444..0bab41b6b1 100644 --- a/kubernetes/common/postgres-init/.helmignore +++ b/kubernetes/common/postgres-init/.helmignore @@ -19,3 +19,14 @@ .project .idea/ *.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/postgres-init/Chart.yaml b/kubernetes/common/postgres-init/Chart.yaml index 9fe2eaedc8..2f1971c77a 100644 --- a/kubernetes/common/postgres-init/Chart.yaml +++ b/kubernetes/common/postgres-init/Chart.yaml @@ -1,5 +1,6 @@ # Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,13 +17,18 @@ apiVersion: v2 description: Chart for Postgres init job name: postgres-init -version: 12.0.0 - +version: 13.0.6 dependencies: - name: common - version: ~12.x-0 - repository: 'file://../common' + version: ~13.x-0 + repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/postgres-init/templates/configmap.yaml b/kubernetes/common/postgres-init/templates/configmap.yaml index 66c28a0c69..e6a67448c7 100644 --- a/kubernetes/common/postgres-init/templates/configmap.yaml 
+++ b/kubernetes/common/postgres-init/templates/configmap.yaml @@ -20,10 +20,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/common/postgres-init/templates/job.yaml b/kubernetes/common/postgres-init/templates/job.yaml index d9a7386f83..c7b1cb2052 100644 --- a/kubernetes/common/postgres-init/templates/job.yaml +++ b/kubernetes/common/postgres-init/templates/job.yaml 
@@ -19,35 +19,22 @@ kind: Job metadata: name: {{ include "common.fullname" . }}-config-job namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + {{- if .Values.jobPodAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobPodAnnotations "context" $) | nindent 8 }} + {{- end }} + labels: {{- include "common.labels" . | nindent 8 }} name: {{ include "common.name" . }} spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.global.postgres.container.name }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - command: - sh 
@@ -80,26 +67,17 @@ spec: value: "{{ .Values.config.pgDatabase }}" - name: PG_ROOT_PASSWORD_INPUT {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input/setup.sql - name: config - subPath: setup.sql - - mountPath: /config - name: pgconf image: {{ include "repositoryGenerator.image.postgres" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /config-input/setup.sql name: config subPath: setup.sql - mountPath: /config name: pgconf - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: @@ -109,16 +87,14 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config configMap: name: {{ include "common.fullname" . }} - name: pgconf emptyDir: + sizeLimit: 64Mi medium: Memory restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/postgres-init/values.yaml b/kubernetes/common/postgres-init/values.yaml index d6d51f0b51..103ef047da 100644 --- a/kubernetes/common/postgres-init/values.yaml +++ b/kubernetes/common/postgres-init/values.yaml @@ -19,6 +19,7 @@ global: postgres: service: name: pgset + name2: tcp-pgset-primary container: name: postgres 
@@ -76,20 +77,57 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 90Mi + cpu: "10m" + memory: "90Mi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: postgres-init + roles: + - read + +securityContext: + user_id: 26 + group_id: 26 + +readinessCheck: + wait_for: + services: + - '{{ .Values.global.postgres.service.name2 }}' + wait_for_job_container: containers: - - '{{ include "common.name" . }}-update-config' \ No newline at end of file + - '{{ include "common.name" . }}-update-config' + +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" + +jobPodAnnotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" diff --git a/kubernetes/common/postgres/.helmignore b/kubernetes/common/postgres/.helmignore index f0c1319444..0bab41b6b1 100644 --- a/kubernetes/common/postgres/.helmignore +++ b/kubernetes/common/postgres/.helmignore 
@@ -19,3 +19,14 @@ .project .idea/ *.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/postgres/Chart.yaml b/kubernetes/common/postgres/Chart.yaml index d09f412311..562b69fd0e 100644 --- a/kubernetes/common/postgres/Chart.yaml +++ b/kubernetes/common/postgres/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP Postgres Server name: postgres -version: 12.0.0 +version: 13.1.0 dependencies: - name: common - version: ~12.x-0 - repository: 'file://../common' + version: ~13.x-0 + repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/postgres/configs/pg_hba.conf b/kubernetes/common/postgres/configs/pg_hba.conf index 580185c6f0..d8918409e8 100644 --- a/kubernetes/common/postgres/configs/pg_hba.conf +++ b/kubernetes/common/postgres/configs/pg_hba.conf @@ -65,4 +65,3 @@ #local all all trust # IPv4 local connections: host all all 0.0.0.0/0 md5 - diff --git a/kubernetes/common/postgres/templates/_deployment.tpl b/kubernetes/common/postgres/templates/_deployment.tpl index 1051aaff0b..ff701a2c10 100644 --- a/kubernetes/common/postgres/templates/_deployment.tpl +++ b/kubernetes/common/postgres/templates/_deployment.tpl @@ -27,6 +27,12 @@ metadata: namespace: {{ include "common.namespace" $dot }} labels: app: {{ include "common.name" $dot }}-{{ $pgMode }} + app.kubernetes.io/name: {{ include "common.name" $dot }}-{{ $pgMode }} + {{- if $dot.Chart.AppVersion }} + version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ $dot.Chart.Version | replace "+" "_" }}" + {{- end }} chart: {{ $dot.Chart.Name }}-{{ $dot.Chart.Version | replace "+" "_" }} release: {{ include "common.release" $dot }} heritage: {{ $dot.Release.Service }} 
@@ -42,11 +48,16 @@ spec: metadata: labels: app: {{ include "common.name" $dot }}-{{ $pgMode }} + app.kubernetes.io/name: {{ include "common.name" $dot }}-{{ $pgMode }} + {{- if $dot.Chart.AppVersion }} + version: "{{ $dot.Chart.AppVersion | replace "+" "_" }}" + {{- else }} + version: "{{ $dot.Chart.Version | replace "+" "_" }}" + {{- end }} release: {{ include "common.release" $dot }} name: "{{ index $dot.Values "container" "name" $pgMode }}" spec: - imagePullSecrets: - - name: "{{ include "common.namespace" $dot }}-docker-registry-key" + {{- include "common.imagePullSecrets" $dot | nindent 6 }} initContainers: - command: - sh 
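Review bot: the `version` label if/else added to the pod template here is a verbatim copy of the block added to the Deployment metadata in the previous hunk of `_deployment.tpl`. A single expression such as `version: {{ default $dot.Chart.Version $dot.Chart.AppVersion | replace "+" "_" | quote }}`, or a small named helper, would keep the two label sets from drifting apart.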
@@ -158,7 +169,50 @@ spec: - mountPath: /backup name: {{ include "common.fullname" $dot }}-backup readOnly: true - resources: {{ include "common.resources" $dot | nindent 12 }} + resources: {{ include "common.resources" $dot | nindent 10 }} + {{- if (default false $dot.Values.metrics.enabled) }} + - name: {{ include "common.name" $dot }}-metrics + image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ $dot.Values.metrics.image }} + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.metrics.pullPolicy | quote}} + env: + - name: POSTGRES_METRICS_EXTRA_FLAGS + value: {{ default "" (join " " $dot.Values.metrics.extraFlags) | quote }} + - name: DATA_SOURCE_USER + value: "{{ $dot.Values.metrics.postgresUser }}" + - name: DATA_SOURCE_PASS + {{- include "common.secret.envFromSecretFast" (dict "global" $dot "uid" (include "common.postgres.secret.rootPassUID" .) "key" "password") | indent 12 }} + command: + - sh + - -c + - | + DATA_SOURCE_URI="127.0.0.1:5432/?sslmode=disable" ./bin/postgres_exporter $POSTGRES_METRICS_EXTRA_FLAGS + ports: + {{- range $index, $metricPort := $dot.Values.metrics.ports }} + - name: {{ $metricPort.name }} + containerPort: {{ $metricPort.port }} + protocol: TCP + {{- end }} + livenessProbe: + httpGet: + path: /metrics + port: tcp-metrics + initialDelaySeconds: {{ $dot.Values.metrics.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ $dot.Values.metrics.livenessProbe.periodSeconds }} + timeoutSeconds: {{ $dot.Values.metrics.livenessProbe.timeoutSeconds }} + successThreshold: {{ $dot.Values.metrics.livenessProbe.successThreshold }} + failureThreshold: {{ $dot.Values.metrics.livenessProbe.failureThreshold }} + readinessProbe: + httpGet: + path: /metrics + port: tcp-metrics + initialDelaySeconds: {{ $dot.Values.metrics.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ $dot.Values.metrics.readinessProbe.periodSeconds }} + timeoutSeconds: {{ $dot.Values.metrics.readinessProbe.timeoutSeconds }} + 
successThreshold: {{ $dot.Values.metrics.readinessProbe.successThreshold }} + failureThreshold: {{ $dot.Values.metrics.readinessProbe.failureThreshold }} + {{ include "common.containerSecurityContext" $dot | indent 10 | trim }} + resources: {{- toYaml $dot.Values.metrics.resources | nindent 12 }} + {{ end }} {{- if $dot.Values.nodeSelector }} nodeSelector: {{ toYaml $dot.Values.nodeSelector | indent 10 }} @@ -168,9 +222,6 @@ spec: {{ toYaml $dot.Values.affinity | indent 10 }} {{- end }} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: {{ include "common.fullname" $dot }}-backup emptyDir: {} - name: {{ include "common.fullname" $dot }}-data diff --git a/kubernetes/common/postgres/templates/configmap.yaml b/kubernetes/common/postgres/templates/configmap.yaml index e8bfd1194a..ff4f976bf0 100644 --- a/kubernetes/common/postgres/templates/configmap.yaml +++ b/kubernetes/common/postgres/templates/configmap.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: ConfigMap metadata: @@ -26,4 +27,4 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "configs/*").AsConfig . | indent 2 }} - +{{- end }} diff --git a/kubernetes/common/postgres/templates/deployment-primary.yaml b/kubernetes/common/postgres/templates/deployment-primary.yaml index c8a000142e..7947559211 100644 --- a/kubernetes/common/postgres/templates/deployment-primary.yaml +++ b/kubernetes/common/postgres/templates/deployment-primary.yaml @@ -13,4 +13,6 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{ include "common.postgres.deployment" (dict "dot" . "pgMode" "primary") }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/deployment-replica.yaml b/kubernetes/common/postgres/templates/deployment-replica.yaml index dc19c2d985..246e1e9a07 100644 
--- a/kubernetes/common/postgres/templates/deployment-replica.yaml +++ b/kubernetes/common/postgres/templates/deployment-replica.yaml @@ -13,4 +13,6 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{ include "common.postgres.deployment" (dict "dot" . "pgMode" "replica") }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/metrics-svc-primary.yaml b/kubernetes/common/postgres/templates/metrics-svc-primary.yaml new file mode 100644 index 0000000000..b8d7912210 --- /dev/null +++ b/kubernetes/common/postgres/templates/metrics-svc-primary.yaml 
@@ -0,0 +1,38 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if not .Values.global.postgres.useOperator }} +{{- if default false .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.service.name2 }}-metrics + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + {{- if .Values.metrics.service.annotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.metrics.service.annotations "context" .) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type2 }} + ports: + - name: tcp-metrics + port: {{ .Values.metrics.service.port2 }} + targetPort: tcp-metrics + selector: + name: {{ .Values.container.name.primary }} + release: {{ include "common.release" . }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/metrics-svc-replica.yaml b/kubernetes/common/postgres/templates/metrics-svc-replica.yaml new file mode 100644 index 0000000000..6d9990a7bc --- /dev/null +++ b/kubernetes/common/postgres/templates/metrics-svc-replica.yaml 
@@ -0,0 +1,38 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if not .Values.global.postgres.useOperator }} +{{- if default false .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.service.name3 }}-metrics + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} + {{- if .Values.metrics.service.annotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.metrics.service.annotations "context" .) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.metrics.service.type3 }} + ports: + - name: tcp-metrics + port: {{ .Values.metrics.service.port3 }} + targetPort: tcp-metrics + selector: + name: {{ .Values.container.name.replica }} + release: {{ include "common.release" . }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/postgres.yaml b/kubernetes/common/postgres/templates/postgres.yaml new file mode 100644 index 0000000000..0dad7f5886 --- /dev/null +++ b/kubernetes/common/postgres/templates/postgres.yaml 
@@ -0,0 +1,19 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.global.postgres.useOperator }} +{{ include "common.postgresOpInstance" . }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/pv-primary.yaml b/kubernetes/common/postgres/templates/pv-primary.yaml index e1ff1f9f4e..9e73ceb8e3 100644 --- a/kubernetes/common/postgres/templates/pv-primary.yaml +++ b/kubernetes/common/postgres/templates/pv-primary.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} {{- if include "common.needPV" . -}} kind: PersistentVolume @@ -37,3 +38,4 @@ spec: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/primary {{- end -}} {{- end -}} +{{- end }} diff --git a/kubernetes/common/postgres/templates/pv-replica.yaml b/kubernetes/common/postgres/templates/pv-replica.yaml index d553c36680..af46f611c8 100644 --- a/kubernetes/common/postgres/templates/pv-replica.yaml +++ b/kubernetes/common/postgres/templates/pv-replica.yaml 
@@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} {{- if include "common.needPV" . -}} kind: PersistentVolume @@ -35,5 +36,6 @@ spec: persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} hostPath: path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/replica -{{- end -}} -{{- end -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/pvc-primary.yaml b/kubernetes/common/postgres/templates/pvc-primary.yaml index a47d3ed56e..6aaa52913e 100644 --- a/kubernetes/common/postgres/templates/pvc-primary.yaml +++ b/kubernetes/common/postgres/templates/pvc-primary.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} kind: PersistentVolumeClaim apiVersion: v1 @@ -41,4 +42,5 @@ spec: {{- else }} storageClassName: {{ include "common.storageClass" . }} {{- end }} -{{- end -}} +{{- end }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/pvc-replica.yaml b/kubernetes/common/postgres/templates/pvc-replica.yaml index 1e453fbcfd..e71284fcec 100644 --- a/kubernetes/common/postgres/templates/pvc-replica.yaml +++ b/kubernetes/common/postgres/templates/pvc-replica.yaml @@ -14,6 +14,7 @@ # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} kind: PersistentVolumeClaim apiVersion: v1 @@ -41,4 +42,5 @@ spec: {{- else }} storageClassName: {{ include "common.storageClass" . }} {{- end }} -{{- end -}} +{{- end }} +{{- end }} 
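Review bot: in `kubernetes/common/postgres/templates/_deployment.tpl`, hunk `@@ -158,7 +169,50 @@`, the new metrics container takes `DATA_SOURCE_PASS` from `common.postgres.secret.rootPassUID` and the values default is `postgresUser: "postgres"`, so the exporter sidecar runs with the database root credentials. A dedicated monitoring user with its own secret would limit what a compromised exporter can reach. The same container passes `.` to `repositoryGenerator.dockerHubRepository` and `common.postgres.secret.rootPassUID` while the rest of the define uses `$dot`; since the define is called with `(dict "dot" . "pgMode" "primary")`, passing `$dot` in both places would be consistent.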
diff --git a/kubernetes/common/postgres/templates/service-common.yaml b/kubernetes/common/postgres/templates/service-common.yaml index 6e74a06616..6ec83dc0f4 100644 --- a/kubernetes/common/postgres/templates/service-common.yaml +++ b/kubernetes/common/postgres/templates/service-common.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: Service metadata: @@ -39,3 +40,4 @@ spec: selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/service-primary.yaml b/kubernetes/common/postgres/templates/service-primary.yaml index 2965b7df81..bc60d27f44 100644 --- a/kubernetes/common/postgres/templates/service-primary.yaml +++ b/kubernetes/common/postgres/templates/service-primary.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: Service metadata: @@ -39,3 +40,4 @@ spec: selector: name: "{{.Values.container.name.primary}}" release: {{ include "common.release" . }} +{{- end }} diff --git a/kubernetes/common/postgres/templates/service-replica.yaml b/kubernetes/common/postgres/templates/service-replica.yaml index d92a0833af..878a02ef66 100644 --- a/kubernetes/common/postgres/templates/service-replica.yaml +++ b/kubernetes/common/postgres/templates/service-replica.yaml @@ -13,6 +13,7 @@ # # See the License for the specific language governing permissions and # # limitations under the License. */}} +{{- if not .Values.global.postgres.useOperator }} apiVersion: v1 kind: Service metadata: @@ -39,3 +40,4 @@ spec: selector: name: "{{.Values.container.name.replica}}" release: {{ include "common.release" . }} +{{- end }} 
diff --git a/kubernetes/common/postgres/templates/servicemonitor.yaml b/kubernetes/common/postgres/templates/servicemonitor.yaml new file mode 100644 index 0000000000..3fb716b133 --- /dev/null +++ b/kubernetes/common/postgres/templates/servicemonitor.yaml @@ -0,0 +1,20 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if not .Values.global.postgres.useOperator }} +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/postgres/values.yaml b/kubernetes/common/postgres/values.yaml index 93f6d66385..c0cdfef2d2 100644 --- a/kubernetes/common/postgres/values.yaml +++ b/kubernetes/common/postgres/values.yaml @@ -19,6 +19,9 @@ global: nodePortPrefix: 302 persistence: {} + postgres: + # flag to enable the DB creation via mariadb-operator + useOperator: false ################################################################# # Secrets metaconfig 
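Review bot: the comment on the new `useOperator` key reads `# flag to enable the DB creation via mariadb-operator`, but this is the postgres chart and the flag gates `common.postgresOpInstance` in templates/postgres.yaml. The comment looks copied from the mariadb chart; it should name the Postgres operator and say that setting the flag to true switches off the chart's own ConfigMap, Deployments, Services, PVs/PVCs and ServiceMonitor, which are all wrapped in `if not .Values.global.postgres.useOperator` by this change.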
@@ -38,6 +41,27 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.pgPrimaryPasswordExternalSecret) . }}' password: '{{ .Values.config.pgPrimaryPassword }}' +################################################################# +# Postgres Operator configuration defaults. +# Example: https://github.com/CrunchyData/postgres-operator-examples/tree/main/helm/postgres +################################################################# +postgresOperator: + postgresVersion: 16 + # Possibility to override images + #imagePostgres: + #imagePgBouncer: + #imageExporter: + #imagePgBackRest: + instanceName: instance1 + instanceReplicas: 2 + #instanceStorageClassName: + instanceSize: 1Gi + #instanceCPU: + #instanceMemory: + bouncerReplicas: 2 + monitoring: true + #monitoringConfig: {} + ################################################################# # Application configuration defaults. ################################################################# 
@@ -136,16 +160,114 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 90Mi + cpu: "10m" + memory: "90Mi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} + +metrics: + enabled: false + ## Bitnami Postgres Prometheus exporter image + ## ref: https://hub.docker.com/r/bitnami/postgres-exporter/tags/ + ## + image: bitnami/postgres-exporter:0.11.1 + pullPolicy: Always + ports: + - name: tcp-metrics + port: 9187 + ## Postgres exporter additional command line flags + ## Can be used to specify command line flags + ## E.g.: + ## extraFlags: + ## - --collect.binlog_size + ## + extraFlags: [] + ## Postgres Prometheus exporter containers' resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ limits: + cpu: "0.5" + memory: "200Mi" + requests: + cpu: "0.5" + memory: "200Mi" + ## Postgres metrics container's liveness and readiness probes + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + ## + postgresUser: "postgres" + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 180 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 180 + successThreshold: 1 + failureThreshold: 3 + ## Postgres Prometheus exporter service parameters + ## + service: + type2: ClusterIP + port2: 9187 + type3: ClusterIP + port3: 9187 + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9187" + serviceMonitor: + enabled: false + basicAuth: + enabled: false + ## Namespace in which Prometheus is running + ## + ## namespace: monitoring + ## + ## Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + ## interval: 10s + ## + ## Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + ## scrapeTimeout: 10s + ## Add your label under which prometheus is discovering resources + ## labels: + ## release: kube-prometheus-stack + ## + ## ServiceMonitor selector labels + ## ref: https://github.com/bitnami/charts/tree/master/bitnami/prometheus-operator#prometheus-configuration + ## + ## selector: + ## monitoring: enabled + ## + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + ## + relabelings: [] + ## + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued 
as a template + ## + metricRelabelings: [] diff --git a/kubernetes/common/readinessCheck/.helmignore b/kubernetes/common/readinessCheck/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/readinessCheck/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/readinessCheck/Chart.yaml b/kubernetes/common/readinessCheck/Chart.yaml index 6caea5f899..2214c8aae8 100644 --- a/kubernetes/common/readinessCheck/Chart.yaml +++ b/kubernetes/common/readinessCheck/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: Template used to wait for other deployment/sts/jobs in onap name: readinessCheck -version: 12.0.0 +version: 13.1.4 dependencies: - name: common - version: ~12.x-0 - repository: 'file://../common' + version: ~13.x-0 + repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl index 90c278e4c5..c09285e1fa 100644 --- a/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl +++ b/kubernetes/common/readinessCheck/templates/_readinessCheck.tpl 
@@ -35,6 +35,28 @@ - aaf-cm - aaf-service + the powerful one allows also to wait for pod names with this + (has to start with the given pod name): + wait_for: + name: myname + pods: + - test-pod + + the powerful one allows also to wait for a service to be + available, which means all pods are deployed, which are + selected by the service definition: + wait_for: + name: myservice + services: + - mariadb-galera-service + + the powerful one allows also to wait for pods with the + given "app" label: + wait_for: + name: myname + apps: + - mariadb-galera + the powerful one allows also to wait for jobs with this: wait_for: name: myname @@ -48,8 +70,8 @@ - .dot : environment (.) - .initRoot : the root dictionary of readinessCheck submodule (default to .Values.readinessCheck) - - .wait_for : list of containers / jobs to wait for (default to - .Values.wait_for) + - .wait_for : list of service / containers / pods /apps / jobs to wait for + (default to .Values.wait_for) Example calls: {{ include "common.readinessCheck.waitFor" . }} 
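Review bot: the updated `.wait_for` description lists `service / containers / pods /apps / jobs`, but the helper in this same change also reads `serviceMeshes` and `timeout` from `wait_for`, and neither is documented in this header comment. Please add a short example for each, including the unit `timeout` is given in, next to the `pods`, `services` and `apps` examples added in the hunk above.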
@@ -62,14 +84,26 @@ {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} {{- $wait_for := default $initRoot.wait_for .wait_for -}} {{- $containers := index (ternary (dict "containers" $wait_for) $wait_for (kindIs "slice" $wait_for)) "containers" -}} +{{- $services := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "services" -}} +{{- $serviceMeshes := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "serviceMeshes" -}} +{{- $pods := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "pods" -}} +{{- $apps := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "apps" -}} {{- $namePart := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "name" -}} {{- $jobs := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "jobs" -}} +{{- $timeout := index (ternary (dict) $wait_for (kindIs "slice" $wait_for)) "timeout" -}} - name: {{ include "common.name" $dot }}{{ ternary "" (printf "-%s" $namePart) (empty $namePart) }}-readiness image: {{ include "repositoryGenerator.image.readiness" $subchartDot }} imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }} securityContext: runAsUser: {{ $subchartDot.Values.user }} runAsGroup: {{ $subchartDot.Values.group }} + readOnlyRootFilesystem: true + privileged: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW command: - /app/ready.py args: 
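Review bot: in the added `capabilities.drop` list, `CAP_NET_RAW` is redundant after `ALL`, and Kubernetes expects capability names without the `CAP_` prefix (`NET_RAW`). Dropping `ALL` alone covers it, so the list can be reduced to the single `- ALL` entry. The rest of the block (`readOnlyRootFilesystem: true`, `privileged: false`, `allowPrivilegeEscalation: false`) looks right for this init container.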
@@ -77,10 +111,30 @@ - --container-name - {{ tpl $container $dot }} {{- end }} + {{- range $pod := default (list) $pods }} + - --pod-name + - {{ tpl $pod $dot }} + {{- end }} + {{- range $service := default (list) $services }} + - --service-name + - {{ tpl $service $dot }} + {{- end }} + {{- range $serviceMesh := default (list) $serviceMeshes }} + - --service-mesh-check + - {{ tpl $serviceMesh $dot }} + {{- end }} + {{- range $app := default (list) $apps }} + - --app-name + - {{ tpl $app $dot }} + {{- end }} {{- range $job := $jobs }} - --job-name - {{ tpl $job $dot }} {{- end }} + {{- if hasKey $wait_for "timeout" }} + - -t + - {{ $timeout | quote }} + {{- end }} env: - name: NAMESPACE {{- if $subchartDot.Values.namespace }} diff --git a/kubernetes/common/readinessCheck/values.yaml b/kubernetes/common/readinessCheck/values.yaml index 128c5057cc..d769fcdd3d 100644 --- a/kubernetes/common/readinessCheck/values.yaml +++ b/kubernetes/common/readinessCheck/values.yaml @@ -13,14 +13,14 @@ # limitations under the License. global: - pullPolicy: Always + pullPolicy: IfNotPresent user: 100 group: 65533 limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" diff --git a/kubernetes/common/repository-wrapper/Chart.yaml b/kubernetes/common/repository-wrapper/Chart.yaml index 3823e64cc5..c9894d2130 100644 --- a/kubernetes/common/repository-wrapper/Chart.yaml +++ b/kubernetes/common/repository-wrapper/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: Wrapper chart to allow docker secret to be shared all instances name: repository-wrapper -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../repositoryGenerator' \ No newline at end of file 
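Review bot: in `_readinessCheck.tpl`, hunk `@@ -77,10 +111,30 @@`, `{{- if hasKey $wait_for "timeout" }}` is called on `$wait_for` directly, while every other lookup in this helper first guards with `kindIs "slice" $wait_for` because the short form of `wait_for` is a plain list of containers. `hasKey` needs a map, so charts that still use the list form will fail to render. `$timeout` is already computed with that guard in the previous hunk, so `{{- if $timeout }}` does the same job safely.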
diff --git a/kubernetes/common/repositoryGenerator/.helmignore b/kubernetes/common/repositoryGenerator/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/repositoryGenerator/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/repositoryGenerator/Chart.yaml b/kubernetes/common/repositoryGenerator/Chart.yaml index 52a2793963..d1c2240942 100644 --- a/kubernetes/common/repositoryGenerator/Chart.yaml +++ b/kubernetes/common/repositoryGenerator/Chart.yaml @@ -16,4 +16,4 @@ apiVersion: v2 description: Template used to generate the right repository link name: repositoryGenerator -version: 12.0.0 +version: 13.0.3 diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index 1b99285a80..14b8cc7783 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -2,6 +2,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Copyright © 2021 AT&T # Modifications Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -58,6 +59,16 @@ {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "elasticRepository") .) }} {{- end -}} +{{/* + Resolve the name of the quay.io Repository image repository. + + - .Values.global.quayRepository : default image quayRepository for all images using quay repository + - .Values.quayRepositoryOverride : override global quayRepository repository on a per chart basis +*/}} +{{- define "repositoryGenerator.quayRepository" -}} + {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "quayRepository") .) }} +{{- end -}} + {{/* Resolve the name of the googleK8sRepository image repository. @@ -77,6 +88,16 @@ {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "githubContainerRegistry") .) }} {{- end -}} +{{/* + Resolve the name of the mariadbRepository image repository. + + - .Values.global.mariadbContainerRegistry : default image mariadbContainerRegistry for all images used by mariadb.operator + - .Values.mariadbContainerRegistryOverride : override global mariadbContainerRegistry repository on a per chart basis +*/}} +{{- define "repositoryGenerator.mariadbContainerRegistry" -}} + {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "mariadbContainerRegistry") .) }} +{{- end -}} + {{- define "repositoryGenerator.image._helper" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.repositoryGenerator .initRoot -}} @@ -129,6 +150,10 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "nginxImage") .) }} {{- end -}} +{{- define "repositoryGenerator.image.mongodbImage" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "mongodbImage") .) }} +{{- end -}} + {{- define "repositoryGenerator.image.postgres" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "postgresImage") .) }} {{- end -}} 
@@ -137,8 +162,8 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "readinessImage") .) }} {{- end -}} -{{- define "repositoryGenerator.image.dbcClient" -}} - {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dbcClientImage") .) }} +{{- define "repositoryGenerator.image.drProvClient" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "drProvClientImage") .) }} {{- end -}} {{- define "repositoryGenerator.image.quitQuit" -}} @@ -219,5 +244,17 @@ {{- $repoCreds = printf "%s, %s" $repoCreds $ghcrRepoCreds }} {{- end }} {{- end }} + {{- if $subchartDot.Values.global.mariadbContainerRegistryCred }} + {{- $mariadbRepo := $subchartDot.Values.global.mariadbContainerRegistry }} + {{- $mariadbCred := $subchartDot.Values.global.mariadbContainerRegistryCred }} + {{- $mariadbMail := default "@" $mariadbCred.mail }} + {{- $mariadbAuth := printf "%s:%s" $mariadbCred.user $mariadbCred.password | b64enc }} + {{- $mariadbRepoCreds := printf "\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}" $mariadbRepo $mariadbCred.user $mariadbCred.password $mariadbMail $mariadbAuth }} + {{- if eq "" $repoCreds }} + {{- $repoCreds = $mariadbRepoCreds }} + {{- else }} + {{- $repoCreds = printf "%s, %s" $repoCreds $mariadbRepoCreds }} + {{- end }} + {{- end }} {{- printf "{%s}" $repoCreds | b64enc -}} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index aa6159c2b2..a4791f762b 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml 
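Review bot: In the `@@ -219,5 +244,17 @@` hunk of `_repository.tpl`, the MariaDB registry entry is assembled with `printf` and hand-escaped quotes, so `$mariadbCred.user`, `$mariadbCred.password` and the mail value are written into the JSON unescaped. A password containing `"` or `\` produces an invalid or altered pull-secret document. This follows the existing pattern used for `$ghcrRepoCreds`, but building a `dict` and rendering it with `toJson` would remove the problem for the new entry. The block also tests only `mariadbContainerRegistryCred`; if `global.mariadbContainerRegistry` is overridden to empty, it emits an entry with an empty registry key, so a guard on both values is worth adding.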
@@ -21,11 +21,13 @@ global: elasticRepository: docker.elastic.co googleK8sRepository: k8s.gcr.io githubContainerRegistry: ghcr.io + mariadbContainerRegistry: docker-registry3.mariadb.com + quayRepository: quay.io # common global images - busyboxImage: busybox:1.34.1 - curlImage: curlimages/curl:7.80.0 - envsubstImage: dibi/envsubst:1 + busyboxImage: busybox:1.37.0 + curlImage: curlimages/curl:8.14.1 + envsubstImage: dibi/envsubst:latest # there's only latest image for htpasswd htpasswdImage: xmartlabs/htpasswd:latest # if you change jetty image, you'll also need to update jar file which is @@ -35,13 +37,14 @@ global: jreImage: onap/integration-java11:10.0.0 kubectlImage: bitnami/kubectl:1.22.4 loggingImage: beats/filebeat:5.5.0 - mariadbImage: bitnami/mariadb:10.5.8 - nginxImage: bitnami/nginx:1.21.4 + mariadbImage: mariadb:11.7.2 + mongodbImage: percona/percona-server-mongodb:7.0.16-10 + nginxImage: bitnami/nginx:1.29.0 postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.2.0 dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 - dbcClientImage: onap/dmaap/dbc-client:2.0.10 - quitQuitImage: onap/oom/readiness:4.1.0 + drProvClientImage: onap/dmaap/datarouter-prov-client:2.1.15 + quitQuitImage: onap/oom/readiness:6.2.0 # Default credentials # they're optional. If the target repository doesn't need them, comment them @@ -70,9 +73,10 @@ imageRepoMapping: kubectlImage: dockerHubRepository loggingImage: elasticRepository mariadbImage: dockerHubRepository + mongodbImage: dockerHubRepository nginxImage: dockerHubRepository postgresImage: dockerHubRepository readinessImage: repository dcaePolicySyncImage: repository - dbcClientImage: repository + drProvClientImage: repository quitQuitImage: repository diff --git a/kubernetes/common/roles-wrapper/Chart.yaml b/kubernetes/common/roles-wrapper/Chart.yaml index 717d12a2a4..5de7b72299 100644 
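Review bot: In the `@@ -21,11 +21,13 @@` hunk of `repositoryGenerator/values.yaml`, `envsubstImage` moves from the pinned `dibi/envsubst:1` to `dibi/envsubst:latest`, while the other images in the hunk are bumped to fixed versions. A floating tag makes deployments non-reproducible and lets the image content change without any chart change. Suggest pinning a version tag or a digest, or documenting why none is available, as the neighbouring comment does for `htpasswdImage`.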
--- a/kubernetes/common/roles-wrapper/Chart.yaml +++ b/kubernetes/common/roles-wrapper/Chart.yaml @@ -16,9 +16,9 @@ apiVersion: v2 description: Wrapper chart to allow default roles to be shared among onap instances name: roles-wrapper -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../common' \ No newline at end of file diff --git a/kubernetes/common/roles-wrapper/templates/role.yaml b/kubernetes/common/roles-wrapper/templates/role.yaml index 0be6c7bbd6..3438b6e36e 100644 --- a/kubernetes/common/roles-wrapper/templates/role.yaml +++ b/kubernetes/common/roles-wrapper/templates/role.yaml @@ -30,6 +30,9 @@ rules: - batch - extensions resources: + - endpoints + - services + - nodes - pods - deployments - deployments/status diff --git a/kubernetes/common/serviceAccount/.helmignore b/kubernetes/common/serviceAccount/.helmignore new file mode 100644 index 0000000000..0bab41b6b1 --- /dev/null +++ b/kubernetes/common/serviceAccount/.helmignore @@ -0,0 +1,32 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml index 2de9036315..3e0e6c2eaa 100644 --- a/kubernetes/common/serviceAccount/Chart.yaml +++ b/kubernetes/common/serviceAccount/Chart.yaml 
@@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,9 +18,9 @@ apiVersion: v2 description: Template used to create the right Service Accounts / Role / RoleBinding name: serviceAccount -version: 12.0.0 +version: 13.0.2 dependencies: - name: common - version: ~12.x-0 - repository: 'file://../common' \ No newline at end of file + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml index 7c272aecda..11593ccccb 100644 --- a/kubernetes/common/serviceAccount/templates/role-binding.yaml +++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ {{- range $role_type := $dot.Values.roles }} {{/* retrieve the names for generic roles */}} {{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }} -{{- if not (has $role_type $dot.Values.defaultRoles) }} +{{- if or (not (has $role_type $dot.Values.defaultRoles)) ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }} {{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} {{- end }} --- @@ -36,4 +37,3 @@ roleRef: name: {{ $name }} apiGroup: rbac.authorization.k8s.io {{- end }} - diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index 2055885f2a..90708854ff 100644 --- a/kubernetes/common/serviceAccount/templates/role.yaml 
+++ b/kubernetes/common/serviceAccount/templates/role.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -37,5 +38,34 @@ rules: verbs: - create {{- end }} +{{- else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} + namespace: {{ include "common.namespace" $dot }} +rules: +{{- if eq $role_type "read" }} +{{- with $dot.Values.role.read }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- else }} +{{- if eq $role_type "create" }} +{{- with $dot.Values.role.create }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- else }} +# if you don't match read or create, then you're not allowed to use API +# except to see basic information about yourself +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + verbs: + - create +{{- end }} +{{- end }} {{- end }} {{- end }} diff --git a/kubernetes/common/serviceAccount/templates/service-account.yaml b/kubernetes/common/serviceAccount/templates/service-account.yaml index 20bd94f49a..683d5d2984 100644 --- a/kubernetes/common/serviceAccount/templates/service-account.yaml +++ b/kubernetes/common/serviceAccount/templates/service-account.yaml @@ -21,4 +21,4 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml index 22faeb6904..5d20e45f58 100644 --- a/kubernetes/common/serviceAccount/values.yaml +++ b/kubernetes/common/serviceAccount/values.yaml 
@@ -1,4 +1,5 @@ # Copyright © 2020 Samsung Electronics +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -12,13 +13,21 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Default roles will be created by roles wrapper -# It won't work if roles wrapper is disabled. +# Global flag to enable the creation of default roles instead of using +# common roles-wrapper +global: + createDefaultRoles: false + +# Default roles will be created by roles wrapper, +# if "createDefaultRoles=false" roles: - nothing -# - read -# - create + # - read + # - create +# Flag to enable the creation of default roles instead of using +# common roles-wrapper +createDefaultRoles: false defaultRoles: - nothing - read 
@@ -34,3 +43,116 @@ new_roles_definitions: {} # - "get" # - "watch" # - "list" + +role: + read: + - apiGroups: + - "" # "" indicates the core API group + resources: + - services + - pods + - endpoints + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs + verbs: + - get + - watch + - list + - apiGroups: + - batch + resources: + - jobs/status + verbs: + - get + - apiGroups: + - apps + resources: + - statefulsets + - replicasets + - deployments + - statefulsets + - daemonsets + verbs: + - get + - watch + - list + - apiGroups: + - apps + resources: + - replicasets/status + - deployments/status + - statefulsets/status + verbs: + - get + create: + - apiGroups: + - "" # "" indicates the core API group + - apps + - batchs + - extensions + resources: + - pods + - deployments + - deployments/status + - jobs + - jobs/status + - statefulsets + - replicasets + - replicasets/status + - daemonsets + - secrets + - services + verbs: + - get + - watch + - list + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - statefulsets + - configmaps + verbs: + - patch + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - deployments + - secrets + - services + - pods + verbs: + - create + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods + - persistentvolumeclaims + - secrets + - deployments + - services + verbs: + - delete + - apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods/exec + verbs: + - create + - get + - apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete diff --git a/kubernetes/common/timescaledb/.helmignore b/kubernetes/common/timescaledb/.helmignore index 50af031725..0bab41b6b1 100644 --- a/kubernetes/common/timescaledb/.helmignore +++ b/kubernetes/common/timescaledb/.helmignore 
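Review bot: In the new `role.create` rules of `serviceAccount/values.yaml`, the first rule lists the API group `batchs`; the group used in `role.read` above is `batch`, so the `jobs` and `jobs/status` entries in that rule match nothing. The `apps` rule in `role.read` also lists `statefulsets` twice. Beyond the typos, the `create` role grants `get`/`watch`/`list`, `create` and `delete` on `secrets` plus `create` on `pods/exec` to every chart that selects it; consider splitting those permissions out so charts opt in only to what they use.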
@@ -19,4 +19,14 @@ .project .idea/ *.tmproj -.vscode/ +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ diff --git a/kubernetes/common/timescaledb/Chart.yaml b/kubernetes/common/timescaledb/Chart.yaml index cb9965f6b6..07762d4677 100644 --- a/kubernetes/common/timescaledb/Chart.yaml +++ b/kubernetes/common/timescaledb/Chart.yaml @@ -22,15 +22,15 @@ apiVersion: v2 appVersion: "1.0" description: ONAP timescaledb name: timescaledb -version: 12.0.0 +version: 13.0.2 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: 'file://../repositoryGenerator' \ No newline at end of file + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/common/timescaledb/templates/configmap-init.yaml b/kubernetes/common/timescaledb/templates/configmap-init.yaml index 82c1de6255..6cb5c60629 100644 --- a/kubernetes/common/timescaledb/templates/configmap-init.yaml +++ b/kubernetes/common/timescaledb/templates/configmap-init.yaml @@ -23,11 +23,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-init namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: init-schema.sh: |- {{ .Files.Get "resources/init/init-schema.sh" | indent 4}} diff --git a/kubernetes/common/timescaledb/templates/statefulset.yaml b/kubernetes/common/timescaledb/templates/statefulset.yaml index 2e83c5b1b0..031241dbaf 100644 --- a/kubernetes/common/timescaledb/templates/statefulset.yaml +++ b/kubernetes/common/timescaledb/templates/statefulset.yaml 
@@ -29,27 +29,12 @@ spec: metadata: {{- include "common.templateMetadata" (dict "ignoreHelmChart" true "dot" . ) | nindent 6 }} spec: serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} - {{ include "common.podSecurityContext" . | indent 10 | trim}} - initContainers: - # we shouldn't need this but for unknown reason, it's fsGroup is not - # applied - - name: fix-permission - command: - - /bin/sh - args: - - -c - - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} /var/lib/postgresql/data - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/postgresql/data - name: {{ include "common.fullname" . }} + {{ include "common.podSecurityContext" . | indent 6 | trim}} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim}} ports: {{ include "common.containerPorts" . | nindent 12 }} livenessProbe: exec: 
@@ -74,17 +59,21 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "root-creds" "key" "password") | indent 14 }} - name: PGDATA value: /var/lib/postgresql/data/pgdata - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} volumeMounts: - name: {{ include "common.fullname" . }}-init mountPath: /docker-entrypoint-initdb.d - name: {{ include "common.fullname" . }} mountPath: /var/lib/postgresql/data + - name: var-run + mountPath: /var/run/postgresql volumes: - name: {{ include "common.fullname" . }}-init configMap: name: {{ include "common.fullname" . }}-init + - name: var-run + emptyDir: + sizeLimit: {{ .Values.dirSizes.varDir.sizeLimit }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -95,9 +84,9 @@ spec: {{- end }} {{- with .Values.tolerations }} tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} volumeClaimTemplates: - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "data" "persistenceInfos" .Values.persistence "ignoreHelmChart" true) | indent 6 | trim }} -{{- end }} + {{- end }} diff --git a/kubernetes/common/timescaledb/values.yaml b/kubernetes/common/timescaledb/values.yaml index 72a4b6ffd0..35beab7ea1 100644 --- a/kubernetes/common/timescaledb/values.yaml +++ b/kubernetes/common/timescaledb/values.yaml @@ -21,9 +21,9 @@ global: persistence: {} ################################################################# -# Secrets. +# Image ############################################################## -image: timescale/timescaledb:2.5.1-pg14 +image: timescale/timescaledb:2.16.1-pg14 pullPolicy: Always containerPorts: 5432 
@@ -41,11 +41,6 @@ securityContext: # Uid and gid to run the entrypoint of the container process (uid 70 is postgres user and gid 70 is postgres group) user_id: 70 group_id: 70 - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true flavor: small @@ -63,18 +58,18 @@ flavor: small resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 90Mi + cpu: "10m" + memory: "90Mi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} nodeSelector: {} @@ -114,6 +109,10 @@ config: pgRootUserName: postgres pgDatabase: timescaledb +dirSizes: + varDir: + sizeLimit: 64Mi + secrets: - uid: root-creds type: basicAuth diff --git a/kubernetes/consul/Chart.yaml b/kubernetes/consul/Chart.yaml deleted file mode 100644 index 0000463560..0000000000 --- a/kubernetes/consul/Chart.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Consul Agent -name: consul -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: consul-server - version: ~12.x-0 - repository: 'file://components/consul-server' - condition: consul-server.enabled - - name: serviceAccount - version: ~12.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/consul/Makefile b/kubernetes/consul/Makefile deleted file mode 100644 index c483a02eab..0000000000 --- a/kubernetes/consul/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/consul/components/Makefile b/kubernetes/consul/components/Makefile deleted file mode 100644 index fa3c4b9af9..0000000000 --- a/kubernetes/consul/components/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/consul/components/consul-server/Chart.yaml b/kubernetes/consul/components/consul-server/Chart.yaml deleted file mode 100644 index 8eb28ce1d4..0000000000 --- a/kubernetes/consul/components/consul-server/Chart.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Consul Server -name: consul-server -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/consul/components/consul-server/templates/NOTES.txt b/kubernetes/consul/components/consul-server/templates/NOTES.txt deleted file mode 100644 index 157fe92427..0000000000 --- a/kubernetes/consul/components/consul-server/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/consul/components/consul-server/templates/service.yaml b/kubernetes/consul/components/consul-server/templates/service.yaml deleted file mode 100644 index c24ddfb7e4..0000000000 --- a/kubernetes/consul/components/consul-server/templates/service.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - clusterIP: None ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-ui - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type2 }} - ports: - {{if eq .Values.service.type2 "NodePort" -}} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName2 }} - {{- else -}} - - port: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/consul/components/consul-server/templates/statefulset.yaml b/kubernetes/consul/components/consul-server/templates/statefulset.yaml deleted file mode 100644 index 8e872b9c87..0000000000 --- a/kubernetes/consul/components/consul-server/templates/statefulset.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - runAsGroup: {{ .Values.securityContext.runAsGroup }} - command: ["/usr/local/bin/docker-entrypoint.sh"] - args: - - "agent" - - "-bootstrap-expect={{ .Values.replicaCount }}" - - "-enable-script-checks" -{{- $fullname := include "common.fullname" . -}} -{{- $servname := include "common.servicename" . 
-}} -{{- range $i,$t := until (int .Values.replicaCount)}} - - "-retry-join={{ $fullname }}-{{$i}}.{{ $servname }}" -{{- end }} - - "-client=0.0.0.0" - - "-server" - - "-ui" - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 10 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} diff --git a/kubernetes/consul/components/consul-server/values.yaml b/kubernetes/consul/components/consul-server/values.yaml deleted file mode 100644 index d4e649444a..0000000000 --- a/kubernetes/consul/components/consul-server/values.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - repository: nexus3.onap.org:10001 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/oom/consul:2.1.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -replicaCount: 3 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 5 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 5 - -service: - type: ClusterIP - name: consul-server - portName: consul-join - internalPort: 8301 - type2: ClusterIP - portName2: consul-ui - internalPort2: 8500 - nodePort2: 70 - -ingress: - enabled: false - -#resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. 
This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 30m - memory: 25Mi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - unlimited: {} - -securityContext: - fsGroup: 1000 - runAsUser: 100 - runAsGroup: 1000 - -#Pods Service Account -serviceAccount: - nameOverride: consul-server - roles: - - read diff --git a/kubernetes/consul/resources/config/consul-agent-config/aaf-service-health.json b/kubernetes/consul/resources/config/consul-agent-config/aaf-service-health.json deleted file mode 100755 index cd715f8b6a..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aaf-service-health.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "service": { - "name": "Health Check: Application Authorization Framework", - "checks": [ - { - "id": "aaf-service", - "name": "AAF Service Health Check", - "http": "https://aaf-service:8100/authz/perms/user/demo@people.osaaf.org", - "header": { - "Authorization": ["Basic ZGVtb0BwZW9wbGUub3NhYWYub3JnOmRlbW8xMjM0NTYh"], - "X-TransactionId": ["ConsulHealthCheck"], - "X-FromAppId": ["healthcheck"] - }, - "tls_skip_verify": true, - "interval": "20s", - "timeout": "5s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/aaf-sms-health.json b/kubernetes/consul/resources/config/consul-agent-config/aaf-sms-health.json deleted file mode 100644 index 965732da5d..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aaf-sms-health.json +++ /dev/null 
@@ -1,17 +0,0 @@ -{ - "service": { - "name": "Health Check: Secret Management Service (sms)", - "check":[ - { - "id" : "aaf-sms-health", - "name": "SMS Health Check", - "http": "https://aaf-sms.{{ .Release.Namespace }}:10443/v1/sms/healthcheck", - "tls_skip_verify": true, - "method": "GET", - "interval": "20s", - "timeout": "5s" - } - ] - } -} - diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-data-router-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-data-router-health.json deleted file mode 100644 index be41934e77..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aai-data-router-health.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "A&AI Synapse Data Routing Service", - "checks": [ - { - "id": "data-router-process", - "name": "Synapse Presence", - "script": "/consul/scripts/data-router-script.sh", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-model-loader-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-model-loader-health.json deleted file mode 100644 index 044a844e35..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aai-model-loader-health.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "A&AI Model Loader", - "checks": [ - { - "id": "model-loader-process", - "name": "Model Loader Presence", - "script": "/consul/scripts/model-loader-script.sh", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-search-data-service-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-search-data-service-health.json deleted file mode 100644 index 0817a19cf0..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aai-search-data-service-health.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "service": { - "name": "A&AI Search Data Service", - "checks": [ - { - "id": "elasticsearch", - "name": "Search Data Service Document Store", - "http": "http://aai-elasticsearch:9200/_cat/indices?v", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "elasticsearch-write-health", - "name": "Search Data Service Document Store Write Test", - "script": "/consul/scripts/aai-search-storage-write-script.sh", - "interval": "60s" - }, - { - "id": "search-data-service-availability", - "name": "Search Data Service Availability", - "script": "curl -k --cert /consul/certs/client-cert-onap.crt.pem --cert-type PEM --key /consul/certs/client-cert-onap.key.pem --key-type PEM https://search-data-service:9509/services/search-data-service/v1/jaxrsExample/jaxrs-services/echo/up 2>&1 | grep 'Up'", - "interval": "15s" - }, - { - "id": "search-data-service-api", - "name": "Search Data Service Operational Test", - "script": "/consul/scripts/search-data-service-availability.sh", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-services-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-services-health.json deleted file mode 100644 index 99acff4e61..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aai-services-health.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "service": { - "name": "Active and Available Inventory", - "checks": [ - { - "id": "aai-service", - "name": "Core A&AI", - "http": "https://aai.{{ .Release.Namespace }}:8443/aai/util/echo", - "header": { - "Authorization": ["Basic QUFJOkFBSQ=="], - "X-TransactionId": ["ConsulHealthCheck"], - "X-FromAppId": ["healthcheck"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "aai-resources", - "name": "Resources Microservice", - "http": "https://aai-resources.{{ .Release.Namespace }}:8447/aai/util/echo", - "header": { - "Authorization": ["Basic QUFJOkFBSQ=="], - "X-TransactionId": ["ConsulHealthCheck"], - "X-FromAppId": ["healthcheck"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "aai-traversal", - "name": "Traversal Microservice", - "http": "https://aai-traversal.{{ .Release.Namespace }}:8446/aai/util/echo", - "header": { - "Authorization": ["Basic QUFJOkFBSQ=="], - "X-TransactionId": ["ConsulHealthCheck"], - "X-FromAppId": ["healthcheck"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/aai-sparky-be-health.json b/kubernetes/consul/resources/config/consul-agent-config/aai-sparky-be-health.json deleted file mode 100644 index bf6305c1d0..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/aai-sparky-be-health.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "A&AI UI Backend Service", - "checks": [ - { - "id": "sparky-be-process", - "name": "UI Backend Presence", - "script": "/consul/scripts/sparky-be-script.sh", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-dbbuilder.json b/kubernetes/consul/resources/config/consul-agent-config/appc-dbbuilder.json deleted file mode 100644 index c86361743a..0000000000 
--- a/kubernetes/consul/resources/config/consul-agent-config/appc-dbbuilder.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "service": { - "name": "Health Check: APPC - Dgbuilder", - "checks": [ - { - "id": "appc-dgbuilder", - "name": "APPC-Dgbuilder Server Health Check", - "http": "http://appc-dgbuilder:3000/", - "method": "HEAD", - "header": { - "Authorization": ["Basic ZGd1c2VyOnRlc3QxMjM="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-health.json b/kubernetes/consul/resources/config/consul-agent-config/appc-health.json deleted file mode 100644 index 86f2ce8da0..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/appc-health.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: APPC", - "checks": [ - { - "id": "appc-dbhost-healthcheck", - "name": "APPC DBHost Health Check", - "script": "/consul/scripts/appc-dbhost-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb01-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb01-healthcheck.json deleted file mode 100644 index 230d31f509..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb01-healthcheck.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: APPC-SDN-CTL-DB-01", - "checks": [ - { - "id": "appc-sdnctldb01", - "name": "APPC SDNCTLDB01 Health Check", - "tcp": "appc-sdnctldb01:3306", - "interval": "10s", - "timeout": "1s" - } - ] - } -} 
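Review bot: The removed appc-dbbuilder.json check, like the three checks in aai-services-health.json before it, carries a static `"Authorization": ["Basic ..."]` header. That value is only base64-encoded and stays readable in the repository history after this deletion. If the accounts behind these health checks still exist in any deployment, rotate their passwords alongside this change, and say in the commit message that the consul chart and its embedded credentials were dropped. These checks also set `"tls_skip_verify": true`, and the appc-dbbuilder URL is plain `http://`, so the credential was sent without verified transport protection. A replacement probe should hit an unauthenticated health endpoint or read its secret at runtime rather than from a file in the chart.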
diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb02-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb02-healthcheck.json deleted file mode 100644 index da669e3ac0..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnctldb02-healthcheck.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: APPC-SDN-CTL-DB-02", - "checks": [ - { - "id": "appc-sdnctldb02", - "name": "APPC SDNCTLDB02 Health Check", - "tcp": "appc-sdnctldb02:3306", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnhost.json b/kubernetes/consul/resources/config/consul-agent-config/appc-sdnhost.json deleted file mode 100644 index 1548cab909..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/appc-sdnhost.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "service": { - "name": "Health Check: APPC - SDN Host", - "checks": [ - { - "id": "appc-sdnhost", - "name": "APPC SDN Host Health Check", - "http": "http://appc-sdnhost:8282/apidoc/explorer/index.html", - "method": "HEAD", - "header": { - "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.crt.pem b/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.crt.pem deleted file mode 100644 index b842710c11..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.crt.pem +++ /dev/null 
@@ -1,25 +0,0 @@ -Bag Attributes - friendlyName: tomcat - localKeyID: 54 69 6D 65 20 31 34 39 33 33 32 33 39 32 32 37 35 31 -subject=/C=CA/ST=Ontario/L=Ottawa/O=ONAP/OU=ONAP/CN=ONAP -issuer=/C=CA/ST=Ontario/L=Ottawa/O=ONAP/OU=ONAP/CN=ONAP ------BEGIN CERTIFICATE----- -MIIDWTCCAkGgAwIBAgIERWHcIzANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJD -QTEQMA4GA1UECBMHT250YXJpbzEPMA0GA1UEBxMGT3R0YXdhMQ0wCwYDVQQKEwRP -TkFQMQ0wCwYDVQQLEwRPTkFQMQ0wCwYDVQQDEwRPTkFQMB4XDTE3MDQyNzIwMDUz -N1oXDTM3MDExMjIwMDUzN1owXTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFy -aW8xDzANBgNVBAcTBk90dGF3YTENMAsGA1UEChMET05BUDENMAsGA1UECxMET05B -UDENMAsGA1UEAxMET05BUDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AJsQpjB5U0exZHWKVt6xDzmBBhLiAtv7Qb8zsbAcIZPxuKsieOJykWDCaf+Ip7oe -+b86nf4LmKrNm4KMsDNnlU7Bg7+3HFa7m+tZgfILORv2HPMRXgvcqPFr1dxgTBkp -xtlcGXHhA8oBpmqTmOCitE+ngVH+FBVxN93aHEDz+Dgc06PyzoP/xWI0GjvlOsv/ -qZeXCj6K4Hpu/FSPNk06Piq9M+rDwUMuyaRtY9FWjYMvkMCrRvlZUoAasrC0BGyR -UAboHdk5aW3AZ0cVR6NMSlELcvCUFqzacAOWLgffX3b5vhkOaAsmnnzmxANV6s0t -SqrD6Mmjg5OcYJW4VFKrwjUCAwEAAaMhMB8wHQYDVR0OBBYEFNji+IU70Qgptn4i -boq/rOKNAg8tMA0GCSqGSIb3DQEBCwUAA4IBAQBc5mJLeeUUzJ4MujZjn0DS3Lvv -THJTE54Id1euT3ddzfX3htF0Ewd90YzmLuj1y8r8PXj7b/8Bq+cvoKbmJ42c8h3X -If0tqde+gYWx1X3NAWHwz00Cje9R0KY4Bx1Cvr39jTw/ESnuSQDKPHBnn8WyAS9K -08ZhvrVSK54d3U7tDVut9UVva8Scdi12utTAWaOIlusLo3bU9Z6t+tgg7AnQBYc0 -N9oCMbq/MACFlLSdc1J6NITYS8XHY2RS8u88eLbWkCcEEx1glYz/PMX3+V1Ow9Uy -MjenEx8ifl96ZSOe9XsI2gl2TCaevCY/QuREu4LZB9XmO0gncH7gF5w9Bw2b ------END CERTIFICATE----- diff --git a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.key.pem b/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.key.pem deleted file mode 100644 index 95de561981..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/certs/client-cert-onap.key.pem +++ /dev/null 
@@ -1,32 +0,0 @@ -Bag Attributes - friendlyName: tomcat - localKeyID: 54 69 6D 65 20 31 34 39 33 33 32 33 39 32 32 37 35 31 -Key Attributes: ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCbEKYweVNHsWR1 -ilbesQ85gQYS4gLb+0G/M7GwHCGT8birInjicpFgwmn/iKe6Hvm/Op3+C5iqzZuC -jLAzZ5VOwYO/txxWu5vrWYHyCzkb9hzzEV4L3Kjxa9XcYEwZKcbZXBlx4QPKAaZq -k5jgorRPp4FR/hQVcTfd2hxA8/g4HNOj8s6D/8ViNBo75TrL/6mXlwo+iuB6bvxU -jzZNOj4qvTPqw8FDLsmkbWPRVo2DL5DAq0b5WVKAGrKwtARskVAG6B3ZOWltwGdH -FUejTEpRC3LwlBas2nADli4H3192+b4ZDmgLJp585sQDVerNLUqqw+jJo4OTnGCV -uFRSq8I1AgMBAAECggEANFs6wcM1S0+qC8XZ7vb5nQDjfByzunLrkBN0O3JEJB/J -qn7JMixcyb7a61zIxR8QVHEGR3DC62jgyQOXusOOtjjAs0qwVtihnKVsKr1/WuGO -hMOobXjj0iAG5ZHeH+DrMxjVvo2rKdnExtdvFunY18xG7dhMD7Fam525THUTql4K -yxhT7X6MrfS1eFjbR6oAIGNjoNTwyyEjEm4yvHO3PnG2NeyIeu7zIO2k+GimAAXT -tN3AK30lmr3+35k6o+XQAhDE4/6msn6jBVSdLfK35ATFGwrojD0bCgALR4SUNEyd -i33nuNLGyeI7DPWbqmjyWQW9uWLFJD85We2HzqBZQQKBgQDIrJ4PLvYE75dFWnSa -lBr1HZbl/x5mP56MVEiwTabRbUsJoXKlX44lm9hwQaPbuoUAflb1ZtNKbyiRVsuN -Ft5RToU9PWXyFtc2eyLCJToxHI4MhsuGRAaEeic5+l12wdpRxl74eeXdKJK4P/iU -8wdhSxDG2ekkj6lyye5l5iwcBwKBgQDF0Pptcs+yPCz9FRqCmHT/I4QTK1VSD6mW -F2Yd2KEUa4aocIb+L56ghJfYR+enIe9hHmb0ulomJaLLTicZJk6ffDfaQpCFBiS7 -BirDqHX8zlnBHePrBzZPyA5EfGMLxlP4uUk4g28JMFBJaZTEXAnQLUH0mIm0o0YR -mbsaVo/Y4wKBgFsG8iuxAaf7hoLPJVV5GUFWyrxJnWCEO0csdEyE7MbS7NbRhU++ -qJwmtWc2Xz2svegbZxaqLe31vlEvLeYyGWaIV6gP0c6ezcDI2lt2x46/hS/pdSjS -cqJlRqXmC79y77VoZmwP31USsnshiYEHPLHFeza4YilTgWmwb5OJdTjBAoGBAJBC -0P7UhedjvyNqKoUnDdurWPxp07Ueuvw8YDpP61jq+a8JMUlaDQLe76XI+oWGV/6p -n0fGR0weklRV0Gmk6B2jB1BizuZUDqFd4/4ActtE2WvekoKqJc+VA+KqG8lQf5iZ -924BXA6Fb2e6WcXBoV5yQvFP9M0JbWYUiMCydAElAoGBAKof78r8POfTPq9fQA9I -0zsQGnxqnSqyIu5yobM3GyXHBPOKdevlxyXxuMnGTr7upSNZrDrrA+f5Czlu7Fas -qdt/5PmqYQjRsVoHNQFatUzHWwx2vU2Pr1jBpZFBpnjnLwn3A35+UEWn13nCjkla -TrDniEcyId4ya5cMLDnM7Zgw ------END PRIVATE KEY----- 
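Review bot: client-cert-onap.key.pem is an unencrypted PKCS#8 private key (`-----BEGIN PRIVATE KEY-----`) that was committed next to its self-signed certificate (subject and issuer are both `CN=ONAP`). Deleting the file does not remove it from history, so the key pair has to be treated as disclosed. The removed search-data-service check presented this pair as a client certificate (`curl -k --cert /consul/certs/client-cert-onap.crt.pem ...`). Before merging, confirm that no service still accepts this certificate for client authentication, and replace it wherever it is trusted. Future key material should come from a Kubernetes Secret or a certificate issuer rather than from `resources/config`.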
diff --git a/kubernetes/consul/resources/config/consul-agent-config/clamp-health.json b/kubernetes/consul/resources/config/consul-agent-config/clamp-health.json deleted file mode 100644 index 5fb57b4b6b..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/clamp-health.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "service": { - "name": "Health Check: CLAMP", - "check":[ - { - "id" : "clamp-health", - "name": "Clamp Health Check", - "http": "http://clamp:8080/restservices/clds/v1/clds/healthcheck", - "tls_skip_verify": true, - "method": "GET", - "interval": "10s", - "timeout": "1s" - } - ] - } -} - diff --git a/kubernetes/consul/resources/config/consul-agent-config/clamp-mariadb-health.json b/kubernetes/consul/resources/config/consul-agent-config/clamp-mariadb-health.json deleted file mode 100644 index f5ae467d74..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/clamp-mariadb-health.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "service": { - "name": "Health Check: CLAMP - MariaDb", - "checks": [ - { - "id": "clamp-mariadb", - "name": "CLAMP Mariadb Health Check", - "script": "/consul/scripts/clamp-mariadb-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - - } -} - diff --git a/kubernetes/consul/resources/config/consul-agent-config/cli-health-check.json b/kubernetes/consul/resources/config/consul-agent-config/cli-health-check.json deleted file mode 100644 index 81e55cb871..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/cli-health-check.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "service": { - "name": "Health Check: ONAP CLI", - "checks": [ - { - "id": "cli", - "name": "CLI Health Check", - "http": "http://cli.{{include "common.namespace" .}}:8080", - "method": "GET", - "interval": "3600s", - "timeout": "1s" - } - ] - } -} 
diff --git a/kubernetes/consul/resources/config/consul-agent-config/log-elastic-search.json b/kubernetes/consul/resources/config/consul-agent-config/log-elastic-search.json deleted file mode 100644 index 6e580579e1..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/log-elastic-search.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "service": { - "name": "Health Check: Log - Elastic Search", - "checks": [ - { - "id": "log-elasticsearch-server", - "name": "Log Elastic Search Health Check", - "http": "http://log-es:9200/_cluster/health?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-elasticsearch-tcp", - "name": "Log Elastic Search TCP Health Check", - "tcp": "log-es-tcp:9300", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/log-kibana.json b/kubernetes/consul/resources/config/consul-agent-config/log-kibana.json deleted file mode 100644 index 6bca63f7bf..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/log-kibana.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "service": { - "name": "Health Check: Log - Kibana", - "checks": [ - { - "id": "log-kibana-server", - "name": "Log kibana Health Check", - "http": "http://log-kibana:5601/status", - "method": "HEAD", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/log-logstash.json b/kubernetes/consul/resources/config/consul-agent-config/log-logstash.json deleted file mode 100644 index ea32ecfe2a..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/log-logstash.json +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "service": { - "name": "Health Check: Log - Log Stash", - "checks": [ - { - "id": "log-logstash-internal-server-gi", - "name": "Log Stash Health Check - General Information", - "http": "http://log-ls-http:9600/?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-node-info", - "name": "Log Stash Health Check - Node Information", - "http": "http://log-ls-http:9600/_node/?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-os-info", - "name": "Log Stash Health Check - OS Information", - "http": "http://log-ls-http:9600/_node/os?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-jvm-info", - "name": "Log Stash Health Check - JVM Information", - "http": "http://log-ls-http:9600/_node/jvm?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-plugin-info", - "name": "Log Stash Health Check - Plugin Information", - "http": "http://log-ls-http:9600/_node/plugins?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-node-stat", - "name": "Log Stash Health Check - Node Stats", - "http": "http://log-ls-http:9600/_node/stats?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-jvm-stat", - "name": "Log Stash Health Check - JVM Stats", - "http": "http://log-ls-http:9600/_node/stats/jvm?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-process-stat", - "name": "Log Stash Health Check - Process Stats", - "http": 
"http://log-ls-http:9600/_node/stats/process?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-internal-server-os-stat", - "name": "Log Stash Health Check - OS Stats", - "http": "http://log-ls-http:9600/_node/stats/os?pretty", - "method": "GET", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "log-logstash-tcp", - "name": "Log Stash File Beat TCP Health Check", - "tcp": "log-ls:5044", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/model-loader.properties b/kubernetes/consul/resources/config/consul-agent-config/model-loader.properties deleted file mode 100644 index aae18b1e98..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/model-loader.properties +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# Model Loader Distribution Client Configuration -ml.distribution.ACTIVE_SERVER_TLS_AUTH=false -ml.distribution.ASDC_ADDRESS=c2.vm1.sdc.simpledemo.openecomp.org:8443 -ml.distribution.CONSUMER_GROUP=aai-ml-group -ml.distribution.CONSUMER_ID=aai-ml -ml.distribution.ENVIRONMENT_NAME=AUTO -ml.distribution.KEYSTORE_PASSWORD= -ml.distribution.KEYSTORE_FILE=asdc-client.jks -ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp -ml.distribution.POLLING_INTERVAL=30 -ml.distribution.POLLING_TIMEOUT=20 -ml.distribution.USER=aai -ml.distribution.ARTIFACT_TYPES=MODEL_INVENTORY_PROFILE,MODEL_QUERY_SPEC,VNF_CATALOG - -# Model Loader AAI REST Client Configuration -ml.aai.BASE_URL=https://c1.vm1.aai.simpledemo.openecomp.org:8443 -ml.aai.MODEL_URL=/aai/v10/service-design-and-creation/models/model/ -ml.aai.NAMED_QUERY_URL=/aai/v10/service-design-and-creation/named-queries/named-query/ -ml.aai.VNF_IMAGE_URL=/aai/v8/service-design-and-creation/vnf-images -ml.aai.KEYSTORE_FILE=aai-os-cert.p12 -ml.aai.KEYSTORE_PASSWORD=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o -ml.aai.AUTH_USER=ModelLoader -ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw 
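Review bot: `ml.distribution.PASSWORD`, `ml.aai.KEYSTORE_PASSWORD` and `ml.aai.AUTH_PASSWORD` in the removed model-loader.properties use the `OBF:` prefix, which is Jetty's reversible obfuscation, not encryption. Treat these values as plaintext secrets that remain in history after the deletion. If the `aai` and `ModelLoader` accounts or the keystores they protect are still in use anywhere, rotate them with this change. The commit message should mention that a properties file with credentials was removed, so operators know to check.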
diff --git a/kubernetes/consul/resources/config/consul-agent-config/mr-health.json b/kubernetes/consul/resources/config/consul-agent-config/mr-health.json deleted file mode 100644 index d8c056f006..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/mr-health.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "service": { - "name": "Health Check: DMaaP", - "checks":[ - { - "id": "dmaap", - "name": "Health Check: Message Router", - "http": "http://message-router:3904/topics", - "tls_skip_verify": true, - "interval": "30s", - "timeout": "1s" - }, - { - "id": "mr-zookeeper", - "name": "Health Check: Message Router - ZooKeeper", - "script": "/consul/scripts/mr-zookeeper-health.sh", - "interval": "10s", - "timeout": "5s" - }, - { - "id": "mr-kafka", - "name": "Health Check: Message Router - Kafka", - "script": "/consul/scripts/mr-kafka-health.sh", - "interval": "30s", - "timeout": "5s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/msb-health.json b/kubernetes/consul/resources/config/consul-agent-config/msb-health.json deleted file mode 100644 index ad4e422be1..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/msb-health.json +++ /dev/null 
@@ -1,39 +0,0 @@ -{ - "service": { - "name": "Health Check: MSB", - "checks": [ - { - "id": "msb-eag", - "name": "MSB eag Health Check", - "http": "http://msb-eag:80/iui/microservices/default.html", - "method": "HEAD", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "msb-iag", - "name": "MSB iag Health Check", - "http": "http://msb-iag:80/iui/microservices/default.html", - "method": "HEAD", - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "msb-consul", - "name": "MSB consul Health Check", - "tcp": "msb-consul:8500", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "msb-discovery", - "name": "MSB discovery Health Check", - "tcp": "msb-discovery:10081", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/multicloud-health-check.json b/kubernetes/consul/resources/config/consul-agent-config/multicloud-health-check.json deleted file mode 100644 index f6e48fac6b..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/multicloud-health-check.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "service": { - "name": "Health Check: MULTICLOUD", - "checks": [ - { - "id": "framework", - "name": "Framework Health Check", - "http": "http://framework:9001/api/multicloud/v0/swagger.json", - "method": "HEAD", - "header": { - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "multicloud-pike", - "name": "Multicloud Pike Health Check", - "http": "http://multicloud-pike:9007/api/multicloud-pike/v0/swagger.json", - "method": "HEAD", - "header": { - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "multicloud-starlingx", - "name": "Multicloud Starlingx Health Check", - "http": "http://multicloud-starlingx:9009/api/multicloud-starlingx/v0/swagger.json", - "method": "HEAD", - "header": { - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "multicloud-vio", - "name": "Multicloud Vio Health Check", - "http": "http://multicloud-vio:9004/api/multicloud-vio/v0/swagger.json", - "method": "HEAD", - "header": { - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "multicloud-windriver", - "name": "Multicloud Windriver Health Check", - "http": "http://multicloud-windriver:9005/api/multicloud-titaniumcloud/v1/swagger.json", - "method": "HEAD", - "header": { - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} 
diff --git a/kubernetes/consul/resources/config/consul-agent-config/policy-health.json b/kubernetes/consul/resources/config/consul-agent-config/policy-health.json deleted file mode 100644 index 9cad9dc1d5..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/policy-health.json +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - "service": { - "name": "Health Check: Policy", - "checks": [ - { - "id": "Policy-mariadb-healthcheck", - "name": "Policy Mariadb Health Check", - "script": "/consul/scripts/policy-mariadb-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "policy-nexus-local-status", - "name": "Policy Nexus Local Status", - "http": "http://nexus:8081/nexus/service/local/status", - "method": "GET", - "header": { - "Authorization": ["Basic YWRtaW46YWRtaW4xMjM="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "policy-nexus-internal-metrics", - "name": "Policy Nexus Internal Metrics", - "http": "http://nexus:8081/nexus/internal/metrics", - "method": "GET", - "header": { - "Authorization": ["Basic YWRtaW46YWRtaW4xMjM="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "policy-nexus-internal-healthcheck", - "name": "Policy Nexus Internal Healthcheck", - "http": "http://nexus:8081/nexus/internal/healthcheck", - "method": "GET", - "header": { - "Authorization": ["Basic YWRtaW46YWRtaW4xMjM="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "brmsgw-tcp", - "name": "BRMSGW Health Check", - "tcp": "brmsgw:9989", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "drools", - "name": "Drools Health Check", - "http": "https://drools:6969/healthcheck", - "method": "GET", - "header": { - "Authorization": ["Basic ZGVtb0BwZW9wbGUub3NhYWYub3JnOmRlbW8xMjM0NTYh"], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - 
"timeout": "1s" - }, - { - "id": "pap", - "name": "PAP Health Check", - "http": "https://pap:9091/pap/test", - "method": "GET", - "header": { - "Authorization": ["Basic dGVzdHBhcDphbHBoYTEyMw=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "pdp", - "name": "PDP Health Check", - "http": "https://pdp:8081/pdp/test", - "method": "GET", - "header": { - "Authorization": ["Basic dGVzdHBkcDphbHBoYTEyMw=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-doc.txt b/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-doc.txt deleted file mode 100644 index a6e084cfea..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-doc.txt +++ /dev/null @@ -1,9 +0,0 @@ -{ - "vnfId" : "testwrite", - "device" : "10.198.1.31", - "timestamp" : "2017-08-23T19:13:56Z", - "jdmTotalMem" : "2097152", - "jdmAvailableMem" : "1877272", - "jdmUserCpu" : "16", - "jdmSystemCpu" : "3" -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-script.sh deleted file mode 100755 index 91223f527e..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/aai-search-storage-write-script.sh +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -if curl -s -X PUT http://aai-elasticsearch:9200/searchhealth/stats/testwrite -d @/consul/scripts/aai-search-storage-write-doc.txt | grep '\"created\":true'; then - if curl -s -X DELETE http://aai-elasticsearch:9200/searchhealth/stats/testwrite | grep '\"failed\":0'; then - if curl -s -X GET http://aai-elasticsearch:9200/searchhealth/stats/testwrite | grep '\"found\":false'; then - echo Successful PUT, DELETE, GET from Search Document Storage 2>&1 - exit 0 - else - echo Failed GET from Search Document Storage 2>&1 - exit 1 - fi - else - echo Failed DELETE from Search Document Storage 2>&1 - exit 1 - fi -else - echo Failed PUT from Search Document Storage 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/appc-dbhost-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/appc-dbhost-script.sh deleted file mode 100755 index 96e4864514..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/appc-dbhost-script.sh +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -APPC_DBHOST_POD=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "appc-dbhost-[^[:space:]]*") -if [ -n "$APPC_DBHOST_POD" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $APPC_DBHOST_POD -- ./healthcheck.sh |grep -i "mysqld is alive"; then - echo Success. APPC DBHost is running. 2>&1 - exit 0 - else - echo Failed. APPC DBHost is not running. 2>&1 - exit 1 - fi -else - echo Failed. APPC DBHost is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/clamp-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/clamp-mariadb-script.sh deleted file mode 100644 index 1b721b363c..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/clamp-mariadb-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-clampdb[^[:space:]]*") - - if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then - echo Success. CLAMP DBHost is running. 2>&1 - exit 0 - else - echo Failed. CLAMP DBHost is not running. 2>&1 - exit 1 - fi - else - echo Failed. CLAMP DBHost is offline. 2>&1 - exit 1 - fi - diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/data-router-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/data-router-script.sh deleted file mode 100755 index 2e0078c72f..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/data-router-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "aai-data-router[^[:space:]]*") - -if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- ps -efww | grep 'java' | grep 'data-router' > /dev/null; then - - echo Success. Synapse process is running. 2>&1 - exit 0 - else - echo Failed. Synapse process is not running. 2>&1 - exit 1 - fi -else - echo Failed. Synapse container is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/model-loader-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/model-loader-script.sh deleted file mode 100755 index e049402578..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/model-loader-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "aai-model-loader[^[:space:]]*") - -if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- ps -efww | grep 'java' | grep 'model-loader' > /dev/null; then - - echo Success. Model Loader process is running. 2>&1 - exit 0 - else - echo Failed. Model Loader process is not running. 2>&1 - exit 1 - fi -else - echo Failed. Model Loader container is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-kafka-health.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-kafka-health.sh deleted file mode 100755 index 816a0103f6..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-kafka-health.sh +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -kafkapod=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-message-router-kafka-[^[:space:]]*") -if [ -n "$kafkapod" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $kafkapod -- ps ef | grep -i kafka; then - echo Success. Kafka process is running. 2>&1 - exit 0 - else - echo Failed. Kafka is not running. 2>&1 - exit 1 - fi -else - echo Failed. Kafka container is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-zookeeper-health.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-zookeeper-health.sh deleted file mode 100755 index debcfd1868..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/mr-zookeeper-health.sh +++ /dev/null 
@@ -1,31 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -zkpod=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-message-router-zookeeper-[^[:space:]]*") -if [ -n "$zkpod" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $zkpod -- ps aux | grep -i zookeeper; then - echo Success. Zookeeper process is running. 2>&1 - exit 0 - else - echo Failed. Zookeeper is not running. 2>&1 - exit 1 - fi -else - echo Failed. Zookeeper container is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/policy-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/policy-mariadb-script.sh deleted file mode 100644 index 865d477b7d..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/policy-mariadb-script.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-policydb[^[:space:]]*") - - if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then - echo Success. mariadb process is running. 2>&1 - exit 0 - else - echo Failed. mariadb process is not running. 2>&1 - exit 1 - fi - else - echo Failed. mariadb container is offline. 2>&1 - exit 1 - fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-be-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-be-script.sh deleted file mode 100755 index c362ffed34..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-be-script.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -## Strip out the ON_BOARDING section from the response XML (otherwise we will -## get duplicate results when we search for component BE) and check to see if -## the BE component is reported as up. -READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "BE" | grep "UP") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-cs-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-cs-script.sh deleted file mode 100755 index 18b5b9d4bd..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-cs-script.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -## Strip out the ON_BOARDING section from the response XML (otherwise we will -## get duplicate results when we search for component CASSANDRA) and check to see if -## the CASSANDRA component is reported as up. -READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "CASSANDRA" | grep "UP") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-fe-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-fe-script.sh deleted file mode 100755 index 21a2b80a3d..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-fe-script.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -## Strip out the ON_BOARDING section from the response XML (otherwise we will -## get duplicate results when we search for component FE) and check to see if -## the FE component is reported as up. -READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "FE" | grep "UP") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-titan-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-titan-script.sh deleted file mode 100755 index fad3ddb293..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdc-titan-script.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://sdc-fe:8181/sdc1/rest/healthCheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -## Strip out the ON_BOARDING section from the response XML (otherwise we will -## get duplicate results when we search for component TITAN) and check to see if -## the TITAN component is reported as up. -READY=$(echo "$HEALTH_CHECK_RESPONSE" | sed '/ON_BOARDING/,/]/d' | grep -A 1 "TITAN" | grep "UP") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-cluster-health.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-cluster-health.sh deleted file mode 100755 index ed7aefc0cf..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-cluster-health.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/sh -{{/* - -# Copyright © 2018 Amdocs -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# query ODL cluster state -USERNAME="{{.Values.odl.jolokia.username}}" -PASSWORD="{{.Values.odl.jolokia.password}}" - -count=${SDNC_ODL_COUNT:-1} -siteId=0 -if [ "$SDNC_IS_PRIMARY_CLUSTER" = "false" ];then - siteId=1 -fi - -for instance in $(seq $count);do - shard=member-$(( $siteId*$count + $instance ))-shard-default-config - mbean=Category=Shards,name=$shard,type=DistributedConfigDatastore - url=http://{{ include "common.release" . }}-sdnc-$(( $instance-1 )).sdnc-cluster.{{.Release.Namespace}}:8181/jolokia/read/org.opendaylight.controller:$mbean - - response=$( curl -s -u $USERNAME:$PASSWORD $url ) - rc=$? - if [ $rc -ne 0 ];then - # failed to contact SDN-C instance - try another - echo "Unable to connect to $shard [rc=$?]" - continue - fi - - status=$( echo "$response" | jq -r ".status" ) - if [ "$status" != "200" ];then - # query failed, try another instance - echo "$shard query failed [http-status=$status]" - continue - fi - - raftState=$( echo "$response" | jq -r ".value.RaftState" ) - if [ "$raftState" = "Leader" -o "$raftState" = "Follower" ];then - # cluster has a leader and is healthy - echo "$shard is healthy [RaftState=$raftState]" - exit 0 - else - echo "$shard is not healthy [RaftState=$raftState]" - fi -done - -# ODL cluster is not healthy -exit 2 
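Review bot: in the deleted policy-health.json, the Nexus, Drools, PAP and PDP checks each carry a hardcoded "Authorization": ["Basic ..."] header, and removing the file does not remove those values from the repository history. A Basic header is only base64 of username:password, so treat these credentials as disclosed: confirm they were demo defaults or have been rotated, and feed any replacement probe from a Kubernetes Secret instead of a committed file. The drools, pap and pdp checks also combined https:// URLs with "tls_skip_verify": true; a replacement should verify the server certificate.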
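Review bot: policy-mariadb-script.sh, like the other kubectl-based scripts removed here, had the Consul agent run /consul/bin/kubectl with `get pod` and `exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD'`, which requires pod list and pods/exec rights in the namespace. The lines shown here remove only the scripts; please check that the service account permissions and the bundled kubectl binary that existed for these checks are dropped in the same change, so the agent is not left with exec access it no longer uses.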
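Review bot: sdnc-cluster-health.sh rendered {{.Values.odl.jolokia.username}} and {{.Values.odl.jolokia.password}} directly into the script body and passed them with `curl -s -u $USERNAME:$PASSWORD $url` over plain http://, so the Jolokia password sat in the rendered config and on the curl command line. With the script deleted, check whether the odl.jolokia.* values are still referenced by anything in the consul chart and remove them if not. For the record, the "Unable to connect" message printed $? after `rc=$?` had already reset it, so the logged rc was always 0; worth knowing if anyone relied on those logs.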
diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-dbhost-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-dbhost-script.sh deleted file mode 100755 index c0fbcfbbe3..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sdnc-dbhost-script.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -SDNC_DBHOST_POD=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "sdnc-dbhost-[^[:space:]]*") -if [ -n "$SDNC_DBHOST_POD" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $SDNC_DBHOST_POD -- ./healthcheck.sh |grep -i "mysqld is alive"; then - echo Success. SDNC DBHost is running. 2>&1 - exit 0 - else - echo Failed. SDNC DBHost is not running. 2>&1 - exit 1 - fi -else - echo Failed. SDNC DBHost is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/search-data-service-availability.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/search-data-service-availability.sh deleted file mode 100644 index 68ab27dbc9..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/search-data-service-availability.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/sh -{{/* - -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -SEARCH_SERVICE_NAME="search-data-service.{{ include "common.namespace" . }}" -SEARCH_SERVICE_PORT=9509 -HEALTH_CHECK_INDEX="healthcheck" - -# 'Document Index' REST Endpoint -INDEX_URL="https://$SEARCH_SERVICE_NAME:$SEARCH_SERVICE_PORT/services/search-data-service/v1/search/indexes/$HEALTH_CHECK_INDEX" -INDEX_SCHEMA="{\"fields\":[{\"name\": \"field1\", \"data-type\": \"string\"}]}" - -SEARCH_CERT_FILE="/consul/certs/client-cert-onap.crt.pem" -SEARCH_KEY_FILE="/consul/certs/client-cert-onap.key.pem" - -## Try to create an index via the Search Data Service API. -CREATE_INDEX_RESP=$(curl -s -o /dev/null -w "%{http_code}" -k --cert $SEARCH_CERT_FILE --cert-type PEM --key $SEARCH_KEY_FILE --key-type PEM -d "$INDEX_SCHEMA" --header "Content-Type: application/json" --header "X-TransactionId: ConsulHealthCheck" -X PUT $INDEX_URL) - -RESULT_STRING=" " - -if [ $CREATE_INDEX_RESP -eq 201 ]; then - RESULT_STRING="Service Is Able To Communicate With Back End" -elif [ $CREATE_INDEX_RESP -eq 400 ]; then - # A 400 response could mean that the index already exists (ie: we didn't - # clean up after ourselves on a previous check), so log the response but - # don't exit yet. If we fail on the delete then we can consider the - # check a failure, otherwise, we are good. 
- RESULT_STRING="$RESULT_STRING Create Index [FAIL - 400 (possible index already exists)] " -else - RESULT_STRING="Service API Failure - $CREATE_INDEX_RESP" - echo $RESULT_STRING - exit 1 -fi - -## Now, clean up after ourselves. -DELETE_INDEX_RESP=$(curl -s -o /dev/null -w "%{http_code}" -k --cert $SEARCH_CERT_FILE --cert-type PEM --key $SEARCH_KEY_FILE --key-type PEM -d "{ }" --header "Content-Type: application/json" --header "X-TransactionId: ConsulHealthCheck" -X DELETE $INDEX_URL) - -if [ $DELETE_INDEX_RESP -eq 200 ]; then - RESULT_STRING="Service Is Able To Communicate With Back End" -else - RESULT_STRING="Service API Failure - $DELETE_INDEX_RESP" - echo $RESULT_STRING - exit 1 -fi - -echo $RESULT_STRING -return 0 diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-api-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-api-script.sh deleted file mode 100755 index e0acea7ce9..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-api-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://so:8080/ecomp/mso/infra/healthcheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -READY=$(echo $HEALTH_CHECK_RESPONSE | grep "Application ready") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-camunda-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-camunda-script.sh deleted file mode 100755 index 2ef5f8c4dd..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-camunda-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://so:8080/mso/healthcheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -READY=$(echo $HEALTH_CHECK_RESPONSE | grep "Application ready") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-jra-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-jra-script.sh deleted file mode 100755 index deee34c001..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-jra-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -## Query the health check API. -HEALTH_CHECK_ENDPOINT="http://so:8080/networks/rest/healthcheck" -HEALTH_CHECK_RESPONSE=$(curl -s $HEALTH_CHECK_ENDPOINT) - -READY=$(echo $HEALTH_CHECK_RESPONSE | grep "Application ready") - -if [ -n $READY ]; then - echo "Query against health check endpoint: $HEALTH_CHECK_ENDPOINT" - echo "Produces response: $HEALTH_CHECK_RESPONSE" - echo "Application is not in an available state" - return 2 -else - echo "Application is available." - return 0 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/so-mariadb-script.sh deleted file mode 100755 index a0974c0a45..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/so-mariadb-script.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-so-db[^[:space:]]*") - - if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then - echo Success. mariadb process is running. 2>&1 - exit 0 - else - echo Failed. mariadb process is not running. 2>&1 - exit 1 - fi - else - echo Failed. mariadb container is offline. 2>&1 - exit 1 - fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/sparky-be-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/sparky-be-script.sh deleted file mode 100755 index 19134cfa76..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/sparky-be-script.sh +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "aai-sparky-be[^[:space:]]*") - -if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- ps -efww | grep 'java' | grep 'sparky' > /dev/null; then - - echo Success. UI Backend Service process is running. 2>&1 - exit 0 - else - echo Failed. UI Backend Service process is not running. 2>&1 - exit 1 - fi -else - echo Failed. UI Backend Service container is offline. 2>&1 - exit 1 -fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/scripts/vid-mariadb-script.sh b/kubernetes/consul/resources/config/consul-agent-config/scripts/vid-mariadb-script.sh deleted file mode 100755 index 7b0bc246f6..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/scripts/vid-mariadb-script.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -NAME=$(/consul/bin/kubectl -n {{ include "common.namespace" . }} get pod | grep -o "[^[:space:]]*-vid-mariadb[^[:space:]]*") - - if [ -n "$NAME" ]; then - if /consul/bin/kubectl -n {{ include "common.namespace" . }} exec -it $NAME -- sh -c 'mysqladmin status -u root -p$MYSQL_ROOT_PASSWORD' > /dev/null; then - echo Success. mariadb process is running. 2>&1 - exit 0 - else - echo Failed. mariadb process is not running. 2>&1 - exit 1 - fi - else - echo Failed. mariadb container is offline. 2>&1 - exit 1 - fi diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdc-health.json b/kubernetes/consul/resources/config/consul-agent-config/sdc-health.json deleted file mode 100644 index 105635b592..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdc-health.json +++ /dev/null 
@@ -1,49 +0,0 @@ -{ - "service": { - "name": "Health Check: SDC", - "checks": [ - { - "id": "sdc-fe-healthcheck", - "name": "SDC Front End Health Check", - "script": "/consul/scripts/sdc-fe-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "sdc-be-healthcheck", - "name": "SDC Back End Health Check", - "script": "/consul/scripts/sdc-be-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "sdc-titan-healthcheck", - "name": "SDC Titan Health Check", - "script": "/consul/scripts/sdc-titan-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "sdc-cs-healthcheck", - "name": "SDC Cassandra Health Check", - "script": "/consul/scripts/sdc-cs-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "sdc-catalog-healthcheck", - "name": "SDC Catalog Health Check", - "http": "https://sdc-be:8443/asdc/v1/catalog/services", - "header": { - "Authorization": ["Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU="], - "X-ECOMP-InstanceID": ["VID"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-cluster-health.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-cluster-health.json deleted file mode 100644 index 86a7630392..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-cluster-health.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC ODL Cluster", - "checks": [ - { - "id": "sdnc-odl-cluster-healthcheck", - "name": "SDNC ODL Cluster Health Check", - "script": "/consul/scripts/sdnc-cluster-health.sh", - "interval": "15s", - "timeout": "10s" - } - ] - } -} 
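Review bot: the removed SO health-check scripts (the three hunks that curl `http://so:8080/...healthcheck`) test `if [ -n $READY ]` with the variable unquoted, which evaluates true even when grep matched nothing, and the branch it guards prints "Application is not in an available state", so the check is inverted and can never report healthy. The top-level `return 2` / `return 0` should also have been `exit`. Please say in the commit message that these checks were non-functional, and make sure whatever readiness signal replaces them quotes the variable (`[ -n "$READY" ]`) and maps a match to success.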
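Review bot: in sdc-health.json the `sdc-catalog-healthcheck` entry pairs a literal `Authorization: Basic ...` header with `"tls_skip_verify": true` on an `https://sdc-be:8443` URL, so a credential was committed in the clear and sent over a connection whose certificate was never validated. Deleting the file does not remove the value from history. Please confirm in the change description that this credential has been rotated or is no longer accepted by sdc-be, and that any probe replacing this one reads it from a Secret and verifies the server certificate. The same header pattern with `tls_skip_verify` appears in the sdnc-dgbuilder.json, sdnc-health.json, sdnc-sdnhost.json and vid-health.json hunks further down.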
diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dbhost.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-dbhost.json deleted file mode 100644 index ea0ae562e9..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dbhost.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC - DB Host", - "checks": [ - { - "id": "sdnc-dbhost-healthcheck", - "name": "SDNC DBHOST Health Check", - "script": "/consul/scripts/sdnc-dbhost-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dgbuilder.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-dgbuilder.json deleted file mode 100644 index 72e6be9093..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-dgbuilder.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC - DGBuilder", - "checks": [ - { - "id": "sdnc-dgbuilder", - "name": "SDNC-DGbuilder Health Check", - "http": "http://sdnc-dgbuilder:3000/", - "method": "HEAD", - "header": { - "Authorization": ["Basic ZGd1c2VyOnRlc3QxMjM="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-health.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-health.json deleted file mode 100644 index 5f42835cf7..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-health.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC", - "checks": [ - { - "id": "odl-api-healthcheck", - "name": "SDNC API Health Check", - "http": "http://sdnc:8282/restconf/operations/SLI-API:healthcheck", - "method": "POST", - "header": { - "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb01-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb01-healthcheck.json deleted file mode 100644 index ed196bd0cf..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb01-healthcheck.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC-SDN-CTL-DB-01", - "checks": [ - { - "id": "sdnctldb01", - "name": "SDNC SDNCTLDB01 Health Check", - "tcp": "sdnc-sdnctldb01:3306", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb02-healthcheck.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb02-healthcheck.json deleted file mode 100644 index b63329f544..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnctldb02-healthcheck.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC-SDN-CTL-DB-02", - "checks": [ - { - "id": "sdnctldb02", - "name": "SDNC SDNCTLDB02 Health Check", - "tcp": "sdnc-sdnctldb02:3306", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnhost.json b/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnhost.json deleted file mode 100644 index db84164fc7..0000000000 
--- a/kubernetes/consul/resources/config/consul-agent-config/sdnc-sdnhost.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "service": { - "name": "Health Check: SDNC - SDN Host", - "checks": [ - { - "id": "sdnc-sdnhost", - "name": "SDNC SDN Host Health Check", - "http": "http://sdnc:8282/apidoc/explorer/index.html", - "method": "HEAD", - "header": { - "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/so-health.json b/kubernetes/consul/resources/config/consul-agent-config/so-health.json deleted file mode 100644 index 565c4a4a7a..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/so-health.json +++ /dev/null @@ -1,28 +0,0 @@ -{ - "service": { - "name": "Health Check: SO", - "checks": [ - { - "id": "so-api-healthcheck", - "name": "SO API Health Check", - "script": "/consul/scripts/so-api-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "so-camunda-healthcheck", - "name": "SO Camunda Health Check", - "script": "/consul/scripts/so-camunda-script.sh", - "interval": "10s", - "timeout": "1s" - }, - { - "id": "so-jra-healthcheck", - "name": "SO JRA Health Check", - "script": "/consul/scripts/so-jra-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/so-mariabdb.json b/kubernetes/consul/resources/config/consul-agent-config/so-mariabdb.json deleted file mode 100644 index fb554208e4..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/so-mariabdb.json +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "service": { - "name": "Health Check: SO - MariaDb", - "checks": [ - { - "id": "so-mariadb", - "name": "SO Mariadb Health Check", - "script": "/consul/scripts/so-mariadb-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/vfc-health.json b/kubernetes/consul/resources/config/consul-agent-config/vfc-health.json deleted file mode 100644 index 3661ac708b..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/vfc-health.json +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "service": { - "name": "Health Check: VFC", - "checks": [ - { - "id": "vfc-catalog", - "name": "VFC catalog Health Check", - "tcp": "vfc-catalog:8806", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-emsdriver", - "name": "VFC emsdriver Health Check", - "tcp": "vfc-ems-driver:8206", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-gvnfmdriver", - "name": "VFC gvnfmdriver Health Check", - "tcp": "vfc-generic-vnfm-driver:8484", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-hwvnfmdriver", - "name": "VFC hwvnfmdriver Health Check", - "tcp": "vfc-huawei-vnfm-driver:8482", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-jujudriver", - "name": "VFC jujudriver Health Check", - "tcp": "vfc-juju-vnfm-driver:8483", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-nokiavnfmdriver", - "name": "VFC nokiavnfmdriver Health Check", - "tcp": "vfc-nokia-vnfm-driver:8486", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-nokiav2vnfmdriver", - "name": "VFC nokiav2vnfmdriver Health Check", - "tcp": "vfc-nokia-v2vnfm-driver:8089", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-nslcm", - "name": "VFC nslcm Health Check", - "tcp": "vfc-nslcm:8403", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-resmgr", - "name": "VFC resmgr Health Check", - "tcp": "vfc-resmgr:8480", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-vnflcm", - "name": "VFC vnflcm Health Check", - "tcp": "vfc-vnflcm:8801", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-vnfmgr", - "name": "VFC vnfmgr Health Check", - "tcp": "vfc-vnfmgr:8803", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-vnfres", - "name": "VFC vnfres Health Check", - "tcp": "vfc-vnfres:8802", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-workflow", - "name": "VFC workflow Health Check", - "tcp": "vfc-workflow:10550", - "interval": "15s", - "timeout": "1s" - }, - { - "id": 
"vfc-workflowengineactiviti", - "name": "VFC workflow-engine Health Check", - "tcp": "vfc-workflow-engine:8080", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-ztesdncdriver", - "name": "VFC ztesdncdriver Health Check", - "tcp": "vfc-zte-sdnc-driver:8411", - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vfc-ztevnfmdriver", - "name": "VFC ztevnfmdriver Health Check", - "tcp": "vfc-zte-vnfm-driver:8410", - "interval": "15s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/resources/config/consul-agent-config/vid-health.json b/kubernetes/consul/resources/config/consul-agent-config/vid-health.json deleted file mode 100644 index d6d8d4c03d..0000000000 --- a/kubernetes/consul/resources/config/consul-agent-config/vid-health.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "service": { - "name": "Health Check: VID", - "checks": [ - { - "id": "vid-server", - "name": "VID Server Health Check", - "http": "http://vid:8080/vid/healthCheck", - "method": "GET", - "header": { - "Authorization": ["Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ=="], - "Cache-Control": ["no-cache"], - "Content-Type": ["application/json"], - "Accept": ["application/json"] - }, - "tls_skip_verify": true, - "interval": "15s", - "timeout": "1s" - }, - { - "id": "vid-mariadb", - "name": "Vid Mariadb Health Check", - "script": "/consul/scripts/vid-mariadb-script.sh", - "interval": "10s", - "timeout": "1s" - } - ] - } -} diff --git a/kubernetes/consul/templates/configmap.yaml b/kubernetes/consul/templates/configmap.yaml deleted file mode 100644 index 42c8cba6b4..0000000000 --- a/kubernetes/consul/templates/configmap.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/consul-agent-config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-scripts-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/consul-agent-config/scripts/*").AsConfig . | indent 2 }} diff --git a/kubernetes/consul/templates/deployment.yaml b/kubernetes/consul/templates/deployment.yaml deleted file mode 100644 index c5d12a4693..0000000000 --- a/kubernetes/consul/templates/deployment.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-chown - image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} - command: - - sh - args: - - -c - - | - cp -r -L /tmp/consul/config/* /consul/config/ - chown -R {{ .Values.consulUID }}:{{ .Values.consulGID }} /consul/config - ls -la /consul/config - volumeMounts: - - mountPath: /tmp/consul/config - name: consul-agent-config - - mountPath: /consul/config - name: consul-agent-config-dir - containers: - - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - runAsGroup: {{ .Values.securityContext.runAsGroup }} - command: - - docker-entrypoint.sh - args: - - agent - - -client - - 0.0.0.0 - - -enable-script-checks - - -retry-join - - {{ .Values.consulServer.nameOverride }} - name: {{ include "common.name" . }} - env: - - name: SDNC_ODL_COUNT - value: "{{ .Values.sdnc.replicaCount }}" - - name: SDNC_IS_PRIMARY_CLUSTER - value: "{{ .Values.sdnc.config.isPrimaryCluster }}" - volumeMounts: - - mountPath: /consul/config - name: consul-agent-config-dir - - mountPath: /consul/scripts - name: consul-agent-scripts-config - - mountPath: /consul/certs - name: consul-agent-certs-config - resources: {{ include "common.resources" . | nindent 10 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: consul-agent-config-dir - emptyDir: {} - - configMap: - name: {{ include "common.fullname" . }}-configmap - name: consul-agent-config - - configMap: - name: {{ include "common.fullname" . }}-scripts-configmap - defaultMode: 0755 - name: consul-agent-scripts-config - - secret: - secretName: {{ include "common.fullname" . }}-certs-secret - name: consul-agent-certs-config diff --git a/kubernetes/consul/templates/secrets.yaml b/kubernetes/consul/templates/secrets.yaml deleted file mode 100644 index 27cfbf00d0..0000000000 --- a/kubernetes/consul/templates/secrets.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-certs-secret - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/consul-agent-config/certs/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/consul/values.yaml b/kubernetes/consul/values.yaml deleted file mode 100644 index 9036606377..0000000000 --- a/kubernetes/consul/values.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - busyboxRepository: registry.hub.docker.com - busyboxImage: library/busybox:latest - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/oom/consul:2.1.0 -pullPolicy: Always - -#subchart name -consulServer: - nameOverride: consul-server - -consulUID: 100 -consulGID: 1000 - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 90 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 90 - periodSeconds: 10 - -service: {} - -ingress: - enabled: false - service: - - baseaddr: "consul-api" - name: "consul-server" - port: 8800 - config: - ssl: "none" - -#resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: 1 - memory: 1500Mi - requests: - cpu: 650m - memory: 530Mi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - unlimited: {} - -odl: - jolokia: - username: admin - password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - -sdnc: - config: - isPrimaryCluster: true - replicaCount: 1 - -securityContext: - fsGroup: 1000 - runAsUser: 100 - runAsGroup: 1000 - -#Pods Service Account -serviceAccount: - nameOverride: consul - roles: - - read 
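Review bot: in the deployment.yaml hunk the agent container is started with `-client 0.0.0.0` together with `-enable-script-checks`, which lets any caller that can reach the agent's HTTP API register a script check and have it executed in the container, and the pod also mounts a service account (`serviceAccountName` with the `read` suffix) whose kubectl access the removed scripts relied on. Since this chart is being dropped, please confirm that no remaining chart still deploys this agent image with the same arguments; if one does, it should switch to `-enable-local-script-checks` and bind the client interface to localhost.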
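Review bot: values.yaml ships `odl.jolokia.password` as a plaintext chart default under `username: admin`, and the `Authorization: Basic` header in the sdnc-health.json, sdnc-sdnhost.json and vid-health.json hunks is the base64 encoding of that same user and password. Removing the chart leaves the value in history, so it should be treated as disclosed: please confirm that the SDNC and VID charts no longer default to it, or rotate it as part of this change. Separately, `busyboxImage: library/busybox:latest` in the same hunk was an unpinned tag; worth checking that no surviving chart inherits that default.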
diff --git a/kubernetes/contrib/.gitignore b/kubernetes/contrib/.gitignore deleted file mode 100644 index 7020381894..0000000000 --- a/kubernetes/contrib/.gitignore +++ /dev/null @@ -1 +0,0 @@ -components/dist diff --git a/kubernetes/contrib/Chart.yaml b/kubernetes/contrib/Chart.yaml deleted file mode 100755 index b8e3f69c0e..0000000000 --- a/kubernetes/contrib/Chart.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Copyright © 2017 Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP optional tools -name: contrib -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: awx - version: ~12.x-0 - repository: 'file://components/awx' - condition: awx.enabled - - name: ejbca - version: ~12.x-0 - repository: 'file://components/ejbca' - condition: global.cmpv2Enabled - - name: netbox - version: ~12.x-0 - repository: 'file://components/netbox' - condition: netbox.enabled - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/contrib/Makefile b/kubernetes/contrib/Makefile deleted file mode 100644 index c3bbfa57b9..0000000000 --- a/kubernetes/contrib/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dns-server-for-vhost-ingress-testing ingress-nginx-post-inst metallb-loadbalancer-inst tools -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/awx/Chart.yaml b/kubernetes/contrib/components/awx/Chart.yaml deleted file mode 100755 index 38689dee53..0000000000 
--- a/kubernetes/contrib/components/awx/Chart.yaml +++ /dev/null @@ -1,36 +0,0 @@ -# Copyright © 2019 Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Ansible AWX -name: awx -sources: - - https://github.com/ansible/awx -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: awx-postgres - version: ~12.x-0 - repository: 'file://components/awx-postgres' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/Makefile b/kubernetes/contrib/components/awx/Makefile deleted file mode 100644 index ef273d0e9b..0000000000 --- a/kubernetes/contrib/components/awx/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/awx/components/Makefile b/kubernetes/contrib/components/awx/components/Makefile deleted file mode 100644 index 79ba2fb47e..0000000000 --- a/kubernetes/contrib/components/awx/components/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/Chart.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/Chart.yaml deleted file mode 100755 index 7d6045642f..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2019 Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Ansible AWX database -name: awx-postgres -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/NOTES.txt b/kubernetes/contrib/components/awx/components/awx-postgres/templates/NOTES.txt deleted file mode 100755 index 3ab092e848..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml deleted file mode 100755 index 3b4dad55ec..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - readinessProbe: - exec: - command: - - /bin/sh - - -i - - -c - - psql -h 127.0.0.1 -U $POSTGRES_USER -q -d {{ .Values.config.postgresDB }} - -c 'SELECT 1' - initialDelaySeconds: 5 - timeoutSeconds: 1 - env: - - name: POSTGRES_USER - value: "{{ .Values.config.postgresUser }}" - - name: POSTGRES_PASSWORD - value: "{{ .Values.config.postgresPassword }}" - - name: POSTGRES_DB - value: "{{ .Values.config.postgresDB }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/postgresql/ - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - {{- if .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pv.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/pv.yaml deleted file mode 100755 index bfe63abafe..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pvc.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/pvc.yaml deleted file mode 100755 index e12dabf175..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/pvc.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- end -}} diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/service.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/service.yaml deleted file mode 100755 index f560417425..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml deleted file mode 100755 index a6dc5ff90a..0000000000 --- a/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - persistence: {} - -# application image -image: postgres:10.4-alpine -pullPolicy: Always - -# application configuration -config: - postgresUser: awx - postgresPassword: awx - postgresDB: awx - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - - # Uncomment the storageClass parameter to use an existing PV - # that will match the following class. - # When uncomment the storageClass, the PV is not created anymore. - - # storageClass: "nfs-dev-sc" - - accessMode: ReadWriteOnce - size: 1Gi - - # When using storage class, mountPath and mountSubPath are - # simply ignored. 
- - mountPath: /dockerdata-nfs - mountSubPath: awx/pgdata - -service: - type: ClusterIP - name: awx-postgresql - portName: tcp-postgresql - internalPort: 5432 - externalPort: 5432 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: awx-postgres - roles: - - read diff --git a/kubernetes/contrib/components/awx/resources/config/credentials.py b/kubernetes/contrib/components/awx/resources/config/credentials.py deleted file mode 100644 index 85808d10d4..0000000000 --- a/kubernetes/contrib/components/awx/resources/config/credentials.py +++ /dev/null @@ -1,38 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -DATABASES = { - 'default': { - 'ATOMIC_REQUESTS': True, - 'ENGINE': 'awx.main.db.profiled_pg', - 'NAME': "{{ .Values.config.postgresDB }}", - 'USER': "{{ .Values.config.postgresUser }}", - 'PASSWORD': "{{ .Values.config.postgresPassword }}", - 'HOST': "awx-postgresql", - 'PORT': "5432", - } -} -BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format( - "{{ .Values.config.rabbitmqUser }}", - "{{ .Values.config.rabbitmqPassword }}", - "localhost", - "5672", - "{{ .Values.config.rabbitmqVhost }}") -CHANNEL_LAYERS = { - 'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer', - 'ROUTING': 'awx.main.routing.channel_routing', - 'CONFIG': {'url': BROKER_URL}} -} \ No newline at end of file 
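Review bot: the removal of credentials.py, together with the awx-postgres values.yaml deleted just above it, is missing an operator-facing cleanup note, because the database these files pointed at does not disappear with the chart. The deleted values set volumeReclaimPolicy: Retain with mountPath: /dockerdata-nfs and mountSubPath: awx/pgdata, and the deleted pv.yaml backed the volume with a hostPath built from those values, so the PostgreSQL data directory stays on disk after the templates are gone. The same values.yaml shipped postgresUser: awx and postgresPassword: awx as defaults. Suggest a release note, or a line in the commit message, telling operators to delete the retained PV and the pgdata directory when they drop AWX.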
diff --git a/kubernetes/contrib/components/awx/resources/config/environment.sh b/kubernetes/contrib/components/awx/resources/config/environment.sh deleted file mode 100644 index cbfe2857ba..0000000000 --- a/kubernetes/contrib/components/awx/resources/config/environment.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/sh - -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -DATABASE_USER={{ .Values.config.postgresUser }} -DATABASE_NAME={{ .Values.config.postgresDB }} -DATABASE_HOST=awx-postgresql -DATABASE_PORT=5432 -DATABASE_PASSWORD={{ .Values.config.postgresPassword }} -MEMCACHED_HOST=localhost -RABBITMQ_HOST=localhost -AWX_ADMIN_USER={{ .Values.config.awxAdminUser }} -AWX_ADMIN_PASSWORD={{ .Values.config.awxAdminPassword }} \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/templates/configmap.yaml b/kubernetes/contrib/components/awx/templates/configmap.yaml deleted file mode 100644 index 59900f1c64..0000000000 --- a/kubernetes/contrib/components/awx/templates/configmap.yaml +++ /dev/null 
@@ -1,238 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-init-mgnt - namespace: {{ include "common.namespace" . }} -data: - entrypoint: | - #/bin/sh - - awx-manage migrate --noinput - if [[ `echo 'from django.contrib.auth.models import User; nsu = User.objects.filter(is_superuser=True).count(); exit(0 if nsu > 0 else 1)' | awx-manage shell` > 0 ]] - then - echo 'from django.contrib.auth.models import User; User.objects.create_superuser('{{ .Values.config.awxAdminUser }}', '{{ .Values.config.awxAdminEmail }}', '{{ .Values.config.awxAdminPassword }}')' | awx-manage shell - awx-manage update_password --username='{{ .Values.config.awxAdminUser }}' --password='{{ .Values.config.awxAdminPassword }}' - fi ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-settings - namespace: {{ include "common.namespace" . 
}} -data: - awx_settings: | - import os - import socket - ADMINS = () - - AWX_PROOT_ENABLED = True - - # Automatically deprovision pods that go offline - AWX_AUTO_DEPROVISION_INSTANCES = True - - SYSTEM_TASK_ABS_CPU = 6 - SYSTEM_TASK_ABS_MEM = 20 - - INSIGHTS_URL_BASE = "https://example.org" - - #Autoprovisioning should replace this - CLUSTER_HOST_ID = socket.gethostname() - SYSTEM_UUID = '00000000-0000-0000-0000-000000000000' - - SESSION_COOKIE_SECURE = False - CSRF_COOKIE_SECURE = False - - REMOTE_HOST_HEADERS = ['HTTP_X_FORWARDED_FOR'] - - STATIC_ROOT = '/var/lib/awx/public/static' - PROJECTS_ROOT = '/var/lib/awx/projects' - JOBOUTPUT_ROOT = '/var/lib/awx/job_status' - SECRET_KEY = open('/etc/tower/SECRET_KEY', 'rb').read().strip() - ALLOWED_HOSTS = ['*'] - INTERNAL_API_URL = 'http://127.0.0.1:8052' - SERVER_EMAIL = 'root@localhost' - DEFAULT_FROM_EMAIL = 'webmaster@localhost' - EMAIL_SUBJECT_PREFIX = '[AWX] ' - EMAIL_HOST = 'localhost' - EMAIL_PORT = 25 - EMAIL_HOST_USER = '' - EMAIL_HOST_PASSWORD = '' - EMAIL_USE_TLS = False - - LOGGING['handlers']['console'] = { - '()': 'logging.StreamHandler', - 'level': 'DEBUG', - 'formatter': 'simple', - } - - LOGGING['loggers']['django.request']['handlers'] = ['console'] - LOGGING['loggers']['rest_framework.request']['handlers'] = ['console'] - LOGGING['loggers']['awx']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.commands.run_callback_receiver']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.commands.inventory_import']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console'] - LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console'] - LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console'] - LOGGING['loggers']['social']['handlers'] = ['console'] - LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console'] - LOGGING['loggers']['rbac_migrations']['handlers'] = ['console'] - 
LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console'] - LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['system_tracking_migrations'] = {'class': 'logging.NullHandler'} - LOGGING['handlers']['management_playbooks'] = {'class': 'logging.NullHandler'} - - CACHES = { - 'default': { - 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', - 'LOCATION': '{}:{}'.format("localhost", "11211") - }, - 'ephemeral': { - 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', - }, - } - - USE_X_FORWARDED_PORT = True ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-rabbitmq - namespace: {{ include "common.namespace" . }} -data: - enabled_plugins: | - [rabbitmq_management,rabbitmq_peer_discovery_k8s]. 
- rabbitmq.conf: | - ## Clustering - management.load_definitions = /etc/rabbitmq/rabbitmq_definitions.json - cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s - cluster_formation.k8s.host = kubernetes.default.svc - cluster_formation.k8s.address_type = ip - cluster_formation.node_cleanup.interval = 10 - cluster_formation.node_cleanup.only_log_warning = false - cluster_partition_handling = autoheal - ## queue master locator - queue_master_locator=min-masters - ## enable guest user - loopback_users.guest = false - rabbitmq_definitions.json: | - { - "users":[{"name": "{{ .Values.config.rabbitmqUser }}", "password": "{{ .Values.config.rabbitmqPassword }}", "tags": ""}], - "permissions":[ - {"user":"{{ .Values.config.rabbitmqUser }}","vhost":"{{ .Values.config.rabbitmqVhost }}","configure":".*","write":".*","read":".*"} - ], - "vhosts":[{"name":"{{ .Values.config.rabbitmqVhost }}"}], - "policies":[ - {"vhost":"{{ .Values.config.rabbitmqVhost }}","name":"ha-all","pattern":".*","definition":{"ha-mode":"all","ha-sync-mode":"automatic"}} - ] - } ---- - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx-conf - namespace: {{ include "common.namespace" . }} - labels: - app.kubernetes.io/name: {{ include "common.name" . }} - helm.sh/chart: {{ include "common.chart" . 
}} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -data: - nginx.conf: | - worker_processes 1; - pid /tmp/nginx.pid; - events { - worker_connections 1024; - } - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - server_tokens off; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /dev/stdout main; - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - sendfile on; - #tcp_nopush on; - #gzip on; - upstream uwsgi { - server 127.0.0.1:8050; - } - upstream daphne { - server 127.0.0.1:8051; - } - server { - listen 8052 default_server; - # If you have a domain name, this is where to add it - server_name _; - keepalive_timeout 65; - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; - add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; - add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/"; - # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) - add_header X-Frame-Options "DENY"; - location /nginx_status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } - location /static/ { - alias /var/lib/awx/public/static/; - } - location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; } - location /websocket { - # Pass request to the upstream alias - proxy_pass http://daphne; - # Require http version 1.1 to allow for upgrade requests 
- proxy_http_version 1.1; - # We want proxy_buffering off for proxying to websockets. - proxy_buffering off; - # http://en.wikipedia.org/wiki/X-Forwarded-For - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # enable this if you use HTTPS: - proxy_set_header X-Forwarded-Proto https; - # pass the Host: header from the client for the sake of redirects - proxy_set_header Host $http_host; - # We've set the Host header, so we don't need Nginx to muddle - # about with redirects - proxy_redirect off; - # Depending on the request value, set the Upgrade and - # connection headers - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } - location / { - # Add trailing / if missing - rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent; - uwsgi_read_timeout 120s; - uwsgi_pass uwsgi; - include /etc/nginx/uwsgi_params; - proxy_set_header X-Forwarded-Port 443; - } - } - } diff --git a/kubernetes/contrib/components/awx/templates/job.yaml b/kubernetes/contrib/components/awx/templates/job.yaml deleted file mode 100644 index 1ebe340a68..0000000000 --- a/kubernetes/contrib/components/awx/templates/job.yaml +++ /dev/null 
@@ -1,130 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - backoffLimit: 5 - template: - metadata: - labels: - app: {{ include "common.name" . }}-mgnt - release: {{ include "common.release" . }} - spec: - serviceAccount: {{ include "common.fullname" . }} - serviceAccountName: {{ include "common.fullname" . }} - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - awx-postgres - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-mgnt - command: - - /bin/sh - - -cx - - | - {{- if include "common.onServiceMesh" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /etc/tower/job-entrypoint.sh - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.task }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - requests: - cpu: 1500m - memory: 2Gi - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/tower/job-entrypoint.sh - name: awx-mgnt - readOnly: true - subPath: job-entrypoint.py - - mountPath: /etc/tower/settings.py - name: awx-application-config - readOnly: true - subPath: settings.py - - mountPath: /etc/tower/conf.d/ - name: awx-application-credentials - readOnly: true - - mountPath: /etc/tower/SECRET_KEY - name: awx-secret-key - readOnly: true - subPath: SECRET_KEY - {{ include "common.waitForJobContainer" . | indent 6 | trim }} - volumes: - - configMap: - defaultMode: 0777 - items: - - key: entrypoint - path: job-entrypoint.py - name: {{ include "common.fullname" . }}-init-mgnt - name: awx-mgnt - - configMap: - defaultMode: 420 - items: - - key: awx_settings - path: settings.py - name: {{ include "common.fullname" . }}-settings - name: awx-application-config - - name: awx-application-credentials - secret: - defaultMode: 420 - items: - - key: credentials_py - path: credentials.py - - key: environment_sh - path: environment.sh - secretName: {{ include "common.fullname" . }}-secrets - - name: awx-secret-key - secret: - defaultMode: 420 - items: - - key: secret_key - path: SECRET_KEY - secretName: {{ include "common.fullname" . }}-secrets - - configMap: - defaultMode: 420 - items: - - key: rabbitmq.conf - path: rabbitmq.conf - - key: enabled_plugins - path: enabled_plugins - - key: rabbitmq_definitions.json - path: rabbitmq_definitions.json - name: {{ include "common.fullname" . }}-rabbitmq - name: rabbitmq-config - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/awx/templates/secret.yaml b/kubernetes/contrib/components/awx/templates/secret.yaml deleted file mode 100644 index 642f779214..0000000000 
--- a/kubernetes/contrib/components/awx/templates/secret.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: Secret -type: Opaque -metadata: - name: {{ include "common.fullname" . }}-secrets - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: - credentials_py: {{ tpl (.Files.Get "resources/config/credentials.py") . | b64enc }} - environment_sh: {{ tpl (.Files.Get "resources/config/environment.sh") . | b64enc }} - rabbitmq_erlang_cookie: {{ .Values.config.rabbitmqErlangCookie | b64enc | quote }} - secret_key: {{ .Values.config.secretKey | b64enc | quote }} \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/templates/service.yaml b/kubernetes/contrib/components/awx/templates/service.yaml deleted file mode 100755 index 85ec8c8428..0000000000 --- a/kubernetes/contrib/components/awx/templates/service.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-rmq-mgmt - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.rmqmgmt.type }} - ports: - - port: {{ .Values.service.rmqmgmt.externalPort }} - targetPort: {{ .Values.service.rmqmgmt.internalPort }} - name: {{ .Values.service.rmqmgmt.portName }} - selector: - app: {{ include "common.fullname" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-web - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.web.type }} - ports: - - port: {{ .Values.service.web.externalPort }} - targetPort: {{ .Values.service.web.internalPort }} - name: {{ .Values.service.web.portName }} - selector: - app: {{ include "common.fullname" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . 
}}-rabbitmq - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - type: LoadBalancer -spec: - type: {{ .Values.service.rabbitmq.type }} - ports: - - port: {{ .Values.service.rabbitmq.http.externalPort }} - targetPort: {{ .Values.service.rabbitmq.http.internalPort }} - name: {{ .Values.service.rabbitmq.http.portName }} - - port: {{ .Values.service.rabbitmq.amqp.externalPort }} - targetPort: {{ .Values.service.rabbitmq.amqp.internalPort }} - name: {{ .Values.service.rabbitmq.amqp.portName }} - selector: - app: {{ include "common.fullname" . }} - release: {{ include "common.release" . }} \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/templates/serviceaccount.yaml b/kubernetes/contrib/components/awx/templates/serviceaccount.yaml deleted file mode 100644 index 15baf0e308..0000000000 --- a/kubernetes/contrib/components/awx/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "common.fullname" . }}-endpoint-reader - namespace: {{ include "common.namespace" . }} -rules: -- apiGroups: ["", "extensions", "apps", "batch"] - resources: ["endpoints", "deployments", "pods", "replicasets/status", "jobs/status"] - verbs: ["get", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "common.fullname" . }}-endpoint-reader - namespace: {{ include "common.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "common.fullname" . }}-endpoint-reader -subjects: -- kind: ServiceAccount - name: {{ include "common.fullname" . }} \ No newline at end of file diff --git a/kubernetes/contrib/components/awx/templates/statefulset.yaml b/kubernetes/contrib/components/awx/templates/statefulset.yaml deleted file mode 100644 index 1f2c093742..0000000000 --- a/kubernetes/contrib/components/awx/templates/statefulset.yaml +++ /dev/null 
@@ -1,227 +0,0 @@ -{{/* -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - podManagementPolicy: OrderedReady - replicas: {{ .Values.replicaCount }} - serviceName: {{ include "common.fullname" . }} - selector: - matchLabels: - app: {{ include "common.fullname" . }} - name: {{ include "common.name" . }}-web-deploy - service: django - template: - metadata: - labels: - app: {{ include "common.fullname" . }} - name: {{ include "common.name" . }}-web-deploy - release: {{ include "common.release" . }} - service: django - spec: - - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - {{ include "common.name" . }}-mgnt - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - containers: - - - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.web }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-web - ports: - - containerPort: {{ .Values.service.web.internalPort }} - protocol: TCP - resources: - requests: - cpu: 500m - memory: 1Gi - volumeMounts: - - mountPath: /etc/tower/settings.py - name: awx-application-config - readOnly: true - subPath: settings.py - - mountPath: /etc/tower/conf.d/ - name: awx-application-credentials - readOnly: true - - mountPath: /etc/tower/SECRET_KEY - name: awx-secret-key - readOnly: true - subPath: SECRET_KEY - - mountPath: /etc/nginx/nginx.conf - name: awx-nginx-conf - subPath: "nginx.conf" - - - command: ["/bin/sh","-c"] - args: ["/usr/bin/launch_awx_task.sh"] - env: - - name: AWX_SKIP_MIGRATIONS - value: "1" - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.task }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-celery - resources: - requests: - cpu: 1500m - memory: 2Gi - securityContext: - privileged: true - volumeMounts: - - mountPath: /etc/tower/settings.py - name: awx-application-config - readOnly: true - subPath: settings.py - - mountPath: /etc/tower/conf.d/ - name: awx-application-credentials - readOnly: true - - mountPath: /etc/tower/SECRET_KEY - name: awx-secret-key - readOnly: true - subPath: SECRET_KEY - - mountPath: /etc/nginx/nginx.conf - name: awx-nginx-conf - subPath: "nginx.conf" - - env: - - name: MY_POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: RABBITMQ_USE_LONGNAME - value: "true" - - name: RABBITMQ_NODENAME - value: rabbit@$(MY_POD_IP) - - name: RABBITMQ_ERLANG_COOKIE - valueFrom: - secretKeyRef: - key: rabbitmq_erlang_cookie - name: {{ include "common.fullname" . }}-secrets - - name: K8S_SERVICE_NAME - value: {{ include "common.servicename" . }}-rabbitmq - - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.rabbitmq }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-rabbit - livenessProbe: - exec: - command: - - rabbitmqctl - - status - failureThreshold: 3 - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - successThreshold: 1 - timeoutSeconds: 10 - ports: - - containerPort: {{ .Values.service.rabbitmq.http.internalPort }} - name: {{ .Values.service.rabbitmq.http.portName }} - protocol: TCP - - containerPort: {{ .Values.service.rabbitmq.amqp.internalPort }} - name: {{ .Values.service.rabbitmq.amqp.portName }} - protocol: TCP - readinessProbe: - exec: - command: - - rabbitmqctl - - status - failureThreshold: 3 - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - successThreshold: 1 - timeoutSeconds: 10 - resources: - requests: - cpu: 500m - memory: 2Gi - volumeMounts: - - mountPath: /etc/rabbitmq - name: rabbitmq-config - - - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-memcached - resources: - requests: - cpu: 500m - memory: 1Gi - serviceAccount: {{ include "common.fullname" . }} - serviceAccountName: {{ include "common.fullname" . }} - volumes: - - configMap: - defaultMode: 420 - items: - - key: awx_settings - path: settings.py - name: {{ include "common.fullname" . }}-settings - name: awx-application-config - - name: awx-application-credentials - secret: - defaultMode: 420 - items: - - key: credentials_py - path: credentials.py - - key: environment_sh - path: environment.sh - secretName: {{ include "common.fullname" . }}-secrets - - name: awx-secret-key - secret: - defaultMode: 420 - items: - - key: secret_key - path: SECRET_KEY - secretName: {{ include "common.fullname" . 
}}-secrets - - configMap: - defaultMode: 420 - items: - - key: rabbitmq.conf - path: rabbitmq.conf - - key: enabled_plugins - path: enabled_plugins - - key: rabbitmq_definitions.json - path: rabbitmq_definitions.json - name: {{ include "common.fullname" . }}-rabbitmq - name: rabbitmq-config - - configMap: - defaultMode: 420 - items: - - key: nginx.conf - path: nginx.conf - name: {{ include "common.fullname" . }}-nginx-conf - name: awx-nginx-conf - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/awx/values.yaml b/kubernetes/contrib/components/awx/values.yaml deleted file mode 100755 index c30999fa6d..0000000000 --- a/kubernetes/contrib/components/awx/values.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - commonConfigPrefix: awx - persistence: {} - -# application image -image: - web: ansible/awx_web:9.0.1 - task: ansible/awx_task:9.0.1 - rabbitmq: ansible/awx_rabbitmq:3.7.4 - memcached: memcached:1.5.20 -pullPolicy: Always - -# application configuration -config: - postgresUser: awx - postgresPassword: awx - postgresDB: awx -# RabbitMQ Configuration - rabbitmqUser: awx - rabbitmqPassword: awxpass - rabbitmqVhost: awx - rabbitmqErlangCookie: cookiemonster3 -# This will create or update a default admin (superuser) account in AWX, if not provided -# then these default values are used - awxAdminUser: admin - awxAdminPassword: password - awxAdminEmail: cds@onap.org -# AWX Secret key -# It's *very* important that this stay the same between upgrades or you will lose the ability to decrypt -# your credentials - secretKey: awxsecret - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - enabled: true - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - - # Uncomment the storageClass parameter to use an 
existing PV - # that will match the following class. - # When uncomment the storageClass, the PV is not created anymore. - - # storageClass: "nfs-dev-sc" - - accessMode: ReadWriteOnce - size: 5Gi - - # When using storage class, mountPath and mountSubPath are - # simply ignored. - - mountPath: /dockerdata-nfs - mountSubPath: awx/pgdata - -service: - rmqmgmt: - type: ClusterIP - portName: http-rmqmgmt - internalPort: 15672 - externalPort: 15672 - web: - type: ClusterIP - portName: http-web - internalPort: 8052 - externalPort: 8052 - rabbitmq: - type: ClusterIP - http: - portName: http-rmq - internalPort: 15672 - externalPort: 15672 - amqp: - portName: tcp-amqp - internalPort: 5672 - externalPort: 5672 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: awx - roles: - - read - -wait_for_job_container: - containers: - - '{{ include "common.name" . }}-mgnt' diff --git a/kubernetes/contrib/components/ejbca/Chart.yaml b/kubernetes/contrib/components/ejbca/Chart.yaml deleted file mode 100644 index e8a0134298..0000000000 --- a/kubernetes/contrib/components/ejbca/Chart.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -# Copyright © 2020 Nokia -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP EJBCA test server -name: ejbca -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: mariadb-galera - version: ~12.x-0 - repository: '@local' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~12.x-0 - repository: '@local' - condition: not global.mariadbGalera.localCluster - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: cmpv2Config - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml b/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml deleted file mode 100644 index e163aed82a..0000000000 --- a/kubernetes/contrib/components/ejbca/resources/certprofile_CUSTOM_ENDUSER-1834889499.xml +++ /dev/null 
@@ -1,595 +0,0 @@ - - - - - version - 46.0 - - - type - 1 - - - certversion - X509v3 - - - encodedvalidity - 2y - - - usecertificatevalidityoffset - false - - - certificatevalidityoffset - -10m - - - useexpirationrestrictionforweekdays - false - - - expirationrestrictionforweekdaysbefore - true - - - expirationrestrictionweekdays - - - true - - - true - - - false - - - false - - - false - - - true - - - true - - - - - allowvalidityoverride - false - - - allowextensionoverride - false - - - allowdnoverride - false - - - allowdnoverridebyeei - false - - - allowbackdatedrevokation - false - - - usecertificatestorage - true - - - storecertificatedata - true - - - storesubjectaltname - true - - - usebasicconstrants - true - - - basicconstraintscritical - true - - - usesubjectkeyidentifier - true - - - subjectkeyidentifiercritical - false - - - useauthoritykeyidentifier - true - - - authoritykeyidentifiercritical - false - - - usesubjectalternativename - true - - - subjectalternativenamecritical - false - - - useissueralternativename - true - - - issueralternativenamecritical - false - - - usecrldistributionpoint - false - - - usedefaultcrldistributionpoint - false - - - crldistributionpointcritical - false - - - crldistributionpointuri - - - - usefreshestcrl - false - - - usecadefinedfreshestcrl - false - - - freshestcrluri - - - - crlissuer - - - - usecertificatepolicies - false - - - certificatepoliciescritical - false - - - certificatepolicies - - - - availablekeyalgorithms - - - DSA - - - ECDSA - - - RSA - - - - - availableeccurves - - - ANY_EC_CURVE - - - - - availablebitlengths - - - 0 - - - 192 - - - 224 - - - 239 - - - 256 - - - 384 - - - 512 - - - 521 - - - 1024 - - - 1536 - - - 2048 - - - 3072 - - - 4096 - - - 6144 - - - 8192 - - - - - minimumavailablebitlength - 0 - - - maximumavailablebitlength - 8192 - - - signaturealgorithm - - - - usekeyusage - true - - - keyusage - - - true - - - true - - - true - - - false - - - false - - - false - - - false - - - false 
- - - false - - - - - allowkeyusageoverride - false - - - keyusagecritical - true - - - useextendedkeyusage - true - - - extendedkeyusage - - - 1.3.6.1.5.5.7.3.2 - - - 1.3.6.1.5.5.7.3.4 - - - 1.3.6.1.5.5.7.3.1 - - - - - extendedkeyusagecritical - false - - - usedocumenttypelist - false - - - documenttypelistcritical - false - - - documenttypelist - - - - availablecas - - - -1 - - - - - usedpublishers - - - - useocspnocheck - false - - - useldapdnorder - true - - - usecustomdnorder - false - - - usemicrosofttemplate - false - - - microsofttemplate - - - - usecardnumber - false - - - usecnpostfix - false - - - cnpostfix - - - - usesubjectdnsubset - false - - - subjectdnsubset - - - - usesubjectaltnamesubset - false - - - subjectaltnamesubset - - - - usepathlengthconstraint - false - - - pathlengthconstraint - 0 - - - useqcstatement - false - - - usepkixqcsyntaxv2 - false - - - useqcstatementcritical - false - - - useqcstatementraname - - - - useqcsematicsid - - - - useqcetsiqccompliance - false - - - useqcetsisignaturedevice - false - - - useqcetsivaluelimit - false - - - qcetsivaluelimit - 0 - - - qcetsivaluelimitexp - 0 - - - qcetsivaluelimitcurrency - - - - useqcetsiretentionperiod - false - - - qcetsiretentionperiod - 0 - - - useqccustomstring - false - - - qccustomstringoid - - - - qccustomstringtext - - - - qcetsipds - - - - qcetsitype - - - - usecertificatetransparencyincerts - false - - - usecertificatetransparencyinocsp - false - - - usecertificatetransparencyinpublisher - false - - - usesubjectdirattributes - false - - - usenameconstraints - false - - - useauthorityinformationaccess - false - - - caissuers - - - - usedefaultcaissuer - false - - - usedefaultocspservicelocator - false - - - ocspservicelocatoruri - - - - cvcaccessrights - 3 - - - usedcertificateextensions - - - - approvals - - - - org.cesecore.certificates.ca.ApprovalRequestType - REVOCATION - - -1 - - - - org.cesecore.certificates.ca.ApprovalRequestType - KEYRECOVER - - -1 - - - - 
org.cesecore.certificates.ca.ApprovalRequestType - ADDEDITENDENTITY - - -1 - - - - - useprivkeyusageperiodnotbefore - false - - - useprivkeyusageperiod - false - - - useprivkeyusageperiodnotafter - false - - - privkeyusageperiodstartoffset - 0 - - - privkeyusageperiodlength - 63072000 - - - usesingleactivecertificateconstraint - false - - - overridableextensionoids - - - - nonoverridableextensionoids - - - - allowcertsnoverride - false - - - usecustomdnorderldap - false - - - diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh deleted file mode 100755 index a538238151..0000000000 --- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/bin/sh - -waitForEjbcaToStart() { - until $(curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth --output /dev/null --silent --head --fail) - do - sleep 5 - done -} - -configureEjbca() { - ejbca.sh ca init \ - --caname ManagementCA \ - --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ - --tokenType soft \ - --keyspec 3072 \ - --keytype RSA \ - -v 3652 \ - --policy null \ - -s SHA256WithRSA \ - -type "x509" - ejbca.sh config cmp addalias --alias cmpRA - ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra - ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature - ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' - ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' - ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true - #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth) - ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles - #Profile name taken from certprofile filename (certprofile_-.xml) - ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER - #ID taken from entityprofile filename (entityprofile_-.xml) - ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 - caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') - ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" - ejbca.sh config cmp dumpalias --alias cmpRA - ejbca.sh config cmp addalias --alias cmp - ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true - ejbca.sh 
config cmp updatealias --alias cmp --key responseprotection --value pbe - ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password ${CLIENT_IAK} --type 1 --token USERGENERATED - ejbca.sh ra setclearpwd --username Node123 --password ${CLIENT_IAK} - ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN - ejbca.sh config cmp dumpalias --alias cmp - ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem - #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) - ejbca.sh roles addrole "Certificate Update Admin" - ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT - ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT - ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT - ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT - ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}" - # workarround to exit successfully, as a reexecution of "addrolemember" returns an error - exit 0 -} - - -waitForEjbcaToStart -configureEjbca diff --git a/kubernetes/contrib/components/ejbca/resources/entityprofile_Custom_EndEntity-1356531849.xml b/kubernetes/contrib/components/ejbca/resources/entityprofile_Custom_EndEntity-1356531849.xml deleted file mode 100644 index ec51a80d5e..0000000000 --- a/kubernetes/contrib/components/ejbca/resources/entityprofile_Custom_EndEntity-1356531849.xml +++ /dev/null 
@@ -1,1107 +0,0 @@ - - - - - version - 14.0 - - - NUMBERARRAY - - - 1 - - - 1 - - - 0 - - - 0 - - - 0 - - - 1 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 1 - - - 1 - - - 1 - - - 1 - - - 0 - - - 1 - - - 3 - - - 3 - - - 3 - - - 0 - - - 3 - - - 0 - - - 0 - - - 0 - - - 0 - - - 1 - - - 0 - - - 0 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 0 - - - 0 - - - 1 - - - 1 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 0 - - - 1 - - - 1 - - - 0 - - - 1 - - - 0 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 1 - - - 0 - - - 0 - - - 0 - - - - - SUBJECTDNFIELDORDER - - - 500 - - - 1100 - - - 1200 - - - 1300 - - - 1400 - - - 1600 - - - - - SUBJECTALTNAMEFIELDORDER - - - 1800 - - - 1801 - - - 1802 - - - 1700 - - - 1701 - - - 1702 - - - 1900 - - - 1901 - - - 1902 - - - 2100 - - - 2101 - - - 2102 - - - - - SUBJECTDIRATTRFIELDORDER - - - - 0 - - - - 20000 - true - - - 10000 - true - - - 30000 - true - - - 1 - - - - 20001 - true - - - 10001 - true - - - 30001 - true - - - 95 - - - - 20095 - false - - - 10095 - true - - - 30095 - true - - - 96 - - - - 20096 - false - - - 10096 - true - - - 30096 - true - - - 5 - - - - 20005 - true - - - 10005 - true - - - 30005 - true - - - 26 - - - - 20026 - false - - - 10026 - true - - - 30026 - true - - - 29 - 1834889499 - - - 20029 - true - - - 10029 - true - - - 30029 - true - - - 30 - 1834889499 - - - 20030 - true - - - 10030 - true - - - 30030 - true - - - 31 - 1 - - - 20031 - true - - - 10031 - true - - - 30031 - true - - - 32 - 1;2;3;4 - - - 20032 - true - - - 10032 - true - - - 30032 - true - - - 33 - - - - 20033 - true - - - 10033 - true - - - 30033 - true - - - 34 - - - - 20034 - true - - 
- 10034 - false - - - 30034 - true - - - 38 - 1 - - - 20038 - true - - - 10038 - true - - - 30038 - true - - - 37 - -29939301 - - - 20037 - true - - - 10037 - true - - - 30037 - true - - - 98 - - - - 20098 - false - - - 10098 - false - - - 30098 - true - - - 99 - - - - 20099 - false - - - 10099 - false - - - 30099 - true - - - 97 - - - - 20097 - false - - - 10097 - false - - - 30097 - true - - - 91 - false - - - 20091 - false - - - 10091 - false - - - 30091 - true - - - 94 - -1 - - - 20094 - true - - - 10094 - false - - - 30094 - false - - - 93 - -1 - - - 20093 - false - - - 10093 - false - - - 30093 - false - - - 89 - - - - 20089 - false - - - 10089 - false - - - 30089 - true - - - 88 - - - - 20088 - false - - - 10088 - false - - - 30088 - true - - - ALLOW_MERGEDN_WEBSERVICES - false - - - 2 - - - - 20002 - false - - - 10002 - false - - - 10090 - true - - - 90 - 0 - - - REVERSEFFIELDCHECKS - false - - - 28 - false - - - 20028 - false - - - 10028 - false - - - REUSECERTIFICATE - false - - - 35 - false - - - 20035 - false - - - 10035 - false - - - 10092 - false - - - USEEXTENSIONDATA - false - - - PRINTINGUSE - false - - - PRINTINGDEFAULT - false - - - PRINTINGREQUIRED - false - - - PRINTINGCOPIES - 1 - - - PRINTINGPRINTERNAME - - - - PRINTINGSVGDATA - - - - PRINTINGSVGFILENAME - - - - 11 - - - - 20011 - false - - - 10011 - true - - - 30011 - true - - - 12 - - - - 20012 - true - - - 10012 - true - - - 30012 - true - - - 13 - - - - 20013 - false - - - 10013 - true - - - 30013 - true - - - 14 - - - - 20014 - true - - - 10014 - true - - - 30014 - true - - - 16 - - - - 20016 - true - - - 10016 - true - - - 30016 - true - - - 18 - - - - 20018 - false - - - 10018 - true - - - 30018 - true - - - 118 - - - - 20118 - false - - - 10118 - true - - - 30118 - true - - - 218 - - - - 20218 - false - - - 10218 - true - - - 30218 - true - - - 17 - - - - 20017 - false - - - 10017 - false - - - 30017 - true - - - 117 - - - - 20117 - false - - - 10117 - false - - - 30117 - true - - - 
217 - - - - 20217 - false - - - 10217 - false - - - 30217 - true - - - 19 - - - - 20019 - false - - - 10019 - true - - - 30019 - true - - - 119 - - - - 20119 - false - - - 10119 - true - - - 30119 - true - - - 219 - - - - 20219 - false - - - 10219 - true - - - 30219 - true - - - 21 - - - - 20021 - false - - - 10021 - true - - - 30021 - true - - - 121 - - - - 20121 - false - - - 10121 - true - - - 30121 - true - - - 221 - - - - 20221 - false - - - 10221 - true - - - 30221 - true - - - diff --git a/kubernetes/contrib/components/ejbca/templates/configmap.yaml b/kubernetes/contrib/components/ejbca/templates/configmap.yaml deleted file mode 100644 index 093657dfe0..0000000000 --- a/kubernetes/contrib/components/ejbca/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2020, Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ include "common.fullname" . }}-config-script" -data: -{{ tpl (.Files.Glob "resources/ejbca-config.sh").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: "{{ include "common.fullname" . }}-profiles" -data: -{{ tpl (.Files.Glob "resources/certprofile_CUSTOM_ENDUSER-1834889499.xml").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/entityprofile_Custom_EndEntity-1356531849.xml").AsConfig . | indent 2 }} 
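Review bot: the second ConfigMap in templates/configmap.yaml globs `resources/certprofile_CUSTOM_ENDUSER-1834889499.xml` and `resources/entityprofile_Custom_EndEntity-1356531849.xml`, and the first globs `resources/ejbca-config.sh`. Confirm that all three resource files are deleted in this change along with the template, so that no profile XML or config script is left orphaned under the chart directory.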
diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml deleted file mode 100644 index a36dcacb23..0000000000 --- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -{{/* -# Copyright © 2020, Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - {{- if (include "common.onServiceMesh" . ) }} - annotations: - {{- if eq ( .Values.global.serviceMesh.engine ) "linkerd" }} - linkerd.io/inject: disabled - {{- end }} - {{- if eq ( .Values.global.serviceMesh.engine ) "istio" }} - sidecar.istio.io/rewriteAppHTTPProbers: "false" - proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }' - {{- end }} - {{- end }} - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-db-readiness - command: - - /app/ready.py - args: - - --container-name - {{- if .Values.global.mariadbGalera.localCluster }} - - ejbca-galera - {{- else }} - - ejbca-config - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - containers: - - name: {{ include "common.name" . }}-ejbca - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.ejbca.image }} - imagePullPolicy: {{ .Values.pullPolicy }} - lifecycle: - postStart: - exec: - command: - - sh - - -c - - | - sleep 60; /opt/primekey/scripts/ejbca-config.sh - volumeMounts: - - name: "{{ include "common.fullname" . }}-volume" - mountPath: /opt/primekey/scripts/ - - name: "{{ include "common.fullname" . }}-profiles-volume" - mountPath: /opt/primekey/custom_profiles/ - ports: {{ include "common.containerPorts" . | nindent 10 }} - env: - - name: INITIAL_ADMIN - value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;" - - name: NO_CREATE_CA - value: "true" - - name: DATABASE_JDBC_URL - value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }} - - name: DATABASE_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-db-secret" "key" "login") | indent 10 }} - - name: DATABASE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-db-secret" "key" "password") | indent 10 }} - - name: RA_IAK - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-server-ra-iak" "key" "password") | indent 10 }} - - name: CLIENT_IAK - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "ejbca-server-client-iak" "key" "password") | indent 10 }} - livenessProbe: - httpGet: - port: {{ .Values.liveness.port }} - path: {{ .Values.liveness.path }} - scheme: HTTPS - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - readinessProbe: - httpGet: - port: {{ .Values.readiness.port }} - path: {{ .Values.readiness.path }} - scheme: HTTPS - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - resources: {{ include "common.resources" . | nindent 10 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - configMap: - name: "{{ include "common.fullname" . }}-config-script" - defaultMode: 0755 - name: "{{ include "common.fullname" . }}-volume" - - configMap: - name: "{{ include "common.fullname" . }}-profiles" - defaultMode: 0755 - name: "{{ include "common.fullname" . }}-profiles-volume" diff --git a/kubernetes/contrib/components/ejbca/templates/secret.yaml b/kubernetes/contrib/components/ejbca/templates/secret.yaml deleted file mode 100644 index 837da0959b..0000000000 --- a/kubernetes/contrib/components/ejbca/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020, Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/contrib/components/ejbca/templates/service.yaml b/kubernetes/contrib/components/ejbca/templates/service.yaml deleted file mode 100644 index 46eed4264c..0000000000 --- a/kubernetes/contrib/components/ejbca/templates/service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020, Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/contrib/components/ejbca/values.yaml b/kubernetes/contrib/components/ejbca/values.yaml deleted file mode 100644 index b777a7d388..0000000000 --- a/kubernetes/contrib/components/ejbca/values.yaml +++ /dev/null 
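Review bot: missing operator guidance for the removal of templates/deployment.yaml, whose `env` block set `INITIAL_ADMIN` to `;PublicAccessAuthenticationToken:TRANSPORT_ANY;`, which in the ejbca-ce image makes public access the initial administrator. Deleting the chart from the repository does not touch releases that are already running with that setting, so the change description or release notes should tell operators to uninstall the ejbca release and remove the secrets behind the `ejbca-server-ra-iak` and `ejbca-server-client-iak` uids.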
@@ -1,132 +0,0 @@ -# Copyright © 2020, Nordix Foundation, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -global: - mariadbGalera: &mariadbGalera - #This flag allows EJBCA to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -secrets: - - uid: ejbca-db-secret - name: &ejbca-db-secret '{{ include "common.release" . }}-ejbca-db-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - - uid: ejbca-server-ra-iak - name: '{{ include "common.release" . }}-ejbca-ra-iak' - type: password - password: '{{ .Values.config.ejbca.raIak }}' - - uid: ejbca-server-client-iak - name: '{{ include "common.release" . }}-ejbca-client-iak' - type: password - password: '{{ .Values.config.ejbca.clientIak }}' - -# application configuration -config: - db: - userName: ejbca - # userPassword: password - # userCredentialsExternalSecret: some-secret - ejbca: {} - # raIak: mypassword - # clientIak: mypassword - -mysqlDatabase: &dbName ejbca - -################################################################# -# Application configuration defaults. 
-################################################################# -# application configuration -replicaCount: 1 - -ejbca: - image: primekey/ejbca-ce:7.4.3.2 -pullPolicy: Always - -mariadb-galera: - db: - externalSecret: *ejbca-db-secret - name: *dbName - nameOverride: &ejbca-galera ejbca-galera - service: - name: ejbca-galera - portName: ejbca-galera - internalPort: 3306 - replicaCount: 1 - persistence: - enabled: true - mountSubPath: ejbca/maria/data - serviceAccount: - nameOverride: *ejbca-galera - -mariadb-init: - config: - userCredentialsExternalSecret: *ejbca-db-secret - mysqlDatabase: *dbName - nameOverride: ejbca-config - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - path: /ejbca/publicweb/healthcheck/ejbcahealth - port: 8443 - initialDelaySeconds: 180 - periodSeconds: 30 - -readiness: - path: /ejbca/publicweb/healthcheck/ejbcahealth - port: 8443 - initialDelaySeconds: 180 - periodSeconds: 30 - -service: - type: ClusterIP - both_tls_and_plain: true - ports: - - name: api - port: 8443 - plain_port: 8080 - port_protocol: http - -# Resource Limit flavor -By Default using small -flavor: unlimited -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1500m - memory: 1536Mi - requests: - cpu: 10m - memory: 750Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 20m - memory: 1Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: ejbca - roles: - - read diff --git a/kubernetes/contrib/components/netbox/Chart.yaml b/kubernetes/contrib/components/netbox/Chart.yaml deleted file mode 100755 index 2454db227b..0000000000 --- a/kubernetes/contrib/components/netbox/Chart.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Netbox IPAM -name: netbox -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: netbox-app - version: ~12.x-0 - repository: 'file://components/netbox-app' - - name: netbox-nginx - version: ~12.x-0 - repository: 'file://components/netbox-nginx' - - name: netbox-postgres - version: ~12.x-0 - repository: 'file://components/netbox-postgres' \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/Makefile b/kubernetes/contrib/components/netbox/Makefile deleted file mode 100644 index ef273d0e9b..0000000000 --- a/kubernetes/contrib/components/netbox/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/netbox/components/Makefile b/kubernetes/contrib/components/netbox/components/Makefile deleted file mode 100644 index 79ba2fb47e..0000000000 --- a/kubernetes/contrib/components/netbox/components/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/Chart.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/Chart.yaml deleted file mode 100755 index 0bbe2d2e3c..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Netbox - Application (WSGI + Gunicorn) -name: netbox-app -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/configuration.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/configuration.py deleted file mode 100755 index 7d704ae762..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/configuration.py +++ /dev/null 
@@ -1,156 +0,0 @@ -import os -import socket - -# For reference see http://netbox.readthedocs.io/en/latest/configuration/mandatory-settings/ -# Based on https://github.com/digitalocean/netbox/blob/develop/netbox/netbox/configuration.example.py - -# Read secret from file -def read_secret(secret_name): - try: - f = open('/run/secrets/' + secret_name, 'r', encoding='utf-8') - except EnvironmentError: - return '' - else: - with f: - return f.readline().strip() - -BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) - -######################### -# # -# Required settings # -# # -######################### - -# This is a list of valid fully-qualified domain names (FQDNs) for the NetBox server. NetBox will not permit write -# access to the server via any other hostnames. The first FQDN in the list will be treated as the preferred name. -# -# Example: ALLOWED_HOSTS = ['netbox.example.com', 'netbox.internal.local'] -ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS', socket.gethostname()).split(' ') - -# PostgreSQL database configuration. -DATABASE = { - 'NAME': os.environ.get('DB_NAME', 'netbox'), # Database name - 'USER': os.environ.get('DB_USER', ''), # PostgreSQL username - 'PASSWORD': os.environ.get('DB_PASSWORD', read_secret('db_password')), - # PostgreSQL password - 'HOST': os.environ.get('DB_HOST', 'localhost'), # Database server - 'PORT': os.environ.get('DB_PORT', ''), # Database port (leave blank for default) -} - -# This key is used for secure generation of random numbers and strings. It must never be exposed outside of this file. -# For optimal security, SECRET_KEY should be at least 50 characters in length and contain a mix of letters, numbers, and -# symbols. NetBox will not run without this defined. 
For more information, see -# https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-SECRET_KEY -SECRET_KEY = os.environ.get('SECRET_KEY', read_secret('secret_key')) - -######################### -# # -# Optional settings # -# # -######################### - -# Specify one or more name and email address tuples representing NetBox administrators. These people will be notified of -# application errors (assuming correct email settings are provided). -ADMINS = [ - # ['John Doe', 'jdoe@example.com'], -] - -# Optionally display a persistent banner at the top and/or bottom of every page. HTML is allowed. To display the same -# content in both banners, define BANNER_TOP and set BANNER_BOTTOM = BANNER_TOP. -BANNER_TOP = os.environ.get('BANNER_TOP', '') -BANNER_BOTTOM = os.environ.get('BANNER_BOTTOM', '') - -# Text to include on the login page above the login form. HTML is allowed. -BANNER_LOGIN = os.environ.get('BANNER_LOGIN', '') - -# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set: -# BASE_PATH = 'netbox/' -BASE_PATH = os.environ.get('BASE_PATH', '') - -# API Cross-Origin Resource Sharing (CORS) settings. If CORS_ORIGIN_ALLOW_ALL is set to True, all origins will be -# allowed. Otherwise, define a list of allowed origins using either CORS_ORIGIN_WHITELIST or -# CORS_ORIGIN_REGEX_WHITELIST. For more information, see https://github.com/ottoyiu/django-cors-headers -CORS_ORIGIN_ALLOW_ALL = os.environ.get('CORS_ORIGIN_ALLOW_ALL', 'False').lower() == 'true' -CORS_ORIGIN_WHITELIST = os.environ.get('CORS_ORIGIN_WHITELIST', '').split(' ') -CORS_ORIGIN_REGEX_WHITELIST = [ - # r'^(https?://)?(\w+\.)?example\.com$', -] - -# Set to True to enable server debugging. WARNING: Debugging introduces a substantial performance penalty and may reveal -# sensitive information about your installation. Only enable debugging while performing testing. Never enable debugging -# on a production system. 
-DEBUG = os.environ.get('DEBUG', 'False').lower() == 'true' - -# Email settings -EMAIL = { - 'SERVER': os.environ.get('EMAIL_SERVER', 'localhost'), - 'PORT': int(os.environ.get('EMAIL_PORT', 25)), - 'USERNAME': os.environ.get('EMAIL_USERNAME', ''), - 'PASSWORD': os.environ.get('EMAIL_PASSWORD', read_secret('email_password')), - 'TIMEOUT': int(os.environ.get('EMAIL_TIMEOUT', 10)), # seconds - 'FROM_EMAIL': os.environ.get('EMAIL_FROM', ''), -} - -# Enforcement of unique IP space can be toggled on a per-VRF basis. -# To enforce unique IP space within the global table (all prefixes and IP addresses not assigned to a VRF), -# set ENFORCE_GLOBAL_UNIQUE to True. -ENFORCE_GLOBAL_UNIQUE = os.environ.get('ENFORCE_GLOBAL_UNIQUE', 'False').lower() == 'true' - -# Enable custom logging. Please see the Django documentation for detailed guidance on configuring custom logs: -# https://docs.djangoproject.com/en/1.11/topics/logging/ -LOGGING = {} - -# Setting this to True will permit only authenticated users to access any part of NetBox. By default, anonymous users -# are permitted to access most data in NetBox (excluding secrets) but not make any changes. -LOGIN_REQUIRED = os.environ.get('LOGIN_REQUIRED', 'False').lower() == 'true' - -# Base URL path if accessing NetBox within a directory. For example, if installed at http://example.com/netbox/, set: -# BASE_PATH = 'netbox/' -BASE_PATH = os.environ.get('BASE_PATH', '') - -# Setting this to True will display a "maintenance mode" banner at the top of every page. -MAINTENANCE_MODE = os.environ.get('MAINTENANCE_MODE', 'False').lower() == 'true' - -# An API consumer can request an arbitrary number of objects =by appending the "limit" parameter to the URL (e.g. -# "?limit=1000"). This setting defines the maximum limit. Setting it to 0 or None will allow an API consumer to request -# all objects by specifying "?limit=0". 
-MAX_PAGE_SIZE = int(os.environ.get('MAX_PAGE_SIZE', 1000)) - -# The file path where uploaded media such as image attachments are stored. A trailing slash is not needed. Note that -# the default value of this setting is derived from the installed location. -MEDIA_ROOT = os.environ.get('MEDIA_ROOT', os.path.join(BASE_DIR, 'media')) - -# Credentials that NetBox will use to access live devices. -NAPALM_USERNAME = os.environ.get('NAPALM_USERNAME', '') -NAPALM_PASSWORD = os.environ.get('NAPALM_PASSWORD', read_secret('napalm_password')) - -# NAPALM timeout (in seconds). (Default: 30) -NAPALM_TIMEOUT = int(os.environ.get('NAPALM_TIMEOUT', 30)) - -# NAPALM optional arguments (see http://napalm.readthedocs.io/en/latest/support/#optional-arguments). Arguments must -# be provided as a dictionary. -NAPALM_ARGS = {} - -# Determine how many objects to display per page within a list. (Default: 50) -PAGINATE_COUNT = int(os.environ.get('PAGINATE_COUNT', 50)) - -# When determining the primary IP address for a device, IPv6 is preferred over IPv4 by default. Set this to True to -# prefer IPv4 instead. -PREFER_IPV4 = os.environ.get('PREFER_IPV4', 'False').lower() == 'true' - -# The file path where custom reports will be stored. A trailing slash is not needed. Note that the default value of -# this setting is derived from the installed location. -REPORTS_ROOT = os.environ.get('REPORTS_ROOT', '/etc/netbox/reports') - -# Time zone (default: UTC) -TIME_ZONE = os.environ.get('TIME_ZONE', 'UTC') - -# Date/time formatting. 
See the following link for supported formats: -# https://docs.djangoproject.com/en/dev/ref/templates/builtins/#date -DATE_FORMAT = os.environ.get('DATE_FORMAT', 'N j, Y') -SHORT_DATE_FORMAT = os.environ.get('SHORT_DATE_FORMAT', 'Y-m-d') -TIME_FORMAT = os.environ.get('TIME_FORMAT', 'g:i a') -SHORT_TIME_FORMAT = os.environ.get('SHORT_TIME_FORMAT', 'H:i:s') -DATETIME_FORMAT = os.environ.get('DATETIME_FORMAT', 'N j, Y g:i a') -SHORT_DATETIME_FORMAT = os.environ.get('SHORT_DATETIME_FORMAT', 'Y-m-d H:i') diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/gunicorn_config.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/gunicorn_config.py deleted file mode 100755 index c7d9f7b725..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/gunicorn_config.py +++ /dev/null @@ -1,8 +0,0 @@ -command = '/usr/bin/gunicorn' -pythonpath = '/opt/netbox/netbox' -bind = '0.0.0.0:{{ .Values.service.internalPort }}' -workers = 3 -errorlog = '-' -accesslog = '-' -capture_output = False -loglevel = 'debug' diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/ldap_config.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/ldap_config.py deleted file mode 100755 index c7e0d3bee9..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/configuration/ldap_config.py +++ /dev/null 
@@ -1,55 +0,0 @@ -import ldap -import os - -from django_auth_ldap.config import LDAPSearch, GroupOfNamesType - -# Server URI -AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI', '') - -# The following may be needed if you are binding to Active Directory. -AUTH_LDAP_CONNECTION_OPTIONS = { - ldap.OPT_REFERRALS: 0 -} - -# Set the DN and password for the NetBox service account. -AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '') -AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', '') - -# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert. -# Note that this is a NetBox-specific setting which sets: -# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) -LDAP_IGNORE_CERT_ERRORS = os.environ.get('LDAP_IGNORE_CERT_ERRORS', 'False').lower() == 'true' - -AUTH_LDAP_USER_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', ''), - ldap.SCOPE_SUBTREE, - "(sAMAccountName=%(user)s)") - -# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group -# heirarchy. -AUTH_LDAP_GROUP_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', ''), ldap.SCOPE_SUBTREE, - "(objectClass=group)") -AUTH_LDAP_GROUP_TYPE = GroupOfNamesType() - -# Define a group required to login. -AUTH_LDAP_REQUIRE_GROUP = os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', '') - -# Define special user types using groups. Exercise great caution when assigning superuser status. -AUTH_LDAP_USER_FLAGS_BY_GROUP = { - "is_active": os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''), - "is_staff": os.environ.get('AUTH_LDAP_IS_ADMIN_DN', ''), - "is_superuser": os.environ.get('AUTH_LDAP_IS_SUPERUSER_DN', '') -} - -# For more granular permissions, we can map LDAP groups to Django groups. 
-AUTH_LDAP_FIND_GROUP_PERMS = os.environ.get('AUTH_LDAP_FIND_GROUP_PERMS', 'True').lower() == 'true' - -# Cache groups for one hour to reduce LDAP traffic -AUTH_LDAP_CACHE_GROUPS = os.environ.get('AUTH_LDAP_CACHE_GROUPS', 'True').lower() == 'true' -AUTH_LDAP_GROUP_CACHE_TIMEOUT = int(os.environ.get('AUTH_LDAP_CACHE_GROUPS', 3600)) - -# Populate the Django user from the LDAP directory. -AUTH_LDAP_USER_ATTR_MAP = { - "first_name": os.environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'), - "last_name": os.environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'), - "email": os.environ.get('AUTH_LDAP_ATTR_MAIL', 'mail') -} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml deleted file mode 100755 index 05bbfc7738..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml +++ /dev/null @@ -1,18 +0,0 @@ -external-key: - description: "The external-key uniquely identify the resources to a service within ONAP." - filterable: true - label: ONAP external key - on_objects: - - ipam.models.IPAddress - required: true - type: text - weight: 0 -resource-name: - description: "The resource-name of the element using this IP." - filterable: true - label: ONAP resource name - on_objects: - - ipam.models.IPAddress - required: true - type: text - weight: 0 \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/groups.yml b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/groups.yml deleted file mode 100755 index 1f4a5a7a6e..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/groups.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -# applications: -# users: -# - technical_user -# readers: -# users: -# - reader -# writers: -# users: -# - writer diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/users.yml b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/users.yml deleted file mode 100755 index 77d330beac..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/users.yml +++ /dev/null @@ -1,9 +0,0 @@ -onap: - first_name: Steve - last_name: McQueen - email: steve.mcqueen@onap.org - password: onap123$ - api_token: onceuponatimeiplayedwithnetbox20180814 # This API KEY is used by SDNC, if you edit it, make sure to change it in the netbox.properties file - is_staff: true # whether user is admin or not, default = false - is_active: true # whether user is active, default = true - is_superuser: true # Whether user has all edit rights or not, default = false \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/provisioning/provision.sh b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/provisioning/provision.sh deleted file mode 100755 index 984801decb..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/provisioning/provision.sh +++ /dev/null 
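Review bot: the `api_token` line in users.yml carries the comment that SDNC uses this key through the netbox.properties file, and the same token is hard-coded in every `Authorization: Token` header of provision.sh, so deleting these files alone can leave a consumer configured for a service that is no longer provisioned. Check that the netbox.properties entry is removed or updated in the same series, and treat `onceuponatimeiplayedwithnetbox20180814` and the `onap123$` password as burned, since both remain in git history and in any environment deployed from this chart.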
@@ -1,136 +0,0 @@ -#!/bin/sh - -# Create region - -echo "Create region: RegionOne" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/dcim/regions/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "RegionOne", - "slug": "RegionOne" -}' - -# Create tenant group - -echo "Create tenant group: ONAP group" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/tenancy/tenant-groups/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "ONAP group", - "slug": "onap-group" -}' - -# Create tenant - -echo "Create tenant ONAP in ONAP group" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/tenancy/tenants/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "ONAP", - "slug": "onap", - "group": 1, - "description": "ONAP tenant", - "comments": "Tenant for ONAP demo use cases" -}' - -# Create site - -echo "Create ONAP demo site: Montreal Lab" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/dcim/sites/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "name": "Montreal Lab D3", - "slug": "mtl-lab-d3", - "region": 1, - "tenant": 1, - "facility": "Campus", - "time_zone": "Canada/Atlantic", - "description": "Site hosting the ONAP use cases", - "physical_address": "1 Graham Bell", - "shipping_address": "1 Graham Bell", - "contact_name": "Alexis", - "contact_phone": "0000000000", - "contact_email": "adetalhouet89@gmail.com", - "comments": "ONAP lab" -}' - -# Create prefixes - -echo "Create Prefix for vFW protected network" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ 
.Values.service.internalPort }}/api/ipam/prefixes/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "prefix": "{{ .Values.service.private2 }}", - "site": 1, - "tenant": 1, - "is_pool": false, - "description": "IP Pool for private network 2" -}' - -echo "Create Prefix for vFW unprotected network" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "prefix": "{{ .Values.service.private1 }}", - "site": 1, - "tenant": 1, - "is_pool": false, - "description": "IP Pool for private network 1" -}' - -echo "Create Prefix for ONAP general purpose network" -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' \ - -d '{ - "prefix": "{{ .Values.service.management }}", - "site": 1, - "tenant": 1, - "is_pool": false, - "description": "IP Pool for ONAP - general purpose" -}' - -# Reserve ports, gateway and dhcp, for each protected and unprotected networks. 
- -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/1/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/1/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/2/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/2/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/3/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' - -curl --silent -X POST \ - http://{{ .Values.service.name }}:{{ .Values.service.internalPort }}/api/ipam/prefixes/3/available-ips/ \ - -H 'Authorization: Token onceuponatimeiplayedwithnetbox20180814' \ - -H 'Content-Type: application/json' diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/00_users.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/00_users.py deleted file mode 100755 index 7626058357..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/00_users.py +++ /dev/null 
@@ -1,26 +0,0 @@ -from django.contrib.auth.models import Group, User -from users.models import Token - -from ruamel.yaml import YAML - -with open('/opt/netbox/initializers/users.yml', 'r') as stream: - yaml=YAML(typ='safe') - users = yaml.load(stream) - - if users is not None: - for username, user_details in users.items(): - if not User.objects.filter(username=username): - user = User.objects.create_user( - username = username, - password = user_details.get('password', 0) or User.objects.make_random_password, - is_staff = user_details.get('is_staff', 0) or false, - is_superuser = user_details.get('is_superuser', 0) or false, - is_active = user_details.get('is_active', 0) or true, - first_name = user_details.get('first_name', 0), - last_name = user_details.get('last_name', 0), - email = user_details.get('email', 0)) - - print("👤 Created user ",username) - - if user_details.get('api_token', 0): - Token.objects.create(user=user, key=user_details['api_token']) \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/10_groups.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/10_groups.py deleted file mode 100755 index 7932874704..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/10_groups.py +++ /dev/null @@ -1,19 +0,0 @@ -from django.contrib.auth.models import Group, User -from ruamel.yaml import YAML - -with open('/opt/netbox/initializers/groups.yml', 'r') as stream: - yaml=YAML(typ='safe') - groups = yaml.load(stream) - - if groups is not None: - for groupname, group_details in groups.items(): - group, created = Group.objects.get_or_create(name=groupname) - - if created: - print("👥 Created group", groupname) - - for username in group_details['users']: - user = User.objects.get(username=username) - - if user: - user.groups.add(group) 
diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/20_custom_fields.py b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/20_custom_fields.py deleted file mode 100755 index 5c40e37bf2..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/startup_scripts/20_custom_fields.py +++ /dev/null 
@@ -1,68 +0,0 @@ -from extras.constants import CF_TYPE_TEXT, CF_TYPE_INTEGER, CF_TYPE_BOOLEAN, CF_TYPE_DATE, CF_TYPE_URL, CF_TYPE_SELECT -from extras.models import CustomField, CustomFieldChoice - -from ruamel.yaml import YAML - -text_to_fields = { - 'boolean': CF_TYPE_BOOLEAN, - 'date': CF_TYPE_DATE, - 'integer': CF_TYPE_INTEGER, - 'selection': CF_TYPE_SELECT, - 'text': CF_TYPE_TEXT, - 'url': CF_TYPE_URL, -} - -def get_class_for_class_path(class_path): - import importlib - from django.contrib.contenttypes.models import ContentType - - module_name, class_name = class_path.rsplit(".", 1) - module = importlib.import_module(module_name) - clazz = getattr(module, class_name) - return ContentType.objects.get_for_model(clazz) - -with open('/opt/netbox/initializers/custom_fields.yml', 'r') as stream: - yaml = YAML(typ='safe') - customfields = yaml.load(stream) - - if customfields is not None: - for cf_name, cf_details in customfields.items(): - custom_field, created = CustomField.objects.get_or_create(name = cf_name) - - if created: - if cf_details.get('default', 0): - custom_field.default = cf_details['default'] - - if cf_details.get('description', 0): - custom_field.description = cf_details['description'] - - if cf_details.get('filterable', 0): - custom_field.is_filterables = cf_details['filterable'] - - if cf_details.get('label', 0): - custom_field.label = cf_details['label'] - - for object_type in cf_details.get('on_objects', []): - custom_field.obj_type.add(get_class_for_class_path(object_type)) - - if cf_details.get('required', 0): - custom_field.required = cf_details['required'] - - if cf_details.get('type', 0): - custom_field.type = text_to_fields[cf_details['type']] - - if cf_details.get('weight', 0): - custom_field.weight = cf_details['weight'] - - custom_field.save() - - for choice_details in cf_details.get('choices', []): - choice = CustomFieldChoice.objects.create( - field=custom_field, - value=choice_details['value']) - - if choice_details.get('weight', 0): 
- choice.weight = choice_details['weight'] - choice.save() - - print("🔧 Created custom field", cf_name) diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/NOTES.txt b/kubernetes/contrib/components/netbox/components/netbox-app/templates/NOTES.txt deleted file mode 100755 index e70c418864..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.fullname" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/configmap.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/configmap.yaml deleted file mode 100755 index f785478e1b..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/configmap.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-provisioning-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/provisioning/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configuration-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/configuration/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-initializers-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/initializers/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-startupscripts-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/startup_scripts/*").AsConfig . | indent 2 }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml deleted file mode 100755 index 302166fcd6..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml +++ /dev/null 
@@ -1,159 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: DB_PASSWORD - - name: EMAIL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: EMAIL_PASSWORD - - name: NAPALM_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: NAPALM_PASSWORD - - name: SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: SECRET_KEY - - name: SUPERUSER_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }}-pass - key: SUPERUSER_PASSWORD - - name: SUPERUSER_API_TOKEN - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . 
}}-pass - key: SUPERUSER_API_TOKEN - - name: ALLOWED_HOSTS - value: {{ .Values.config.allowedHosts | quote }} - - name: DB_NAME - value: {{ .Values.config.dbName }} - - name: DB_USER - value: {{ .Values.config.dbUser }} - - name: DB_HOST - value: {{ .Values.config.dbHost }} - - name: EMAIL_SERVER - value: {{ .Values.config.emailServer }} - - name: EMAIL_PORT - value: {{ .Values.config.emailPort | quote }} - - name: EMAIL_USERNAME - value: {{ .Values.config.emailUsername }} - - name: EMAIL_TIMEOUT - value: {{ .Values.config.emailTimeout | quote }} - - name: EMAIL_FROM - value: {{ .Values.config.emailFrom }} - - name: MEDIA_ROOT - value: {{ .Values.config.mediaRoot }} - - name: NAPALM_USERNAME - value: {{ .Values.config.napalmUsername }} - - name: NAPALM_TIMEOUT - value: {{ .Values.config.napalmTimeout | quote }} - - name: MAX_PAGE_SIZE - value: {{ .Values.config.maxPageSize | quote }} - - name: SUPERUSER_NAME - value: {{ .Values.config.superuserName }} - - name: SUPERUSER_EMAIL - value: {{ .Values.config.superuserEmail }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/netbox/startup_scripts - name: {{ include "common.fullname" . }}-startupscripts-config - - mountPath: /opt/netbox/initializers - name: {{ include "common.fullname" . }}-initializers-config - - mountPath: /etc/netbox/config - name: {{ include "common.fullname" . }}-configuration-config - - name: {{ include "common.fullname" . }} - mountPath: /opt/netbox/netbox/static - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . 
}} - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-{{ .Values.persistence.staticPvName }} - - name: {{ include "common.fullname" . }}-startupscripts-config - configMap: - name: {{ include "common.fullname" . }}-startupscripts-configmap - - name: {{ include "common.fullname" . }}-initializers-config - configMap: - name: {{ include "common.fullname" . }}-initializers-configmap - - name: {{ include "common.fullname" . }}-configuration-config - configMap: - name: {{ include "common.fullname" . }}-configuration-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/job.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/job.yaml deleted file mode 100644 index 3b367a3d4a..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/job.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -{{/* -# Copyright © 2018 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-provisioning - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - backoffLimit: 5 - template: - metadata: - labels: - app: {{ include "common.name" . }}-provisioning-job - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - netbox-app - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-provisioning-job - image: {{ include "repositoryGenerator.image.curl" . }} - volumeMounts: - - name: {{ include "common.fullname" . }}-provisioning - mountPath: /tmp - command: - - /bin/sh - - ./tmp/provision.sh - volumes: - - name: {{ include "common.fullname" . }}-provisioning - configMap: - name: {{ include "common.fullname" . 
}}-provisioning-configmap - defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pv.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/pv.yaml deleted file mode 100755 index a61217fb94..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if not .Values.persistence.storageClass -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-data - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }}/app -{{- end -}} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pvc.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/pvc.yaml deleted file mode 100755 index 7e25a0f1ef..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/pvc.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.release" . }}-{{ .Values.persistence.staticPvName }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - {{- if .Values.persistence.annotations }} - annotations: -{{ .Values.persistence.annotations | indent 4 }} - {{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/secrets.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/secrets.yaml deleted file mode 100755 index c06bc5a333..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/secrets.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* -# Copyright © 2018 Bell Canada, Amdocs -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-pass - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - DB_PASSWORD: {{ .Values.config.dbPassword | b64enc | quote }} - EMAIL_PASSWORD: {{ .Values.config.emailPassword | b64enc | quote }} - NAPALM_PASSWORD: {{ .Values.config.napalmPassword | b64enc | quote }} - SECRET_KEY: {{ .Values.config.secretKey | b64enc | quote }} - SUPERUSER_PASSWORD: {{ .Values.config.superuserPassword | b64enc | quote }} - SUPERUSER_API_TOKEN: {{ .Values.config.superuserAPIToken | b64enc | quote }} \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/service.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/service.yaml deleted file mode 100755 index 74d1116f50..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - name: {{ include "common.name" . }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - name: {{ include "common.name" . }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml deleted file mode 100755 index 27cd811ec1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: # global defaults - nodePortPrefixExt: 304 - persistence: {} - -config: - # Secrets configuration values - dbPassword: J5brHrAXFLQSif0K - emailPassword: password - napalmPassword: password - secretKey: r8OwDznj!!dci#P9ghmRfdu1Ysxm0AiPeDCQhKE+N_rClfWNj - superuserPassword: admin - superuserAPIToken: 0123456789abcdef0123456789abcdef01234567 - - # Remaining environment configuration values - allowedHosts: "*" - dbName: netbox - dbUser: netbox - dbHost: netbox-postgres - emailServer: localhost - emailPort: 25 - emailUsername: netbox - emailTimeout: 5 - emailFrom: netbox@bar.com - mediaRoot: /opt/netbox/netbox/media - napalmUsername: napalm - napalmTimeout: 10 - maxPageSize: 0 - superuserName: admin - superuserEmail: admin@onap.org - -image: netboxcommunity/netbox:v2.5.8 - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: false - -readiness: - initialDelaySeconds: 30 - periodSeconds: 10 - -service: - type: ClusterIP - name: netbox-app - externalPort: 8001 - internalPort: 8001 - portName: netbox-app - - # The following subnet pool will be - # configured in Netbox by provisioning script. 
- private1: 192.168.10.0/24 - private2: 192.168.20.0/24 - management: 10.0.101.0/24 - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteMany - size: 100Mi - - # Uncomment the storageClass parameter to use an existing PV - # that will match the following class. - # When uncomment the storageClass, the PV is not created anymore. - - # storageClass: "nfs-dev-sc" - - staticPvName: netbox-static - - # When using storage class, mountPath and mountSubPath are - # simply ignored. - - mountPath: /dockerdata-nfs - mountSubPath: netbox/app - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: netbox-app - roles: - - read diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/Chart.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/Chart.yaml deleted file mode 100755 index 3d5987928b..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Netbox - Nginx web server -name: netbox-nginx -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/resources/config/nginx.conf b/kubernetes/contrib/components/netbox/components/netbox-nginx/resources/config/nginx.conf deleted file mode 100755 index 2ef2aca3a1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/resources/config/nginx.conf +++ /dev/null 
@@ -1,34 +0,0 @@ -worker_processes 1; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - sendfile on; - tcp_nopush on; - keepalive_timeout 65; - gzip on; - server_tokens off; - client_max_body_size 10M; - - server { - listen {{ .Values.service.internalPort }}; - server_name {{ .Values.service.portName }}; - access_log off; - - location /static/ { - alias /opt/netbox/netbox/static/; - } - - location / { - proxy_pass http://netbox-app:8001; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - add_header P3P 'CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"'; - } - } -} diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/NOTES.txt b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/NOTES.txt deleted file mode 100755 index bd74a42cd5..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/configmap.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/configmap.yaml deleted file mode 100755 index 26242be8e2..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/configmap.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-config-configmap - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml deleted file mode 100755 index 2d115f74bf..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["nginx"] - args: ["-c", "/etc/netbox-nginx/nginx.conf","-g", "daemon off;"] - ports: - - containerPort: {{ .Values.service.internalPort }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }} - mountPath: /opt/netbox/netbox/static - - name: {{ include "common.fullname" . }}-config - mountPath: /etc/netbox-nginx - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-config-configmap - - name: {{ include "common.fullname" . }} - persistentVolumeClaim: - claimName: {{ include "common.release" . }}-{{ .Values.persistence.staticPvName }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/service.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/service.yaml deleted file mode 100755 index c01612e0f4..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/service.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - {{- else -}} - - port: {{ .Values.service.internalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml deleted file mode 100755 index a7d0dadbf1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - persistence: {} - pullPolicy: Always - -# application image -image: nginx:1.15-alpine -pullPolicy: Always - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessMode: ReadWriteMany - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: netbox/nginx/data - - # Names used for shared pv/pvcs across App & Nginx containers - staticPvName: netbox-static - -service: - type: ClusterIP - name: netbox-nginx - portName: netbox-nginx - internalPort: 8080 - nodePort: 20 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: netbox-nginx - roles: - - read diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/Chart.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/Chart.yaml deleted file mode 100755 index e0bf081960..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/Chart.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Netbox Posgres database -name: netbox-postgres -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' 
diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/NOTES.txt b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/NOTES.txt deleted file mode 100755 index bd74a42cd5..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/configmap.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/configmap.yaml deleted file mode 100755 index 9bc530577a..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/configmap.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-docker-entry-initd - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/cassandra/docker-entrypoint-initdb.d/*").AsConfig . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml deleted file mode 100755 index 8e05524fd1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - env: - - name: POSTGRES_USER - value: "{{ .Values.config.postgresUser }}" - - name: POSTGRES_PASSWORD - value: "{{ .Values.config.postgresPassword }}" - - name: POSTGRES_DB - value: "{{ .Values.config.postgresDB }}" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/postgresql/ - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - {{- if .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pv.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pv.yaml deleted file mode 100755 index 37d07f05a1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pv.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pvc.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pvc.yaml deleted file mode 100755 index 30da3add0d..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/pvc.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - resources: - requests: - storage: {{ .Values.persistence.size }} - storageClassName: {{ include "common.storageClass" . }} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/service.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/service.yaml deleted file mode 100755 index 75335884df..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml deleted file mode 100755 index 7e0a324aa1..0000000000 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -global: # global defaults - nodePortPrefixExt: 304 - persistence: {} - -# application image -image: postgres:10.4-alpine -pullPolicy: Always - -# application configuration -config: - postgresUser: netbox - postgresPassword: J5brHrAXFLQSif0K - postgresDB: netbox - -ingress: - enabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - - # Uncomment the storageClass parameter to use an existing PV - # that will match the following class. - # When uncomment the storageClass, the PV is not created anymore. - - # storageClass: "nfs-dev-sc" - - accessMode: ReadWriteOnce - size: 1Gi - - # When using storage class, mountPath and mountSubPath are - # simply ignored. 
- - mountPath: /dockerdata-nfs - mountSubPath: netbox/postgres/data - -service: - type: ClusterIP - name: netbox-postgres - portName: netbox-postgres - internalPort: 5432 - externalPort: 5432 - -resources: {} - -#Pods Service Account -serviceAccount: - nameOverride: netbox-postgres - roles: - - read diff --git a/kubernetes/contrib/components/netbox/templates/ingress.yaml b/kubernetes/contrib/components/netbox/templates/ingress.yaml deleted file mode 100755 index 6f604a79ba..0000000000 --- a/kubernetes/contrib/components/netbox/templates/ingress.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if .Values.ingress.enabled -}} -{{- $serviceName := include "common.fullname" . -}} -{{- $servicePort := .Values.service.externalPort -}} -apiVersion: networking.k8s.io/v1beta1 -kind: Ingress -metadata: - name: {{ $serviceName }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - {{- range $key, $value := .Values.ingress.annotations }} - {{ $key }}: {{ $value | quote }} - {{- end }} -spec: - rules: - {{- range $host := .Values.ingress.hosts }} - - host: {{ $host }} - http: - paths: - - path: / - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end -}} - {{- if .Values.ingress.tls }} - tls: -{{ toYaml .Values.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} diff --git a/kubernetes/contrib/components/netbox/values.yaml b/kubernetes/contrib/components/netbox/values.yaml deleted file mode 100755 index 04d2f27c7c..0000000000 --- a/kubernetes/contrib/components/netbox/values.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefixExt: 304 - commonConfigPrefix: netbox - -################################################################# -# Application configuration defaults. -################################################################# -# application image -pullPolicy: Always - -# default number of instances -replicaCount: 1 -nodeSelector: {} -affinity: {} - -ingress: - enabled: false - -resources: {} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md deleted file mode 100644 index 72f522a000..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/README.md +++ /dev/null 
@@ -1,23 +0,0 @@ -# Motivations -Ingress controller implementation in the ONAP cluster is based on the virtual host routing. -Testing ONAP cluster requires a lot of entries on the target machines in the /etc/hosts. -Adding many entries into the configuration files on testing machines is quite problematic and error prone. -The better wait is to create central DNS server with entries for all virtual host pointed to simpledemo.onap.org and add custom DNS server as a target DNS server for testing machines and/or as external DNS for kubernetes cluster. - -# How to deploy test DNS server: -Run script ./deploy\_dns.sh - -# How to add DNS address on testing machines: -See post deploy info - -# Test DNS inside cluster (optional) -1. You can add the following entry after DNS deploy on running cluster at the end of cluster.yaml file (rke) -~~~yaml -dns: - provider: coredns - upstreamnameservers: - - :31555 -~~~ -2. You can edit coredns configuration with command: - kubectl -n kube-system edit configmap coredns - diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore deleted file mode 100644 index dacad44a66..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/.helmignore +++ /dev/null 
@@ -1,37 +0,0 @@ -# -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml deleted file mode 100644 index dede98e707..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/Chart.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -# -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -apiVersion: v2 -appVersion: "1.0" -description: bind9 DNS server for kubernetes cluster -name: bind9dns -version: 0.1.0 diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt deleted file mode 100644 index 7211966b89..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/NOTES.txt +++ /dev/null 
@@ -1,21 +0,0 @@ -1. Get the installed DNS host and port by running this commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range $.Values.ingress.paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}{{ . }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bind9dns.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo DNS host: $NODE_IP dns port: $NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "bind9dns.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bind9dns.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bind9dns.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:80 -{{- end }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl deleted file mode 100644 index 3efbbbf831..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/_helpers.tpl +++ /dev/null 
@@ -1,49 +0,0 @@ -{{/* - - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/}} -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "bind9dns.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "bind9dns.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "bind9dns.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml deleted file mode 100644 index 7640be64a6..0000000000 
--- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/deployment.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{/* - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "bind9dns.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - helm.sh/chart: {{ include "bind9dns.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . 
}} - app.kubernetes.io/instance: {{ .Release.Name }} - spec: - containers: - - name: {{ .Chart.Name }} - image: {{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: DNS_FORWARDER - value: {{ .Values.dnsconf.forwarder }} - - name: WILDCARD_DNS - value: {{ .Values.dnsconf.wildcard }} - - name: ALLOW_RECURSION - value: any - - name: ALLOW_QUERY - value: any - ports: - - name: dnsport - containerPort: {{ .Values.service.port }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.port }} - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - tcpSocket: - port: {{ .Values.service.port }} - initialDelaySeconds: 5 - periodSeconds: 10 - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml deleted file mode 100644 index 715f2ff78e..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/service.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "bind9dns.fullname" . }} - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - helm.sh/chart: {{ include "bind9dns.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - nodePort: {{ .Values.service.nodePort }} - protocol: TCP - name: dnstcp - - port: {{ .Values.service.port }} - nodePort: {{ .Values.service.nodePort }} - protocol: UDP - name: dnsudp - selector: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml deleted file mode 100644 index 4fe5d05b02..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/templates/tests/test-connection.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* - Copyright 2020 Samsung Electronics Co., Ltd. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - -*/}} -apiVersion: v1 -kind: Pod -metadata: - name: "{{ include "bind9dns.fullname" . }}-test-connection" - labels: - app.kubernetes.io/name: {{ include "bind9dns.name" . }} - helm.sh/chart: {{ include "bind9dns.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - annotations: - "helm.sh/hook": test-success -spec: - containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "bind9dns.fullname" . }}:{{ .Values.service.port }}'] - restartPolicy: Never diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml deleted file mode 100644 index c9e19f41d0..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/bind9dns/values.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -# -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -replicaCount: 1 - -image: - repository: luccksam/docker-bind - tag: 0.1.0 - pullPolicy: IfNotPresent - -nameOverride: "" -fullnameOverride: "" - -service: - type: NodePort - port: 53 - nodePort: 31555 - -ingress: - enabled: false - annotations: {} - paths: [] - hosts: - - dnsserver.local - tls: [] - -resources: {} -nodeSelector: {} -tolerations: [] -affinity: {} - -dnsconf: - forwarder: "8.8.8.8,8.8.4.4" - wildcard: "simpledemo.onap.org=0.0.0.0" diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh deleted file mode 100755 index 294ae0a55e..0000000000 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh +++ /dev/null 
@@ -1,106 +0,0 @@ -#!/bin/sh -e - -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -DNS_PORT=31555 -CLUSTER_CONTROL=$( kubectl get no -l node-role.kubernetes.io/controlplane=true -o jsonpath='{.items..metadata.name}') -CLUSTER_IP=$(kubectl get no $CLUSTER_CONTROL -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') -SPATH="$( dirname "$( which "$0" )" )" - - - -usage() { -cat << ==usage -$0 [cluster_domain] [lb_ip] [helm_chart_args] ... - [cluster_domain] Default value simpledemo.onap.org - [lb_ip] Default value LoadBalancer IP - [helm_chart_args] ... Optional arguments passed to helm install command -$0 --help This message -$0 --info Display howto configure target machine -==usage -} - - -target_machine_notice_info() -{ -cat << ==infodeploy -Extra DNS server already deployed: -1. You can add the DNS server to the target machine using following commands: - sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT - sudo iptables -t nat -A OUTPUT -p udp -d 192.168.211.211 --dport 53 -j DNAT --to-destination $CLUSTER_IP:$DNS_PORT - sudo sysctl -w net.ipv4.conf.all.route_localnet=1 - sudo sysctl -w net.ipv4.ip_forward=1 -2. 
Update /etc/resolv.conf file with nameserver 192.168.211.211 entry on your target machine -==infodeploy -} - - -list_node_with_external_addrs() -{ - local WORKER_NODES - WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}') - for worker in $WORKER_NODES; do - local external_ip - external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') - local internal_ip - internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }') - if [ $internal_ip != $external_ip ]; then - echo $external_ip - break - fi - done -} - -ingress_controller_ip() { - local metal_ns - metal_ns=$(kubectl get ns --no-headers --output=custom-columns=NAME:metadata.name |grep metallb-system) - if [ -z $metal_ns ]; then - echo $CLUSTER_IP - else - list_node_with_external_addrs - fi -} - -deploy() { - local ingress_ip - ingress_ip=$(ingress_controller_ip) - initdir = $(pwd) - cd $SPATH/bind9dns - if [ $# -eq 0 ]; then - local cl_domain - cl_domain="simpledemo.onap.org" - else - local cl_domain - cl_domain=$1 - shift - fi - if [ $# -ne 0 ]; then - ingress_ip=$1 - shift - fi - helm install . --set dnsconf.wildcard="$cl_domain=$ingress_ip" $@ - cd $initdir - target_machine_notice_info -} - -if [ $# -eq 1 ] && [ "$1" = "-h" ]; then - usage -elif [ $# -eq 1 ] && [ "$1" = "--help" ]; then - usage -elif [ $# -eq 1 ] && [ "$1" = "--info" ]; then - target_machine_notice_info -else - deploy $@ -fi diff --git a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml b/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml deleted file mode 100644 index d579333157..0000000000 --- a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_cluster_config.yaml +++ /dev/null 
@@ -1,296 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- - -kind: ConfigMap -apiVersion: v1 -data: - enable-underscores-in-headers: "true" -metadata: - name: nginx-configuration - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: tcp-services - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -kind: ConfigMap -apiVersion: v1 -metadata: - name: udp-services - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-ingress-serviceaccount - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: nginx-ingress-clusterrole - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - - "networking.k8s.io" - resources: - - ingresses/status - verbs: - - update - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: nginx-ingress-role - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - 
app.kubernetes.io/part-of: ingress-nginx -rules: - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - namespaces - verbs: - - get - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - # Defaults to "-" - # Here: "-" - # This has to be adapted if you change either parameter - # when launching the nginx-ingress-controller. - - "ingress-controller-leader-nginx" - verbs: - - get - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: nginx-ingress-role-nisa-binding - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: nginx-ingress-role -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: ingress-nginx - ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: nginx-ingress-clusterrole-nisa-binding - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-ingress-clusterrole -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: ingress-nginx - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nginx-ingress-controller - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - annotations: - prometheus.io/port: "10254" - prometheus.io/scrape: "true" - spec: - serviceAccountName: 
nginx-ingress-serviceaccount - containers: - - name: nginx-ingress-controller - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.1 - args: - - /nginx-ingress-controller - - --configmap=$(POD_NAMESPACE)/nginx-configuration - - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - - --publish-service=$(POD_NAMESPACE)/ingress-nginx - - --annotations-prefix=nginx.ingress.kubernetes.io - - --enable-ssl-passthrough=true - securityContext: - allowPrivilegeEscalation: true - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - # www-data -> 33 - runAsUser: 33 - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 10 - ---- - -apiVersion: v1 -kind: Service -metadata: - name: ingress-nginx - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - type: NodePort - ports: - - name: http - port: 80 - targetPort: 80 - protocol: TCP - - name: https - port: 443 - targetPort: 443 - protocol: TCP - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ---- - diff --git a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_enable_optional_load_balacer_service.yaml b/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_enable_optional_load_balacer_service.yaml deleted file mode 100644 index 57c0034775..0000000000 
--- a/kubernetes/contrib/ingress-nginx-post-inst/nginx_ingress_enable_optional_load_balacer_service.yaml +++ /dev/null @@ -1,22 +0,0 @@ -kind: Service -apiVersion: v1 -metadata: - name: ingress-nginx - namespace: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx -spec: - externalTrafficPolicy: Local - type: LoadBalancer - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - ports: - - name: http - port: 80 - targetPort: http - - name: https - port: 443 - targetPort: https - diff --git a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh b/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh deleted file mode 100755 index 495d540905..0000000000 --- a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/bin/sh -e - -# -# Copyright 2020 Samsung Electronics Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -usage() -{ -cat << ==usage -$0 Automatic configuration using external addresess from nodes -$0 --help This message -$0 -h This message -$0 [cluster_ip1] ... [cluster_ipn] Cluster address or ip ranges -==usage -} - - -find_nodes_with_external_addrs() -{ - local WORKER_NODES - WORKER_NODES=$(kubectl get no -l node-role.kubernetes.io/worker=true -o jsonpath='{.items..metadata.name}') - for worker in $WORKER_NODES; do - local external_ip - external_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/external-ip }') - local internal_ip - internal_ip=$(kubectl get no $worker -o jsonpath='{.metadata.annotations.rke\.cattle\.io/internal-ip }') - if [ $internal_ip != $external_ip ]; then - echo $external_ip - fi - done -} - -generate_config_map() -{ -cat <""".format(arg0)) - print(( - "\n" - "Options:\n" - "-h, --help Show this help message and exit\n" - "-t, --table Use the specified format to display the result table.\n" - " Valid formats are those from the python `tabulate'\n" - " module. When not available, a basic builtin tabular\n" - " function is used and this field has no effect\n" - "-f, --fields Comma separated list of resources fields to display.\n" - " You may use wildcard patterns, eg small.*. 
Implicit\n" - " value is *, ie all available fields will be used\n" - "Examples:\n" - " # {0} /opt/oom/kubernetes\n" - " # {0} -f small.\\* /opt/oom/kubernetes\n" - " # {0} -f '*requests.*' -t fancy_grid /opt/oom/kubernetes\n" - " # {0} -f small.requests.cpu,small.requests.memory /opt/oom/kubernetes\n" - ).format(arg0)) - if status is not None: - sys.exit(status) - - -def getopts(): - """ read options from cmdline """ - opts, args = getopt.getopt(sys.argv[1:], - "hf:t:", - ["help", "fields=", "table="]) - if len(args) != 1: - usage(1) - - root = args[0] - table = None - fields = ['*'] - patterns = [] - - for opt, arg in opts: - if opt in ("-h", '--help'): - usage(0) - elif opt in ("-f", "--fields"): - fields = arg.split(',') - elif opt in ("-t", "--table"): - table = arg - - return root, table, fields, patterns - - -def main(): - """ main """ - try: - root, table, fields, patterns = getopts() - except getopt.GetoptError as e: - print("Error: {}".format(e)) - usage(1) - - if not os.path.isdir(root): - info("Cannot open {}: Not a directory".format(root)) - return - - # find projects - projects = [] - for dirname, filename in values(root): - projects.append(Project(dirname, filename)) - if not projects: - info("No projects found in {} directory".format(root)) - return - - # check if we want to use pattern matching (wildcard only) - if fields and reduce(lambda x, y: x or y, - map(lambda string: '*' in string, fields)): - patterns = fields - fields = [] - - # if fields are not specified or patterns are used, discover available fields - # and use them (sort for readability) - if patterns or not fields: - avail = sorted(set(reduce(lambda x, y: x+y, - map(lambda p: p.keys(), projects)))) - if patterns: - for pattern in patterns: - fields += filter(lambda string: match(string, pattern), avail) - else: - fields = avail - - # collect values for each project - results = map(lambda project: [project.name] + map(project.get, - fields), - projects) - - # and then print - if 
results: - headers = ['project'] + fields - print(tabulate(sorted(results), headers, tablefmt=table)) - - -main() diff --git a/kubernetes/contrib/tools/registry-initialize.sh b/kubernetes/contrib/tools/registry-initialize.sh deleted file mode 100755 index 798f375509..0000000000 --- a/kubernetes/contrib/tools/registry-initialize.sh +++ /dev/null 
@@ -1,152 +0,0 @@ -#!/bin/sh -x - -# Copyright (c) 2021 AT&T. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Pre-requisite -# 1. Chart packages available under local directory provided as input/argument -# 2. helm client installed with push plugin -# 3. ONAP chartmuseum service deployed - -usage() -{ - echo "Chart Base directory or helm chart from local repo must be provided as input!!" - echo "Usage: registry-initialize.sh -d chartdirectory \ -<-n namespace override> <-r helmrelease override> <-p chart name prefix> | <-h helm charts from local repo>" - exit 1 -} - -if [ $# -eq 0 ]; then - usage -fi - -# defaults -NAMESPACE=onap -RLS_NAME=onap -LOGIN="" -PASSWORD="" -PREF="" -HELM_REPO=local - -while getopts ":d:n:r:p:h:c:" opt; do - case $opt in - d) BASEDIR="$OPTARG" - ;; - n) NAMESPACE="$OPTARG" - ;; - r) RLS_NAME="$OPTARG" - ;; - p) PREF="$OPTARG" - ;; - h) HELM_CHART="$OPTARG" - ;; - c) HELM_REPO="$OPTARG" - ;; - \?) 
echo "Invalid option -$OPTARG" >&2 - usage - ;; - esac -done - - -if [ -z "$BASEDIR" ] && [ -z "$HELM_CHART" ] ; then - echo "Chart base directory provided $BASEDIR and helm chart from local repo is empty" - exit -fi - -if [ -n "$BASEDIR" ] && [ -n "$HELM_CHART" ] ; then - echo "Both chart base directory $BASEDIR and helm chart from local repo $HELM_CHART cannot be used at the same time " - exit -fi - -if [ -n "$BASEDIR" ]; then - if [ "$(find $BASEDIR -maxdepth 1 -name '*tgz' -print -quit)" ]; then - echo "$BASEDIR valid" - else - echo "No chart package on $BASEDIR provided" - exit - fi -fi - -if [ -n "$HELM_CHART" ]; then - tmp_location=$(mktemp -d) - helm pull $HELM_REPO/$HELM_CHART -d $tmp_location - if [ $? -eq 0 ]; then - echo "Helm chart $HELM_CHART has been pulled out from in $HELM_REPO repo" - BASEDIR=$tmp_location - else - echo "No chart package $HELM_CHART on $HELM_REPO repo" - exit - fi -fi - -if [ -z "$PREF" ] && [ -z "$HELM_CHART" ] ; then - PREF=dcae -fi - -LOGIN=$(kubectl -n "$NAMESPACE" get secret \ - "${RLS_NAME}-chartmuseum-registrycred" \ - -o jsonpath='{.data.login}' | base64 -d) - -PASSWORD=$(kubectl -n "$NAMESPACE" get secret \ - "${RLS_NAME}-chartmuseum-registrycred" \ - -o jsonpath='{.data.password}' | base64 -d) - -if [ -z "$LOGIN" ] || [ -z "$PASSWORD" ]; then - echo "Login/Password credential for target registry cannot be retrieved" - exit 1 -fi - -# Expose cluster port via port-forwarding -kubectl -n $NAMESPACE port-forward service/chart-museum 27017:80 & -if [ $? -ne 0 ]; then - echo "Error in port forwarding; registry cannot be added!!" - exit 1 -fi - -sleep 5 - -# Add chartmuseum repo as helm repo -# Credentials should match config defined in -# oom\kubernetes\platform\components\chartmuseum\values.yaml -helm repo add k8s-registry http://127.0.0.1:27017 --username "$LOGIN" \ - --password "$PASSWORD" -if [ $? -ne 0 ]; then - echo "registry cannot be added!!" 
- pkill -f "port-forward service/chart-museum" - exit 1 -fi - -# Initial scope is pushing only dcae charts -# can be expanded to include all onap charts if required -for file in $BASEDIR/$PREF*tgz; do - # use helm plugin to push charts - helm cm-push -f $file k8s-registry - if [ $? -eq 0 ]; then - echo "$file uploaded to registry successfully" - else - echo "registry upload failed!!" - pkill -f "port-forward service/chart-museum" - helm repo remove k8s-registry - exit 1 - fi -done - -echo "All Helm charts successfully uploaded into internal repository" - -# Remove the port-forwarding process -pkill -f "port-forward service/chart-museum" - -# Remove helm registry from local -helm repo remove k8s-registry diff --git a/kubernetes/contrib/tools/rke/rke_setup.sh b/kubernetes/contrib/tools/rke/rke_setup.sh deleted file mode 100755 index a8938a96ee..0000000000 --- a/kubernetes/contrib/tools/rke/rke_setup.sh +++ /dev/null 
@@ -1,353 +0,0 @@ -#!/bin/sh - -############################################################################# -# Copyright © 2019 Bell. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -############################################################################# -# -# This installation is for an RKE install of kubernetes -# after this run the standard oom install -# this installation can be run on any ubuntu 16.04/18.04 VM, RHEL 7.6 (root only), physical or cloud azure/aws host -# https://wiki.onap.org/display/DW/OOM+RKE+Kubernetes+Deployment -# source from https://jira.onap.org/browse/OOM-1598 -# -# master/dublin -# RKE 0.1.16 Kubernetes 1.11.6, kubectl 1.11.6, Helm 2.9.1, Docker 18.06 -# 20190428 RKE 0.2.1, Kubernetes 1.13.5, kubectl 1.13.5, Helm 2.12.3, Docker 18.09.5 -# single node install, HA pending - -usage() { -cat < cluster.yml <> /etc/hosts - echo "Install docker - If you must install as non-root - comment out the docker install below - run it separately, run the user mod, logout/login and continue this script" - curl https://releases.rancher.com/install-docker/$DOCKER_VERSION.sh | sh - sudo usermod -aG docker $USERNAME - - echo "Install RKE" - sudo wget https://github.com/rancher/rke/releases/download/v$RKE_VERSION/rke_linux-amd64 - mv rke_linux-amd64 rke - sudo chmod +x rke - sudo mv ./rke /usr/local/bin/rke - - echo "Install make - required for beijing+ - installed via yum groupinstall Development Tools in RHEL" - # ubuntu specific - sudo apt-get install 
make -y - - sudo curl -LO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl - sudo chmod +x ./kubectl - sudo mv ./kubectl /usr/local/bin/kubectl - sudo mkdir ~/.kube - wget http://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz - sudo tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz - sudo mv linux-amd64/helm /usr/local/bin/helm - - echo "Bringing RKE up - using supplied cluster.yml" - sudo rke up - echo "wait 2 extra min for the cluster" - sleep 60 - echo "1 more min" - sleep 60 - echo "copy kube_config_cluter.yaml generated - to ~/.kube/config" - sudo cp kube_config_cluster.yml ~/.kube/config - # avoid using sudo for kubectl - sudo chmod 777 ~/.kube/config - echo "Verify all pods up on the kubernetes system - will return localhost:8080 until a host is added" - echo "kubectl get pods --all-namespaces" - kubectl get pods --all-namespaces - echo "install tiller/helm" - kubectl -n kube-system create serviceaccount tiller - kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller - helm init --service-account tiller - kubectl -n kube-system rollout status deploy/tiller-deploy - echo "upgrade server side of helm in kubernetes" - if [ "$USERNAME" = "root" ]; then - helm version - else - sudo helm version - fi - echo "sleep 30" - sleep 30 - if [ "$USERNAME" = "root" ]; then - helm init --upgrade - else - sudo helm init --upgrade - fi - echo "sleep 30" - sleep 30 - echo "verify both versions are the same below" - if [ "$USERNAME" = "root" ]; then - helm version - else - sudo helm version - fi - echo "start helm server" - if [ "$USERNAME" = "root" ]; then - helm serve & - else - sudo helm serve & - fi - echo "sleep 30" - sleep 30 - echo "add local helm repo" - if [ "$USERNAME" = "root" ]; then - helm repo add local http://127.0.0.1:8879 - helm repo list - else - sudo helm repo add local http://127.0.0.1:8879 - sudo helm repo list - fi - echo 
"To enable grafana dashboard - do this after running cd.sh which brings up onap - or you may get a 302xx port conflict" - echo "kubectl expose -n kube-system deployment monitoring-grafana --type=LoadBalancer --name monitoring-grafana-client" - echo "to get the nodeport for a specific VM running grafana" - echo "kubectl get services --all-namespaces | grep graf" - sudo docker version - helm version - kubectl version - kubectl get services --all-namespaces - kubectl get pods --all-namespaces - echo "finished!" -} - -BRANCH= -SERVER= -ENVIRON= -VALIDATE=false -USERNAME=ubuntu -SSHPATH_PREFIX=~/.ssh - -while getopts ":b:s:e:u:l:k:v" PARAM; do - case $PARAM in - u) - usage - exit 1 - ;; - b) - BRANCH=${OPTARG} - ;; - e) - ENVIRON=${OPTARG} - ;; - s) - SERVER=${OPTARG} - ;; - l) - USERNAME=${OPTARG} - ;; - k) - SSHKEY=${OPTARG} - ;; - v) - VALIDATE=${OPTARG} - ;; - ?) - usage - exit - ;; - esac -done - -if [ -z $BRANCH ]; then - usage - exit 1 -fi - -install_onap $BRANCH $SERVER $ENVIRON $USERNAME $SSHPATH_PREFIX $SSHKEY $VALIDATE diff --git a/kubernetes/contrib/values.yaml b/kubernetes/contrib/values.yaml deleted file mode 100644 index 8a44934d8f..0000000000 --- a/kubernetes/contrib/values.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright © 2019 Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - cmpv2Enabled: true - -awx: - enabled: true -netbox: - enabled: true 
diff --git a/kubernetes/cps/Chart.yaml b/kubernetes/cps/Chart.yaml index 63f65a59b6..06fdcf0305 100644 --- a/kubernetes/cps/Chart.yaml +++ b/kubernetes/cps/Chart.yaml @@ -17,25 +17,25 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) name: cps -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: roles-wrapper - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: standaloneDeployment - name: cps-core - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: cps-core.enabled - name: cps-temporal - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: cps-temporal.enabled - name: ncmp-dmi-plugin - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: ncmp-dmi-plugin.enabled diff --git a/kubernetes/cps/components/cps-core/Chart.yaml b/kubernetes/cps/components/cps-core/Chart.yaml index c9638b2d05..b1aa1046dd 100644 --- a/kubernetes/cps/components/cps-core/Chart.yaml +++ b/kubernetes/cps/components/cps-core/Chart.yaml @@ -18,26 +18,26 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) - Core name: cps-core -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.postgres.localCluster - name: postgres-init - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: postgres.postgresInit - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file 
diff --git a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml index f9bb230161..e9d4df5fe3 100644 --- a/kubernetes/cps/components/cps-core/resources/config/application-helm.yml +++ b/kubernetes/cps/components/cps-core/resources/config/application-helm.yml @@ -1,8 +1,9 @@ {{/* # Copyright (C) 2021 Pantheon.tech # Modifications Copyright (C) 2020 Bell Canada. -# Modifications Copyright (C) 2021-2022 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # Modifications Copyright (C) 2021 Orange +# Modifications Copyright (C) 2024 TechMahindra Ltd. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -30,19 +31,25 @@ spring: initialization-mode: always liquibase: change-log: classpath:changelog/changelog-master.yaml - labels: {{ .Values.config.liquibaseLabels }} + label-filter: {{ .Values.config.liquibaseLabels }} kafka: producer: client-id: cps-core security: - # comma-separated uri patterns which do not require authorization - permit-uri: /manage/**,/swagger-ui/**,/swagger-resources/**,/api-docs +# comma-separated uri patterns which do not require authorization + permit-uri: /actuator/**,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs/** auth: username: ${CPS_USERNAME} password: ${CPS_PASSWORD} +# Actuator +management: + tracing: + propagation: + produce: {{ .Values.management.tracing.propagation.produce }} + logging: level: org: 
@@ -54,18 +61,41 @@ ncmp: username: ${DMI_USERNAME} password: ${DMI_PASSWORD} -{{- if .Values.config.useStrimziKafka }} -spring.kafka.bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 +{{- with (first .Values.kafkaUser.acls) }} +spring.kafka.consumer.group-id: {{ .name }} +{{- end }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 spring.kafka.security.protocol: SASL_PLAINTEXT -spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512 -spring.kafka.properties.sasl.jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} +spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} +spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG} + +# Kafka Topics +{{- if .Values.topics.config }} +{{ toYaml .Values.topics.config | nindent 2 }} {{- end }} {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} {{- end }} +# cps tracing +{{- if .Values.tracing }} + {{ toYaml .Values.tracing | nindent 2 }} +{{- end }} + +# Custom Hazelcast config. +hazelcast: + cluster-name: {{ .Values.hazelcast.config.clusterName }} + mode: + kubernetes: + enabled: {{ .Values.hazelcast.config.kubernetesDiscovery }} + service-name: {{ .Values.hazelcast.config.kubernetesServiceName }} + +otel: + exporter: + otlp: + traces: + protocol: {{ .Values.otel.config.otlp.traces.protocol }} + # Last empty line is required otherwise the last property will be missing from application.yml file in the pod. diff --git a/kubernetes/cps/components/cps-core/templates/deployment.yaml b/kubernetes/cps/components/cps-core/templates/deployment.yaml index 3684aab3ac..daf6fd3dfa 100644 --- a/kubernetes/cps/components/cps-core/templates/deployment.yaml +++ b/kubernetes/cps/components/cps-core/templates/deployment.yaml 
@@ -1,7 +1,7 @@ {{/* # Copyright (C) 2021 Pantheon.tech, Orange # Modifications Copyright (C) 2021 Bell Canada. -# Modifications Copyright (C) 2021-2022 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -57,10 +57,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "login") | indent 12 }} - name: DMI_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "password") | indent 12 }} - {{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }} - {{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: init-data-input @@ -111,10 +112,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "login") | indent 12 }} - name: DMI_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmi-plugin-user-creds" "key" "password") | indent 12 }} - {{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }} - {{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} 
@@ -140,5 +142,4 @@ spec: medium: Memory - name: init-temp emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cps/components/cps-core/templates/kafkatopic.yaml b/kubernetes/cps/components/cps-core/templates/kafkatopic.yaml new file mode 100644 index 0000000000..7274ee02b2 --- /dev/null +++ b/kubernetes/cps/components/cps-core/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/cps-core/templates/kafkauser.yaml b/kubernetes/cps/components/cps-core/templates/kafkauser.yaml new file mode 100644 index 0000000000..708e99dfe0 --- /dev/null +++ b/kubernetes/cps/components/cps-core/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/cps-core/templates/service.yaml b/kubernetes/cps/components/cps-core/templates/service.yaml index 97657bfc0b..52263a87ac 100644 --- a/kubernetes/cps/components/cps-core/templates/service.yaml +++ b/kubernetes/cps/components/cps-core/templates/service.yaml @@ -15,3 +15,5 @@ */}} {{ include "common.service" . }} +--- +{{ include "common.headlessService" . }} diff --git a/kubernetes/cps/components/cps-core/values.yaml b/kubernetes/cps/components/cps-core/values.yaml index 8e5e314aca..2c251ee344 100644 --- a/kubernetes/cps/components/cps-core/values.yaml +++ b/kubernetes/cps/components/cps-core/values.yaml @@ -1,6 +1,7 @@ # Copyright (C) 2021 Pantheon.tech, Orange, Bell Canada. # Modifications Copyright (C) 2022 Bell Canada -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation +# Modifications Copyright © 2024 TechMahindra Ltd. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -43,13 +44,6 @@ secrets: login: '{{ .Values.config.dmiPluginUserName }}' password: '{{ .Values.config.dmiPluginUserPassword }}' passwordPolicy: generate - - uid: cps-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate ################################################################# # Global configuration defaults. @@ -75,30 +69,30 @@ global: container: name: postgres -image: onap/cps-and-ncmp:3.1.5 -containerPort: &svc_port 8080 -managementPort: &mgt_port 8081 +image: onap/cps-and-ncmp:3.5.4 service: type: ClusterIP + headless: {} name: cps-core + internalPort: &svc_port 8080 ports: - name: &port http port: *svc_port - - name: http-management - port: *mgt_port - targetPort: *mgt_port + headlessPorts: + - name: tcp-hazelcast + port: 5701 prometheus: enabled: false metrics: serviceMonitor: - port: http-management + port: http ## specify target port if name is not given to the port in the service definition ## # targetPort: 8080 - path: /manage/prometheus + path: /actuator/prometheus interval: 60s basicAuth: enabled: false @@ -116,18 +110,18 @@ replicaCount: 1 resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1.5Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1.5Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "3Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "3Gi" unlimited: {} # probe configuration parameters liveness: 
@@ -136,20 +130,20 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port readiness: initialDelaySeconds: 15 periodSeconds: 15 - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port startup: failureThreshold: 5 periodSeconds: 60 - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port ingress: enabled: true @@ -173,8 +167,7 @@ securityContext: ################################################################# config: - - # Set it for pre loading xnfdata, else set to null + # Set it for preloading xnfdata, else set to null liquibaseLabels: xnf-data-preload # REST API basic authentication credentials (passsword is generated if not provided) @@ -189,22 +182,8 @@ config: # spring.config.max-size: 200 # spring.config.min-size: 10 -# kafka config - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. - -# eventPublisher: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: SASL_PLAINTEXT -# spring.kafka.properties.sasl.mechanism: PLAIN -# spring.kafka.properties.sasl.jaas.config: org.apache.kafka.common.security.plain.PlainLoginModule required username=admin password=admin_secret; - additional: - notification.data-updated.enabled: true - notification.data-updated.topic: cps.data-updated-events + notification.enabled: true notification.data-updated.filters.enabled-dataspaces: "" notification.async.enabled: false notification.async.executor.core-pool-size: 2 
@@ -212,11 +191,91 @@ config: notification.async.executor.queue-capacity: 500 notification.async.executor.wait-for-tasks-to-complete-on-shutdown: true notification.async.executor.thread-name-prefix: Async- + app.cps.data-updated.change-event-notifications-enabled: true + +# Strimzi KafkaUser and Topic config +kafkaTopic: + - name: &dmiCmEventsTopic dmi-cm-events + retentionMs: 7200000 + segmentBytes: 1073741824 + - name: &dataUpdatedTopic cps-data-updated-events + retentionMs: 7200000 + segmentBytes: 1073741824 + +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: cps-core-group + type: group + operations: [Read] + - name: *dataUpdatedTopic + type: topic + operations: [Write] + - name: *dmiCmEventsTopic + type: topic + operations: [Read] + - name: &ncmpAsyncM2MTopic ncmp-async-m2m + type: topic + operations: [Read] + - name: &cmAvcSubscriptionTopic cm-avc-subscription + type: topic + operations: [Read] + - name: &ncmpCmSubscriptionIn subscription + type: topic + operations: [Read] + - name: &ncmpCmSubscriptionDmiIn ncmp-dmi-cm-avc-subscription + type: topic + operations: [Read] + - name: &ncmpCmSubscriptionDmiOut dmi-ncmp-cm-avc-subscription + type: topic + operations: [Read] + - name: &ncmpCmSubscriptionOut subscription-response + type: topic + operations: [Read] + - name: &ncmpCmEventsTopic cm-events + type: topic + operations: [Read] + - name: &dmiDeviceHeartbeatTopic dmi-device-heartbeat + type: topic + operations: [Read] + - name: &lcmEventsTopic ncmp-events + type: topic + operations: [Read] + +topics: + config: + app.ncmp.async-m2m.topic: *ncmpAsyncM2MTopic + app.ncmp.avc.cm-subscription-ncmp-in: *ncmpCmSubscriptionIn + app.ncmp.avc.cm-subscription-dmi-in: *ncmpCmSubscriptionDmiIn + app.ncmp.avc.cm-subscription-dmi-out: *ncmpCmSubscriptionDmiOut + app.ncmp.avc.cm-subscription-ncmp-out: *ncmpCmSubscriptionOut + app.ncmp.avc.cm-events-topic: *ncmpCmEventsTopic + app.lcm.events.topic: *lcmEventsTopic + app.dmi.cm-events.topic: *dmiCmEventsTopic + 
app.dmi.device-heartbeat.topic: *dmiDeviceHeartbeatTopic + app.cps.data-updated.topic: *dataUpdatedTopic logging: level: INFO path: /tmp +management: + tracing: + propagation: + produce: [W3C] + +tracing: + cps: + tracing: + sampler: + jaeger_remote: + endpoint: http://onap-otel-collector:14250 + exporter: + endpoint: http://onap-otel-collector:4317 + protocol: grpc + enabled: false + excluded-observation-names: tasks.scheduled.execution + ################################################################# # Postgres overriding defaults in the postgres ################################################################# @@ -250,6 +309,8 @@ postgres-init: pgDatabase: cpsdb pgDataPath: data pgUserExternalSecret: *pgUserCredsSecretName + serviceAccount: + nameOverride: cps-postgres-init # pgPrimaryPassword: password # pgUserPassword: password @@ -257,10 +318,25 @@ postgres-init: readinessCheck: wait_for: - - '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}' + services: + - '{{ .Values.global.postgres.service.name2 }}' minReadySeconds: 10 updateStrategy: type: RollingUpdate maxUnavailable: 0 maxSurge: 1 + +# Hazlecast custom configurations. +hazelcast: + config: + kubernetesDiscovery: true + kubernetesServiceName: cps-core-headless + clusterName: cps-and-ncmp-common-cache-cluster + +otel: + config: + otlp: + traces: + protocol: grpc + diff --git a/kubernetes/cps/components/cps-temporal/Chart.yaml b/kubernetes/cps/components/cps-temporal/Chart.yaml index 39347a9938..4f3f317b29 100644 --- a/kubernetes/cps/components/cps-temporal/Chart.yaml +++ b/kubernetes/cps/components/cps-temporal/Chart.yaml 
@@ -21,21 +21,21 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) - Temporal name: cps-temporal -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: timescaledb - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml index 6e80843949..bede7f1fdc 100644 --- a/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml +++ b/kubernetes/cps/components/cps-temporal/resources/config/application-helm.yml @@ -1,7 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -25,23 +25,18 @@ spring: username: ${DB_USERNAME} password: ${DB_PASSWORD} - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} - app: listener: data-updated: topic: {{ .Values.config.app.listener.dataUpdatedTopic }} -{{- if .Values.config.useStrimziKafka }} -spring.kafka.bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -spring.kafka.security.protocol: SASL_PLAINTEXT -spring.kafka.properties.sasl.mechanism: SCRAM-SHA-512 -spring.kafka.properties.sasl.jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventPublisher | nindent 2 }} +{{- with (first .Values.kafkaUser.acls) }} +spring.kafka.consumer.group-id: {{ .name }} {{- end }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +spring.kafka.security.protocol: SASL_PLAINTEXT +spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} +spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG} {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} diff --git a/kubernetes/cps/components/cps-temporal/templates/deployment.yaml b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml index 71ff37193b..143740d191 100644 --- a/kubernetes/cps/components/cps-temporal/templates/deployment.yaml +++ b/kubernetes/cps/components/cps-temporal/templates/deployment.yaml @@ -1,7 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -54,10 +54,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }} - name: APP_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }} - {{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-kafka-user" "key" "sasl.jaas.config") | indent 12 }} - {{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: init-data-input @@ -113,6 +114,4 @@ spec: medium: Memory - name: init-temp emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cps/components/cps-temporal/templates/kafkatopic.yaml b/kubernetes/cps/components/cps-temporal/templates/kafkatopic.yaml new file mode 100644 index 0000000000..d1d21a6dbc --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} 
diff --git a/kubernetes/cps/components/cps-temporal/templates/kafkauser.yaml b/kubernetes/cps/components/cps-temporal/templates/kafkauser.yaml new file mode 100644 index 0000000000..708e99dfe0 --- /dev/null +++ b/kubernetes/cps/components/cps-temporal/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/cps-temporal/values.yaml b/kubernetes/cps/components/cps-temporal/values.yaml index 1c57a4a512..97ffb3342f 100644 --- a/kubernetes/cps/components/cps-temporal/values.yaml +++ b/kubernetes/cps/components/cps-temporal/values.yaml @@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (c) 2021 Bell Canada. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -40,13 +40,6 @@ secrets: login: '{{ .Values.config.appUserName }}' password: '{{ .Values.config.appUserPassword }}' passwordPolicy: generate - - uid: cps-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate image: onap/cps-temporal:1.2.1 containerPort: &svc_port 8080 @@ -90,18 +83,18 @@ replicaCount: 1 resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "3" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "4Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "4Gi" unlimited: {} # probe configuration parameters liveness: @@ -146,24 +139,9 @@ config: spring: profile: helm #appUserPassword: - -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: cps-temporal-group app: listener: - dataUpdatedTopic: cps.data-updated-events -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. - -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: cps-temporal-group + dataUpdatedTopic: &dataUpdatedTopic cps.data-updated-events # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. @@ -171,6 +149,17 @@ config: # spring.config.max-size: 200 # spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: cps-temporal-group + type: group + operations: [Read] + - name: *dataUpdatedTopic + type: topic + operations: [Read] + logging: level: INFO path: /tmp 
@@ -194,7 +183,8 @@ timescaledb: readinessCheck: wait_for: - - cps-temporal-db + services: + - cps-temporal-db minReadySeconds: 10 updateStrategy: diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml index b75bbb3d36..fb578590e0 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/Chart.yaml @@ -21,18 +21,18 @@ apiVersion: v2 description: ONAP Configuration Persistance Service (CPS) - NCMP-DMI-Plugin name: ncmp-dmi-plugin -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml index 8e71114c8c..2b68b6c04f 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/resources/config/application-helm.yml @@ -37,7 +37,7 @@ sdnc: security: # comma-separated uri patterns which do not require authorization - permit-uri: /manage/**,/swagger-ui/**,/swagger-resources/**,/v3/api-docs + permit-uri: /actuator/**,/swagger-ui.html,/swagger-ui/**,/swagger-resources/**,/api-docs/**,/v3/api-docs auth: username: ${DMI_PLUGIN_USERNAME} password: ${DMI_PLUGIN_PASSWORD} 
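Review bot: in the `security:` block of `application-helm.yml`, `permit-uri` now exempts `/actuator/**` from authorization, which covers every actuator endpoint rather than the two paths this patch actually needs (`/actuator/health` for the probes and `/actuator/prometheus` for the ServiceMonitor). The `values.yaml` hunks for this chart also remove `managementPort` and point the probes at `*svc_port`, so these unauthenticated paths are served on the same port as the API. Suggest listing only `/actuator/health/**` and `/actuator/prometheus` here, or stating in the comment above the line which actuator endpoints are exposed and why the wildcard is acceptable.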
@@ -49,6 +49,18 @@ logging: onap: cps: {{ .Values.logging.cps }} +{{- with (first .Values.kafkaUser.acls) }} +spring.kafka.consumer.group-id: {{ .name }} +{{- end }} +spring.kafka.bootstrap-servers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 +spring.kafka.security.protocol: SASL_PLAINTEXT +spring.kafka.properties.sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} +spring.kafka.properties.sasl.jaas.config: ${SASL_JAAS_CONFIG} + +# Kafka Topics +{{- if .Values.topics.config }} +{{ toYaml .Values.topics.config | nindent 2 }} +{{- end }} {{- if .Values.config.additional }} {{ toYaml .Values.config.additional | nindent 2 }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml index 3d154dba64..351f8834a4 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/deployment.yaml @@ -31,10 +31,7 @@ spec: maxSurge: {{ index .Values.updateStrategy.maxSurge }} selector: {{- include "common.selectors" . | nindent 4 }} template: - metadata: - labels: - app.kubernetes.io/name: {{ include "common.name" . }} - app.kubernetes.io/instance: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim}} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} @@ -60,6 +57,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-core-creds" "key" "login") | indent 12 }} - name: CPS_CORE_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cps-core-creds" "key" "password") | indent 12 }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: init-data-input 
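Review bot: the `SASL_JAAS_CONFIG` entry added to `deployment.yaml` builds the secret name inline as `{{ include "common.name" . }}-ku`, while the credentials just above it go through `common.secret.envFromSecretFast`, and the same five lines are repeated in the next hunk for the second container. Nothing in this file ties the `-ku` suffix to the name that `common.kafkauser` gives the generated secret, so a rename on either side only shows up at deploy time as a container that cannot be created. Suggest a shared helper for this env entry, or at least a comment naming the template that creates the secret and the key `sasl.jaas.config`.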
@@ -90,6 +92,11 @@ spec: env: - name: SPRING_PROFILES_ACTIVE value: {{ .Values.config.spring.profile }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }} @@ -112,5 +119,4 @@ spec: medium: Memory - name: init-temp emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkatopic.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkatopic.yaml new file mode 100644 index 0000000000..7274ee02b2 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkauser.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkauser.yaml new file mode 100644 index 0000000000..708e99dfe0 --- /dev/null +++ b/kubernetes/cps/components/ncmp-dmi-plugin/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} \ No newline at end of file diff --git a/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml b/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml index c35519b5fc..439fdb91eb 100644 --- a/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml +++ b/kubernetes/cps/components/ncmp-dmi-plugin/values.yaml @@ -47,9 +47,8 @@ global: virtualhost: baseurl: "simpledemo.onap.org" -image: onap/ncmp-dmi-plugin:1.2.2 +image: onap/ncmp-dmi-plugin:1.5.0 containerPort: &svc_port 8080 -managementPort: &mgt_port 8081 prometheus: enabled: false @@ -60,17 +59,14 @@ service: ports: - name: &port http port: *svc_port - - name: http-management - port: *mgt_port - targetPort: *mgt_port metrics: serviceMonitor: - port: http-management + port: http ## specify target port if name is not given to the port in the service definition ## # targetPort: 8080 - path: /manage/prometheus + path: /actuator/prometheus interval: 60s basicAuth: enabled: false @@ -88,18 +84,18 @@ replicaCount: 1 resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} # probe configuration parameters liveness: 
@@ -108,14 +104,14 @@ liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port readiness: initialDelaySeconds: 15 periodSeconds: 15 - path: /manage/health - port: *mgt_port + path: /actuator/health + port: *svc_port ingress: enabled: true @@ -164,16 +160,51 @@ config: # spring.config.min-size: 10 logging: - level: INFO + level: DEBUG cps: DEBUG path: /tmp readinessCheck: wait_for: - - cps-core + services: + - cps-core minReadySeconds: 10 updateStrategy: type: RollingUpdate maxUnavailable: 0 maxSurge: 1 + +# Strimzi KafkaUser and Topic config +kafkaTopic: + - name: &ncmpDmiCmAvcSubscriptionNcmpDmiPluginTopic ncmp-dmi-cm-avc-subscription-ncmp-dmi-plugin + retentionMs: 7200000 + segmentBytes: 1073741824 + - name: &dmiNcmpCmAvcSubscriptionTopic dmi-ncmp-cm-avc-subscription + retentionMs: 7200000 + segmentBytes: 1073741824 + - name: &ncmpAsyncM2MTopic ncmp-async-m2m + retentionMs: 7200000 + segmentBytes: 1073741824 + +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: ncmp-dmi-plugin-group + type: group + operations: [Read] + - name: *ncmpDmiCmAvcSubscriptionNcmpDmiPluginTopic + type: topic + operations: [Read] + - name: *dmiNcmpCmAvcSubscriptionTopic + type: topic + operations: [Write] + - name: *ncmpAsyncM2MTopic + type: topic + operations: [Write] + +topics: + config: + app.ncmp.async.topic: *ncmpAsyncM2MTopic + app.dmi.avc.subscription-topic: *ncmpDmiCmAvcSubscriptionNcmpDmiPluginTopic + app.dmi.avc.subscription-response-topic: *dmiNcmpCmAvcSubscriptionTopic diff --git a/kubernetes/cps/templates/cps-kafka-topic.yaml b/kubernetes/cps/templates/cps-kafka-topic.yaml deleted file mode 100644 index b4ecfcd9c4..0000000000 --- a/kubernetes/cps/templates/cps-kafka-topic.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if .Values.config.useStrimziKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.config.dataUpdatedTopic.name }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: {{ .Values.config.dataUpdatedTopic.partitions }} - config: - retention.ms: {{ .Values.config.dataUpdatedTopic.retentionMs }} - segment.bytes: {{ .Values.config.dataUpdatedTopic.segmentBytes }} ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.config.ncmpEventsTopic.name }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - config: - retention.ms: {{ .Values.config.ncmpEventsTopic.retentionMs }} ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.config.ncmpAsyncM2MTopic.name }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - config: - retention.ms: {{ .Values.config.ncmpAsyncM2MTopic.retentionMs }} -{{- end }} \ No newline at end of file diff --git a/kubernetes/cps/templates/cps-kafka-user.yaml b/kubernetes/cps/templates/cps-kafka-user.yaml deleted file mode 100644 index fafc8c3369..0000000000 --- a/kubernetes/cps/templates/cps-kafka-user.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if .Values.config.useStrimziKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.global.cpsKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: scram-sha-512 - authorization: - type: simple - acls: - - resource: - type: group - name: {{ .Values.config.dataUpdatedTopic.consumer.groupId }} - operation: Read - - resource: - type: topic - name: {{ .Values.config.dataUpdatedTopic.name }} - operation: Read - - resource: - type: topic - name: {{ .Values.config.dataUpdatedTopic.name }} - operation: Write - - resource: - type: group - name: {{ .Values.config.ncmpEventsTopic.consumer.groupId }} - operation: All - - resource: - type: topic - name: {{ .Values.config.ncmpEventsTopic.name }} - operation: All - - resource: - type: group - name: {{ .Values.config.ncmpAsyncM2MTopic.consumer.groupId }} - operation: All - - resource: - type: topic - name: {{ .Values.config.ncmpAsyncM2MTopic.name }} - operation: All -{{- end }} \ No newline at end of file diff --git a/kubernetes/cps/values.yaml b/kubernetes/cps/values.yaml index f3e6198ac1..a08690ed53 100755 --- a/kubernetes/cps/values.yaml +++ b/kubernetes/cps/values.yaml 
@@ -1,5 +1,5 @@ # Copyright (C) 2021 Bell Canada -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -48,13 +48,6 @@ config: coreUserName: cpsuser dmiPluginUserName: dmiuser useStrimziKafka: true - dataUpdatedTopic: - name: cps.data-updated-events - partitions: 10 - retentionMs: 7200000 - segmentBytes: 1073741824 - consumer: - groupId: cps-temporal-group ncmpEventsTopic: name: ncmp-events retentionMs: 7200000 @@ -65,6 +58,31 @@ config: retentionMs: 600000 consumer: groupId: ncmp-group + dmiCmEventsTopic: + name: dmi-cm-events + retentionMs: 7200000 + consumer: + groupId: ncmp-group + ncmpCmAvcSubscriptionTopic: + name: cm-avc-subscription + retentionMs: 7200000 + consumer: + groupId: ncmp-group + ncmpCmEventsTopic: + name: cm-events + retentionMs: 7200000 + consumer: + groupId: ncmp-group + dmiCmAvcSubscriptionTopic: + name: ncmp-dmi-cm-avc-subscription-ncmp-dmi-plugin + retentionMs: 7200000 + consumer: + groupId: ncmp-group + dmiCmAvcSubscriptionResponseTopic: + name: dmi-ncmp-cm-avc-subscription + retentionMs: 7200000 + consumer: + groupId: ncmp-group # Enable all CPS components by default cps-core: diff --git a/kubernetes/dcaegen2-services/Chart.yaml b/kubernetes/dcaegen2-services/Chart.yaml index a112fa6f59..83732e8298 100644 --- a/kubernetes/dcaegen2-services/Chart.yaml +++ b/kubernetes/dcaegen2-services/Chart.yaml 
@@ -1,8 +1,9 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2020 J. F. Lucas. All rights reserved. +# Copyright (c) 2020, 2024 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,88 +19,44 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "Oslo" description: DCAE Microservices name: dcaegen2-services -version: 12.0.0 +version: 15.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: dcae-datafile-collector - version: ~12.x-0 - repository: '@local' - condition: dcae-datafile-collector.enabled - name: dcae-datalake-admin-ui - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datalake-admin-ui.enabled - name: dcae-datalake-des - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datalake-des.enabled - name: dcae-datalake-feeder - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-datalake-feeder.enabled - - name: dcae-heartbeat - version: ~12.x-0 - repository: '@local' - condition: dcae-heartbeat.enabled - name: dcae-hv-ves-collector - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-hv-ves-collector.enabled - - name: dcae-kpi-ms - version: ~12.x-0 - repository: '@local' - condition: dcae-kpi-ms.enabled - name: dcae-ms-healthcheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-ms-healthcheck.enabled - - name: dcae-pm-mapper - version: ~12.x-0 - repository: '@local' - condition: dcae-pm-mapper.enabled - - name: dcae-pmsh - version: ~12.x-0 - repository: '@local' - condition: dcae-pmsh.enabled - name: dcae-prh - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-prh.enabled - - name: dcae-restconf-collector - version: ~12.x-0 - repository: '@local' - condition: dcae-restconf-collector.enabled - - name: dcae-slice-analysis-ms - version: ~12.x-0 - repository: '@local' - condition: dcae-slice-analysis-ms.enabled - - name: dcae-snmptrap-collector - version: ~12.x-0 - repository: '@local' - condition: dcae-snmptrap-collector.enabled - - name: dcae-son-handler - version: 
~12.x-0 - repository: '@local' - condition: dcae-son-handler.enabled - - name: dcae-tcagen2 - version: ~12.x-0 - repository: '@local' - condition: dcae-tcagen2.enabled - name: dcae-ves-collector - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: dcae-ves-collector.enabled - - name: dcae-ves-mapper - version: ~12.x-0 - repository: '@local' - condition: dcae-ves-mapper.enabled - name: dcae-ves-openapi-manager - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/dcae-ves-openapi-manager' condition: dcae-ves-openapi-manager.enabled diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml index 518e782d82..64fee4bba7 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/Chart.yaml @@ -21,9 +21,9 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Microservices Common templates name: dcaegen2-services-common -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl index afd3c38f31..bb35e80848 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_configmap.tpl @@ -1,7 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2019 AT&T -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); 
@@ -33,14 +33,10 @@ The template always produces a configMap containing the microservice's initial configuration data. (See the documentation for dcaegen2-services-common.microserviceDeployment for more details.) -If the microservice is using one or more Data Router (DR) feeds, the +If the microservice is publishing to one or more Data Router (DR) feeds, the template produces a configMap containing the information needed to provision the feed(s). An init container performs the provisioning. -If the microservice acts as a DR publisher for one or more feeds, the -template produces a configMap containing the information needed to -provision the publisher(s). An init container performs the provisioning. - If the microservice acts as a DR subscriber for one or more feeds, the template produces a configMap containing the information needed to provision the subscribeer(s). An init container performs the provisioning. @@ -70,22 +66,22 @@ metadata: data: {{- range $i, $feed := .Values.drFeedConfig }} feedConfig-{{$i}}.json: |- - {{ $feed | toJson | indent 2 }} - {{- end }} -{{- end }} - -{{- if .Values.drPubConfig }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-drpub-config - namespace: {{ include "common.namespace" . }} - labels: {{ include "common.labels" . | nindent 6 }} -data: - {{- range $i, $drpub := .Values.drPubConfig }} - drpubConfig-{{$i}}.json: |- - {{ $drpub | toJson | indent 2 }} + { + "name": {{ $feed.feedName | quote }}, + "version": {{ $feed.feedVersion | quote }}, + "description": {{ $feed.feedDescription | default "None" | quote }}, + "authorization": { + "classification": {{ $feed.classification | quote }}, + "endpoint_addrs": [ + ], + "endpoint_ids": [ + { + "id": {{ $feed.publisher.username | quote }}, + "password": {{ $feed.publisher.password | quote }} + } + ] + } + } {{- end }} {{- end }} 
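Review bot: the `feedConfig-{{$i}}.json` body in `_configmap.tpl` is now assembled by hand with `quote` where the old line used `toJson`, and it writes `$feed.publisher.password` into a ConfigMap. `quote` is not a JSON encoder, so a value with characters outside plain ASCII can render as invalid JSON; piping each field through `toJson` keeps the explicit field layout and the escaping. None of `feedName`, `feedVersion`, `classification` or the `publisher` fields is checked, so a missing value goes unnoticed at render time; `required` on each would fail the render instead. The template comment should also say whether `publisher.password` is expected to be a placeholder resolved by the provisioning init container, since a literal credential here is readable by anyone who can read ConfigMaps in the namespace.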
@@ -100,7 +96,23 @@ metadata: data: {{- range $i, $drsub := .Values.drSubConfig }} drsubConfig-{{$i}}.json: |- - {{ $drsub | toJson | indent 2 }} + { + "feed": { + "name": {{ $drsub.feedName | quote }}, + "version": {{ $drsub.feedVersion | quote }} + }, + "delivery": { + "url": {{ $drsub.deliveryURL | quote }}, + "user": {{ $drsub.username | quote }}, + "password": {{ $drsub.userpwd | quote }}, + "use100": {{ $drsub.use100 | default false }} + }, + "metadataOnly": {{ $drsub.metadataOnly | default false }}, + "groupid": {{ $drsub.groupId | default 0 }}, + "follow_redirect": {{ $drsub.followRedirect | default true }}, + "privileged_subscriber": {{ $drsub.privilegedSubscriber | default false }}, + "decompress": {{ $drsub.decompress | default false }} + } {{- end }} {{- end }} {{- end }} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 93efe98846..eefee769bd 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -1,7 +1,7 @@ {{/* #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. # Copyright (c) 2021 Nokia. All rights reserved. # Copyright (c) 2021 Nordix Foundation. 
@@ -60,11 +60,19 @@ the the literal string "An example value". - name: {{ $envName }} value: {{ tpl $envValue $global | quote }} {{- else }} - {{ if or (not $envValue.secretUid) (not $envValue.key) }} - {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }} - {{- end }} + {{- if and (hasKey $envValue "externalSecret") ($envValue.externalSecret) }} +- name: {{ $envName }} + valueFrom: + secretKeyRef: + name: {{ tpl $envValue.externalSecretUid $global | quote }} + key: {{ tpl $envValue.key $global | quote }} + {{- else }} + {{ if or (not $envValue.secretUid) (not $envValue.key) }} + {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }} + {{- end }} - name: {{ $envName }} {{- include "common.secret.envFromSecretFast" (dict "global" $global "uid" $envValue.secretUid "key" $envValue.key) | indent 2 }} + {{- end }} {{- end -}} {{- end }} {{- end }} @@ -77,7 +85,7 @@ This template generates a list of volumes associated with the pod, based on information provided in .Values.externalVolumes. This template works in conjunction with dcaegen2-services-common._externalVolumeMounts to give the microservice access to data in volumes created else. -This initial implementation supports ConfigMaps only, as this is the only +This implementation supports ConfigMaps & EmptyDirs only, as this is the only external volume mounting required by current microservices. .Values.externalVolumes is a list of objects. Each object has 3 required fields and 2 optional fields: 
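Review bot: in the first `_deployment.tpl` hunk above (the new `externalSecret` branch of the env loop), the condition tests `$envValue.externalSecret` but the secret name is read from `$envValue.externalSecretUid`, and neither that field nor `key` is validated in this branch. The existing `fail` check now runs only in the `else` path, so an entry with `externalSecret: true` and no `externalSecretUid` skips it and fails inside `tpl` with a much less useful message. Suggest checking `externalSecretUid` and `key` before rendering the `secretKeyRef`, extending the `fail` text to mention the new fields, and describing `externalSecret`, `externalSecretUid` and `key` in the template's header comment.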
@@ -86,7 +94,7 @@ external volume mounting required by current microservices. names of resources are sometimes set at deployment time (for instance, to prefix the Helm release to the name), the string can be a Helm template fragment that will be expanded at deployment time. - - type: the type of the resource (in the current implementation, only "ConfigMap" is supported). + - type: the type of the resource (in the current implementation, only "ConfigMap" & "emptyDir" is supported). The value is a case-INsensitive string. - mountPoint: the path to the mount point for the volume in the container file system. The value is a case-sensitive string. @@ -105,7 +113,7 @@ externalVolumes: type: configmap mountPath: /opt/app/config - name: '{{ include "common.release" . }}-another-example' - type: configmap + type: emptyDir mountPath: /opt/app/otherconfig optional: false */}} @@ -113,14 +121,18 @@ externalVolumes: {{- $global := . -}} {{- if .Values.externalVolumes }} {{- range $vol := .Values.externalVolumes }} + {{- $vname := (tpl $vol.name $global) -}} {{- if eq (lower $vol.type) "configmap" }} - {{- $vname := (tpl $vol.name $global) -}} {{- $opt := hasKey $vol "optional" | ternary $vol.optional true }} - configMap: defaultMode: 420 name: {{ $vname }} optional: {{ $opt }} name: {{ $vname }} + {{- else if eq (lower $vol.type) "emptydir" }} +- name: {{ $vname }} + emptyDir: + sizeLimit: {{ $vol.sizeLimit }} {{- end }} {{- end }} {{- end }} 
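Review bot: in the new `emptydir` branch of `_externalVolumes`, `sizeLimit: {{ $vol.sizeLimit }}` has no default and `sizeLimit` is missing from the documented field list, which still describes 3 required and 2 optional fields; an entry that omits it renders an empty `sizeLimit:`. Suggest documenting the field and giving it a default, as the `tmp` and `logs` volumes later in this patch do with `128Mi`. The doc example also keeps `optional: false` on the entry it switched to `emptyDir`, although that branch never reads `optional`.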
@@ -133,7 +145,7 @@ This template generates a list of volume mounts for the microservice container, based on information provided in .Values.externalVolumes. This template works in conjunction with dcaegen2-services-common._externalVolumes to give the microservice access to data in volumes created else. -This initial implementation supports ConfigMaps only, as this is the only +This initial implementation supports ConfigMaps & EmptyDirs, as this is the only external volume mounting required by current microservices. See the documentation for dcaegen2-services-common._externalVolumes for @@ -144,16 +156,20 @@ the microservice. {{- $global := . -}} {{- if .Values.externalVolumes }} {{- range $vol := .Values.externalVolumes }} + {{- $vname := (tpl $vol.name $global) -}} {{- if eq (lower $vol.type) "configmap" }} - {{- $vname := (tpl $vol.name $global) -}} {{- $readOnly := $vol.readOnly | default false }} - mountPath: {{ $vol.mountPath }} name: {{ $vname }} readOnly: {{ $readOnly }} + {{- else if eq (lower $vol.type) "emptydir" }} +- mountPath: {{ $vol.mountPath }} + name: {{ $vname }} {{- end }} {{- end }} {{- end }} {{- end }} + {{/* dcaegen2-services-common.microserviceDeployment: This template produces a Kubernetes Deployment for a DCAE microservice. 
@@ -220,16 +236,6 @@ process into the microservice's configuration. See the documentation for the common DMaaP provisioning template (oom/kubernetes/common/common/templates/_dmaapProvisioning.tpl). -If the microservice acts as a TLS client or server, the Deployment will -include an initContainer that retrieves certificate information from -the AAF certificate manager. The information is mounted at the -mount point specified in .Values.certDirectory. If the microservice is -a TLS server (indicated by setting .Values.tlsServer to true), the -certificate information will include a server cert and key, in various -formats. It will also include the AAF CA cert. If the microservice is -a TLS client only (indicated by setting .Values.tlsServer to false), the -certificate information includes only the AAF CA cert. - If the microservice uses certificates from an external CMPv2 provider, the Deployment will include an initContainer that performs certificate post-processing. 
@@ -238,14 +244,17 @@ post-processing. {{- define "dcaegen2-services-common.microserviceDeployment" -}} {{- $log := default dict .Values.log -}} {{- $logDir := default "" $log.path -}} +{{- $tmp := default dict .Values.tmpDir -}} +{{- $tmpDir := default false $tmp.enabled -}} +{{- $ves := default false .Values.ves -}} {{- $certDir := (eq "true" (include "common.needTLS" .)) | ternary (default "" .Values.certDirectory . ) "" -}} -{{- $tlsServer := default "" .Values.tlsServer -}} {{- $commonRelease := print (include "common.release" .) -}} {{- $policy := default dict .Values.policies -}} {{- $policyRls := default $commonRelease $policy.policyRelease -}} -{{- $drFeedConfig := default "" .Values.drFeedConfig -}} +{{- $drNeedProvisioning := or .Values.drFeedConfig .Values.drSubConfig -}} {{- $dcaeName := print (include "common.fullname" .) }} {{- $dcaeLabel := (dict "dcaeMicroserviceName" $dcaeName) -}} +{{- $podLabels := default .Values.podLabels .labels -}} {{- $dot := . -}} apiVersion: apps/v1 kind: Deployment 
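Review bot: in the variable block at the top of `microserviceDeployment`, `$podLabels := default .Values.podLabels .labels` returns `.labels` when it is set and falls back to `.Values.podLabels` otherwise, and at this point `.` is the chart context that the surrounding lines read `.Values` from. If no caller puts a `labels` key on that context, the `default` is dead code and the line can read `.Values.podLabels` directly; if the intent was the reverse precedence, the arguments are swapped. Either way the header comment should document `podLabels`, `tmpDir.enabled` and `ves`, none of which is described there; `ves` in particular adds a collector-specific switch to the shared template.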
@@ -254,56 +263,30 @@ spec: replicas: 1 selector: {{- include "common.selectors" . | nindent 4 }} template: + {{- if $podLabels}} + metadata: {{- include "common.templateMetadata" (dict "dot" . "labels" $podLabels) | nindent 6 }} + {{- else }} metadata: {{- include "common.templateMetadata" . | nindent 6 }} + {{- end }} spec: + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} initContainers: + + {{- if $ves }} + {{- include "dcaegen2-ves-collector.vesCollectorCopyEtc" . | nindent 6 }} + {{- end }} {{- if .Values.readinessCheck }} - {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} {{- end }} {{- include "common.dmaap.provisioning.initContainer" . | nindent 6 }} - {{- if $certDir }} - - name: {{ include "common.name" . }}-aaf-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - aaf-cm - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - - name: init-tls - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.tlsImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: TLS_SERVER - value: {{ $tlsServer | quote }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - resources: {{ include "common.resources" . | nindent 2 }} - volumeMounts: - - mountPath: /opt/app/osaaf - name: tls-info - {{- end }} {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} containers: - image: {{ default ( include "repositoryGenerator.repository" . 
) .Values.imageRepositoryOverride }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 10 }} env: {{- range $cred := .Values.credentials }} - name: {{ $cred.name }} @@ -348,12 +331,36 @@ spec: {{- end }} {{- end }} {{- end }} - resources: {{ include "common.resources" . | nindent 2 }} + {{- if .Values.liveness }} + livenessProbe: + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds | default 5 }} + periodSeconds: {{ .Values.liveness.periodSeconds | default 15 }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds | default 1 }} + {{- $probeType := .Values.liveness.type | default "httpGet" -}} + {{- if eq $probeType "httpGet" }} + httpGet: + scheme: {{ .Values.liveness.scheme }} + path: {{ .Values.liveness.path }} + port: {{ .Values.liveness.port }} + {{- end }} + {{- if eq $probeType "exec" }} + exec: + command: + {{- range $cmd := .Values.liveness.command }} + - {{ $cmd }} + {{- end }} + {{- end }} + {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /app-config - name: {{ ternary "app-config-input" "app-config" (not $drFeedConfig) }} + name: {{ ternary "app-config-input" "app-config" (not $drNeedProvisioning) }} - mountPath: /app-config-input name: app-config-input + {{- if $tmpDir }} + - mountPath: /tmp + name: tmp + {{- end }} {{- if $logDir }} - mountPath: {{ $logDir}} name: logs 
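Review bot: in the new `livenessProbe` block, `scheme`, `path` and `port` are emitted without defaults or checks, and a `.Values.liveness.type` other than `httpGet` or `exec` yields a probe with timing fields but no handler. Suggest `default "HTTP"` on `scheme`, `required` on `path` and `port` for the `httpGet` case, and a `fail` for unknown types in the style of the `fail (printf ...)` this template already uses for env definitions. The `securityContext` lines added earlier in this hunk group have the same problem: `toYaml .Values.containerSecurityContext` is rendered unconditionally, so a chart that does not set the value gets an empty `securityContext`; wrap it in `with` or give the common chart a restrictive default.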
@@ -411,14 +418,10 @@ spec: - name: POLICY_SYNC_DURATION value: "{{ $policy.duration }}" {{- end }} - resources: {{ include "common.resources" . | nindent 2 }} + resources: {{ include "common.resources" . | nindent 10 }} volumeMounts: - mountPath: /etc/policies name: policy-shared - {{- if $certDir }} - - mountPath: /opt/ca-certificates/ - name: tls-info - {{- end }} {{- end }} hostname: {{ include "common.name" . }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} @@ -430,9 +433,15 @@ spec: - emptyDir: medium: Memory name: app-config + {{- if $tmpDir }} + - name: tmp + emptyDir: + sizeLimit: 128Mi + {{- end }} {{- if $logDir }} - - emptyDir: {} - name: logs + - name: logs + emptyDir: + sizeLimit: 128Mi {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} {{- end }} {{- if $certDir }} @@ -448,8 +457,7 @@ spec: {{- end }} {{- include "common.dmaap.provisioning._volumes" . | nindent 6 -}} {{- include "dcaegen2-services-common._externalVolumes" . | nindent 6 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end -}} {{/* diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl new file mode 100644 index 0000000000..a3a724741f --- /dev/null +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/ves-collector/_copyEtc.tpl 
@@ -0,0 +1,26 @@ +{{- define "dcaegen2-ves-collector.vesCollectorCopyEtc" -}} +- name: dcae-ves-collector-copy-etc + command: ["cp", "-R", "/opt/app/VESCollector/etc/.", "/opt/app/VESCollector/etc_rw/"] + image: {{ default ( include "repositoryGenerator.repository" . ) .Values.imageRepositoryOverride }}/{{ .Values.image }} + imagePullPolicy: Always + resources: + limits: + cpu: {{ .Values.copyEtc.resources.limits.cpu }} + memory: {{ .Values.copyEtc.resources.limits.memory }} + requests: + cpu: {{ .Values.copyEtc.resources.requests.cpu }} + memory: {{ .Values.copyEtc.resources.requests.memory }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/app/VESCollector/etc_rw + name: ves-collector-etc +{{- end }} diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml deleted file mode 100644 index eaabfa3808..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/Chart.yaml +++ /dev/null 
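Review bot: In `dcaegen2-ves-collector.vesCollectorCopyEtc`, the `securityContext` sets `runAsNonRoot: true` without a `runAsUser`, so the init container fails to start if the image's default user is root or non-numeric and the pod-level `podSecurityContext` does not supply a UID; state the expected UID here or document the dependency. `- CAP_NET_RAW` after `- ALL` is redundant and can be dropped. `imagePullPolicy: Always` is hard-coded while the other containers in this template use `{{ .Values.global.pullPolicy | default .Values.pullPolicy }}`, and the `.Values.copyEtc.resources.*` lookups have no default, so a component that enables the VES branch without a `copyEtc` block fails with a nil-pointer template error.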
@@ -1,44 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (C) 2021 Nordix Foundation. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE DataFile Collector Helm charts -name: dcae-datafile-collector -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: certManagerCertificate - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml deleted file mode 100644 index cbe02a1bf9..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml +++ /dev/null 
@@ -1,227 +0,0 @@ -# ================================ LICENSE_START ========================== -# ========================================================================= -# Copyright (c) 2021 Nordix Foundation. -# Copyright (c) 2022 Nokia. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. -# ========================================================================= -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END =========================== - -################################################################# -# Global Configuration Defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: true - -################################################################# -# Filebeat Configuration Defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &drPubCredsUID drpubcreds - type: basicAuth - login: '{{ .Values.drPubscriberCreds.username }}' - password: '{{ .Values.drPubscriberCreds.password }}' - passwordPolicy: required - -################################################################# -# InitContainer Images. 
-################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 -certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.5.0 - -################################################################# -# Application Configuration Defaults. -################################################################# -# Application Image -image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.9.0 -pullPolicy: Always - -# Log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: /var/log/ONAP -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/datafile/etc/cert - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. 
-tlsServer: true - -# CMPv2 certificate -# It is used only when: -# - certDirectory is set -# - global cmpv2Enabled flag is set to true -# - flag useCmpv2Certificates is set to true -# Disabled by default -useCmpv2Certificates: false -certificates: - - mountPath: /opt/app/datafile/etc/cert/external - commonName: dcae-datafile-collector - dnsNames: - - dcae-datafile-collector - - datafile-collector - - datafile - keystore: - outputType: - - p12 - passwordSecretRef: - name: datafile-collector-cmpv2-keystore-password - key: password - create: true - -# Dependencies -readinessCheck: - wait_for: - containers: - - aaf-cm - - dmaap-bc - - dmaap-provisioning-job - - message-router - -# Probe Configuration -readiness: - initialDelaySeconds: 10 - periodSeconds: 15 - timeoutSeconds: 1 - path: /heartbeat - scheme: HTTP - port: 8100 - -# Service Configuration -service: - type: ClusterIP - name: datafile-collector - ports: - - name: http - port: 8443 - plain_port: 8100 - port_protocol: http - -ingress: - enabled: false - service: - - baseaddr: "dcae-datafile-collector-api" - name: "datafile-collector" - port: 8443 - plain_port: 8100 - config: - ssl: "redirect" - -# Data Router Publisher Credentials -drPubscriberCreds: - username: username - password: password - -credentials: -- name: DR_USERNAME - uid: *drPubCredsUID - key: login -- name: DR_PASSWORD - uid: *drPubCredsUID - key: password - -# Initial Application Configuration -applicationConfig: - dmaap.certificateConfig.keyCert: /opt/app/datafile/etc/cert/cert.p12 - dmaap.certificateConfig.keyPasswordPath: /opt/app/datafile/etc/cert/p12.pass - dmaap.certificateConfig.trustedCa: /opt/app/datafile/etc/cert/trust.jks - dmaap.certificateConfig.trustedCaPasswordPath: /opt/app/datafile/etc/cert/trust.pass - dmaap.certificateConfig.enableCertAuth: true - dmaap.dmaapConsumerConfiguration.consumerGroup: OpenDcae-c12 - dmaap.dmaapConsumerConfiguration.consumerId: C12 - dmaap.dmaapConsumerConfiguration.timeoutMs: -1 - 
dmaap.security.enableDmaapCertAuth: true - dmaap.security.keyStorePasswordPath: /opt/app/datafile/etc/cert/jks.pass - dmaap.security.keyStorePath: /opt/app/datafile/etc/cert/cert.jks - dmaap.security.trustStorePasswordPath: /opt/app/datafile/etc/cert/trust.pass - dmaap.security.trustStorePath: /opt/app/datafile/etc/cert/trust.jks - service_calls: [] - sftp.security.strictHostKeyChecking: true - streams_publishes: - PM_MEAS_FILES: - dmaap_info: - publisher_id: ${DR_FILES_PUBLISHER_ID_0} - location: loc00 - log_url: ${DR_LOG_URL_0} - publish_url: ${DR_FILES_PUBLISHER_URL_0} - username: ${DR_USERNAME} - password: ${DR_PASSWORD} - type: data_router - streams_subscribes: - dmaap_subscriber: - dmaap_info: - topic_url: "http://message-router:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT" - type: message_router - -# DataRouter Feed Configuration -drFeedConfig: - - feedName: bulk_pm_feed - owner: dcaecm - feedVersion: "0.0" - asprClassification: unclassified - feedDescription: DFC Feed Creation - -# DataRouter Publisher Configuration -drPubConfig: - - feedName: bulk_pm_feed - username: ${DR_USERNAME} - userpwd: ${DR_PASSWORD} - dcaeLocationName: loc00 - -# ConfigMap Configuration for Feed, Dr_Publisher -volumes: - - name: feeds-config - path: /opt/app/config/feeds - - name: drpub-config - path: /opt/app/config/dr_pubs - -# Resource Limit Flavor -By Default Using Small -flavor: small - -# Segregation for Different Environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 500m - memory: 768Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcae-datafile-collector - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml index dc19527be6..b997fbeb27 100644 
--- a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/Chart.yaml @@ -21,21 +21,21 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE datalake-admin-ui helm chart name: dcae-datalake-admin-ui -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml index e18ea04ee1..f7c9381611 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-admin-ui/values.yaml @@ -1,7 +1,7 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -31,21 +31,6 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - -################################aafcreds################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# 
@@ -59,19 +44,11 @@ log: path: /var/log/ONAP/dcaegen2/services/datalake-admin-ui logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/datalake-admin-ui/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - # Dependencies readinessCheck: wait_for: - - dcae-datalake-feeder + services: + - dl-feeder # Probe Configuration readiness: @@ -91,10 +68,9 @@ service: port: 8088 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] # Initial Application Configuration applicationConfig: @@ -106,18 +82,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "500Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "1Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml index 6f3a9aff06..317695ecfc 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/Chart.yaml 
@@ -21,21 +21,21 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Datalake DES MS charts name: dcae-datalake-des -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml index cab2a953ec..f45905cd12 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-des/values.yaml 
@@ -1,7 +1,7 @@ # ============= LICENSE_START ================================================ # ============================================================================ # Copyright (C) 2021 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -36,22 +36,12 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds externalSecret: '{{ include "common.release" . }}-datalake-pg-user-creds' type: basicAuth login: '{{ .Values.postgres.config.pgUserName }}' passwordPolicy: required -################################aafcreds################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# 
@@ -65,19 +55,11 @@ log: path: /var/log/ONAP/dcaegen2/services/datalake logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/datalake/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - # Dependencies readinessCheck: wait_for: - - dcae-datalake-feeder + services: + - dl-feeder # Probe Configuration readiness: @@ -97,10 +79,9 @@ service: port: 1681 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] #postgres configuration postgres: @@ -136,18 +117,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml index 3b890d001b..4f085d5504 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/Chart.yaml 
@@ -21,24 +21,24 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE Datalake feeder MS charts name: dcae-datalake-feeder -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..30d173c2d8 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/templates/authorizationpolicy.yaml 
@@ -0,0 +1,136 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "primary" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsPostgres := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsPostgres -}} +{{- $defaultOperationPorts := list "5432" -}} +{{- $relName := include "common.release" . -}} +{{- $postgresName := $dot.Values.postgres.service.name -}} +{{- $pgHost := "replica" -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ $relName }}-{{ $postgresName }}-{{ $pgHost }}-authz + namespace: {{ include "common.namespace" . 
}} +spec: + selector: + matchLabels: + app: {{ $postgresName }}-{{ $pgHost }} + action: ALLOW + rules: +{{- if $authorizedPrincipalsPostgres }} +{{- range $principal := $authorizedPrincipalsPostgres }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + ports: +{{- range $port := $defaultOperationPorts }} + - "{{ $port }}" +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml index 25b74d7502..36e1d7bda6 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datalake-feeder/values.yaml @@ -1,7 +1,7 @@ # ================================ LICENSE_START ============================= # ============================================================================ # Copyright (C) 2021 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2022-2023 J. F. Lucas. All rights reserved. # ============================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
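Review bot: In the three Postgres `AuthorizationPolicy` documents of dcae-datalake-feeder/templates/authorizationpolicy.yaml, `action: ALLOW` is emitted with `rules:` left empty whenever `authorizedPrincipalsPostgres` is unset or `[]`, and in Istio an ALLOW policy with no rules denies all traffic to the selected workload, so an override that clears the list cuts every client, including the feeder itself, off from the database. Either skip the policy when the list is empty or document that the list is mandatory. `{{- $namespace := default "onap" $principal.namespace -}}` also hard-codes the namespace while `metadata.namespace` uses `include "common.namespace" .`; derive the default from the same helper so principals match in a deployment outside `onap`. The three documents differ only in `$pgHost`, so a single `range` or a named template would remove the duplicated blocks and keep the rules from drifting apart.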
@@ -35,11 +35,6 @@ filebeatConfig: # Secrets Configuration. ################################################################# secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - uid: &pgUserCredsSecretUid pg-user-creds name: &pgUserCredsSecretName '{{ include "common.release" . }}-datalake-pg-user-creds' type: basicAuth @@ -48,11 +43,6 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application Configuration Defaults. ################################################################# @@ -67,20 +57,6 @@ log: path: /var/log/ONAP/dcaegen2/services/datalake logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/datalake/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - - &postgresName dcae-datalake-postgres - # Probe Configuration readiness: initialDelaySeconds: 90 
@@ -99,10 +75,14 @@ service: port: 1680 port_protocol: http -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-datalake-admin-ui-read + - serviceAccount: dcae-datalake-des-read + authorizedPrincipalsPostgres: + - serviceAccount: dcae-datalake-des-read + - serviceAccount: dcae-datalake-feeder-read credentials: - name: PG_USER @@ -141,25 +121,25 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} ################################################################# # Application configuration Overriding Defaults in the Postgres. ################################################################# postgres: - nameOverride: *postgresName + nameOverride: &postgresName dcae-datalake-postgres service: name: *postgresName name2: dcae-datalake-pg-primary @@ -176,6 +156,11 @@ postgres: pgDatabase: datalake pgUserExternalSecret: *pgUserCredsSecretName +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + #Pods Service Account serviceAccount: nameOverride: dcae-datalake-feeder diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml deleted file mode 100644 index ecde5e6c3d..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/Chart.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (c) 2021 AT&T Intellectual Property -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE Heartbeat Microservice -name: dcae-heartbeat -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: postgres - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml b/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml deleted file mode 100644 index 0198a7ddbd..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-heartbeat/values.yaml +++ /dev/null 
@@ -1,201 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -################################################################# -# Global Configuration Defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: true - -################################################################# -# Filebeat Configuration Defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - - uid: &pgUserCredsSecretUid pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . 
}}-heartbeat-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "heartbeat-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -################################################################# -# Application Configuration Defaults. -################################################################# -# Application Image -image: onap/org.onap.dcaegen2.services.heartbeat:2.5.0 -pullPolicy: Always - -# Log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: /var/log/ONAP/dcaegen2/services/heartbeat -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/heartbeat/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - - &postgresName dcae-heartbeat-postgres - - message-router - -# Probe Configuration -readiness: - initialDelaySeconds: 10 - periodSeconds: 15 - timeoutSeconds: 1 - path: / - scheme: HTTP - port: 10002 - -# Service Configuration -service: - type: ClusterIP - name: dcae-heartbeat - ports: - - name: http - port: 10002 - port_protocol: http - -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! 
- -credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password -- name: HEARTBEAT_PG_USERNAME - uid: *pgUserCredsSecretUid - key: login -- name: HEARTBEAT_PG_PASSWORD - uid: *pgUserCredsSecretUid - key: password - - -# Initial Application Configuration -applicationConfig: - CBS_polling_allowed: "True" - CBS_polling_interval: "300" - consumerID: "1" - groupID: "hbgrpID" - pg_ipAddress: dcae-heartbeat-pg-primary - pg_passwd: ${HEARTBEAT_PG_PASSWORD} - pg_portNum: 5432 - pg_userName: ${HEARTBEAT_PG_USERNAME} - pg_dbName: heartbeat - heartbeat_config: '{"vnfs": [{"eventName": "Heartbeat_vDNS","heartbeatcountmissed": 3,"heartbeatinterval": 60,"closedLoopControlName": "ControlLoopEvent1", "policyVersion": "1.0.0.5", "policyName":"vFireWall","policyScope": "resource=sampleResource,type=sampletype,CLName=sampleCLName","target_type": "VNF", "target": "genVnfName", "version": "1.0"}, {"eventName": "Heartbeat_vFW","heartbeatcountmissed": 3, "heartbeatinterval": 60,"closedLoopControlName": "ControlLoopEvent1","policyVersion": "1.0.0.5","policyName": "vFireWall","policyScope": "resource=sampleResource,type=sampletype,CLName=sampleCLName", "target_type":"VNF", "target": "genVnfName", "version": "1.0"}, {"eventName": "Heartbeat_xx","heartbeatcountmissed": 3, "heartbeatinterval": 60,"closedLoopControlName": "ControlLoopEvent1","policyVersion": "1.0.0.5","policyName": "vFireWall", "policyScope": "resource=sampleResource,type=sampletype,CLName=sampleCLName","target_type": "VNF","target": "genVnfName","version": "1.0"}]}' - streams_publishes: - dcae_cl_out: - dmaap_info: - topic_url: "http://message-router.onap.svc.cluster.local:3904/events/unauthenticated.DCAE_CL_OUTPUT" - type: message_router - streams_subscribes: - ves-heartbeat: - dmaap_info: - topic_url: "http://message-router:3904/events/unauthenticated.SEC_HEARTBEAT_OUTPUT" - type: message_router - -#applicationEnv: -# HEARTBEAT_PG_URL: &dcaeheartbeatPgPrimary 
dcae-heartbeat-pg-primary -# HEARTBEAT_PG_USERNAME: -# secretUid: *pgUserCredsSecretUid -# key: login -# HEARTBEAT_PG_PASSWORD: -# secretUid: *pgUserCredsSecretUid -# key: password - -# Resource Limit Flavor -By Default Using Small -flavor: small - -# Segregation for Different Environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -################################################################# -# Application configuration Overriding Defaults in the Postgres. -################################################################# -postgres: - nameOverride: *postgresName - service: - name: *postgresName - name2: dcae-heartbeat-pg-primary - name3: dcae-heartbeat-pg-replica - container: - name: - primary: dcae-heartbeat-pg-primary - replica: dcae-heartbeat-pg-replica - persistence: - mountSubPath: heartbeat/data - mountInitPath: heartbeat - config: - pgUserName: heartbeat - pgDatabase: heartbeat - pgUserExternalSecret: *pgUserCredsSecretName - -#Pods Service Account -serviceAccount: - nameOverride: dcae-heartbeat - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml index 59fda72e2a..48ffbd2c71 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/Chart.yaml 
@@ -21,24 +21,21 @@ apiVersion: v2 appVersion: "Kohn" description: DCAE HV VES collector name: dcae-hv-ves-collector -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-kafka-user.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-kafka-user.yaml deleted file mode 100644 index ff977aaa32..0000000000 
--- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-kafka-user.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.hvVesKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: scram-sha-512 - authorization: - type: simple - acls: - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-fault-supervision" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-provisioning" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-heartbeat" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-performance-assurance" "kafka_info" "topic_name" }} - operation: Write - - resource: - type: topic - name: {{ .Values.applicationConfig.streams_publishes.perf3gpp.kafka_info.topic_name }} - operation: Write 
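Review bot: the KafkaUser deleted here granted only `Write` on five topic names read from `streams_publishes`, while the `kafkaUser.acls` block that replaces it in values.yaml grants `Write` and `DescribeConfigs` with `patternType: prefix` on `SEC_3GPP`. That matches any present or future topic whose name starts with SEC_3GPP, not just the four this collector publishes to. Suggest listing the four topics literally through the new anchors (`*ves3gppFaultSupervision` and the others), as is already done for `*perf3gpp`, or adding a comment that says why the prefix grant is wanted. The deleted resource also pinned `type: scram-sha-512`; the `common.kafkauser` template is not part of this patch, so please confirm it keeps that, since `USE_SCRAM: 'true'` stays in `applicationEnv`.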
diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-topics.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-topics.yaml deleted file mode 100644 index e40775833a..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/hv-ves-topics.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-fault-supervision - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-fault-supervision" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-provisioning - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-provisioning" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-heartbeat - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-heartbeat" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: ves-3gpp-performance-assurance - labels: - strimzi.io/cluster: {{ include "common.release" . 
}}-strimzi -spec: - topicName: {{ index .Values "applicationConfig" "streams_publishes" "ves-3gpp-performance-assurance" "kafka_info" "topic_name" }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: perf3gpp - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ .Values.applicationConfig.streams_publishes.perf3gpp.kafka_info.topic_name }} - partitions: 10 - config: - retention.ms: 7200000 - segment.bytes: 1073741824 diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkatopic.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkatopic.yaml new file mode 100644 index 0000000000..d1d21a6dbc --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index da3f47358b..e77d31859b 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -1,8 +1,8 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2021-2022 Nokia. All rights reserved. -# Copyright © 2022 Nordix Foundation +# Modifications Copyright (C) 2022-2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -35,7 +35,6 @@ filebeatConfig: ################################################################# # initContainer images. ################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.5.0 ################################################################# @@ -45,33 +44,24 @@ certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice- image: onap/org.onap.dcaegen2.collectors.hv-ves.hv-collector-main:1.11.0 pullPolicy: Always +commonName: &commonName dcae-hv-ves-collector +containerPort: &containerPort 6061 + # log directory where logging sidecar should look for log files # if path is set to null sidecar won't be deployed in spite of # global.centralizedLoggingEnabled setting. log: path: /var/log/ONAP/dcae-hv-ves-collector logConfigMapNamePrefix: '{{ include "common.fullname" . }}' +# a tmp volume is needed by the tomcat server of the app +# when the filesystem is set to read-only +tmpDir: + enabled: true # directory where TLS certs should be stored # if absent, no certs will be retrieved and stored certDirectory: /etc/ves-hv/ssl -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - -secrets: - - uid: hv-ves-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate -config: - someConfig: blah - # CMPv2 certificate # It is used only when: # - certDirectory is set 
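Review bot: removing `tlsServer: true` in this hunk leaves `certDirectory: /etc/ves-hv/ssl` and its comment "if absent, no certs will be retrieved and stored" in place, although the `tlsImage` init container is dropped just above and `security.sslDisable` is switched to `true` further down this file. Combined with `sidecar.istio.io/inject: "false"` and the service staying `type: NodePort`, port 6061 then has neither application TLS nor a mesh sidecar in front of it, so please confirm that the new `authorizationPolicy` for `istio-ingress` has a proxy on this pod to enforce it. Suggest adding a comment that states where TLS terminates for this collector now, and rewording the `certDirectory` comment so it only describes the CMPv2 case that still uses it.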
@@ -81,9 +71,9 @@ config: useCmpv2Certificates: false certificates: - mountPath: /etc/ves-hv/ssl/external - commonName: dcae-hv-ves-collector + commonName: *commonName dnsNames: - - dcae-hv-ves-collector + - *commonName - hv-ves-collector - hv-ves keystore: @@ -94,11 +84,6 @@ certificates: key: password create: true -# dependencies -readinessCheck: - wait_for: - - aaf-cm - # probe configuration readiness: type: exec 
@@ -108,75 +93,119 @@ readiness: command: - /opt/ves-hv-collector/healthcheck.sh +# since there are problems receiving binary data via the sidecar +# the service port is excluded in the sidecar processing +podAnnotations: + traffic.sidecar.istio.io/excludeOutboundPorts: '6061' + traffic.sidecar.istio.io/excludeInboundPorts: '6061' + traffic.sidecar.istio.io/includeInboundPorts: '*' + +podLabels: + sidecar.istio.io/inject: "false" + # service configuration service: type: NodePort - name: dcae-hv-ves-collector + name: *commonName ports: - - name: http - port: 6061 - port_protocol: http + - name: tcp + port: *containerPort + port_protocol: tcp + app_protocol: tcp nodePort: 22 ingress: enabled: false service: - baseaddr: "dcae-hv-ves-collector-api" - name: "dcae-hv-ves-collector" - port: 6061 + name: *commonName + port: *containerPort config: ssl: "redirect" -#strimzi kafka config -hvVesKafkaUser: dcae-hv-ves-kafka-user +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress # initial application configuration applicationConfig: logLevel: INFO server.idleTimeoutSec: 300 - server.listenPort: 6061 + server.listenPort: *containerPort cbs.requestIntervalSec: 5 - security.sslDisable: false + security.sslDisable: true security.keys.keyStoreFile: /etc/ves-hv/ssl/cert.jks security.keys.keyStorePasswordFile: /etc/ves-hv/ssl/jks.pass security.keys.trustStoreFile: /etc/ves-hv/ssl/trust.jks security.keys.trustStorePasswordFile: /etc/ves-hv/ssl/trust.pass streams_publishes: ves-3gpp-fault-supervision: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_FAULTSUPERVISION_OUTPUT + topic_name: &ves3gppFaultSupervision SEC_3GPP_FAULTSUPERVISION_OUTPUT ves-3gpp-provisioning: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_PROVISIONING_OUTPUT + topic_name: &ves3gppProvisioning 
SEC_3GPP_PROVISIONING_OUTPUT ves-3gpp-heartbeat: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_HEARTBEAT_OUTPUT + topic_name: &ves3gppHeartbeat SEC_3GPP_HEARTBEAT_OUTPUT ves-3gpp-performance-assurance: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT + topic_name: &ves3gppPerformanceAssurance SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT perf3gpp: - type: kafka + type: ${MESSAGING_TYPE} kafka_info: bootstrap_servers: ${KAFKA_BOOTSTRAP_SERVERS} - topic_name: HV_VES_PERF3GPP + topic_name: &perf3gpp HV_VES_PERF3GPP + +# Strimzi Kafka config +kafkaUser: + acls: + - name: SEC_3GPP + type: topic + patternType: prefix + operations: [Write, DescribeConfigs] + - name: *perf3gpp + type: topic + operations: [Write, DescribeConfigs] + +kafkaTopic: + - name: *ves3gppFaultSupervision + strimziTopicName: dcae-ves-3gpp-fault-supervision + # the default retention values below can be updated + # to meet use case requirements for each topic. + retentionMs: 7200000 + segmentBytes: 1073741824 + - name: *ves3gppProvisioning + strimziTopicName: dcae-ves-3gpp-provisioning + - name: *ves3gppHeartbeat + strimziTopicName: dcae-ves-3gpp-heartbeat + - name: *ves3gppPerformanceAssurance + strimziTopicName: dcae-ves-3gpp-performance-assurance + - name: *perf3gpp + strimziTopicName: dcae-ves-3gpp-perf + applicationEnv: JAVA_OPTS: '-Dlogback.configurationFile=/etc/ONAP/dcae-hv-ves-collector/logback.xml' CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' #Temporary Dummy CBS Port Value until internal SDK library is updated CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' + MESSAGING_TYPE: 'kafka' KAFKA_BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' USE_SCRAM: 'true' JAAS_CONFIG: - secretUid: hv-ves-kafka-secret + externalSecret: true + externalSecretUid: '{{ include "common.name" . 
}}-ku' key: sasl.jaas.config # Resource Limit flavor -By Default using small @@ -185,22 +214,22 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account serviceAccount: - nameOverride: dcae-hv-ves-collector + nameOverride: *commonName roles: - read diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml deleted file mode 100644 index b47d717cbe..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/Chart.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2021 Wipro Limited. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE KPI MS chart -name: dcae-kpi-ms -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml deleted file mode 100644 index 19ff61fa96..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-kpi-ms/values.yaml +++ /dev/null 
@@ -1,169 +0,0 @@ -# ============= LICENSE_START ================================================ -# ============================================================================ -# Copyright (C) 2021-2022 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============= LICENSE_END ================================================== - -################################################################# -# Global Configuration Defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: true - -################################################################# -# Filebeat Configuration Defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - -################################################################# -# InitContainer Images. 
-################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -################################################################# -# Application Configuration Defaults. -################################################################# -# Application Image -image: onap/org.onap.dcaegen2.services.components.kpi-ms:1.0.11 -pullPolicy: Always - -# Log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: /var/log/ONAP/dcaegen2/services/kpims -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/kpims/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false -enable_tls: false - -# Optional Policy configuration properties -# if present, policy-sync side car will be deployed -#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 -#policies: -# policyID: | -# '["com.Config_KPIMS_CONFIG_POLICY"]' - -# Dependencies -readinessCheck: - wait_for: - - message-router - -# Probe Configuration -readiness: - initialDelaySeconds: 10 - periodSeconds: 15 - timeoutSeconds: 1 - path: /healthcheck - scheme: HTTP - port: 8080 - -# Service Configuration -service: - type: ClusterIP - name: dcae-kpi-ms - ports: - - name: http - port: 8080 - port_protocol: http - -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! 
- -credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password - -# Initial Application Configuration -applicationConfig: - trust_store_path: '/opt/app/kpims/etc/cert/trust.jks' - trust_store_pass_path: '/opt/app/kpims/etc/cert/trust.pass' - pollingInterval: 20 - pollingTimeout: 60 - cbsPollingInterval: 60 - dmaap.server: ["message-router"] - cg: kpi-cg - cid: kpi-cid - streams_subscribes: - performance_management_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.PERFORMANCE_MEASUREMENTS - streams_publishes: - kpi_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.DCAE_KPI_OUTPUT - kpi.policy: '{"domain":"measurementsForKpi","methodForKpi":[{"eventName":"perf3gpp_CORE-AMF_pmMeasResult","controlLoopSchemaType":"SLICE","policyScope":"resource=networkSlice;type=configuration","policyName":"configuration.dcae.microservice.kpi-computation","policyVersion":"v0.0.1","kpis":[{"measType":"AMFRegNbr","operation":"SUM","operands":"RM.RegisteredSubNbrMean"}]},{"eventName":"perf3gpp_CORE-UPF_pmMeasResult","controlLoopSchemaType":"SLICE","policyScope":"resource=networkSlice;type=configuration","policyName":"configuration.dcae.microservice.kpi-computation","policyVersion":"v0.0.1","kpis":[{"measType":"UpstreamDownstreamThr","operation":"SUM","operands":["GTP.InDataOctN3UPF","GTP.OutDataOctN3UPF"]}]}]' - -applicationEnv: - CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' - #Temporary Dummy CBS Port Value until internal SDK library is updated - CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' - STANDALONE: 'false' - -# Resource Limit Flavor -By Default Using Small -flavor: small - -# Segregation for Different Environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 2 - 
memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcae-kpi-ms - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml index 39d7c1ab04..e293252f66 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/Chart.yaml @@ -23,15 +23,15 @@ apiVersion: v2 appVersion: "Kohn" description: ONAP DCAE Microservice Health Check name: dcae-ms-healthcheck -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml index 4a51c7f9d8..f6d179428a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/templates/deployment.yaml @@ -31,8 +31,7 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container @@ -65,5 +64,4 @@ spec: - name: {{ include "common.fullname" . }}-expected-components configMap: name: {{ include "common.release" . }}-dcae-expected-microservices - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml index 3b47e7f70e..8b8f928c39 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ms-healthcheck/values.yaml @@ -31,6 +31,10 @@ service: - port: 8080 name: http +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + # Label on DCAE microservice deployments # (Used by healthcheck code to find deployments # created after initial DCAE installation) 
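Review bot: `authorizedPrincipals: []` in the new `serviceMesh.authorizationPolicy` block carries no comment saying what an empty list means once `common.authorizationPolicy` renders it. The helper is not part of this diff, so a reader of values.yaml cannot tell whether port 8080 ends up reachable by every workload in the mesh or by none. Add a comment above the key stating the effective behaviour, and if an empty list means allow-all, list the callers of the healthcheck service explicitly instead.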
@@ -48,7 +52,7 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 # application image -image: onap/org.onap.dcaegen2.deployments.healthcheck-container:2.4.0 +image: onap/org.onap.dcaegen2.deployments.healthcheck-container:2.4.1 # Resource Limit flavor -By Default using small flavor: small @@ -56,18 +60,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "500Mi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "1Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml deleted file mode 100644 index 8f28dcaa25..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/Chart.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (C) 2021 Nordix Foundation. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE PM-Mapper Helm charts -name: dcae-pm-mapper -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: 'file://../../common/dcaegen2-services-common' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml deleted file mode 100644 index a2479b62e2..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-pm-mapper/values.yaml +++ /dev/null 
@@ -1,213 +0,0 @@ -# ================================ LICENSE_START ========================== -# ========================================================================= -# Copyright (C) 2021 Nordix Foundation. -# Copyright (c) 2022 Nokia. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. -# ========================================================================= -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END =========================== - -################################################################# -# Global Configuration Defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: true - -################################################################# -# Filebeat Configuration Defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - -################################################################# -# Secrets Configuration. 
-################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - - uid: &drSubCredsUID drsubcreds - type: basicAuth - login: '{{ .Values.drSubscriberCreds.username }}' - password: '{{ .Values.drSubscriberCreds.password }}' - passwordPolicy: required - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -################################################################# -# Application Configuration Defaults. -################################################################# -# Application Image -image: onap/org.onap.dcaegen2.services.pm-mapper:1.9.0 -pullPolicy: Always - -# Log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: /var/log/ONAP/dcaegen2/services/pm-mapper -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/pm-mapper/etc/cert - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. 
-tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - containers: - - dmaap-bc - - dmaap-provisioning-job - - dcae-datafile-collector - - message-router - -# Probe Configuration -readiness: - initialDelaySeconds: 10 - periodSeconds: 15 - timeoutSeconds: 1 - path: /healthcheck - scheme: HTTP - port: 8081 - -# Service Configuration -service: - type: ClusterIP - name: dcae-pm-mapper - both_tls_and_plain: true - ports: - - name: http - port: 8443 - plain_port: 8081 - port_protocol: http - -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! - -# Data Router Subscriber Credentials -drSubscriberCreds: - username: username - password: password - -credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password -- name: DR_USERNAME - uid: *drSubCredsUID - key: login -- name: DR_PASSWORD - uid: *drSubCredsUID - key: password - -# Initial Application Configuration -applicationConfig: - enable_tls: false - enable_http: true - aaf_identity: "" - aaf_password: "" - pm-mapper-filter: "{ \"filters\":[] }" - key_store_path: /opt/app/pm-mapper/etc/cert/cert.jks - key_store_pass_path: /opt/app/pm-mapper/etc/cert/jks.pass - trust_store_path: /opt/app/pm-mapper/etc/cert/trust.jks - trust_store_pass_path: /opt/app/pm-mapper/etc/cert/trust.pass - dmaap_dr_delete_endpoint: https://dmaap-dr-node:8443/delete - streams_publishes: - dmaap_publisher: - type: message_router - dmaap_info: - client_id: ${MR_FILES_PUBLISHER_CLIENT_ID_0} - location: san-francisco - client_role: org.onap.dcae.pmPublisher - topic_url: http://message-router:3904/events/unauthenticated.PERFORMANCE_MEASUREMENTS - streams_subscribes: - dmaap_subscriber: - type: data_router - dmaap_info: - subscriber_id: ${DR_FILES_SUBSCRIBER_ID_0} - decompress: true - privileged: true - username: ${DR_USERNAME} - password: ${DR_PASSWORD} - location: san-francisco - delivery_url: http://dcae-pm-mapper:8081/delivery - -# DataRouter 
Feed Configuration -drFeedConfig: - - feedName: bulk_pm_feed - owner: dcaecm - feedVersion: "0.0" - asprClassification: unclassified - feedDescription: DFC Feed Creation - -# DataRouter Subscriber Configuration -drSubConfig: - - feedName: bulk_pm_feed - decompress: true - username: ${DR_USERNAME} - userpwd: ${DR_PASSWORD} - dcaeLocationName: loc00 - privilegedSubscriber: true - deliveryURL: http://dcae-pm-mapper:8081/delivery - -# ConfigMap Configuration for Dr Feed, Subscriber, MR Topics -volumes: - - name: feeds-config - path: /opt/app/config/feeds - - name: drsub-config - path: /opt/app/config/dr_subs - -# Resource Limit Flavor -By Default Using Small -flavor: small - -# Segregation for Different Environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcae-pm-mapper - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml deleted file mode 100644 index 75ebdde7e7..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-pmsh/Chart.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (C) 2021 Nordix Foundation. -# Copyright (c) 2021 AT&T. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE PMSH Service -name: dcae-pmsh -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: postgres - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml deleted file mode 100644 index 7f306542b4..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-pmsh/values.yaml +++ /dev/null 
@@ -1,206 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (C) 2021 Nordix Foundation. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -################################################################# -# Global Configuration Defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: true - -################################################################# -# Filebeat Configuration Defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - - uid: &pgUserCredsSecretUid pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . 
}}-pmsh-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "pmsh-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -################################################################# -# Application Configuration Defaults. -################################################################# -# Application Image -image: onap/org.onap.dcaegen2.services.pmsh:2.2.2 -pullPolicy: Always - -# Log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: /var/log/ONAP/dcaegen2/services/pmsh -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/pmsh/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - - &postgresName dcae-pmsh-postgres - - message-router - -# Probe Configuration -readiness: - initialDelaySeconds: 10 - periodSeconds: 15 - timeoutSeconds: 1 - path: /healthcheck - scheme: HTTP - port: 8080 - -# Service Configuration -service: - type: ClusterIP - name: dcae-pmsh - ports: - - name: http - port: 8080 - plain_port: 8080 - port_protocol: http - -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! 
- -credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password - -# Initial Application Configuration -applicationConfig: - enable_tls: false - aaf_identity: ${AAF_IDENTITY} - aaf_password: ${AAF_PASSWORD} - key_path: /opt/app/pmsh/etc/certs/key.pem - cert_path: /opt/app/pmsh/etc/certs/cert.pem - ca_cert_path: /opt/app/pmsh/etc/certs/cacert.pem - control_loop_name: pmsh-control-loop - operational_policy_name: pmsh-operational-policy - pmsh_policy: - subscription: - subscriptionName: ExtraPM-All-gNB-R2B - administrativeState: LOCKED - fileBasedGP: 15 - fileLocation: "/pm/pm.xml" - nfFilter: { "nfNames": [ "^pnf.*","^vnf.*" ],"modelInvariantIDs": [ ],"modelVersionIDs": [ ],"modelNames": [ ] } - measurementGroups: [ { "measurementGroup": { "measurementTypes": [ { "measurementType": "countera" },{ "measurementType": "counterb" } ],"managedObjectDNsBasic": [ { "DN": "dna" },{ "DN": "dnb" } ] } },{ "measurementGroup": { "measurementTypes": [ { "measurementType": "counterc" },{ "measurementType": "counterd" } ],"managedObjectDNsBasic": [ { "DN": "dnc" },{ "DN": "dnd" } ] } } ] - streams_publishes: - policy_pm_publisher: - type: message_router - dmaap_info: - topic_url: "http://message-router:3904/events/unauthenticated.DCAE_CL_OUTPUT" - streams_subscribes: - policy_pm_subscriber: - type: message_router - dmaap_info: - topic_url: "http://message-router:3904/events/unauthenticated.PMSH_CL_INPUT" - aai_subscriber: - type: message_router - dmaap_info: - topic_url: "http://message-router:3904/events/AAI-EVENT" - -applicationEnv: - PMSH_PG_URL: &dcaePmshPgPrimary dcae-pmsh-pg-primary - PMSH_PG_USERNAME: - secretUid: *pgUserCredsSecretUid - key: login - PMSH_PG_PASSWORD: - secretUid: *pgUserCredsSecretUid - key: password - PMSH_API_PORT: '8080' - -# Resource Limit Flavor -By Default Using Small -flavor: small - -# Segregation for Different Environment (Small and Large) -resources: - small: - limits: - cpu: 1 - 
memory: 1Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -################################################################# -# Application configuration Overriding Defaults in the Postgres. -################################################################# -postgres: - nameOverride: *postgresName - service: - name: *postgresName - name2: *dcaePmshPgPrimary - name3: dcae-pmsh-pg-replica - container: - name: - primary: dcae-pmsh-pg-primary - replica: dcae-pmsh-pg-replica - persistence: - mountSubPath: pmsh/data - mountInitPath: pmsh - config: - pgUserName: pmsh - pgDatabase: pmsh - pgUserExternalSecret: *pgUserCredsSecretName - -#Pods Service Account -serviceAccount: - nameOverride: dcae-pmsh - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml index 9c7a980932..408c0a9300 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-prh/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,24 +19,21 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "Oslo" description: DCAE PRH name: dcae-prh -version: 12.0.0 +version: 13.1.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkatopic.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkatopic.yaml new file mode 100644 index 0000000000..8e3ee32cb2 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkatopic.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkauser.yaml new file mode 100644 index 0000000000..5c7edd5b19 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-prh/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml index 80154c781f..d8b2b20ffb 100644 --- a/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml 
+++ b/kubernetes/dcaegen2-services/components/dcae-prh/values.yaml @@ -1,7 +1,8 @@ #============LICENSE_START======================================================== # ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2022 Nokia. All rights reserved. +# Copyright (c) 2024 Deutsche Telekom Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -31,16 +32,11 @@ filebeatConfig: logstashServiceName: log-ls logstashPort: 5044 -################################################################# -# initContainer images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.8.1 +image: onap/org.onap.dcaegen2.services.prh.prh-app-server:1.10.1 pullPolicy: Always # log directory where logging sidecar should look for log files 
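Review bot: the `image:` line moves from 1.8.1 to 1.10.1 but still references the image by mutable tag, and the unchanged `pullPolicy: Always` right below it means every pod start re-resolves that tag from the registry. Consider pinning the image by digest alongside the tag so that chart version 13.1.1 maps to one exact image. For the `tlsImage` removal in the same hunk, please confirm that no template or `applicationConfig` entry in this chart still refers to it.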
@@ -50,14 +46,10 @@ log: path: /opt/app/prh/logs logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -# directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/prh/etc/cert - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false +# a tmp volume is needed by the tomcat server of the app +# when the filesystem is set to read-only +tmpDir: + enabled: true secrets: - uid: &aaiCredsUID aaicreds @@ -66,14 +58,16 @@ secrets: password: '{{ .Values.aaiCreds.password }}' passwordPolicy: required -# dependencies -readinessCheck: - wait_for: - - message-router - # probe configuration readiness: - initialDelaySeconds: 5 + initialDelaySeconds: 25 + periodSeconds: 15 + path: /heartbeat + scheme: HTTP + port: 8100 + timeoutSeconds: 30 +liveness: + initialDelaySeconds: 25 periodSeconds: 15 path: /heartbeat scheme: HTTP @@ -87,6 +81,11 @@ service: - port: 8100 name: http +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: message-router-read + aaiCreds: user: AAI password: AAI 
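Review bot: the only entry under the new `authorizedPrincipals` is `serviceAccount: message-router-read`, yet this same file removes the `readinessCheck` wait on message-router and the next hunk points the app at `strimzi-kafka-bootstrap:9092`, so it is not clear that message-router still needs to call PRH on port 8100. If nothing in message-router initiates requests to this service, drop the principal; otherwise add a comment naming the call it covers, so the list stays limited to callers that are actually needed.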
@@ -148,6 +147,42 @@ applicationConfig: applicationEnv: CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' AUTH_HDR: '{{ printf "Basic %s" (print .Values.aaiCreds.user ":" .Values.aaiCreds.password | b64enc) }}' + BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' + JAAS_CONFIG: + externalSecret: true + externalSecretUid: '{{ include "common.name" . }}-ku' + key: sasl.jaas.config + +# Strimzi Kafka User config +kafkaUser: + acls: + - name: OpenDCAE-c12 + type: group + patternType: literal + operations: [Read] + - name: \"*\" + type: topic + patternType: literal + operations: [DescribeConfigs] + - name: unauthenticated.VES_PNFREG_OUTPUT + type: topic + patternType: literal + operations: [Read] + - name: unauthenticated.PNF_READY + type: topic + patternType: literal + operations: [Write] + - name: unauthenticated.PNF_UPDATE + type: topic + patternType: literal + operations: [Write] + +# Strimzi Kafka Topics +kafkaTopic: + - name: unauthenticated.PNF_READY + strimziTopicName: unauthenticated.pnf-ready + - name: unauthenticated.PNF_UPDATE + strimziTopicName: unauthenticated.pnf-update # Resource Limit flavor -By Default using small flavor: small @@ -155,18 +190,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "3Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "3" + memory: "6Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "1" + memory: "6Gi" unlimited: {} #Pods Service Account 
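Review bot: in the `kafkaUser.acls` list added by the `@@ -148,6 +147,42 @@` hunk, the wildcard entry is written as `- name: \"*\"`, which YAML reads as a plain scalar that keeps the backslashes and quotes, so the resulting ACL depends entirely on how `common.kafkauser` (not shown in this diff) re-quotes the value. Please check the rendered KafkaUser and confirm the topic name comes out as the intended wildcard rather than a literal string containing quote characters. A short comment on why `DescribeConfigs` is needed on every topic would also help, since the other ACLs are scoped to three named topics.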
@@ -174,3 +209,32 @@ serviceAccount: nameOverride: dcae-prh roles: - read + +# Pod Security context +podSecurityContext: + runAsGroup: 1414 + runAsUser: 1414 + fsGroup: 1414 + seccompProfile: + type: RuntimeDefault + +# Container Security context +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + +# PRH volumes +externalVolumes: + - name: prh-logs + mountPath: /var/log/ONAP/prh/prh-app-server/ + type: emptyDir + sizeLimit: 64Mi + +# PRH pod annotations +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml deleted file mode 100644 index 10ce14028a..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/Chart.yaml +++ /dev/null 
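Review bot: in the `containerSecurityContext` added to dcae-prh/values.yaml by the `@@ -174,3 +209,32 @@` hunk, `capabilities.drop` lists `CAP_NET_RAW` after `ALL`; `ALL` already covers it, and Kubernetes capability names are normally written without the `CAP_` prefix, so the second entry is redundant and can be removed. Separately, with `readOnlyRootFilesystem: true` the only writable log mount added here is /var/log/ONAP/prh/prh-app-server/, while `log.path` earlier in the file is /opt/app/prh/logs; please confirm which directory the app writes to so it does not fail on a read-only path.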
@@ -1,41 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (c) 2021 AT&T Intellectual Property -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE RESTConf Collector -name: dcae-restconf-collector -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml deleted file mode 100644 index d9fd33ff18..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-restconf-collector/values.yaml +++ /dev/null 
@@ -1,183 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -################################################################# -# Global Configuration Defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: false - -################################################################# -# Filebeat Configuration Defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &controllerCredsUID controllercreds - type: basicAuth - login: '{{ .Values.controllerCreds.username }}' - password: '{{ .Values.controllerCreds.password }}' - passwordPolicy: required - - -################################################################# -# InitContainer Images. 
-################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -################################################################# -# Application Configuration Defaults. -################################################################# -# Application Image -image: onap/org.onap.dcaegen2.collectors.restconfcollector:1.3.4 -pullPolicy: Always - -# Log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: null # /opt/app/restconfcollector/logs -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/dcae-certificate - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. 
-tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - - message-router - -# Probe Configuration -readiness: - initialDelaySeconds: 100 - periodSeconds: 60 - timeoutSeconds: 5 - path: /healthcheck - scheme: HTTP - port: 8080 - - -# service configuration -service: - type: NodePort - name: dcae-restconf-collector - ports: - - name: http - port: 8443 - plain_port: 8080 - port_protocol: http - nodePort: 16 - useNodePortExt: true - -ingress: - enabled: false - service: - - baseaddr: "dcae-restconf-collector-api" - name: "dcae-restconf-collector" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" - -# AAF Credentials -controllerCreds: - username: access - password: Huawei@123 - -credentials: -- name: CONTROLLER_USERNAME - uid: *controllerCredsUID - key: login -- name: CONTROLLER_PASSWORD - uid: *controllerCredsUID - key: password - -# application environments -applicationEnv: - LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true' - -# Initial Application Configuration -applicationConfig: - collector.rcc.appDescription: DCAE RestConf Collector Application - collector.rcc.appName: dcae-rcc - collector.rcc.dmaap.streamid: notification=device-registration - collector.rcc.inputQueue.maxPending: '8096' - tomcat.maxthreads: '200' - collector.rcc.service.port: '8080' - collector.rcc.service.secure.port: '8687' - collector.rcc.keystore.file.location: /opt/app/dcae-certificate/cert.jks - collector.rcc.keystore.passwordfile: /opt/app/dcae-certificate/jks.pass - collector.rcc.keystore.alias: dynamically generated - collector.rcc.truststore.file.location: /opt/app/dcae-certificate/trust.jks - collector.rcc.truststore.passwordfile: /opt/app/dcae-certificate/trust.pass - #collector.keystore.file.location: /opt/app/dcae-certificate/external/cert.jks - #collector.keystore.passwordfile: /opt/app/dcae-certificate/external/jks.pass - collector.header.authflag: '0' - collector.header.authlist: sample1,c2FtcGxlMQ== - collector.rcc.service.secure.clientauth: '0' - streams_publishes: - 
device-registration: - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.DCAE_RCC_OUTPUT - type: message_router - rcc_policy: '[{"controller_name":"AccessM&C","controller_restapiUrl":"172.30.0.55:26335","controller_restapiUser":"${CONTROLLER_USERNAME}","controller_restapiPassword":"${CONTROLLER_PASSWORD}","controller_accessTokenUrl":"/rest/plat/smapp/v1/oauth/token","controller_accessTokenFile":"./etc/access-token.json","controller_accessTokenMethod":"put","controller_subsMethod":"post","controller_subscriptionUrl":"/restconf/v1/operations/huawei-nce-notification-action:establish-subscription","controller_disableSsl":"true","event_details":[{"event_name":"ONT_registration","event_description":"ONTregistartionevent","event_sseventUrlEmbed":"true","event_sseventsField":"output.url","event_sseventsUrl":"null","event_subscriptionTemplate":"./etc/ont_registartion_subscription_template.json","event_unSubscriptionTemplate":"./etc/ont_registartion_unsubscription_template.json","event_ruleId":"12345678","modifyData":"true","modifyMethod": "modifyOntEvent","userData": "remote_id=AC9.0234.0337;svlan=100;cvlan=10;"}]}]' - -#applicationEnv: -# CONTROLLER_IP: "172.30.0.55" -# CONTROLLER_PORT: "26335" - - -# Resource Limit Flavor -By Default Using Small -flavor: small - -# Segregation for Different Environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcae-restconf-collector - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml deleted file mode 100644 index ed555b28a2..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/Chart.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2021 Wipro Limited. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE SliceAnalysis MS charts -name: dcae-slice-analysis-ms -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: postgres - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml b/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml deleted file mode 100644 index 3fdd251110..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-slice-analysis-ms/values.yaml +++ /dev/null 
@@ -1,262 +0,0 @@ -# ============= LICENSE_START ================================================ -# ============================================================================ -# Copyright (C) 2021-2022 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. -# Copyright (C) 2022 Huawei Canada Limited. -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============= LICENSE_END ================================================== - -################################################################# -# Global Configuration Defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: true - -################################################################# -# Filebeat Configuration Defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - -################################################################# -# Secrets Configuration. -################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - - uid: &pgUserCredsSecretUid pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . 
}}-sliceanalysisms-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "sliceanalysisms-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - -################################aafcreds################################# -# InitContainer Image -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -################################################################# -# Application Configuration Defaults. -################################################################# -# Application Image -repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.services.components.slice-analysis-ms:1.1.5 -pullPolicy: IfNotPresent - -################################################################# -# Policy Sync Container Image. -################################################################# -# optional Policy configuration properties -# if present, policy-sync side car will be deployed -# policy sync is used for provide runtime configuration for slicems -# policy id is originally set to "onap.dcae.slicems.config" - -#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 -#pullPolicy: IfNotPresent -#policies: -# duration: -# 10 -# policyID: | -# '["onap.dcae.slicems.config"]' - -# Log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: /var/log/ONAP/dcaegen2/services/sliceanalysisms -logConfigMapNamePrefix: '{{ include "common.fullname" . 
}}' - -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/sliceanalysisms/etc/cert/ - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - - &postgresName dcae-sliceanalysisms-postgres - - message-router - -# Probe Configuration -readiness: - initialDelaySeconds: 60 - periodSeconds: 15 - timeoutSeconds: 1 - path: /healthcheck - scheme: HTTP - port: 8080 - -# Service Configuration -service: - type: ClusterIP - name: dcae-slice-analysis-ms - ports: - - name: http - port: 8080 - port_protocol: http - -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! - -credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password -- name: PG_USERNAME - uid: *pgUserCredsSecretUid - key: login -- name: PG_PASSWORD - uid: *pgUserCredsSecretUid - key: password - -# Initial Application Configuration -applicationConfig: - postgres.host: dcae-sliceanalysisms-pg-primary - postgres.port: 5432 - postgres.username: ${PG_USERNAME} - postgres.password: ${PG_PASSWORD} - trust_store_path: /opt/app/sliceanalysisms/etc/cert/trust.jks - trust_store_pass_path: /opt/app/sliceanalysisms/etc/cert/trust.pass - sliceanalysisms.pollingInterval: 20 - sliceanalysisms.pollingTimeout: 60 - cbsPollingInterval: 60 - sliceanalysisms.namespace: onap - sliceanalysisms.dmaap.server: ["message-router"] - sliceanalysisms.bufferTime: 60 - sliceanalysisms.cg: sliceanalysisms-cg - sliceanalysisms.cid: sliceanalysisms-cid - sliceanalysisms.configDb.service: http://config-db:8080 - sliceanalysisms.configDbEnabled: true - sliceanalysisms.aai.url: http://aai-internal.onap.svc.cluster.local:80/aai/v21 - sliceanalysisms.cps.url: http://cps:8080 - sliceanalysisms.samples: 3 - 
sliceanalysisms.minPercentageChange: 5 - sliceanalysisms.initialDelaySeconds: 120000 - sliceanalysisms.rannfnssiDetailsTemplateId: get-rannfnssiid-details - sliceanalysisms.desUrl: http://dl-des:1681/datalake/v1/exposure/pm_data - sliceanalysisms.pmDataDurationInWeeks: 4 - sliceanalysisms.vesNotifPollingInterval: 15 - sliceanalysisms.vesNotifChangeIdentifier: PM_BW_UPDATE - sliceanalysisms.vesNotifChangeType: BandwidthChanged - sliceanalysisms.aaiNotif.targetAction: UPDATE - sliceanalysisms.aaiNotif.targetSource: UUI - sliceanalysisms.aaiNotif.targetEntity: service-instance - sliceanalysisms.ccvpnEvalInterval: 5 - sliceanalysisms.ccvpnEvalUpperThreshold: 0.8 - sliceanalysisms.ccvpnEvalLowerThreshold: 0.3 - sliceanalysisms.ccvpnEvalPrecision: 100.0 - sliceanalysisms.ccvpnEvalPeriodicCheckOn: true - sliceanalysisms.ccvpnEvalOnDemandCheckOn: true - sliceanalysisms.ccvpnEvalStrategy: FlexibleThresholdStrategy - streams_publishes: - CL_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.DCAE_CL_OUTPUT - streams_subscribes: - performance_management_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.PERFORMANCE_MEASUREMENTS - intelligent_slicing_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.ML_RESPONSE_TOPIC - dcae_cl_response_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/DCAE_CL_RSP - ves_ccvpn_notification_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT - aai_subscriber: - type: message-router - servers : ["message-router:3904"] - consumer_group: dcae_ccvpn_cl - consumer_instance: dcae_ccvpn_cl_aaievent - fetch_timeout: 15000 - fetch_limit: 100 - dmaap_info: - topic_url: http://message-router:3904/events/AAI-EVENT - -applicationEnv: - CBS_CLIENT_CONFIG_PATH: 
'/app-config-input/application_config.yaml' - #Temporary Dummy CBS Port Value until internal SDK library is updated - CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' - STANDALONE: 'false' - -# Resource Limit Flavor -By Default Using Small -flavor: small -# Segregation for Different Environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -################################################################# -# Application configuration Overriding Defaults in the Postgres. -################################################################# -postgres: - nameOverride: *postgresName - service: - name: *postgresName - name2: dcae-sliceanalysisms-pg-primary - name3: dcae-sliceanalysisms-pg-replica - container: - name: - primary: dcae-sliceanalysisms-pg-primary - replica: dcae-sliceanalysisms-pg-replica - persistence: - mountSubPath: sliceanalysisms/data - mountInitPath: sliceanalysisms - config: - pgUserName: sliceanalysisms - pgDatabase: sliceanalysisms - pgUserExternalSecret: *pgUserCredsSecretName - -#Pods Service Account -serviceAccount: - nameOverride: dcae-slice-analysis-ms - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml deleted file mode 100644 index 4ffa58ed13..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/Chart.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (c) 2021 AT&T Intellectual Property -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE SNMPTrap Collector -name: dcae-snmptrap-collector -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml deleted file mode 100644 index 5340f35770..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-snmptrap-collector/values.yaml +++ /dev/null 
@@ -1,158 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -################################################################# -# Global Configuration Defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: true - -################################################################# -# Filebeat Configuration Defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -################################################################# -# Application Configuration Defaults. 
-################################################################# -# Application Image -image: onap/org.onap.dcaegen2.collectors.snmptrap:2.0.7 -pullPolicy: Always - -# Log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: /opt/app/snmptrap/logs -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - - -# Dependencies -readinessCheck: - wait_for: - - message-router - -# Probe Configuration -readiness: - type: exec - command: - - /opt/app/snmptrap/bin/snmptrapd.sh - - status - -# service configuration -service: - type: NodePort - name: dcae-snmptrap-collector - ports: - - name: udp - port: 6162 - l4_protocol: UDP # default to TCP if not set - port_protocol: udp #used in svn name - nodePort: 70 - useNodePortExt: true - -# Initial Application Configuration -applicationConfig: - StormWatchPolicy: '' - cache: - dns_cache_ttl_seconds: 60 - services_calls: {} - snmptrapd: - version: '2.0.4' - title: ONAP SNMP Trap Receiver - sw_interval_in_seconds: 60 - streams_publishes: - sec_fault_unsecure: - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.ONAP-COLLECTOR-SNMPTRAP - type: message_router - aaf_password: null - aaf_username: null - files: - runtime_base_dir: "/opt/app/snmptrap" - log_dir: logs - data_dir: data - pid_dir: tmp - arriving_traps_log: snmptrapd_arriving_traps.log - snmptrapd_diag: snmptrapd_prog_diag.log - traps_stats_log: snmptrapd_stats.csv - perm_status_file: snmptrapd_status.log - eelf_base_dir: "/opt/app/snmptrap/logs" - eelf_error: error.log - eelf_debug: debug.log - eelf_audit: audit.log - eelf_metrics: metrics.log - roll_frequency: hour - minimum_severity_to_log: 3 - protocols: - transport: udp - 
ipv4_interface: 0.0.0.0 - ipv4_port: 6162 - ipv6_interface: "::1" - ipv6_port: 6162 - publisher: - http_milliseconds_timeout: 1500 - http_retries: 3 - http_milliseconds_between_retries: 750 - http_primary_publisher: 'true' - http_peer_publisher: unavailable - max_traps_between_publishes: 10 - max_milliseconds_between_publishes: 10000 - -# Resource Limit Flavor -By Default Using Small -flavor: small - -# Segregation for Different Environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcae-snmptrap-collector - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml deleted file mode 100644 index 57a182b8f4..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-son-handler/Chart.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# ============= LICENSE_START ================================================ -# ============================================================================ -# Copyright (C) 2021 Wipro Limited. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============= LICENSE_END ================================================== - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE Son-handler helm chart -name: dcae-son-handler -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: postgres - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml b/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml deleted file mode 100644 index bd684e3db5..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-son-handler/values.yaml +++ /dev/null 
@@ -1,269 +0,0 @@ -# ============= LICENSE_START ================================================ -# ============================================================================ -# Copyright (C) 2021-2022 Wipro Limited. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============= LICENSE_END ================================================== - -################################################################# -# Global Configuration Defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: true - -################################################################# -# Filebeat Configuration Defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - -################################################################# -# Secrets Configuration. 
-################################################################# -secrets: - - uid: &aafCredsUID aafcreds - type: basicAuth - login: '{{ .Values.aafCreds.identity }}' - password: '{{ .Values.aafCreds.password }}' - passwordPolicy: required - - uid: &cpsCredsUID cpscreds - type: basicAuth - login: '{{ .Values.cpsCreds.identity }}' - password: '{{ .Values.cpsCreds.password }}' - passwordPolicy: required - - uid: &pgUserCredsSecretUid pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-sonhms-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "sonhms-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -################################################################# -# Application Configuration Defaults. -################################################################# -# Application Image -image: onap/org.onap.dcaegen2.services.son-handler:2.1.11 -pullPolicy: Always - -# Log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: /var/log/ONAP/dcaegen2/services/sonhms -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /opt/app/sonhms/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. 
-tlsServer: false - -# Optional Policy configuration properties -# if present, policy-sync side car will be deployed -#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 -#policies: -# policyID: | -# '["com.Config_PCIMS_CONFIG_POLICY"]' - -# Dependencies -readinessCheck: - wait_for: - - &postgresName dcae-sonhms-postgres - - message-router - -# Probe Configuration -readiness: - initialDelaySeconds: 10 - periodSeconds: 15 - timeoutSeconds: 1 - path: /healthcheck - scheme: HTTP - port: 8080 - -# Service Configuration -service: - type: ClusterIP - name: dcae-son-handler - ports: - - name: http - port: 8080 - port_protocol: http - -# AAF Credentials -aafCreds: - identity: dcae@dcae.onap.org - password: demo123456! -cpsCreds: - identity: cps - password: cpsr0cks! - -credentials: -- name: AAF_IDENTITY - uid: *aafCredsUID - key: login -- name: AAF_PASSWORD - uid: *aafCredsUID - key: password -- name: CPS_IDENTITY - uid: *cpsCredsUID - key: login -- name: CPS_PASSWORD - uid: *cpsCredsUID - key: password -- name: PG_USERNAME - uid: *pgUserCredsSecretUid - key: login -- name: PG_PASSWORD - uid: *pgUserCredsSecretUid - key: password - - -# Initial Application Configuration -applicationConfig: - postgres.host: &dcaeSonhmsPgPrimary dcae-sonhms-pg-primary - postgres.port: 5432 - postgres.username: ${PG_USERNAME} - postgres.password: ${PG_PASSWORD} - cps.username: ${CPS_IDENTITY} - cps.password: ${CPS_PASSWORD} - sonhandler.pollingInterval: 20 - sonhandler.pollingTimeout: 60 - cbsPollingInterval: 60 - sonhandler.numSolutions: 5 - sonhandler.minCollision: 5 - sonhandler.minConfusion: 5 - sonhandler.maximumClusters: 5 - sonhandler.badThreshold: 50 - sonhandler.poorThreshold: 70 - sonhandler.namespace: onap - sonhandler.sourceId: SONHMS - sonhandler.dmaap.server: ["message-router"] - sonhandler.bufferTime: 60 - sonhandler.cg: sonhms-cg - sonhandler.cid: sonhms-cid - sonhandler.clientType: cps - sonhandler.nearRtricUrl: 
"https://a1-policy-management:30294/a1-policy/v2/policies" - cps.service.url: http://cps-tbdmt:8080 - cps.get.celldata: execute/cps-ran-schemaset/get-cell-data - cps.get.nbr.list.url: execute/cps-ran-schemaset/get-nbr-list - cps.get.pci.url: execute/ran-network-schemaset/get-pci - cps.get.pnf.url: execute/ran-network-schemaset/get-pnf - sonhandler.configDb.service: http://configdb:8080 - sonhandler.oof.service: https://oof-osdf:8698 - sonhandler.oof.endpoint: /api/oof/v1/pci - sonhandler.pciOptimizer: pci - sonhandler.pciAnrOptimizer: pci_anr - sonhandler.poorCountThreshold: 3 - sonhandler.badCountThreshold: 3 - sonhandler.oofTriggerCountTimer: 30 - sonhandler.oofTriggerCountThreshold: 5 - sonhandler.policyRespTimer: 10 - sonhandler.policyNegativeAckThreshold: 3 - sonhandler.policyFixedPciTimeInterval: 30000 - sonhandler.nfNamingCode: RansimAgent - streams_publishes: - CL_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.DCAE_CL_OUTPUT - streams_subscribes: - performance_management_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT - fault_management_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.SEC_FAULT_OUTPUT - nbr_list_change_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/PCI-NOTIF-TOPIC-NGHBR-LIST-CHANGE-INFO - dcae_cl_response_topic: - type: message-router - dmaap_info: - topic_url: http://message-router:3904/events/DCAE_CL_RSP - service_calls: - sdnr-getpnfname: [] - sdnr-getpci: [] - sdnr-getnbrlist: [] - sdnr-getcelllist: [] - oof-req: [] - policy-req: [] - -applicationEnv: - CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' - #Temporary Dummy CBS Port Value until internal SDK library is updated - CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' - STANDALONE: 'false' - -# Resource Limit Flavor -By Default 
Using Small -flavor: small - -# Segregation for Different Environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -################################################################# -# Application configuration Overriding Defaults in the Postgres. -################################################################# -postgres: - nameOverride: *postgresName - service: - name: *postgresName - name2: *dcaeSonhmsPgPrimary - name3: dcae-sonhms-pg-replica - container: - name: - primary: dcae-sonhms-pg-primary - replica: dcae-sonhms-pg-replica - persistence: - mountSubPath: sonhms/data - mountInitPath: sonhms - config: - pgUserName: sonhms - pgDatabase: sonhms - pgUserExternalSecret: *pgUserCredsSecretName - -#Pods Service Account -serviceAccount: - nameOverride: dcae-son-handler - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml deleted file mode 100644 index 25a54014d6..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/Chart.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE TCA (Gen 2) -name: dcae-tcagen2 -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' - - name: mongo - version: ~12.x-0 - repository: '@local' \ No newline at end of file diff --git a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml b/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml deleted file mode 100644 index 08ca865aff..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-tcagen2/values.yaml +++ /dev/null 
@@ -1,190 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. -# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: true - -################################################################# -# Filebeat configuration defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - -################################################################# -# initContainer images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/org.onap.dcaegen2.analytics.tca-gen2.dcae-analytics-tca-web:1.3.4 -pullPolicy: Always - -# log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: /opt/logs/dcae-analytics-tca -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -certDirectory: /etc/tca-gen2/ssl - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: false - -secrets: - - uid: &aaiCredsUID aaicreds - type: basicAuth - login: '{{ .Values.aaiCreds.user }}' - password: '{{ .Values.aaiCreds.password }}' - passwordPolicy: required - -# dependencies -readinessCheck: - wait_for: - - message-router - -# probe configuration -readiness: - initialDelaySeconds: 10 - periodSeconds: 30 - path: /actuator/health - scheme: HTTP - port: 9091 - -# service configuration -service: - type: ClusterIP - name: dcae-tcagen2 - ports: - - port: 9091 - name: http - -# mongoDB overrides -mongo: - nameOverride: dcae-mongo - config: - dbName: dcaecommondb - service: - name: dcae-mongohost - internalPort: 27017 - nfsprovisionerPrefix: dcaemongo - sdnctlPrefix: tcagen2 - persistence: - mountSubPath: dcae/mongo/data - enabled: true - disableNfsProvisioner: true - -# Policy configuraiton properties -# if enabled, policy-sync side car will be deployed -#dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 -#policies: -# duration: 300 -# policyRelease: "onap" -# policyID: | -# '["onap.vfirewall.tca","onap.vdns.tca"]' - - -aaiCreds: - user: DCAE - password: DCAE - -credentials: -- name: AAI_USERNAME - uid: *aaiCredsUID - key: login -- name: 
AAI_PASSWORD - uid: *aaiCredsUID - key: password - -# initial application configuration -applicationConfig: - service_calls: [] - streams_publishes: - tca_handle_out: - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.DCAE_CL_OUTPUT - type: message_router - streams_subscribes: - tca_handle_in: - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.VES_MEASUREMENT_OUTPUT - type: message_router - spring.data.mongodb.uri: mongodb://dcae-mongohost/dcae-tcagen2 - streams_subscribes.tca_handle_in.consumer_group: cg1 - streams_subscribes.tca_handle_in.consumer_ids[0]: c0 - streams_subscribes.tca_handle_in.consumer_ids[1]: c1 - streams_subscribes.tca_handle_in.message_limit: 50000 - streams_subscribes.tca_handle_in.polling.auto_adjusting.max: 60000 - streams_subscribes.tca_handle_in.polling.auto_adjusting.min: 30000 - streams_subscribes.tca_handle_in.polling.auto_adjusting.step_down: 30000 - streams_subscribes.tca_handle_in.polling.auto_adjusting.step_up: 10000 - streams_subscribes.tca_handle_in.polling.fixed_rate: 0 - streams_subscribes.tca_handle_in.timeout: -1 - tca.aai.enable_enrichment: true - tca.aai.generic_vnf_path: aai/v11/network/generic-vnfs/generic-vnf - tca.aai.node_query_path: aai/v11/search/nodes-query - tca.aai.password: ${AAI_PASSWORD} - tca.aai.url: http://aai-internal:80 - tca.aai.username: ${AAI_USERNAME} - tca.policy: 
"[{\"domain\":\"measurementsForVfScaling\",\"violatedMetricsPerEventName\":[{\"eventName\":\"Mfvs_eNodeB_RANKPI\",\"controlLoopSchemaType\":\"VNF\",\"policyScope\":\"resource=vFirewall;type=configuration\",\"policyName\":\"configuration.dcae.microservice.tca.xml\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"CL-FRWL-LOW-TRAFFIC-SIG-d925ed73-8231-4d02-9545-db4e101f88f8\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":4000,\"direction\":\"LESS_OR_EQUAL\",\"severity\":\"MAJOR\"},{\"closedLoopControlName\":\"CL-FRWL-HIGH-TRAFFIC-SIG-EA36FE84-9342-5E13-A656-EC5F21309A09\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":20000,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\"}]},{\"eventName\":\"vLoadBalancer\",\"controlLoopSchemaType\":\"VNF\",\"policyScope\":\"resource=vLoadBalancer;type=configuration\",\"policyName\":\"configuration.dcae.microservice.tca.xml\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"CL-LBAL-LOW-TRAFFIC-SIG-FB480F95-A453-6F24-B767-FD703241AB1A\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":500,\"direction\":\"LESS_OR_EQUAL\",\"severity\":\"MAJOR\"},{\"closedLoopControlName\":\"CL-LBAL-LOW-TRAFFIC-SIG-0C5920A6-B564-8035-C878-0E814352BC2B\",\"closedLoopEventStatus\":\"ONSET\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementsForVfScalingFields.vNicPerformanceArray[*].receivedBroadcastPacketsAccumulated\",\"thresholdValue\":5000,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\"}]}]},{\"domain\":\"measurement\",\"metricsPerEventName\
":[{\"eventName\":\"vFirewallBroadcastPackets\",\"controlLoopSchemaType\":\"VM\",\"policyScope\":\"DCAE\",\"policyName\":\"DCAE.Config_tca-hi-lo\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.nicPerformanceArray[*].receivedTotalPacketsDelta\",\"thresholdValue\":300,\"direction\":\"LESS_OR_EQUAL\",\"severity\":\"MAJOR\",\"closedLoopEventStatus\":\"ABATED\"},{\"closedLoopControlName\":\"ControlLoop-vFirewall-d0a1dfc6-94f5-4fd4-a5b5-4630b438850a\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.nicPerformanceArray[*].receivedTotalPacketsDelta\",\"thresholdValue\":700,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\",\"closedLoopEventStatus\":\"ONSET\"}]},{\"eventName\":\"vLoadBalancer\",\"controlLoopSchemaType\":\"VM\",\"policyScope\":\"DCAE\",\"policyName\":\"DCAE.Config_tca-hi-lo\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.nicPerformanceArray[*].receivedTotalPacketsDelta\",\"thresholdValue\":300,\"direction\":\"GREATER_OR_EQUAL\",\"severity\":\"CRITICAL\",\"closedLoopEventStatus\":\"ONSET\"}]},{\"eventName\":\"Measurement_vGMUX\",\"controlLoopSchemaType\":\"VNF\",\"policyScope\":\"DCAE\",\"policyName\":\"DCAE.Config_tca-hi-lo\",\"policyVersion\":\"v0.0.1\",\"thresholds\":[{\"closedLoopControlName\":\"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.additionalMeasurements[*].arrayOfFields[0].value\",\"thresholdValue\":0,\"direction\":\"EQUAL\",\"severity\":\"MAJOR\",\"closedLoopEventStatus\":\"ABATED\"},{\"closedLoopControlName\":\"ControlLoop-vCPE-48f0c2c3-a172-4192-9ae3-052274181b6e\",\"version\":\"1.0.2\",\"fieldPath\":\"$.event.measurementFields.additionalMeasurements
[*].arrayOfFields[0].value\",\"thresholdValue\":0,\"direction\":\"GREATER\",\"severity\":\"CRITICAL\",\"closedLoopEventStatus\":\"ONSET\"}]}]}]" - tca.processing_batch_size: 10000 - tca.enable_abatement: true - tca.enable_ecomp_logging: true - -applicationEnv: - #Temporary Dummy CBS Port Value until internal SDK library is updated - CONFIG_BINDING_SERVICE_SERVICE_PORT: '0000' - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcae-tcagen2 - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml index 9c63dcf315..6c03c1a6b2 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/Chart.yaml @@ -3,6 +3,7 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,27 +19,24 @@ # ============LICENSE_END========================================================= apiVersion: v2 -appVersion: "Kohn" +appVersion: "Oslo" description: DCAE VES Collector name: dcae-ves-collector -version: 12.0.0 +version: 13.1.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: dcaegen2-services-common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} 
diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml new file mode 100644 index 0000000000..8e3ee32cb2 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkatopic.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml new file mode 100644 index 0000000000..5c7edd5b19 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml new file mode 100644 index 0000000000..4d82cf3b47 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/secret.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index e0b2b12087..fb2a761e39 100644 
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -1,8 +1,9 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021-2022 Nokia. All rights reserved. -# Copyright (c) 2021-2022 J. F. Lucas. All rights reserved. +# Copyright (c) 2021-2023 J. F. Lucas. All rights reserved. # Copyright (c) 2022 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2024 Deutsche Telekom Intellectual Property. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,14 +36,13 @@ filebeatConfig: ################################################################# # initContainer images. ################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.5.0 ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.11.1 +image: onap/org.onap.dcaegen2.collectors.ves.vescollector:1.12.4 pullPolicy: Always # log directory where logging sidecar should look for log files 
@@ -52,15 +52,15 @@ log: path: /opt/app/VESCollector/logs logConfigMapNamePrefix: '{{ include "common.fullname" . }}' +# a tmp volume is needed by the tomcat server of the app +# when the filesystem is set to read-only +tmpDir: + enabled: true + # directory where TLS certs should be stored # if absent, no certs will be retrieved and stored certDirectory: /opt/app/dcae-certificate -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -tlsServer: true - # CMPv2 certificate # It is used only when: # - certDirectory is set @@ -83,13 +83,14 @@ certificates: key: password create: true -# dependencies -readinessCheck: - wait_for: - - aaf-cm - - message-router - # probe configuration +readiness: + initialDelaySeconds: 5 + periodSeconds: 15 + path: /healthcheck + scheme: HTTP + port: 8080 +liveness: initialDelaySeconds: 5 periodSeconds: 15 path: /healthcheck 
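Review bot: In the `@@ -83,13 +83,14 @@` hunk of dcae-ves-collector/values.yaml, the new `liveness` block copies the readiness settings (`initialDelaySeconds: 5`, `periodSeconds: 15`), so the kubelet can begin restarting the container a few probe periods after launch while the Tomcat-based app may still be starting. Give liveness a longer initial delay than readiness, or use a startup probe if the common template supports one. The same hunk drops the `readinessCheck.wait_for` gate on `message-router` with no replacement for the Kafka bootstrap service that `BOOTSTRAP_SERVERS` now points at, so confirm the collector tolerates starting before the broker is reachable.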
@@ -118,10 +119,87 @@ ingress: config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + # application environments applicationEnv: CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true' + BOOTSTRAP_SERVERS: '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' + JAAS_CONFIG: + externalSecret: true + externalSecretUid: '{{ include "common.name" . }}-ku' + key: sasl.jaas.config + +# Strimzi Kafka config +kafkaUser: + acls: + - name: unauthenticated.VES_PNFREG_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.VES_NOTIFICATION_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_HEARTBEAT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_OTHER_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_FAULT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.VES_MEASUREMENT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + - name: unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT + type: topic + patternType: literal + operations: [Write, DescribeConfigs] + +kafkaTopic: + - name: unauthenticated.VES_PNFREG_OUTPUT + strimziTopicName: unauthenticated.ves-pnfreg-output + - name: 
unauthenticated.VES_NOTIFICATION_OUTPUT + strimziTopicName: unauthenticated.ves-notification-output + - name: unauthenticated.SEC_HEARTBEAT_OUTPUT + strimziTopicName: unauthenticated.sec-heartbeat-output + - name: unauthenticated.SEC_OTHER_OUTPUT + strimziTopicName: unauthenticated.sec-other-output + - name: unauthenticated.SEC_FAULT_OUTPUT + strimziTopicName: unauthenticated.sec-fault-output + - name: unauthenticated.VES_MEASUREMENT_OUTPUT + strimziTopicName: unauthenticated.ves-measurment-output + - name: unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-faultsupervision-output + - name: unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-provisioning-output + - name: unauthenticated.SEC_3GPP_HEARTBEAT_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-heartbeat-output + - name: unauthenticated.SEC_3GPP_PERFORMANCEASSURANCE_OUTPUT + strimziTopicName: unauthenticated.sec-3gpp-performanceassurance-output # initial application configuration applicationConfig: @@ -141,7 +219,7 @@ applicationConfig: collector.service.port: "8080" collector.service.secure.port: "8443" event.transform.flag: "0" - auth.method: "certBasicAuth" + auth.method: "noAuth" header.authlist: "sample1,$2a$10$0buh.2WeYwN868YMwnNNEuNEAMNYVU9.FSMJGyIKV3dGET/7oGOi6|demouser,$2a$10$1cc.COcqV/d3iT2N7BjPG.S6ZKv2jpb9a5MV.o7lMih/GpjJRX.Ce" services_calls: [] streams_publishes: @@ -202,18 +280,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1.5Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1.5Gi" large: limits: - cpu: 4 - memory: 4Gi + cpu: "4" + memory: "3Gi" requests: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "3Gi" unlimited: {} #Pods Service Account 
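Review bot: In the `kafkaTopic` list added by the `@@ -118,10 +119,87 @@` hunk of dcae-ves-collector/values.yaml, the entry for `unauthenticated.VES_MEASUREMENT_OUTPUT` has `strimziTopicName: unauthenticated.ves-measurment-output`, which is misspelled ("measurment"), while every other entry is the lower-cased, hyphenated form of its `name`. Unless this deliberately matches a topic resource that already exists under that spelling, change it to `unauthenticated.ves-measurement-output` now, because the name is harder to correct once the topic has been created.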
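Review bot: The `@@ -141,7 +219,7 @@` hunk of dcae-ves-collector/values.yaml switches `auth.method` from `"certBasicAuth"` to `"noAuth"`, so the collector itself no longer authenticates event senders, and the only access control left in this file is the `serviceMesh.authorizationPolicy` entry that admits the `istio-ingress` service account. State that dependency in a comment next to the setting, and make sure a deployment without the mesh does not expose the listener unauthenticated. The unchanged `header.authlist` line just below still carries the sample bcrypt-hashed users, which appear to serve no purpose under `noAuth` and could be removed in the same change.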
@@ -221,3 +299,45 @@ serviceAccount: nameOverride: dcae-ves-collector roles: - read + +# Pod Security context +podSecurityContext: + runAsGroup: 1000 + runAsUser: 100 + fsGroup: 1000 + seccompProfile: + type: RuntimeDefault + +# Container Security context +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + - CAP_NET_RAW + readOnlyRootFilesystem: true + runAsNonRoot: true + +# Flag which can be used to put VES-COLLECTOR specific properties in template +ves: true + +# VES-COLLECTOR volumes +externalVolumes: + - name: ves-collector-etc + type: emptyDir + sizeLimit: 50Mi + mountPath: /opt/app/VESCollector/etc + +# VES-COLLECTOR pod annotations +podAnnotations: + sidecar.istio.io/rewriteAppHTTPProbers: "false" + +# Resources for init container copy-etc +copyEtc: + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 30m + memory: 32Mi diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml deleted file mode 100644 index 1978ae4df4..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/Chart.yaml +++ /dev/null 
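Review bot: In the `containerSecurityContext` added by the `@@ -221,3 +299,45 @@` hunk of dcae-ves-collector/values.yaml, `capabilities.drop` lists `CAP_NET_RAW` after `ALL`. Kubernetes capability names are written without the `CAP_` prefix, and `ALL` already covers it, so the second entry is redundant at best; keep only `ALL` in the drop list. In the same hunk `podSecurityContext` sets `runAsUser: 100` alongside `runAsGroup: 1000` and `fsGroup: 1000`; a short comment confirming that UID 100 is the user the image expects would help, since `readOnlyRootFilesystem: true` leaves it only the mounted volumes to write to.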
@@ -1,41 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (c) 2021 AT&T Intellectual Property -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -apiVersion: v2 -appVersion: "Kohn" -description: DCAE VES-Mapper Microservice -name: dcae-ves-mapper -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml deleted file mode 100644 index 47eb5f1f20..0000000000 --- a/kubernetes/dcaegen2-services/components/dcae-ves-mapper/values.yaml +++ /dev/null 
@@ -1,206 +0,0 @@ -# ================================ LICENSE_START ============================= -# ============================================================================ -# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2022 J. F. Lucas. All rights reserved. -# ============================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ================================= LICENSE_END ============================== - -################################################################# -# Global Configuration Defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - centralizedLoggingEnabled: true - -################################################################# -# Filebeat Configuration Defaults. -################################################################# -filebeatConfig: - logstashServiceName: log-ls - logstashPort: 5044 - -################################################################# -# InitContainer Images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 - -################################################################# -# Application Configuration Defaults. 
-################################################################# -# Application Image -image: onap/org.onap.dcaegen2.services.mapper.vesadapter.universalvesadaptor:1.4.0 -pullPolicy: Always - -# Log directory where logging sidecar should look for log files -# if path is set to null sidecar won't be deployed in spite of -# global.centralizedLoggingEnabled setting. -log: - path: /opt/app/VESAdapter/logs -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# Directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -#certDirectory: /opt/app/ves-mapper/etc/certs - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -#tlsServer: false - -# Dependencies -readinessCheck: - wait_for: - - message-router - -# Service Configuration -service: - type: ClusterIP - name: dcae-ves-mapper - ports: - - name: http - port: 80 - port_protocol: http - -# application environments -applicationEnv: - LOG4J_FORMAT_MSG_NO_LOOKUPS: 'true' - CONFIG_BINDING_SERVICE_SERVICE_PORT: '10000' # Workaround until DCAEGEN2-3098 is addressed - CBS_CLIENT_CONFIG_PATH: '/app-config-input/application_config.yaml' - - -# Initial Application Configuration -applicationConfig: - app_preferences: - collectors: - - identifier: notification-id - mapping-files: - - defaultMappingFile-rcc-notification: 
"org.onap.dcaegen2.ves.domain.ves70.CommonEventHeader.Version._4_0_1'pnfRegistration'org.onap.dcaegen2.ves.domain.ves70.CommonEventHeader.VesEventListenerVersion._7_0_1'registration_'+commonEventHeader.ts1'VESMapper'org.onap.dcaegen2.ves.domain.ves70.CommonEventHeader.Domain.PNF_REGISTRATIONcommonEventHeader.domaincommonEventHeader.ts1commonEventHeader.ts1org.onap.dcaegen2.ves.domain.ves70.CommonEventHeader.Priority.NORMALpnfRegistrationFields.vendorName+'-'+pnfRegistrationFields.serialNumberorg.onap.dcaegen2.ves.domain.ves70.PnfRegistrationFields.PnfRegistrationFieldsVersion._2_0" - stream_publisher: ves-pnfRegistration - stream_subscriber: rcc-notification - - identifier: notify OID - mapping-files: - - defaultMappingFile-snmp-notification: "'3.0''FaultField''XXXX''VESMapper'org.onap.dcaegen2.ves.domain.ves54.CommonEventHeader.Domain.FAULTcommonEventHeader.domainorg.onap.dcaegen2.ves.domain.ves54.CommonEventHeader.Priority.NORMAL'VesAdapter''SNMP Fault'org.onap.dcaegen2.ves.domain.ves54.FaultFields.VfStatus.ACTIVEorg.onap.dcaegen2.ves.domain.ves54.FaultFields.EventSeverity.MINOR" - stream_publisher: ves-fault - stream_subscriber: snmp-notification - streams_publishes: - ves-fault: - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.SEC_FAULT_OUTPUT - type: message_router - ves-pnfRegistration: - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.VES_PNFREG_OUTPUT - type: message_router - streams_subscribes: - rcc-notification: - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.DCAE_RCC_OUTPUT - type: message_router - snmp-notification: - dmaap_info: - topic_url: http://message-router:3904/events/unauthenticated.ONAP-COLLECTOR-SNMPTRAP - type: message_router - -# Resource Limit Flavor -By Default Using Small -flavor: small - -# Segregation for Different Environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - 
cpu: 2 - memory: 2Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcae-ves-mapper - roles: - - read diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml index 33b129555f..afcb14aeaa 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/Chart.yaml @@ -20,18 +20,21 @@ apiVersion: v2 description: ONAP DCAE VES OpenApi Manager name: dcae-ves-openapi-manager -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: dcaegen2-services-common + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/configmap.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/configmap.yaml new file mode 100644 index 0000000000..7253125d50 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/configmap.yaml 
@@ -0,0 +1,20 @@ +{{/* +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2022 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +*/}} + +{{ include "dcaegen2-services-common.configMap" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml index 1c6e3593ac..64d88119a8 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/deployment.yaml @@ -2,6 +2,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 Nokia. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -45,13 +46,20 @@ spec: periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} env: - - name: ASDC_ADDRESS - value: {{ .Values.externalServices.sdc_be_https }} - - name: SCHEMA_MAP_PATH - value: {{ .Values.schemaMap.directory }}/{{ .Values.schemaMap.filename }} + - name: SDC_ADDRESS + value: sdc-be.{{include "common.namespace" .}}:8080 + - name: SCHEMA_MAP_PATH + value: {{ .Values.schemaMap.directory }}/{{ .Values.schemaMap.filename }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - name: schema-map mountPath: {{ .Values.schemaMap.directory }} + - name: app-config + mountPath: /app/config/ serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: schema-map @@ -61,5 +69,9 @@ spec: items: - key: {{ .Values.schemaMap.filename }} path: {{ .Values.schemaMap.filename }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + - name: app-config + configMap: + name: {{ include "common.fullname" . }}-application-config-configmap + defaultMode: 420 + optional: true + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/kafkauser.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/kafkauser.yaml 
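Review bot: In templates/deployment.yaml, hunk `@@ -45,13 +46,20 @@`, the new `SDC_ADDRESS` value is assembled inside the template as `sdc-be.{{include "common.namespace" .}}:8080`, replacing the values-driven `.Values.externalServices.sdc_be_https`, so both the host and the port 8080 listener are now fixed in the chart. Keep the address under a values key so a deployment can point at a TLS listener without patching the template, and document what protects this hop now that the `sdc_be_https` setting is gone. The secret name `{{ include "common.name" . }}-ku` is also spelled out by hand; add a comment tying it to the KafkaUser created by templates/kafkauser.yaml so the two names cannot drift unnoticed.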
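Review bot: In templates/deployment.yaml, hunk `@@ -61,5 +69,9 @@`, the `app-config` volume is declared with `optional: true`, so a missing or misnamed `-application-config-configmap` will not stop the pod from starting and `/app/config/` will simply be empty. If the application needs that configuration, drop `optional: true` so the failure is visible when the pod is created; if it really is optional, add a comment saying which defaults apply in that case.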
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/secrets.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/secrets.yaml new file mode 100644 index 0000000000..6ff81501a4 --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/templates/secrets.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright (C) 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml index c07bd529cc..c5d9b18336 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml 
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-openapi-manager/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== #================================================================================= # Copyright (c) 2021-2022 Nokia. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,7 @@ # Global values global: pullPolicy: Always -image: onap/org.onap.dcaegen2.platform.ves-openapi-manager:1.2.0 +image: onap/org.onap.dcaegen2.platform.ves-openapi-manager:1.3.1 containerPort: &svc_port 8080 service: @@ -26,8 +27,9 @@ service: - name: &port http port: *svc_port -externalServices: - sdc_be_https: "sdc-be:8443" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] schemaMap: filename: "schema-map.json" @@ -45,25 +47,26 @@ liveness: readinessCheck: wait_for: - - message-router - - sdc-be + timeout: 30 + services: + - sdc-be flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 512Mi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "2" + memory: "2Gi" unlimited: {} #Pods Service Account 
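Review bot: In dcae-ves-openapi-manager/values.yaml, hunk `@@ -26,8 +27,9 @@`, `serviceMesh.authorizationPolicy.authorizedPrincipals: []` is added without a comment on what an empty list means for the policy rendered by `common.authorizationPolicy` in templates/authorizationpolicy.yaml. Add a comment stating whether an empty list admits every caller or none, and list the principals expected to reach the service port if access is meant to be restricted.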
@@ -71,3 +74,34 @@ serviceAccount: nameOverride: dcae-ves-openapi-manager roles: - read + +# initial application configuration +applicationConfig: + vesopenapimanager: + validation: + schemaMapPath: ${SCHEMA_MAP_PATH:./src/main/resources/schema-map.json} + eventDomainPath: /event/structure/commonEventHeader/structure/domain/value + eventSchemaReferencePath: /event/structure/stndDefinedFields/structure/schemaReference/value + distribution: + sdcAddress: ${SDC_ADDRESS:sdc-be.onap:8080} + isUseHttpsWithSDC: false + user: dcae + password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + pollingInterval: 20 + pollingTimeout: 20 + consumerGroup: dcaegen2 + environmentName: AUTO + consumerID: dcae-ves-openapi-manager + activateServerTLSAuth: false + isFilterInEmptyResources: false + +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: dcaegen2 + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] diff --git a/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml b/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml index af62dc30ca..cae85bfb90 100644 --- a/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml +++ b/kubernetes/dcaegen2-services/resources/config/log/filebeat/filebeat.yml @@ -70,7 +70,7 @@ output.logstash: #ssl.key_passphrase: $ssl.key_passphrase logging: - level: debug + level: info # enable file rotation with default configuration to_files: true diff --git a/kubernetes/dcaegen2-services/resources/expected-components.json b/kubernetes/dcaegen2-services/resources/expected-components.json index 7c4c3fba4c..c91552ed43 100644 --- a/kubernetes/dcaegen2-services/resources/expected-components.json +++ b/kubernetes/dcaegen2-services/resources/expected-components.json 
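Review bot: In dcae-ves-openapi-manager/values.yaml, hunk `@@ -71,3 +74,34 @@`, `applicationConfig.vesopenapimanager.distribution.password` is committed as a literal in the chart defaults, next to `isUseHttpsWithSDC: false` and `activateServerTLSAuth: false`. The deployment change mounts an `application-config` ConfigMap at `/app/config/`, so if this block is what gets rendered there, the credential ends up in a ConfigMap rather than a Secret. Supply it the way `SASL_JAAS_CONFIG` is supplied, through a `secretKeyRef`, and reference it with an environment placeholder as `sdcAddress: ${SDC_ADDRESS:sdc-be.onap:8080}` already does; a comment on why both TLS switches default to off would also help. In the `kafkaUser` ACLs, `SDC-DISTR` with `patternType: prefix` grants `Write` on every topic sharing that prefix, so confirm that write access is actually required.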
@@ -40,7 +40,7 @@ */}} {{- $ctx := . -}} -{{- $components := list "dcae-hv-ves-collector" "dcae-prh" "dcae-tcagen2" "dcae-ves-collector" "dcae-ves-openapi-manager" -}} +{{- $components := list "dcae-hv-ves-collector" "dcae-prh" "dcae-ves-collector" "dcae-ves-openapi-manager" -}} {{- $enabled := dict "enabled" list -}} {{- range $components -}} {{- if index $ctx.Values . "enabled" -}} diff --git a/kubernetes/dcaegen2-services/values.yaml b/kubernetes/dcaegen2-services/values.yaml index 1652f04f0f..6efbf36c66 100644 --- a/kubernetes/dcaegen2-services/values.yaml +++ b/kubernetes/dcaegen2-services/values.yaml @@ -1,6 +1,6 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T. All rights reserved. -# Modifications Copyright (C) 2021 Nordix Foundation. +# Modifications Copyright (C) 2021-2023 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,7 +16,6 @@ global: centralizedLoggingEnabled: true - hvVesKafkaUser: dcae-hv-ves-kafka-user ################################################################# # Filebeat Configuration Defaults. @@ -29,9 +28,6 @@ filebeatConfig: # Control deployment of DCAE microservices at ONAP installation time dcae-ves-openapi-manager: enabled: true -dcae-datafile-collector: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' dcae-datalake-admin-ui: enabled: false logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' 
@@ -41,47 +37,15 @@ dcae-datalake-des: dcae-datalake-feeder: enabled: false logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' -dcae-heartbeat: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' dcae-hv-ves-collector: enabled: true logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.hvVesKafkaUser }}' -dcae-kpi-ms: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' dcae-ms-healthcheck: enabled: true logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' -dcae-pm-mapper: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' -dcae-pmsh: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' dcae-prh: enabled: true logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' -dcae-restconf-collector: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' -dcae-slice-analysis-ms: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' -dcae-snmptrap-collector: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' -dcae-son-handler: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' -dcae-tcagen2: - enabled: true - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' dcae-ves-collector: enabled: true logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' -dcae-ves-mapper: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-dcaegen2-services' diff --git a/kubernetes/dcaemod/Chart.yaml b/kubernetes/dcaemod/Chart.yaml deleted file mode 100644 index fc15c0be2b..0000000000 
--- a/kubernetes/dcaemod/Chart.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD -name: dcaemod -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: dcaemod-genprocessor - version: ~12.x-0 - repository: 'file://components/dcaemod-genprocessor' - condition: dcaemod-genprocessor.enabled - - name: dcaemod-distributor-api - version: ~12.x-0 - repository: 'file://components/dcaemod-distributor-api' - condition: dcaemod-distributor-api.enabled - - name: dcaemod-designtool - version: ~12.x-0 - repository: 'file://components/dcaemod-designtool' - condition: dcaemod-designtool.enabled - - name: dcaemod-onboarding-api - version: ~12.x-0 - repository: 'file://components/dcaemod-onboarding-api' - condition: dcaemod-onboarding-api.enabled - - name: dcaemod-runtime-api - version: ~12.x-0 - repository: 'file://components/dcaemod-runtime-api' - condition: dcaemod-runtime-api.enabled - - name: dcaemod-nifi-registry 
- version: ~12.x-0 - repository: 'file://components/dcaemod-nifi-registry' - condition: dcaemod-nifi-registry.enabled - - name: dcaemod-healthcheck - version: ~12.x-0 - repository: 'file://components/dcaemod-healthcheck' - condition: dcaemod-healthcheck.enabled diff --git a/kubernetes/dcaemod/Makefile b/kubernetes/dcaemod/Makefile deleted file mode 100644 index 5617b0d816..0000000000 --- a/kubernetes/dcaemod/Makefile +++ /dev/null 
@@ -1,61 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# Copyright (c) 2021 AT&T. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -HELM_REPO := local - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/dcaemod/components/Makefile b/kubernetes/dcaemod/components/Makefile deleted file mode 100644 index 86bd7b9fa5..0000000000 --- a/kubernetes/dcaemod/components/Makefile +++ /dev/null 
@@ -1,74 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# Copyright (c) 2021 AT&T. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -HELM_REPO := local - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -# Helm v2 and helm v3 uses different version format so we first try in helm v3 format -# and if it fails then we fallback to helm v2 one -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}" 2>/dev/null) -ifneq "$(findstring v3,$(HELM_VER))" "v3" - HELM_VER := $(shell $(HELM_BIN) version -c --template "{{.Client.SemVer}}") -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) helm-repo-update - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME 
$(HELM_REPO); fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) - -helm-repo-update: -ifeq "$(findstring v3,$(HELM_VER))" "v3" - @$(HELM_BIN) repo update -endif - -%: - @: \ No newline at end of file diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/Chart.yaml deleted file mode 100644 index 54680d2881..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/Chart.yaml +++ /dev/null @@ -1,33 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Design Tool -name: dcaemod-designtool -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' 
diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml deleted file mode 100644 index 556ac90e02..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/templates/deployment.yaml +++ /dev/null 
@@ -1,89 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dcaemod-genprocessor-http - - --container-name - - dcaemod-nifi-registry - - --container-name - - dcaemod-distributor-api - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-create-bucket - image: {{ include "repositoryGenerator.image.curl" . 
}} - args: - - -kv - - -X - - POST - - -H - - "Content-Type: application/json" - - --data-binary - - '{"name": "dcaemod-flows"}' - - http://dcaemod-nifi-registry:18080/nifi-registry-api/buckets - - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.readiness.port }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: NIFI_DCAE_JARS_INDEX_URL - value: {{ .Values.config.nifiJarsIndexURL }} - - name: NIFI_DCAE_DISTRIBUTOR_API_URL - value: {{ .Values.config.distributorAPIURL }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/templates/ingress.yaml deleted file mode 100644 index e7f8e2da8f..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.ingress" . }} \ No newline at end of file diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/templates/service.yaml deleted file mode 100644 index 7fc4e896d2..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml b/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml deleted file mode 100644 index b05639b178..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-designtool/values.yaml +++ /dev/null 
@@ -1,98 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -config: - nifiJarsIndexURL: http://dcaemod-genprocessor:8080/nifi-jars - distributorAPIURL: /distributor - -# application image -image: onap/org.onap.dcaegen2.platform.mod.designtool-web:1.0.2 - -service: - type: ClusterIP - name: dcaemod-designtool - ports: - - name: http - port: 8080 - -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod-nifi-ui" - path: "/nifi" - name: "dcaemod-designtool" - port: 8080 - - baseaddr: "dcaemod-nifi-api" - path: "/nifi-api" - name: "dcaemod-designtool" - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 90 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - path: /nifi-api/system-diagnostics - scheme: HTTP - port: http - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-designtool - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/Chart.yaml deleted file mode 100644 index 2d8ab41305..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Distributor API -name: dcaemod-distributor-api -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml deleted file mode 100644 index f36c2af002..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/deployment.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dcaemod-runtime-api - - --container-name - - dcaemod-nifi-registry - - --container-name - - dcaemod-onboarding-api - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.readiness.port }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: NIFI_REGISTRY_URL - value: {{ .Values.config.nifiRegistryURL }} - - name : ONBOARDING_API_URL - value: {{ .Values.config.onboardingAPIURL }} - resources: {{ include "common.resources" . | nindent 12 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/ingress.yaml deleted file mode 100644 index 4a4ee7c876..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.ingress" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/service.yaml deleted file mode 100644 index 100c3d5670..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml deleted file mode 100644 index 68fcf1487f..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -config: - nifiRegistryURL: http://dcaemod-nifi-registry:18080/nifi-registry-api - onboardingAPIURL: http://dcaemod-onboarding-api:8080/onboarding - -# application image -image: onap/org.onap.dcaegen2.platform.mod.distributorapi:1.1.1 - -service: - type: ClusterIP - name: dcaemod-distributor-api - ports: - - name: http - port: 8080 - -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod-distributor-api" - path: "/distributor" - name: dcaemod-distributor-api - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - # Should have a proper readiness endpoint - # This will be OK as long as we have a small number - # of distribution targets - path: /distributor/distribution-targets - scheme: HTTP - port: http - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-distributor-api - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/Chart.yaml deleted file mode 100644 index 8cdb072951..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Genprocessor -name: dcaemod-genprocessor -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml deleted file mode 100644 index 26f6586688..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/deployment.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - # apps run as uid 1000, gid 1000 - # the volume is mounted with root permissions - # this initContainer changes ownership to uid 1000 gid 1000 - # (tried using a securityContext in the pod spec, but it didn't seem to work) - - name: set-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - - -c - - chown -R 1000:1000 /genprocessor-data - volumeMounts: - - mountPath: /genprocessor-data - name: genprocessor-data - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: GENPROC_ONBOARDING_API_HOST - value: {{ .Values.config.onboardingAPIURL }} - volumeMounts: - - mountPath: /work/ - name: genprocessor-data - resources: {{ include "common.resources" . | nindent 12 }} - - name: {{ include "common.name" . }}-http - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.httpImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /www/data - name: genprocessor-data - readOnly: true - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: genprocessor-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/ingress.yaml deleted file mode 100644 index 4a4ee7c876..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.ingress" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pv.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pv.yaml deleted file mode 100644 index 2831c151d2..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pv.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.PV" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pvc.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pvc.yaml deleted file mode 100644 index 1e6c62a653..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/pvc.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.PVC" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/service.yaml deleted file mode 100644 index 100c3d5670..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml b/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml deleted file mode 100644 index 2dafdc9c8a..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-genprocessor/values.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -config: - onboardingAPIURL: http://dcaemod-onboarding-api:8080/onboarding - -# application image -image: onap/org.onap.dcaegen2.platform.mod.genprocessor-job:1.0.2 -httpImage: onap/org.onap.dcaegen2.platform.mod.genprocessor-http:1.0.2 - -service: - type: ClusterIP - name: dcaemod-genprocessor - ports: - - name: http - port: 8080 - -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod-genprocessor-api" - path: "/nifi-jars" - name: dcaemod-genprocessor - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# Parameters for persistent storage -persistence: - enabled: true -# Only the genprocessor-job writes, genprocessor-http mounts readOnly - accessMode: ReadWriteMany - size: 4Gi - mountPath: /dockerdata-nfs - mountSubPath: dcae-mod-genprocessor/data - volumeReclaimPolicy: Retain - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-genprocessor - roles: - - read - diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/Chart.yaml deleted file mode 100644 index 74ad041dd0..0000000000 
--- a/kubernetes/dcaemod/components/dcaemod-healthcheck/Chart.yaml +++ /dev/null @@ -1,35 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Health Check -name: dcaemod-healthcheck -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml deleted file mode 100644 index f46dc5f287..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/deployment.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: 1 - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: {{ include "common.containerPorts" . | nindent 10 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ include "common.getPort" (dict "global" . 
"name" "http") }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ include "common.getPort" (dict "global" . "name" "http") }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /opt/app/expected-components.json - subPath: expected-components.json - name: {{ include "common.fullname" .}}-expected-components - env: - - name: DCAE_NAMESPACE - value: {{ .Values.dcae_ns }} - - name: ONAP_NAMESPACE - value: {{ include "common.namespace" . }} - - name: HELM_RELEASE - value: {{ include "common.release" . }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-expected-components - configMap: - name: {{ include "common.release" . }}-dcaemod-expected-components - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/service.yaml deleted file mode 100644 index 7fc4e896d2..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-healthcheck/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml b/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml deleted file mode 100644 index 73661ac843..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-healthcheck/values.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Copyright (c) 2021 J. F. Lucas. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - nodePortPrefix: 302 - -service: - name: dcaemod-healthcheck - type: ClusterIP - ports: - - name: http - port: 8080 - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 -# application image -image: onap/org.onap.dcaegen2.deployments.healthcheck-container:2.4.0 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-healthcheck - roles: - - read - diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/Chart.yaml deleted file mode 100644 index d9620bbb09..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Nifi Registry -name: dcaemod-nifi-registry -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml deleted file mode 100644 index 53f1de59bc..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/deployment.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - # nifi-registry app runs as user "nifi", uid 1000, group "nifi", gid 1000 - # the volume is mounted with root permissions - # this initContainer changes ownership to uid 1000 gid 1000 - # (tried using a securityContext in the pod spec, but it didn't seem to work) - - name: set-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - - -c - - chown -R 1000:1000 /opt/nifi-registry/nifi-registry-0.4.0/flow_storage - volumeMounts: - - mountPath: /opt/nifi-registry/nifi-registry-0.4.0/flow_storage - name: flow-storage - containers: - - name: {{ include "common.name" . 
}} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /opt/nifi-registry/nifi-registry-0.4.0/flow_storage - name: flow-storage - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: NIFI_REGISTRY_DB_URL - value: {{ .Values.config.dbURL }} - - name: NIFI_REGISTRY_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dbsecret" "key" "login") | indent 12 }} - - name: NIFI_REGISTRY_DB_PASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dbsecret" "key" "password") | indent 12 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: flow-storage - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pv.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pv.yaml deleted file mode 100644 index b351573f83..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pv.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - - -{{ include "common.PV" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pvc.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pvc.yaml deleted file mode 100644 index 1e6c62a653..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/pvc.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.PVC" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/secrets.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/secrets.yaml deleted file mode 100644 index 869e3d3912..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/secrets.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/service.yaml deleted file mode 100644 index 100c3d5670..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml b/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml deleted file mode 100644 index a0bbacc7ef..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-nifi-registry/values.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. 
-################################################################# -global: - persistence: {} - nodePortPrefix: 302 - nodePortPrefixExt: 304 - -config: - dbURL: jdbc:h2:./database/nifi-registry-primary - dbUser: nobody - dbPassword: nobody - -secrets: - - uid: "dbsecret" - type: basicAuth - login: '{{ .Values.config.dbUser }}' - password: '{{ .Values.config.dbPassword }}' - passwordPolicy: generate - -# application image -image: apache/nifi-registry:0.5.0 - -service: - type: ClusterIP - name: dcaemod-nifi-registry - ports: - - name: http - port: 18080 - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# Parameters for persistent storage -persistence: - enabled: true - accessMode: ReadWriteOnce - size: 4Gi - mountPath: /dockerdata-nfs - mountSubPath: dcae-mod-nifi-registry/data - volumeReclaimPolicy: Retain - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-nifi-registry - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/Chart.yaml deleted file mode 100644 index 051d942ac4..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/Chart.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Onboarding API -name: dcaemod-onboarding-api -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: postgres - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml deleted file mode 100644 index 5c7d1b6d0d..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/deployment.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.postgres.nameOverride }} - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }} - command: - - sh - args: - - -c - - 'PG_CONN=postgresql://${PG_USER}:${PG_PASSWORD}@${PG_ADDR}:${PG_PORT}/${PG_DB_NAME} ./start.sh' - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: PG_ADDR - value: {{ .Values.postgres.service.name2 }} - # This should be kept in secret but it needs a fix in postgres common chart - - name: PG_USER - value: postgres - - name: PG_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14 }} - - name: PG_PORT - value: "5432" - - name: PG_DB_NAME - value: dcae_onboarding_db - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/ingress.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/ingress.yaml deleted file mode 100644 index 4a4ee7c876..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/ingress.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -{{ include "common.ingress" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/service.yaml deleted file mode 100644 index 100c3d5670..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml deleted file mode 100644 index 70067e557c..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - ingress: - virtualhost: - baseurl: "simpledemo.onap.org" - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-root-pass - name: &rootPassSecretName '{{ include "common.release" . }}-dcaemod-db-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dcaemod-db-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret)}}' - password: '{{ .Values.postgres.config.pgRootPassword }}' - - uid: db-primary-pass - name: &primaryPassSecretName '{{ include "common.release" . 
}}-dcaemod-db-primary-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgPrimaryPasswordExternalSecret) .) (hasSuffix "dcaemod-db-primary-pass" .Values.postgres.config.pgPrimaryPasswordExternalSecret)}}' - password: '{{ .Values.postgres.config.pgPrimaryPassword }}' - -service: - type: ClusterIP - name: dcaemod-onboarding-api - ports: - - name: http - port: 8080 -ingress: - enabled: true - enabledOverride: true - service: - - baseaddr: "dcaemod-onboarding-api" - path: "/onboarding" - name: dcaemod-onboarding-api - port: 8080 - config: - ssl: "none" - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: http - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# postgres values--overriding defaults in the postgres subchart -postgres: - nameOverride: dcaemod-db - service: - name: dcaemod-postgres - name2: dcaemod-pg-primary - name3: dcaemod-pg-replica - suffix: svc.cluster.local - container: - name: - primary: dcaemod-pg-primary - replica: dcaemod-pg-replica - config: - pgPrimaryPasswordExternalSecret: *primaryPassSecretName - pgRootPasswordExternalSecret: *rootPassSecretName - persistence: - mountSubPath: dcaemod/data - mountInitPath: dcaemod - -# application image -image: onap/org.onap.dcaegen2.platform.mod.onboardingapi:2.13.0 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-onboarding-api - roles: - - read - 
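Review bot: the `postgres` block removed in this values.yaml kept the onboarding database under `persistence.mountSubPath: dcaemod/data`, and the `secrets` block allowed externally supplied secrets through `pgRootPasswordExternalSecret` and `pgPrimaryPasswordExternalSecret`, but nothing in the lines shown says what happens to that data or to those secrets once the chart is gone. Please add an upgrade or release note stating whether operators have to remove the database directory and any external secret by hand, since leftover database files and credentials would outlive the service that used them.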
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/Chart.yaml deleted file mode 100644 index 6afc6a72aa..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP DCAE MOD Runtime API -name: dcaemod-runtime-api -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' 
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/addons/templates/certificates.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/addons/templates/certificates.yaml deleted file mode 100644 index 8c964ecd02..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/addons/templates/certificates.yaml +++ /dev/null @@ -1,3 +0,0 @@ -{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} -{{ include "certManagerCertificate.certificate" . }} -{{ end }} \ No newline at end of file diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/Chart.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/Chart.yaml deleted file mode 100644 index 85dcc792be..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/Chart.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -apiVersion: v2 -appVersion: "Kohn" -description: TBD -name: TBD -version: TBD - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: dcaegen2-services-common - version: ~12.x-0 - repository: '@local' - - name: postgres - version: ~12.x-0 - repository: '@local' - condition: postgres.enabled - - name: serviceAccount - version: ~12.x-0 - repository: '@local' - - name: mongo - version: ~12.x-0 - repository: '@local' - condition: mongo.enabled diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/configmap.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/configmap.yaml deleted file mode 100644 index 866a9ad672..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/configmap.yaml +++ /dev/null 
@@ -1 +0,0 @@ -{{ include "dcaegen2-services-common.configMap" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/deployment.yaml deleted file mode 100644 index bef31a7a3a..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/deployment.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "dcaegen2-services-common.microserviceDeployment" . }} \ No newline at end of file diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/secret.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/secret.yaml deleted file mode 100644 index 6ee9297869..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/secret.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/service.yaml deleted file mode 100644 index f024c64864..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/templates/service.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/values.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/values.yaml deleted file mode 100644 index 99160210d0..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/resources/config/base/values.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2021-2022 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - -################################################################# -# initContainer images. -################################################################# -tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 -consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: TBD #DONE -pullPolicy: Always - -#policy sync image -dcaePolicySyncImage: onap/org.onap.dcaegen2.deployments.dcae-services-policy-sync:1.0.1 - -#postgres enable/disable -postgres: - enabled: false - -#mongo enable/disable -mongo: - enabled: false - nameOverride: dcae-mongo - config: - dbName: dcaecommondb - service: - name: dcae-mongohost - internalPort: 27017 - nfsprovisionerPrefix: dcaemongo - sdnctlPrefix: tcagen2 - persistence: - mountSubPath: dcae/mongo/data - enabled: true - disableNfsProvisioner: true - -# log directory where logging sidecar should look for log files -# if absent, no sidecar will be deployed -#log: -# path: TBD #/opt/app/VESCollector/logs #DONE -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' - -# directory where TLS certs should be stored -# if absent, no certs will be retrieved and stored -#certDirectory: TBD #/opt/app/dcae-certificate #DONE - -# TLS role -- set to true if microservice acts as server -# If true, an init container will retrieve a server cert -# and key from AAF and mount them in certDirectory. -#tlsServer: TBD #DONE - -# dependencies -readinessCheck: - wait_for: - - aaf-cm - -# probe configuration #NEED DISCUSSION -readiness: - initialDelaySeconds: TBD - periodSeconds: TBD - path: TBD - scheme: TBD - port: TBD - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} -serviceAccount: - nameOverride: TBD - roles: - - read diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/configmap.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/configmap.yaml deleted file mode 100644 index 7d90f5812c..0000000000 
--- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/configmap.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dcae-helmgen-templates - namespace: {{ include "common.namespace" . }} -data: -{{ (.Files.Glob "resources/config/base/templates/*.yaml").AsConfig | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dcae-helmgen-base - namespace: {{ include "common.namespace" . }} -data: -{{ (.Files.Glob "resources/config/base/*.yaml").AsConfig | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dcae-helmgen-addons-templates - namespace: {{ include "common.namespace" . }} -data: -{{ (.Files.Glob "resources/config/addons/templates/*").AsConfig | indent 2 }} \ No newline at end of file 
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml deleted file mode 100644 index 39044465dc..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/deployment.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2021 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . 
| nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: {{ include "common.resources" . | nindent 12 }} - volumeMounts: - - mountPath: {{ .Values.config.basehelmchartlocation }}/base/values.yaml - subPath: values.yaml - name: dcae-helmgen-base - - mountPath: {{ .Values.config.basehelmchartlocation }}/base/Chart.yaml - subPath: Chart.yaml - name: dcae-helmgen-base - - mountPath: {{ .Values.config.basehelmchartlocation }}/base/templates - name: dcae-helmgen-templates - - mountPath: {{ .Values.config.basehelmchartlocation }}/addons/templates - name: dcae-helmgen-addon-templates - env: - - name: DASHBOARD_URL - value: {{ .Values.config.dashboardURL }} - - name: DASHBOARD_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dashsecret" "key" "login") | indent 14 }} - - name: DASHBOARD_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "dashsecret" "key" "password") | indent 14 }} - - name: ONAP_TOPICURL - value: {{ .Values.config.mrTopicURL }} - - name: ONAP_IMPORT_CLOUDIFYPLUGIN - value: {{ .Values.config.importCloudify }} - - name: ONAP_IMPORT_K8SPLUGIN - value: {{ .Values.config.importK8S }} - - name: ONAP_IMPORT_POLICYPLUGIN - value: {{ .Values.config.importPolicy }} - - name: ONAP_IMPORT_POSTGRESPLUGIN - value: {{ .Values.config.importPostgres }} - - name: ONAP_IMPORT_CLAMPPLUGIN - value: {{ .Values.config.importClamp }} - - name: ONAP_IMPORT_DMAAPPLUGIN - value: {{ .Values.config.importDMaaP }} - - name: ONAP_USEDMAAPPLUGIN - value: {{ .Values.config.useDmaapPlugin | quote }} - - name: BP_RESOURCES_CPU_LIMIT - value: {{ .Values.config.bpResourcesCpuLimit }} - - name: BP_RESOURCES_MEMORY_LIMIT - value: {{ .Values.config.bpResourcesMemoryLimit }} - - name: ARTIFACT_TYPE - value: {{ .Values.config.artifactType }} - - name: CHARTMUSEUM_BASEURL - value: {{ .Values.config.registryBaseurl }} - - name: HELM_BASE_CHART_TEMPLATE_LOCATION - value: {{ .Values.config.basehelmchartlocation }} - - name: CHARTMUSEUM_AUTH_BASIC_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "registrycred" "key" "login") | indent 14 }} - - name: CHARTMUSEUM_AUTH_BASIC_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "registrycred" "key" "password") | indent 14 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - volumes: - - name: dcae-helmgen-templates - configMap: - name: {{ include "common.fullname" . }}-dcae-helmgen-templates - - name: dcae-helmgen-base - configMap: - name: {{ include "common.fullname" . }}-dcae-helmgen-base - - name: dcae-helmgen-addon-templates - configMap: - name: {{ include "common.fullname" . }}-dcae-helmgen-addons-templates \ No newline at end of file 
diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/secrets.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/secrets.yaml deleted file mode 100644 index 3c527f8cd3..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/secrets.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/service.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/service.yaml deleted file mode 100644 index 100c3d5670..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/templates/service.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml deleted file mode 100644 index 64d196d908..0000000000 --- a/kubernetes/dcaemod/components/dcaemod-runtime-api/values.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -#============LICENSE_START======================================================== -#================================================================================= -# Copyright (c) 2019-2021 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - -config: - dashboardURL: https://inventory:8080/dcae-service-types - # The dashboard credentials aren't actually used, since - # the inventory API and the dashboard pass-through to the - # inventory API don't require authentication. - # Since the password doesn't matter, we let it be - # generated by the common secret template. 
- dashboardUser: nobody - #dashboardPassword: doesntmatter - mrTopicURL: http://message-router:3904/events - importCloudify: https://www.getcloudify.org/spec/cloudify/4.5.5/types.yaml - importK8S: plugin:k8splugin?version=>=3.5.1,<4.0.0 - importPostgres: plugin:pgaas?version=1.3.0 - importClamp: plugin:clamppolicyplugin?version=1.1.1 - importDMaaP: plugin:dmaap?version=>=1.5.1,<2.0.0 - useDmaapPlugin: false - bpResourcesCpuLimit: 250m - bpResourcesMemoryLimit: 128Mi - artifactType: "HELM" - registryBaseurl: http://chart-museum:80 - basehelmchartlocation: /helm-gen/ - - -secrets: - - uid: "dashsecret" - type: basicAuth - login: '{{ .Values.config.dashboardUser }}' - password: '{{ .Values.config.dashboardPassword }}' - passwordPolicy: generate - - uid: registrycred - type: basicAuth - login: '{{ .Values.registryCred.username }}' - password: '{{ .Values.registryCred.password }}' - passwordPolicy: required - -# Below parameter should match setting in all clients -# including oom\kubernetes\platform\components\chartmuseum -# where ONAP registry is setup -registryCred: - username: onapinitializer - password: demo123456! 
- -service: - type: ClusterIP - name: dcaemod-runtime-api - ports: - - name: http - port: 9090 - -# probe configuration parameters -liveness: - initialDelaySeconds: 60 - periodSeconds: 30 - port: http - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 60 - periodSeconds: 20 - port: http - # Should have a proper readiness endpoint or script - -# dependencies -#readinessCheck: -# wait_for: -# - chart-museum - - -# application image -image: onap/org.onap.dcaegen2.platform.mod.runtime-web:1.3.3 - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 4Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dcaemod-runtime-api - roles: - - read diff --git a/kubernetes/dcaemod/resources/expected-components.json b/kubernetes/dcaemod/resources/expected-components.json deleted file mode 100644 index 7fd644c3f8..0000000000 --- a/kubernetes/dcaemod/resources/expected-components.json +++ /dev/null @@ -1,10 +0,0 @@ -[ -{{- $ctx := . }} -{{- $components := tuple "dcaemod-designtool" "dcaemod-distributor-api" "dcaemod-genprocessor" "dcaemod-nifi-registry" "dcaemod-onboarding-api" "dcaemod-runtime-api" }} -{{- range $i, $v := $components }} -{{- if index $ctx.Values . "enabled" }} -{{- if $i }},{{ end }} -{{ $v | quote | indent 2 }} -{{- end -}} -{{- end }} -] \ No newline at end of file diff --git a/kubernetes/dcaemod/templates/configmap.yaml b/kubernetes/dcaemod/templates/configmap.yaml deleted file mode 100644 index 13b374cb04..0000000000 --- a/kubernetes/dcaemod/templates/configmap.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.release" . }}-dcaemod-expected-components - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} diff --git a/kubernetes/dcaemod/values.yaml b/kubernetes/dcaemod/values.yaml deleted file mode 100644 index 57e6d32693..0000000000 --- a/kubernetes/dcaemod/values.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -# Enable all DCAE MOD components by default -dcaemod-designtool: - enabled: true -dcaemod-distributor-api: - enabled: true -dcaemod-genprocessor: - enabled: true -dcaemod-healthcheck: - enabled: true -dcaemod-nifi-registry: - enabled: true -dcaemod-onboarding-api: - enabled: true -dcaemod-runtime-api: - enabled: true \ No newline at end of file diff --git a/kubernetes/dmaap/.helmignore b/kubernetes/dmaap/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/dmaap/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/dmaap/Chart.yaml b/kubernetes/dmaap/Chart.yaml deleted file mode 100644 index 8d84a97ba2..0000000000 --- a/kubernetes/dmaap/Chart.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021-2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP DMaaP components -name: dmaap -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: message-router - version: ~12.x-0 - repository: 'file://components/message-router' - condition: message-router.enabled - - name: dmaap-bc - version: ~12.x-0 - repository: 'file://components/dmaap-bc' - condition: dmaap-bc.enabled - - name: dmaap-dr-node - version: ~12.x-0 - repository: 'file://components/dmaap-dr-node' - condition: dmaap-dr-node.enabled - - name: dmaap-dr-prov - version: ~12.x-0 - repository: 'file://components/dmaap-dr-prov' - condition: dmaap-dr-prov.enabled - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dmaap/README.md b/kubernetes/dmaap/README.md deleted file mode 100644 index 8c61b6a012..0000000000 --- a/kubernetes/dmaap/README.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Helm Chart for ONAP DMaaP Applications - -ONAP DMaaP includes the following Kubernetes services: - -1) message-router - a message bus for applications -2) dbc-api - an API to provision DMaaP resources -3) dmaap-data-router - an API to provision data feeds for consumers - -# Service Dependencies - -message-router depends on AAF -dmaap-data-router depends on AAF -dbc-api depends on AAF and Postgresql. \ No newline at end of file diff --git a/kubernetes/dmaap/components/dmaap-bc/Chart.yaml b/kubernetes/dmaap/components/dmaap-bc/Chart.yaml deleted file mode 100644 index 66f93cd90d..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/Chart.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: a Helm chart to deploy ONAP DMaaP Bus Controller (aka dmaap-bc) in Kubernetes -name: dmaap-bc -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: postgres - version: ~12.x-0 - repository: '@local' - condition: PG.enabled - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-bc/README.md b/kubernetes/dmaap/components/dmaap-bc/README.md deleted file mode 100644 index a6115477ec..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/README.md +++ /dev/null 
@@ -1,25 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Helm Chart for ONAP DMaaP Applications - -ONAP includes the following Kubernetes services available in ONAP Beijing Release (more expected in future): - -1) message-router - a message bus for applications -2) dmaap-prov - an API to provision DMaaP resources - -# Service Dependencies - -message-router depends on AAF -dmaap-prov depends on AAF and Postgresql. diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env b/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env deleted file mode 100644 index 2b2ea4183a..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# Environment settings for starting a container -DMAAPBC_WAIT_TO_EXIT=Y -DMAAPBC_KSTOREFILE=/opt/app/osaaf/local/org.onap.dmaap-bc.jks diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties deleted file mode 100644 index d464428893..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties +++ /dev/null 
@@ -1,277 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -##################################################### -# -# Hooks for specific environment configurations -# -##################################################### -# Indicator for whether to use AAF for authentication -UseAAF: {{ .Values.global.aafEnabled }} - -# Stub out southbound calls for Unit Test cases to run. e.g. not timeout -# Comment out in other environments to get default (No) -#UnitTest: Yes - - -##################################################### -# -# Settings for Southbound API: Datarouter -# -##################################################### - -# URI to retrieve dynamic DR configuration -ProvisioningURI: /internal/prov - -# indicator for handling feed delete: -# DeleteOnDR - means use the DR API to DELETE a feed. (default for backwards compatibility) -# SimulateDelete - means preserve the feed on DR (after cleaning it up), and mark as DELETED in DBCL. Better for cloudify environments. -Feed.deleteHandling: SimulateDelete - -########################################################### -# The following properties default to match ONAP DR instance. -# However, there are some non-ONAP DR instances that require other values. 
-# Sets the X-DR-ON-BEHALF-OF HTTP Header value -#DR.onBehalfHeader: -# Value for the Content-Type Header in DR Feed API -#DR.feedContentType: -# Value for the Content-Type Header in DR Subscription API -#DR.subContentType: -# -# END OF properties helpful for non-ONAP DR instance. -############################################################ - -##################################################### -# -# Settings for Soutbound API: Postgresql -# -##################################################### -# flag indicates if we are using postgresql -UsePGSQL: {{ .Values.PG.enabled }} - -# postgres host name -# Need to connect to PG primary service, designated by service.name2 -DB.host: {{ .Values.postgres.service.name2 }} - -# postgres schema name -#DB.schema: {{ .Values.postgres.config.pgDatabase }} - -# postgres user name -DB.user: ${PG_USER} - -# postgres user password -DB.cred: ${PG_PASSWORD} - - -##################################################### -# -# Settings for Soutbound API: Message Router -# -##################################################### -# indicator for multi-site (locations) deployment. Give clue to buscontroller whether -# there is a need for message replication between edge and central. -# ONAP Casablanca is a single site deployment -MR.multisite: false - -# FQDN of primary message router. -# In ONAP Casablanca, there is only 1 message router service, so use that. 
-# In a multi-site, MR cluster deployment, use the CNAME DNS entry which resolves to the primary central MR -MR.CentralCname: {{ .Values.dmaapMessageRouterService }} - -# Indicator for whether we want hostname verification on SSL connection to MR -MR.hostnameVerify: false - -# MR Client Delete Level thoroughness: -# 0 = don't delete -# 1 = delete from persistent store -# 2 = delete from persistent store (DB) and authorization store (AAF) -MR.ClientDeleteLevel: 1 - -# namespace of MR Topic Factory -MR.TopicFactoryNS: org.onap.dmaap.mr.topicFactory - -# AAF Role assigned to Topic Manager Identity -MR.TopicMgrRole: org.onap.dmaap-bc-topic-mgr.client - -# MR topic ProjectID (used in certain topic name generation formats) -MR.projectID: mr - -# Use Basic Authentication when provisioning topics -MR.authentication: basicAuth - -# MR topic name style (default is FQTN_LEGACY_FORMAT) -#MR.topicStyle: FQTN_LEGACY_FORMAT -# -# end of MR Related Properties -################################################################################ - - -##################################################### -# -# Settings for Southbound API: CADI -# -##################################################### -# path to cadi.properties -cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props - -##################################################### -# -# Settings for Southbound API: AAF proxy -# -##################################################### -# URL of the AAF server -aaf.URL: {{ .Values.aafURL }} - -# TopicMgr Identity -aaf.TopicMgrUser: {{ .Values.topicMgrUser }} - -# Password for TopicMgr identity -aaf.TopicMgrPassword: {{ .Values.topicMgrPwd }} - -# Buscontroller Admin Identity -aaf.AdminUser: {{ .Values.adminUser }} - -# Admin Password -aaf.AdminPassword: {{ .Values.adminPwd }} - -# Identity that is owner of any created namespaces for topics -aaf.NsOwnerIdentity: {{ .Values.adminUser }} - - -# this overrides the Class used for Decryption. 
-# This allows for a plugin encryption/decryption method if needed. -# Call this Class for decryption at runtime. -#AafDecryption.Class: com.company.proprietaryDecryptor - -# location of the codec keyfile used to decrypt passwords in this properties file before they are passed to AAF -# Not used in ONAP, but possibly used with Decryption override class. -#CredentialCodeKeyfile: etc/LocalKey - -# -# endof AAF Properties -#################################################### - - -##################################################### -# -# Settings for authorization of DBCAPI -# -##################################################### -# Namespace for URI values for the API used to create AAF permissions -# e.g. if ApiNamespace is X.Y.dmaapbc.api then for URI /mr_clients we create AAF perm X.Y.dmaapbc.api.mr_clients -ApiNamespace: org.onap.dmaap-bc.api - -# If API authorization is required, then implement a class to enforce it. -# This overrides the Class used for API permission check. -ApiPermission.Class: org.onap.dmaap.dbcapi.authentication.AllowAll - -##################################################### -# -# Settings for Southbound API: MirrorMaker provisioning -# -##################################################### -# AAF Role of client publishing MM prov cmds -MM.ProvRole: org.onap.dmaap-bc-mm-prov.prov - -# AAF identity when publishing MM prov cmds -MM.ProvUserMechId: dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org - -# pwd for Identity used to publish MM prov cmds -MM.ProvUserPwd: demo123456! - -# AAF Role of MirrorMaker agent subscribed to prov cmds. 
-MM.AgentRole: org.onal.dmaap-bc-mm-prov.agent - -##################################################### -# -# Certificate Management -# -##################################################### - -# Indicates how we are expecting certificates to be provided: -# cadi - a set of artifacts will be downloaded from AAF at deployment time, and details will be in a cadi properties file -# legacy (default) - artifacts will be installed manually or some other way and details will be in this file -CertificateManagement: cadi - -# When CertificateManagement is cadi, then this is where all the cadi properties will be. -# Note that the cadi properties include where the cert is, and the encrypted passwords to read. -cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props - -########################################################################################### -# When CertificateManagement is legacy, we need to provide more details about cert handling: -#CertificateManagement: legacy -# the type of keystore for https (for legacy CertificateManagment only) -#KeyStoreType: jks - -# path to the keystore file (for legacy CertificateManagment only) -#KeyStoreFile: etc/keystore - -# password for the https keystore (for legacy CertificateManagment only) -#KeyStorePassword: Y@Y5f&gm?PAz,CVQL,lk[VAF -# password for the private key in the https keystore (for legacy CertificateManagment only) -#KeyPassword: changeit - -# type of truststore for https (for legacy CertificateManagment only) -#TrustStoreType: jks - -# path to the truststore for https (for legacy CertificateManagment only) -#TrustStoreFile: etc/org.onap.dmaap-bc.trust.jks - -# password for the https truststore (for legacy CertificateManagment only) -#TrustStorePassword: changeit -# -# END OF legacy CertificateManagement properties -########################################################################################### - - -##################################################### -# -# HTTP Server Configuration -# 
-##################################################### - -# Allow http access to dbcapi -HttpAllowed: true - -# listen to http port within this container (server) -IntHttpPort: 8080 - -# listen to https port within this container (server) -# set to 0 if no certificates are available. -IntHttpsPort: 8443 - - - -inHttpsPort: 0 - -##################################################### -# -# Deprecated -# -##################################################### -# csit: stubs out some southbound APIs for csit (deprecated) -#csit: No -# name of this DMaaP instance (deprecated) -#DmaapName: demo -# external port number for https taking port mapping into account (deprecated) -#ExtHttpsPort: 443 -# path to the file used to trigger an orderly shutdown (deprecated) -#QuiesceFile: etc/SHUTDOWN -# FQDN of DR Prov Server (deprecated) -#DR.provhost: dcae-drps.domain.not.set -# root of topic namespace (decrecated) -#topicNsRoot: org.onap.dcae.dmaap diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dcaeLocations/san-francisco.json b/kubernetes/dmaap/components/dmaap-bc/resources/dcaeLocations/san-francisco.json deleted file mode 100644 index ca1e740dd8..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/dcaeLocations/san-francisco.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - - "dcaeLayer": "kubernetes-central", - "dcaeLocationName": "san-francisco" -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dmaap/onap.json b/kubernetes/dmaap/components/dmaap-bc/resources/dmaap/onap.json deleted file mode 100644 index 23b111c8f3..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/dmaap/onap.json +++ /dev/null @@ -1,11 +0,0 @@ -{ -{{ if eq .Values.fixedTopicNamespace true }} - "dmaapName": "mr", -{{- else -}} - "dmaapName": "{{ include "common.namespace" . }}", -{{- end}} - "drProvUrl": "https://dmaap-dr-prov", - "version": "1", - "topicNsRoot": "org.onap.dmaap", - "bridgeAdminTopic": "DCAE_MM_AGENT" -} 
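Review bot: the deleted dmaap-bc properties file above (the hunk that ends at `#topicNsRoot`) carried a literal `MM.ProvUserPwd` value and a commented-out `#KeyStorePassword` value, and deleting the file does not retire either one, because both remain readable in repository history. They should be treated as disclosed and rotated wherever a deployment was built from this chart. The same file set `MR.hostnameVerify: false`, pointed `ApiPermission.Class` at the `AllowAll` class and set `HttpAllowed: true`. If another component takes over this role, none of those three should be carried across as defaults. The commit message should say that the removal is intentional and name what replaces the bus controller.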
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml b/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml deleted file mode 100644 index 7ef2dcdb8f..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/central.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{ - "dcaeLocationName" : "san-francisco", - "fqdn" : "dmaap-dr-node.san-francisco", - "hostName" : "dmaap-dr-node.pod", - "version" : "1.0.1" -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml b/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml deleted file mode 100644 index 272cd75e52..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/dr_nodes/edge.yaml +++ /dev/null @@ -1,6 +0,0 @@ -{ - "dcaeLocationName" : "edge1", - "fqdn" : "dmaap-dr-node.edge1", - "hostName" : "dmaap-dr-node.pod.edge1", - "version" : "1.0.1" -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README b/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README deleted file mode 100644 index 4f5eac5ba1..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/feeds/README +++ /dev/null @@ -1,3 +0,0 @@ -# -# Intent of this directory is for it to contain a file for each feed that needs to be provisioned in DR. -# So, app teams can add files to this directory as needed without impacting each other's code. diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/mr_clusters/san-francisco.json b/kubernetes/dmaap/components/dmaap-bc/resources/mr_clusters/san-francisco.json deleted file mode 100644 index 9e732d2af8..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/mr_clusters/san-francisco.json +++ /dev/null @@ -1,6 +0,0 @@ -{ - "dcaeLocationName": "san-francisco", - "fqdn": "message-router", - "topicProtocol": "http", - "topicPort": "3904" -} 
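Review bot: the two deleted `dr_nodes` files (`central.yaml` and `edge.yaml`) hold JSON bodies under a `.yaml` name, while the `-dr-nodes` ConfigMap in the deleted `templates/configmap.yaml` globs `resources/dr_nodes/*.json`, so that ConfigMap does not appear to have picked them up. Please confirm that nothing else read these files under the `.yaml` name. If nothing did, the node definitions were already dead configuration and their removal changes no rendered output, which is worth one line in the commit message.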
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json deleted file mode 100644 index 34197b948e..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_READY.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "topicName": "PNF_READY", - "topicDescription": "This topic will be used to publish the PNF_READY events generated by the PNF REgistration Handler service in the DCAE platform.", - "owner": "PNFRegistrationHandler", - "tnxEnabled": false, - "clients": [ - { - "dcaeLocationName": "san-francisco", - "clientRole": "org.onap.dmaap.mr.PNF_READY.pub", - "action": [ - "pub", - "view" - ] - - } - ] -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json deleted file mode 100644 index e7325794a1..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/PNF_REGISTRATION.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "topicName": "PNF_REGISTRATION", - "topicDescription": "the VES collector will be publishing pnfRegistration events in this topic", - "owner": "VEScollector", - "tnxEnabled": false, - "clients": [ - { - "dcaeLocationName": "san-francisco", - "clientRole": "org.onap.dmaap.mr.PNF_REGISTRATION.sub", - "action": [ - "sub", - "view" - ] - - } - ] -} diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/README b/kubernetes/dmaap/components/dmaap-bc/resources/topics/README deleted file mode 100644 index fbb88b97e6..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/README +++ /dev/null @@ -1,3 +0,0 @@ -# -# Intent of this directory is for it to contain a file for each topic that needs to be provisioned in MR. -# So, app teams can add files to this directory as needed without impacting each other's code. 
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json b/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json deleted file mode 100644 index fb2c54ed4b..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/resources/topics/mirrormakeragent.json +++ /dev/null @@ -1,37 +0,0 @@ -{ - "topicName": "mirrormakeragent", - "topicDescription": "the topic used to provision the MM agent whitelist", - "replicationCase": "REPLICATION_NONE", - "owner": "dmaap", - "tnxEnabled": false, - "partitionCount": "1", - "clients": [ - { - "dcaeLocationName": "san-francisco", - "clientIdentity": "dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org", - "action": [ - "pub", - "sub", - "view" - ] - }, - { - "dcaeLocationName": "san-francisco", - "clientIdentity": "dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org", - "action": [ - "pub", - "sub", - "view" - ] - }, - { - "dcaeLocationName": "san-francisco", - "clientIdentity": "demo@people.osaaf.org", - "action": [ - "pub", - "sub", - "view" - ] - } - ] -} \ No newline at end of file diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/NOTES.txt b/kubernetes/dmaap/components/dmaap-bc/templates/NOTES.txt deleted file mode 100644 index 050853cfa2..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}-prov) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml deleted file mode 100644 index b7c52df169..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/configmap.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -{{/* -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-dmaap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dmaap/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-dcaelocations - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dcaeLocations/*.json").AsConfig . 
| indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dr-nodes - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_nodes/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-feeds - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/feeds/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-mr-clusters - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/mr_clusters/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-topics - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/topics/*.json").AsConfig . | indent 2 }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml deleted file mode 100644 index a0c315426c..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml +++ /dev/null 
@@ -1,137 +0,0 @@ -{{/* -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim}} -{{- if .Values.PG.enabled }} - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - - name: PG_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: {{ include "common.name" . }}-config-input - - mountPath: /config - name: {{ include "common.name" . }}-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | nindent 6 }} -{{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . 
}}-permission-fixer - securityContext: - runAsUser: 0 - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - command: ["chown","-Rf","1000:1001", "/opt/app/"] -# See AAF-425 for explanation of why this is needed. -# This artifact is provisioned in AAF for both pks12 and jks format and apparently -# the cadi library is not using the jks password on the jks keystore. -# So, this attempts to "fix" the credential property file until this is fixed properly. - - name: {{ include "common.name" . }}-cred-fixer - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - command: ["/bin/sh"] - args: [ "-c", "sed -i -e '/cadi_keystore_password=/d' -e '/cadi_keystore_password_jks/p' -e 's/cadi_keystore_password_jks/cadi_keystore_password/' -e 's/dmaap-bc.p12/dmaap-bc.jks/' /opt/app/osaaf/local/org.onap.dmaap-bc.cred.props" ] -{{- end }} - - name: {{ include "common.name" . }}-postgres-readiness - securityContext: - runAsUser: 100 - runAsGroup: 65533 - command: - - /app/ready.py - args: - - --container-name - - {{ .Values.postgres.nameOverride }} - - --container-name - - message-router - - --container-name - - dmaap-dr-node - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- end }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . 
| nindent 10 }} - {{ if eq .Values.liveness.enabled true -}} - livenessProbe: - httpGet: - port: {{ .Values.liveness.port }} - path: /webapi/topics - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - httpGet: - port: {{ .Values.readiness.port }} - path: /webapi/topics - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true -# NOTE: on the following several configMaps, careful to include / at end -# since there may be more than one file in each mountPath - - name: {{ include "common.name" . }}-config - mountPath: /opt/app/config/conf/ - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.name" . }}-config-input - configMap: - name: {{ include "common.fullname" . }}-config - - name: {{ include "common.name" . }}-config - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml deleted file mode 100644 index ab6f573a34..0000000000 
--- a/kubernetes/dmaap/components/dmaap-bc/templates/dmaap-provisioning-job.yaml +++ /dev/null 
@@ -1,93 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-dmaap-provisioning - namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} -spec: - backoffLimit: 20 - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dmaap-bc - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: dmaap-provisioning-job - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.clientImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DELAY - value: "0" - {{- if or (include "common.onServiceMesh" .) .Values.global.allow_http }} - - name: PROTO - value: "http" - - name: PORT - value: "8080" - {{ end }} - - name: REQUESTID - value: "{{.Chart.Name}}-dmaap-provisioning" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true -# NOTE: on the following several configMaps, careful to include / at end -# since there may be more than one file in each mountPath -# NOTE: the basename of the subdirectory of mountPath is important - it matches the DBCL API URI - - name: {{ include "common.fullname" . }}-dbc-dmaap - mountPath: /opt/app/config/dmaap/ - - name: {{ include "common.fullname" . }}-dbc-dcaelocations - mountPath: /opt/app/config/dcaeLocations/ - - name: {{ include "common.fullname" . }}-dr-nodes - mountPath: /opt/app/config/dr_nodes/ - - name: {{ include "common.fullname" . }}-feeds - mountPath: /opt/app/config/feeds/ - - name: {{ include "common.fullname" . 
}}-mr-clusters - mountPath: /opt/app/config/mr_clusters/ - - name: {{ include "common.fullname" . }}-topics - mountPath: /opt/app/config/topics/ - resources: {{ include "common.resources" . | nindent 10 }} - {{ include "common.waitForJobContainer" . | indent 6 | trim }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-dbc-dmaap - configMap: - name: {{ include "common.fullname" . }}-dbc-dmaap - - name: {{ include "common.fullname" . }}-dbc-dcaelocations - configMap: - name: {{ include "common.fullname" . }}-dbc-dcaelocations - - name: {{ include "common.fullname" . }}-dr-nodes - configMap: - name: {{ include "common.fullname" . }}-dr-nodes - - name: {{ include "common.fullname" . }}-feeds - configMap: - name: {{ include "common.fullname" . }}-feeds - - name: {{ include "common.fullname" . }}-mr-clusters - configMap: - name: {{ include "common.fullname" . }}-mr-clusters - - name: {{ include "common.fullname" . }}-topics - configMap: - name: {{ include "common.fullname" . }}-topics - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/ingress.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml deleted file mode 100644 index 7074e4de9a..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/secrets.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ - -# Modifications Copyright © 2019 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/service.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/service.yaml deleted file mode 100644 index e658a712a0..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/templates/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/dmaap/components/dmaap-bc/values.yaml b/kubernetes/dmaap/components/dmaap-bc/values.yaml deleted file mode 100644 index 911fee85f4..0000000000 --- a/kubernetes/dmaap/components/dmaap-bc/values.yaml +++ /dev/null 
@@ -1,182 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -secrets: - - uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-dmaap-bc-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "dmaap-bc-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootpassword }}' - policy: generate - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-dmaap-bc-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "dmaap-bc-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - -################################################################# -# Application configuration defaults. 
-################################################################# -pullPolicy: Always - -# application images -image: onap/dmaap/dmaap-bc:2.0.10 - - -# application configuration -dmaapMessageRouterService: message-router - -# change the following value to point to Windriver instance maintained -# by AAF team. -# e.g. -#aafURL: https://aaf-onap-test.osaaf.org:8095/proxy/ -aafURL: https://aaf-service:8100/ -aafLocateUrl: https://aaf-locate:8095 -topicMgrUser: dmaap-bc@dmaap-bc.onap.org -topicMgrPwd: demo123456! -adminUser: aaf_admin@people.osaaf.org -adminPwd: demo123456! - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-bc-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: dmaap-bc - fqi: dmaap-bc@dmaap-bc.onap.org - publicFqdn: dmaap-bc.onap.org - cadiLatitude: 0.0 - cadiLongitude: 0.0 - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - -persistence: - aafCredsPath: /opt/app/osaaf/local/ - -# for Casablanca default deployment, leave this true to -# get a topic namespace that matches MR. 
When set to false, -# it will compose the topic namespace using the kubernetes namespace value -fixedTopicNamespace: true - -# for quicker deployments in dev, ability to disable using postgres -PG: - enabled: true - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - port: api - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - port: api - - -service: - type: NodePort - name: dmaap-bc - ports: - - name: api - port: 8443 - plain_port: 8080 - port_protocol: http - nodePort: 42 - - -# application configuration override for postgres -postgres: - nameOverride: dbc-pg - service: - name: dbc-postgres - name2: dbc-pg-primary - name3: dbc-pg-replica - container: - name: - primary: dbc-pg-primary - replica: dbc-pg-replica - config: - pgUserName: dmaap_admin - pgDatabase: dmaap - pgUserExternalSecret: *pgUserCredsSecretName - pgRootPasswordExternalSecret: *pgRootPassSecretName - persistence: - mountSubPath: dbc/data - mountInitPath: dbc - -ingress: - enabled: false - service: - - baseaddr: "dmaap-bc-api" - name: "dmaap-bc" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small - -securityContext: - user_id: 1000 - group_id: 101 - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 1Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dmaap-bc - roles: - - read - -wait_for_job_container: - containers: - - 'dmaap-provisioning-job' - 
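Review bot: in the deleted `values.yaml`, `topicMgrPwd`, `adminPwd` and `aafDeployPass` are all set to one shared literal default, so three separate identities (topic manager, AAF admin and cert deployer) had the same password out of the box. Removing the chart takes the defaults out of the tree only. Before merge, search the parent chart and any override files for remaining references to those three keys, and rotate the value in any environment installed without overriding it. The `service` block also published the API as `type: NodePort`, so check that no ingress or firewall rule for that port is left behind.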
diff --git a/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml b/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml deleted file mode 100644 index c0a3039b3a..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/Chart.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP DMaaP Data Router Node Server -name: dmaap-dr-node -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 6292be2d9d..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2019 The Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -# dmaap-dr-node filebeat.yml -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.global.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.global.logstashPort}}"] - #If enable will do load balancing among available Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml deleted file mode 100644 index 8b8c16c287..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/logback.xml +++ /dev/null 
@@ -1,223 +0,0 @@ - - - - - - - - - - - - - - - - - - - ${defaultPattern} - - - - - - - - - - - - ${logDirectory}/${auditLog}.log - - - - ${logDirectory}/${auditLog}.%i.log.zip - - 1 - 9 - - - 50MB - - - ${defaultPattern} - - - - - 256 - - - - - - - ${logDirectory}/${metricsLog}.log - - - - ${logDirectory}/${metricsLog}.%i.log.zip - - 1 - 9 - - - 50MB - - - ${defaultPattern} - - - - - 256 - - - - - - - - ${logDirectory}/${debugLog}.log - - - - ${logDirectory}/${debugLog}.%i.log.zip - - 1 - 9 - - - 50MB - - - ${defaultPattern} - - - - - 256 - - - - - - - ${logDirectory}/${errorLog}.log - - - - ${logDirectory}/${errorLog}.%i.log.zip - - 1 - 9 - - - 50MB - - - ${defaultPattern} - - - - - 256 - - - - - - ${logDirectory}/${jettyLog}.log - - - ${logDirectory}/${jettyLog}.%i.log.zip - - 1 - 9 - - - 50MB - - - ${defaultPattern} - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties b/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties deleted file mode 100644 index 20030a79c8..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/resources/config/node.properties +++ /dev/null 
@@ -1,106 +0,0 @@ -{{/* -#------------------------------------------------------------------------------- -# ============LICENSE_START================================================== -# * org.onap.dmaap -# * =========================================================================== -# * Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# * =========================================================================== -# * Licensed under the Apache License, Version 2.0 (the "License"); -# * you may not use this file except in compliance with the License. -# * You may obtain a copy of the License at -# * -# * http://www.apache.org/licenses/LICENSE-2.0 -# * -# * Unless required by applicable law or agreed to in writing, software -# * distributed under the License is distributed on an "AS IS" BASIS, -# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# * See the License for the specific language governing permissions and -# * limitations under the License. -# * ============LICENSE_END==================================================== -# * -# * ECOMP is a trademark and service mark of AT&T Intellectual Property. -# * -#------------------------------------------------------------------------------- -# -# Configuration parameters fixed at startup for the DataRouter node -# -# URL to retrieve dynamic configuration -# -#ProvisioningURL: ${DRTR_PROV_INTURL} -*/}} -ProvisioningURL=https://{{ .Values.global.dmaapDrProvName }}:{{ .Values.global.dmaapDrProvExtPort2 }}/internal/prov - -# -# URL to upload PUB/DEL/EXP logs -# -#LogUploadURL: ${DRTR_LOG_URL} -LogUploadURL=https://{{ .Values.global.dmaapDrProvName }}:{{ .Values.global.dmaapDrProvExtPort2 }}/internal/logs - -# -# The port number for http as seen within the server -# -#IntHttpPort: ${DRTR_NODE_INTHTTPPORT:-8080} -IntHttpPort={{ include "common.getPort" (dict "global" . 
"name" "api" "getPlain" true) }} -# -# The port number for https as seen within the server -# -IntHttpsPort={{ include "common.getPort" (dict "global" . "name" "api") }} -# -# The external port number for https taking port mapping into account -# -ExtHttpsPort=443 -# -# The minimum interval between fetches of the dynamic configuration -# from the provisioning server -# -MinProvFetchInterval=10000 -# -# The minimum interval between saves of the redirection data file -# -MinRedirSaveInterval=10000 -# -# The path to the directory where log files are stored -# -LogDir={{ .Values.persistence.event.path }} -# -# The retention interval (in days) for log files -# -LogRetention=30 -# -# The path to the directories where data and meta data files are stored -# -SpoolDir={{ .Values.persistence.spool.path }} -# -# The path to the redirection data file -# -RedirectionFile = etc/redirections.dat -# -# The type of keystore for https -KeyStoreType = PKCS12 -# -# The type of truststore for https -TrustStoreType = jks -# -# The path to the file used to trigger an orderly shutdown -QuiesceFile = etc/SHUTDOWN -# -# The key used to generate passwords for node to node transfers -NodeAuthKey = Node123! -# -# DR_NODE DEFAULT ENABLED TLS PROTOCOLS -NodeHttpsProtocols = TLSv1.1|TLSv1.2 -# -# AAF type to generate permission string -AAFType = org.onap.dmaap-dr.feed -# -# AAF default instance to generate permission string - default should be legacy -AAFInstance = legacy -# -# AAF action to generate permission string - default should be publish -AAFAction = publish -# -# AAF CADI enabled flag -CadiEnabled = false -# -# AAF Props file path -AAFPropsFilePath = {{ .Values.certInitializer.credsPath }}/org.onap.dmaap-dr.props diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt b/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt deleted file mode 100644 index 62aeffbe80..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{.Values.config.dmaapDrNode.externalPort}} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ include "common.getPort" (dict "global" . "name" "api" "getPlain" true) }} -{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml deleted file mode 100644 index 597da1734c..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/configmap.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-log - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-drnodes - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_nodes/*.json").AsConfig . | indent 2 }} ---- -{{ include "common.log.configMap" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 
--- a/kubernetes/dmaap/components/dmaap-dr-node/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml deleted file mode 100644 index 9a3f011e80..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/secret.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml b/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml deleted file mode 100644 index 69f6fc1d6e..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/templates/statefulset.yaml +++ /dev/null 
@@ -1,127 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim}} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 8 }} - - name: {{ include "common.name" . }}-readiness - securityContext: - runAsUser: 100 - runAsGroup: 65533 - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - dmaap-dr-prov - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-permission-fixer - securityContext: - runAsUser: 0 - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: {{ .Values.persistence.spool.path }} - name: {{ include "common.fullname" . 
}}-spool - - mountPath: {{ .Values.persistence.event.path }} - name: {{ include "common.fullname" . }}-event-logs - command: ["chown","-Rf","1000:1001", "/opt/app/"] - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 12 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{.Values.liveness.port}} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{.Values.readiness.port}} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: {{ .Values.persistence.spool.path }} - name: {{ include "common.fullname" . }}-spool - - mountPath: {{ .Values.persistence.event.path }} - name: {{ include "common.fullname" . }}-event-logs - - mountPath: /etc/localtime - name: localtime - readOnly: false - - mountPath: /opt/app/datartr/etc/node.properties - name: {{ include "common.fullname" . }}-config - subPath: node.properties - - mountPath: /opt/app/datartr/etc/logback.xml - name: {{ include "common.fullname" . }}-log-conf - subPath: logback.xml - - mountPath: {{ .Values.global.loggingDirectory }} - name: logs - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 10 }} - {{- end }} - # Filebeat sidecar container - {{ include "common.log.sidecar" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . 
}}-docker-registry-key" - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-configmap - items: - - key: node.properties - path: node.properties - - name: {{ include "common.fullname" . }}-log-conf - configMap: - name: {{ include "common.fullname" . }}-log - {{ include "common.log.volumes" . | nindent 8 }} - - name: logs - emptyDir: {} - {{- if not .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-event-logs - emptyDir: {} - - name: {{ include "common.fullname" . }}-spool - emptyDir: {} - {{- end }} -{{- if .Values.persistence.enabled }} - volumeClaimTemplates: - - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "spool" "persistenceInfos" .Values.persistence.spool) | indent 4 | trim }} - - {{ include "common.PVCTemplate" (dict "dot" . "suffix" "event-logs" "persistenceInfos" .Values.persistence.event) | indent 4 | trim }} -{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml b/kubernetes/dmaap/components/dmaap-dr-node/values.yaml deleted file mode 100644 index 6da3cda668..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-node/values.yaml +++ /dev/null 
@@ -1,169 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - loggingDirectory: /var/log/onap/datarouter - persistence: {} - aafEnabled: true - centralizedLoggingEnabled: true - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-dr-node-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: dmaap-dr-node - fqi: dmaap-dr-node@dmaap-dr.onap.org - public_fqdn: dmaap-dr.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: > - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/dmaap/datarouter-node:2.1.11 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration - see parent values chart - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - port: api - -readiness: - initialDelaySeconds: 30 - periodSeconds: 10 - port: api - -## Persist data to a persitent volume -persistence: - enabled: true - mountPath: /dockerdata-nfs - spool: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountSubPath: data-router/dr-node/spool-data - size: 2Gi - path: /opt/app/datartr/spool - labels: - app.kubernetes.io/component: spool - - event: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountSubPath: data-router/dr-node/event-logs - path: /opt/app/datartr/logs - size: 2Gi - labels: - app.kubernetes.io/component: event-logs - -################################################################# -# Secrets metaconfig -################################################################# -secrets: {} - -ingress: - enabled: false - service: - - baseaddr: "dmaap-dr-node-api" - name: "dmaap-dr-node" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small - -securityContext: - user_id: 1000 - group_id: 1000 - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2000m - memory: 4Gi - requests: - cpu: 500m - memory: 1Gi - large: - limits: - cpu: 4000m - memory: 8Gi - requests: - cpu: 1000m - memory: 2Gi - unlimited: {} - -service: - type: NodePort - name: dmaap-dr-node - 
useNodePortExt: true - both_tls_and_plain: true - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" - ports: - - name: api - port: 8443 - plain_port: 8080 - port_protocol: http - nodePort: 94 - -config: - # dr node server configuration - dmaapDrNode: - # dr uses the EELF Logging framework https://github.com/att/EELF - # and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF - logLevel: "INFO" - -#Pods Service Account -serviceAccount: - nameOverride: dmaap-dr-node - roles: - - read - -#Log configuration -log: - path: /var/log/onap diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml deleted file mode 100644 index 15c6e8b25b..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/Chart.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP DMaaP Data Router Provisioning Server -name: dmaap-dr-prov -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: mariadb-galera - version: ~12.x-0 - repository: '@local' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/log/filebeat/filebeat.yml b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index c8a173c531..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2019 The Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -# dmaap-dr-prov filebeat.yml -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - - /opt/app/datartr/logs/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.global.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.global.logstashPort}}"] - #If enable will do load balancing among available Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml deleted file mode 100644 index 73446ee3ec..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/logback.xml +++ /dev/null 
@@ -1,408 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${defaultPattern} - - - - - - - - - - - - ${logDirectory}/${generalLogName}.log - - INFO - ACCEPT - DENY - - - ${logDirectory}/${generalLogName}.%i.log.zip - - 1 - 9 - - - 50MB - - - ${defaultPattern} - - - - - 256 - - - - - - - - - - - - - - - - - - - - - - - - - - - ${logDirectory}/${errorLogName}.log - - ERROR - ACCEPT - DENY - - - ${logDirectory}/${errorLogName}.%i.log.zip - - 1 - 9 - - - 50MB - - - ${defaultPattern} - - - - - 256 - - - - - - ${logDirectory}/${jettyLogName}.log - - - ${logDirectory}/${jettyLogName}.%i.log.zip - - 1 - 9 - - - 50MB - - - ${jettyLoggerPattern} - - - - - 256 - - true - - - - - - - ${logDirectory}/${debugLogName}.log - - - ${logDirectory}/${debugLogName}.%i.log.zip - - 1 - 9 - - - 50MB - - - ${defaultPattern} - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties b/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties deleted file mode 100644 index 18ab41982a..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/resources/config/provserver.properties +++ /dev/null 
@@ -1,59 +0,0 @@ -{{/* -#------------------------------------------------------------------------------- -# ============LICENSE_START================================================== -# * org.onap.dmaap -# * =========================================================================== -# * Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# * =========================================================================== -# * Licensed under the Apache License, Version 2.0 (the "License"); -# * you may not use this file except in compliance with the License. -# * You may obtain a copy of the License at -# * -# * http://www.apache.org/licenses/LICENSE-2.0 -# * -# * Unless required by applicable law or agreed to in writing, software -# * distributed under the License is distributed on an "AS IS" BASIS, -# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# * See the License for the specific language governing permissions and -# * limitations under the License. -# * ============LICENSE_END==================================================== -# * -# * ECOMP is a trademark and service mark of AT&T Intellectual Property. 
-# * -#------------------------------------------------------------------------------- -*/}} - - -#Jetty Server properties -org.onap.dmaap.datarouter.provserver.http.port = {{.Values.config.dmaapDrProv.internalPort}} -org.onap.dmaap.datarouter.provserver.https.port = {{.Values.config.dmaapDrProv.internalPort2}} -org.onap.dmaap.datarouter.provserver.https.relaxation = true - -org.onap.dmaap.datarouter.provserver.aafprops.path = /opt/app/osaaf/local/org.onap.dmaap-dr.props - -org.onap.dmaap.datarouter.provserver.accesslog.dir = /opt/app/datartr/logs -org.onap.dmaap.datarouter.provserver.spooldir = /opt/app/datartr/spool -org.onap.dmaap.datarouter.provserver.dbscripts = /opt/app/datartr/etc/misc -org.onap.dmaap.datarouter.provserver.logretention = 30 - -#DMAAP-597 (Tech Dept) REST request source IP auth -# relaxation to accommodate OOM kubernetes deploy -org.onap.dmaap.datarouter.provserver.isaddressauthenabled = false - -# Database access -org.onap.dmaap.datarouter.db.driver = org.mariadb.jdbc.Driver -org.onap.dmaap.datarouter.db.url = jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{index .Values "mariadb-galera" "db" "name"}} -org.onap.dmaap.datarouter.db.login = ${DB_USERNAME} -org.onap.dmaap.datarouter.db.password = ${DB_PASSWORD} - -# PROV - DEFAULT ENABLED TLS PROTOCOLS -org.onap.dmaap.datarouter.provserver.https.include.protocols = TLSv1.1|TLSv1.2 - -# AAF config -org.onap.dmaap.datarouter.provserver.cadi.enabled = false - -org.onap.dmaap.datarouter.provserver.aaf.feed.type = org.onap.dmaap-dr.feed -org.onap.dmaap.datarouter.provserver.aaf.sub.type = org.onap.dmaap-dr.sub -org.onap.dmaap.datarouter.provserver.aaf.instance = legacy -org.onap.dmaap.datarouter.provserver.aaf.action.publish = publish -org.onap.dmaap.datarouter.provserver.aaf.action.subscribe = subscribe 
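Review bot: the removed provserver.properties ran the provisioning server with `https.include.protocols = TLSv1.1|TLSv1.2`, `isaddressauthenabled = false` (commented as a relaxation for the OOM deploy) and `cadi.enabled = false`, and nothing visible here says what takes over from dmaap-dr-prov once the file is gone. Please confirm that no override file or downstream chart still carries copies of these settings, in particular TLSv1.1 and the disabled source-IP check, and state in the change description that the component is being removed and what replaces it, if anything.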
diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/NOTES.txt b/kubernetes/dmaap/components/dmaap-dr-prov/templates/NOTES.txt deleted file mode 100644 index 8d29cf9e66..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.config.dmaapDrProv.servicetype }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.config.dmaapDrProv.servicetype }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{.Values.config.dmaapDrProv.externalPort}} -{{- else if contains "ClusterIP" .Values.config.dmaapDrProv.servicetype }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{.Values.config.dmaapDrProv.internalPort}} -{{- end }} diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml deleted file mode 100644 index 9031cce423..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/configmap.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-log - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -{{ include "common.log.configMap" . }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-feeds - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/feeds/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-drpubs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . 
}} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_pubs/*.json").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-dbc-drsubs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/dr_subs/*.json").AsConfig . | indent 2 }} diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml deleted file mode 100644 index 325ca9f2a7..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/deployment.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - {{ include "common.podSecurityContext" . | indent 6 | trim}} - hostname: {{ .Values.global.dmaapDrProvName }} - initContainers: - - name: {{ include "common.name" . }}-readiness - securityContext: - runAsUser: 100 - runAsGroup: 65533 - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-dmaap-dr-mariadb-init-config-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- if .Values.global.aafEnabled }} - - {{ include "common.certInitializer.initContainer" . | nindent 8 }} - - - name: {{ include "common.name" . 
}}-permission-fixer - securityContext: - runAsUser: 0 - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - command: ["chown","-Rf","1000:1001", "/opt/app/"] - - {{ end }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.config.dmaapDrProv.internalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.config.dmaapDrProv.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.config.dmaapDrProv.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: DB_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-dr-db-user-credentials" "key" "login") | indent 12 }} - - name: DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-dr-db-user-credentials" "key" "password") | indent 12 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: false - - mountPath: /opt/app/datartr/etc/provserver.properties - name: {{ include "common.fullname" . }}-config - subPath: provserver.properties - - mountPath: /opt/app/datartr/etc/logback.xml - name: {{ include "common.fullname" . }}-log-conf - subPath: logback.xml - - mountPath: {{ .Values.global.loggingDirectory }} - name: logs - resources: -{{ include "common.resources" . 
}} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - # Filebeat sidecar container - {{ include "common.log.sidecar" . | nindent 8 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-configmap - items: - - key: provserver.properties - path: provserver.properties - - name: {{ include "common.fullname" . }}-log-conf - configMap: - name: {{ include "common.fullname" . }}-log - {{ include "common.log.volumes" . | nindent 6 }} - - name: logs - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml deleted file mode 100644 index 1a0143f9ae..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/templates/service.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ default "dmaap-dr-prov" .Values.global.dmaapDrProvName }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" - msb.onap.org/service-info: '[ - { - "serviceName": "{{ .Values.global.dmaapDrProvName }}", - "version": "v1", - "url": "/", - "protocol": "REST", - "port": "{{ .Values.global.dmaapDrProvExtPort2 }}", - "visualRange":"1" - } - ]' - -spec: - type: {{ .Values.config.dmaapDrProv.servicetype }} - ports: - {{- if eq .Values.config.dmaapDrProv.servicetype "NodePort" -}} - {{- if .Values.global.allow_http }} - - port: {{ .Values.global.dmaapDrProvExtPort }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.config.dmaapDrProv.nodePort }} - name: {{ .Values.config.dmaapDrProv.portName }} - {{- end}} - - port: {{ .Values.global.dmaapDrProvExtPort2 }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.config.dmaapDrProv.nodePort2 }} - name: 
{{ .Values.config.dmaapDrProv.portName }}2 - {{- else -}} - - port: {{ .Values.global.dmaapDrProvExtPort }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort }} - name: {{ .Values.config.dmaapDrProv.portName }} - - port: {{ .Values.global.dmaapDrProvExtPort2 }} - targetPort: {{ .Values.config.dmaapDrProv.internalPort2 }} - name: {{ .Values.config.dmaapDrProv.portName }}2 - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml b/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml deleted file mode 100644 index 59b0765f28..0000000000 --- a/kubernetes/dmaap/components/dmaap-dr-prov/values.yaml +++ /dev/null 
@@ -1,177 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - loggingDirectory: /opt/app/datartr/logs - persistence: {} - centralizedLoggingEnabled: true - mariadbGalera: &mariadbGalera - #This flag allows DMAAP-DR to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - name: &dbUserSecretName '{{ include "common.release" . }}-dmaap-dr-db-user-credentials' - uid: 'dmaap-dr-db-user-credentials' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) (hasSuffix "dmaap-dr-db-user-credentials" (index .Values "mariadb-galera" "db" "externalSecret"))}}' - login: '{{ index .Values "mariadb-galera" "db" "user" }}' - password: '{{ index .Values "mariadb-galera" "db" "password" }}' - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/dmaap/datarouter-prov:2.1.11 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration - see parent values chart - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 30 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - mountPath: /dockerdata-nfs - -ingress: - enabled: false - service: - - baseaddr: "dmaap-dr-prov-api" - name: "dmaap-dr-prov" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" - -config: - # dr provisioning server configuration - dmaapDrProv: - servicetype: NodePort - internalPort: 8080 - internalPort2: 8443 - portName: dr-prov-port - portName2: dr-prov-port2 - nodePort: 59 - nodePort2: 69 - # dr uses the EELF Logging framework https://github.com/att/EELF - # and supports the following log levels: TRACE, DEBUG, INFO, WARN, ERROR, OFF - logLevel: "INFO" - -# mariadb-galera configuration -mariadb-galera: - nameOverride: &dbServer dmaap-dr-db - replicaCount: 1 - db: - name: &mysqlDbName datarouter - user: datarouter - # password: - externalSecret: *dbUserSecretName - service: - name: *dbServer - nfsprovisionerPrefix: dmaap-dr-db - persistence: - size: 1Gi - mountSubPath: data-router/dr-db-data - serviceAccount: - nameOverride: *dbServer - -mariadb-init: - config: - userCredentialsExternalSecret: *dbUserSecretName - mysqlDatabase: *mysqlDbName - nameOverride: dmaap-dr-mariadb-init - -################################################################# -# AAF part 
-################################################################# -certInitializer: - nameOverride: dmaap-dr-prov-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! -# aafDeployCredsExternalSecret: some secret - fqdn: dmaap-dr-prov - fqi: dmaap-dr-prov@dmaap-dr.onap.org - publicFqdn: dmaap-dr.onap.org - cadiLatitude: 0.0 - cadiLongitude: 0.0 - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - - -# Resource Limit flavor -By Default using small -flavor: small - -securityContext: - user_id: 1000 - group_id: 1000 - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2000m - memory: 4Gi - requests: - cpu: 500m - memory: 1Gi - large: - limits: - cpu: 4000m - memory: 8Gi - requests: - cpu: 1000m - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: dmaap-dr-prov - roles: - - read - -#Log configuration -log: - path: /var/log/onap diff --git a/kubernetes/dmaap/components/message-router/Chart.yaml b/kubernetes/dmaap/components/message-router/Chart.yaml deleted file mode 100644 index ba7beaf7f7..0000000000 --- a/kubernetes/dmaap/components/message-router/Chart.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Message Router -name: message-router -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/dmaap/components/message-router/Makefile b/kubernetes/dmaap/components/message-router/Makefile deleted file mode 100644 index ef273d0e9b..0000000000 --- a/kubernetes/dmaap/components/message-router/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) package -d $(PACKAGE_DIR) $*; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties deleted file mode 100755 index a9b0a012a4..0000000000 
--- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/MsgRtrApi.properties +++ /dev/null 
@@ -1,151 +0,0 @@ -{{/* -# LICENSE_START======================================================= -# org.onap.dmaap -# ================================================================================ -# Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2021-2022 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. -# -############################################################################### -############################################################################### -*/}} -## -## Kafka Connection -## -## Items below are passed through to Kafka's producer and consumer -## configurations (after removing "kafka.") -## if you want to change request.required.acks it can take this one value -#kafka.request.required.acks=-1 -kafka.metadata.broker.list={{ include "common.release" . 
}}-strimzi-kafka-bootstrap:9092 -config.zk.servers=127.0.0.1:{{ .Values.global.zkTunnelService.internalPort }} -consumer.timeout.ms=100 -zookeeper.connection.timeout.ms=6000 -zookeeper.session.timeout.ms=20000 -zookeeper.sync.time.ms=2000 -auto.commit.interval.ms=1000 -fetch.message.max.bytes =1000000 -auto.commit.enable=false - -#(backoff*retries > zksessiontimeout) -kafka.rebalance.backoff.ms=10000 -kafka.rebalance.max.retries=6 - - -############################################################################### -## -## Secured Config -## -## Some data stored in the config system is sensitive -- API keys and secrets, -## for example. to protect it, we use an encryption layer for this section -## of the config. -## -## The key is a base64 encode AES key. This must be created/configured for -## each installation. -#cambria.secureConfig.key= -## -## The initialization vector is a 16 byte value specific to the secured store. -## This must be created/configured for each installation. -#cambria.secureConfig.iv= - -## Southfield Sandbox -cambria.secureConfig.key=b/7ouTn9FfEw2PQwL0ov/Q== -cambria.secureConfig.iv=wR9xP5k5vbz/xD0LmtqQLw== -authentication.adminSecret=fe3cCompound -#cambria.secureConfig.key[pc569h]=YT3XPyxEmKCTLI2NK+Sjbw== -#cambria.secureConfig.iv[pc569h]=rMm2jhR3yVnU+u2V9Ugu3Q== - - -############################################################################### -## -## Consumer Caching -## -## Kafka expects live connections from the consumer to the broker, which -## obviously doesn't work over connectionless HTTP requests. The Cambria -## server proxies HTTP requests into Kafka consumer sessions that are kept -## around for later re-use. Not doing so is costly for setup per request, -## which would substantially impact a high volume consumer's performance. -## -## This complicates Cambria server failover, because we often need server -## A to close its connection before server B brings up the replacement. -## - -## The consumer cache is normally enabled. 
-#cambria.consumer.cache.enabled=true - -## Cached consumers are cleaned up after a period of disuse. The server inspects -## consumers every sweepFreqSeconds and will clean up any connections that are -## dormant for touchFreqMs. -#cambria.consumer.cache.sweepFreqSeconds=15 -cambria.consumer.cache.touchFreqMs=120000 -##stickforallconsumerrequests=false -## The cache is managed through ZK. The default value for the ZK connection -## string is the same as config.zk.servers. -#cambria.consumer.cache.zkConnect=${config.zk.servers} - -## -## Shared cache information is associated with this node's name. The default -## name is the hostname plus the HTTP service port this host runs on. (The -## hostname is determined via InetAddress.getLocalHost ().getCanonicalHostName(), -## which is not always adequate.) You can set this value explicitly here. -## -#cambria.api.node.identifier= - -#cambria.rateLimit.maxEmptyPollsPerMinute=30 -#cambria.rateLimitActual.delay.ms=10 - -############################################################################### -## -## Metrics Reporting -## -## This server can report its metrics periodically on a topic. 
-## -#metrics.send.cambria.enabled=true -#metrics.send.cambria.topic=cambria.apinode.metrics #msgrtr.apinode.metrics.dmaap -#metrics.send.cambria.sendEverySeconds=60 - -cambria.consumer.cache.zkBasePath=/fe3c/cambria/consumerCache -consumer.timeout=17 -default.partitions=3 -default.replicas=3 -############################################################################## -#100mb -maxcontentlength=10000 - - -############################################################################## -#AAF Properties -msgRtr.namespace.aaf=org.onap.dmaap.mr.topic -msgRtr.topicfactory.aaf=org.onap.dmaap.mr.topicFactory|:org.onap.dmaap.mr.topic: -enforced.topic.name.AAF=org.onap.dmaap.mr -forceAAF=false -useCustomAcls=false -transidUEBtopicreqd=false -defaultNSforUEB=org.onap.dmaap.mr -############################################################################## -#Mirror Maker Agent - -msgRtr.mirrormakeradmin.aaf=org.onap.dmaap.mr.mirrormaker|*|admin -msgRtr.mirrormakeruser.aaf=org.onap.dmaap.mr.mirrormaker|*|user -msgRtr.mirrormakeruser.aaf.create=org.onap.dmaap.mr.topicFactory|:org.onap.dmaap.mr.topic: -msgRtr.mirrormaker.timeout=15000 -msgRtr.mirrormaker.topic=org.onap.dmaap.mr.mirrormakeragent -msgRtr.mirrormaker.consumergroup=mmagentserver -msgRtr.mirrormaker.consumerid=1 - -kafka.max.poll.interval.ms=300000 -kafka.heartbeat.interval.ms=60000 -kafka.session.timeout.ms=240000 -kafka.max.poll.records=1000 diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/jmx-mrservice-prometheus.yml b/kubernetes/dmaap/components/message-router/resources/config/dmaap/jmx-mrservice-prometheus.yml deleted file mode 100644 index 3ee9fc5fe6..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/jmx-mrservice-prometheus.yml +++ /dev/null @@ -1,4 +0,0 @@ -jmxUrl: service:jmx:rmi:///jndi/rmi://localhost:{{ .Values.prometheus.jmx.targetPort }}/jmxrmi -lowercaseOutputName: true -lowercaseOutputLabelNames: true -ssl: false \ No newline at end of file 
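Review bot: in the deleted MsgRtrApi.properties, the "Southfield Sandbox" lines `cambria.secureConfig.key=`, `cambria.secureConfig.iv=` and `authentication.adminSecret=` carry literal values in a chart template, although the comments directly above them say the key and IV must be created for each installation. Deleting the file does not remove those values from the repository history, so they should be treated as disclosed: any installation that deployed this chart without overriding them needs to rotate them, and whatever replaces message-router should read such values from a Kubernetes Secret rather than a templated properties file. A smaller point in the same file: `maxcontentlength=10000` sits under a `#100mb` comment, and the two do not agree.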
diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties deleted file mode 100644 index cd88565ed0..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties +++ /dev/null 
@@ -1,165 +0,0 @@ -############################################################################### -# ============LICENSE_START======================================================= -# org.onap.dmaap -# ================================================================================ -# Copyright (c) 2017-201 AT&T Intellectual Property. All rights reserved. -# Copyright (c) 2021 Orange Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -# -# ECOMP is a trademark and service mark of AT&T Intellectual Property. -# -############################################################################### -#This file is used for defining AJSC system properties for different configuration schemes and is necessary for the AJSC to run properly. -#The sys-props.properties file is used for running locally. The template.sys-props.properties file will be used when deployed -#to a SOA/CSI Cloud node. For more information, - -#AJSC System Properties. The following properties are required for ALL AJSC services. If you are adding System Properties for your -#particular service, please add them AFTER all AJSC related System Properties. 
- -#For Cadi Authorization, use value="authentication-scheme-1 -CadiAuthN=authentication-scheme-1 - -#For Basic Authorization, use value="authentication-scheme-1 -authN=authentication-scheme-2 - -#Persistence used for AJSC meta-data storage. For most environments, "file" should be used. -ajscPersistence=file - -# If using hawtio for local development, these properties will allow for faster server startup and usage for local development -hawtio.authenticationEnabled=false -hawtio.config.pullOnStartup=false - -#Removes the extraneous restlet console output -org.restlet.engine.loggerFacadeClass=org.restlet.ext.slf4j.Slf4jLoggerFacade - -#server.host property to be enabled for local DME2 related testing -#server.host= - -#Enable/disable SSL (values=true/false). This property also determines which protocol to use (https if true, http otherwise), to register services into GRM through DME2. -enableSSL=false - -#Enable/disable csi logging (values=true/false). This can be disabled during local development -csiEnable=false - -#Enable/disable CAET This can be disabled during local development -isCAETEnable=true - -#Enable/disable EJB Container -ENABLE_EJB=false - -#Enable/disable OSGI -isOSGIEnable=false - -#Configure JMS Queue (WMQ/TIBCO) -JMS_BROKER=WMQ - -#Generate/Skip api docs -isApiDoc=false - - -#WMQ connectivity -JMS_WMQ_PROVIDER_URL=aftdsc://AFTUAT/34.07/-84.28 -JMS_WMQ_CONNECTION_FACTORY_NAME=aftdsc://AFTUAT/?service=CSILOG,version=1.0,bindingType=fusionBus,envContext=Q,Q30A=YES -JMS_WMQ_INITIAL_CONNECTION_FACTORY_NAME=com.att.aft.jms.FusionCtxFactory -JMS_WMQ_AUDIT_DESTINATION_NAME=queue:///CSILOGQL.M2E.DASHBOARD01.NOT.Q30A -JMS_WMQ_PERF_DESTINATION_NAME=queue:///CSILOGQL.M2E.PERFORMANCE01.NOT.Q30A - -#CSI related variables for CSM framework -csm.hostname=d1a-m2e-q112m2e1.edc.cingular.net - -#Enable/disable endpoint level logging (values=true/false). 
This can be disabled during local development -endpointLogging=false - -#Enable/disable trail logging and trail logging summary -enableTrailLogging=false -enableTrailLoggingSummary=false - -#SOA_CLOUD_ENV is used to register your service with dme2 and can be turned off for local development (values=true/false). -SOA_CLOUD_ENV=false - -#CONTINUE_ON_LISTENER_EXCEPTION will exit the application if there is a DME2 exception at the time of registration. -CONTINUE_ON_LISTENER_EXCEPTION=false - -#Jetty Container ThreadCount Configuration Variables -AJSC_JETTY_ThreadCount_MIN=1 -AJSC_JETTY_ThreadCount_MAX=200 -AJSC_JETTY_IDLETIME_MAX=3000 - -#Camel Context level default threadPool Profile configuration -CAMEL_POOL_SIZE=10 -CAMEL_MAX_POOL_SIZE=20 -CAMEL_KEEP_ALIVE_TIME=60 -CAMEL_MAX_QUEUE_SIZE=1000 - -#File Monitor configurations -ssf_filemonitor_polling_interval=5 -ssf_filemonitor_threadpool_size=10 - -#GRM/DME2 System Properties -AFT_DME2_CONN_IDLE_TIMEOUTMS=5000 -AJSC_ENV=SOACLOUD - -SOACLOUD_NAMESPACE=org.onap.dmaap.dev -SOACLOUD_ENV_CONTEXT=TEST -SOACLOUD_PROTOCOL=http -SOACLOUD_ROUTE_OFFER=DEFAULT - -AFT_LATITUDE=23.4 -AFT_LONGITUDE=33.6 -AFT_ENVIRONMENT=AFTUAT - -#Restlet Component Default Properties -RESTLET_COMPONENT_CONTROLLER_DAEMON=true -RESTLET_COMPONENT_CONTROLLER_SLEEP_TIME_MS=100 -RESTLET_COMPONENT_INBOUND_BUFFER_SIZE=8192 -RESTLET_COMPONENT_MIN_THREADS=1 -RESTLET_COMPONENT_MAX_THREADS=10 -RESTLET_COMPONENT_LOW_THREADS=8 -RESTLET_COMPONENT_MAX_QUEUED=0 -RESTLET_COMPONENT_MAX_CONNECTIONS_PER_HOST=-1 -RESTLET_COMPONENT_MAX_TOTAL_CONNECTIONS=-1 -RESTLET_COMPONENT_OUTBOUND_BUFFER_SIZE=8192 -RESTLET_COMPONENT_PERSISTING_CONNECTIONS=true -RESTLET_COMPONENT_PIPELINING_CONNECTIONS=false -RESTLET_COMPONENT_THREAD_MAX_IDLE_TIME_MS=60000 -RESTLET_COMPONENT_USE_FORWARDED_HEADER=false -RESTLET_COMPONENT_REUSE_ADDRESS=true - -#Externalized jar and properties file location. 
In CSI environments, there are a few libs that have been externalized to aid -#in CSTEM maintenance of the versions of these libs. The most important to the AJSC is the DME2 lib. Not only is this lib necessary -#for proper registration of your AJSC service on a node, but it is also necessary for running locally as well. Another framework -#used in CSI envs is the CSM framework. These 2 framework libs are shown as "provided" dependencies within the pom.xml. These -#dependencies will be copied into the target/commonLibs folder with the normal "mvn clean package" goal of the AJSC. They will -#then be added to the classpath via AJSC_EXTERNAL_LIB_FOLDERS system property. Any files (mainly property files) that need -#to be on the classpath should be added to the AJSC_EXTERNAL_PROPERTIES_FOLDERS system property. The default scenario when -#testing your AJSC service locally will utilize the target/commonLibs directory for DME2 and CSM related artifacts and 2 -#default csm properties files will be used for local testing with anything CSM knorelated. -#NOTE: we are using maven-replacer-plugin to replace "(doubleUnderscore)basedir(doubleUnderscore)" with ${basedir} within the -#target directory for running locally. Multiple folder locations can be separated by the pipe ("|") character. -#Please, NOTE: for running locally, we are setting this system property in the antBuild/build.xml "runLocal" target and in the -#"runAjsc" profile within the pom.xml. This is to most effectively use maven variables (${basedir}, most specifically. Therefore, -#when running locally, the following 2 properties should be set within the profile(s) themselves. -#Example: target/commonLibs|target/otherLibs -#AJSC_EXTERNAL_LIB_FOLDERS=__basedir__/target/commonLibs -#AJSC_EXTERNAL_PROPERTIES_FOLDERS=__basedir__/ajsc-shared-config/etc -#End of AJSC System Properties - -#Service System Properties. Please, place any Service related System Properties below. 
- -#msgrtr content length and error message -#100mb -maxcontentlength=10000 -msg_size_exceeds=Message size exceeds the default size. -forceAAF=false -cadi_prop_files={{.Values.certInitializer.appMountPath}}/local/{{.Values.certInitializer.fqi_namespace}}.properties \ No newline at end of file diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml b/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml deleted file mode 100644 index 49196e441b..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml +++ /dev/null @@ -1,138 +0,0 @@ - - - - - - - - - true - - - /etc/runner-web.xml - /etc/ajsc-override-web.xml - true - /extJars/json-20131018.jar - - - false - - - - - - - - - - - - - - - - - - - - - - - - - - /extApps - 10 - true - - - - - - - - - - - - - - - - - - - - - - - {{.Values.certInitializer.appMountPath}}/local/{{.Values.certInitializer.fqi_namespace}}.jks - ${KEYSTORE_PASSWORD} - ${KEYSTORE_PASSWORD} - true - - - - - - - - - - - - http/1.1 - - - - - - - - - - - - - - - - - - - - - - 30000 - - - - - - - - - - false - - - diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties b/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties deleted file mode 100644 index 596a316d77..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties +++ /dev/null 
@@ -1,19 +0,0 @@ -aaf_locate_url=https://aaf-locate.onap:8095 -aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 -aaf_env=DEV -aaf_lur=org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm - -cadi_truststore={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks -cadi_truststore_password=${TRUSTSTORE_PASSWORD} - -cadi_keyfile={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.keyfile - -cadi_alias={{ .Values.certInitializer.fqi }} -cadi_keystore={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.p12 -cadi_keystore_password=${KEYSTORE_PASSWORD_P12} -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US - -cadi_loglevel=INFO -cadi_protocols=TLSv1.1,TLSv1.2 -cadi_latitude=37.78187 -cadi_longitude=-122.26147 diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml b/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml deleted file mode 100644 index 116c52499f..0000000000 --- a/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml +++ /dev/null 
@@ -1,108 +0,0 @@ - - - - - - contextConfigLocation - /WEB-INF/spring-servlet.xml, - classpath:applicationContext.xml - - - - - spring.profiles.default - nooauth - - - - org.springframework.web.context.ContextLoaderListener - - - - ManagementServlet - ajsc.ManagementServlet - - - - WriteableRequestFilter - com.att.ajsc.csi.writeablerequestfilter.WriteableRequestFilter - - - - InterceptorFilter - ajsc.filters.InterceptorFilter - - preProcessor_interceptor_config_file - /etc/PreProcessorInterceptors.properties - - - postProcessor_interceptor_config_file - /etc/PostProcessorInterceptors.properties - - - - - - - DMaaPAuthFilter - DMaaPAuthFilter - org.onap.dmaap.util.DMaaPAuthFilter - - cadi_prop_files - {{.Values.certInitializer.appMountPath}}/local/cadi.properties - - - - - - RestletServlet - ajsc.restlet.RestletSpringServlet - - org.restlet.component - restletComponent - - - - - CamelServlet - ajsc.servlet.AjscCamelServlet - - - - - springSecurityFilterChain - org.springframework.web.filter.DelegatingFilterProxy - - - - spring - org.springframework.web.servlet.DispatcherServlet - 1 - - - - spring - / - - - diff --git a/kubernetes/dmaap/components/message-router/templates/NOTES.txt b/kubernetes/dmaap/components/message-router/templates/NOTES.txt deleted file mode 100644 index a44d0f76ee..0000000000 --- a/kubernetes/dmaap/components/message-router/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/dmaap/components/message-router/templates/configmap.yaml b/kubernetes/dmaap/components/message-router/templates/configmap.yaml deleted file mode 100644 index c999b79183..0000000000 --- a/kubernetes/dmaap/components/message-router/templates/configmap.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021-2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-msgrtrapi-prop-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/dmaap/MsgRtrApi.properties").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-logback-xml-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/dmaap/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-etc - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/etc/*").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-sys-props - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/dmaap/sys-props.properties").AsConfig . | indent 2 }} ---- -{{- if .Values.prometheus.jmx.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-prometheus-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/dmaap/jmx-mrservice-prometheus.yml").AsConfig . | indent 2 }} ---- -{{ end }} diff --git a/kubernetes/dmaap/components/message-router/templates/secrets.yaml b/kubernetes/dmaap/components/message-router/templates/secrets.yaml deleted file mode 100644 index 50dda8a8f9..0000000000 --- a/kubernetes/dmaap/components/message-router/templates/secrets.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021-2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-secret - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ (.Files.Glob "resources/config/dmaap/mykey").AsSecrets | indent 2 }} -type: Opaque ---- -{{ include "common.secretFast" . }} diff --git a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml deleted file mode 100644 index 904c160c70..0000000000 --- a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml +++ /dev/null 
@@ -1,232 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021-2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0); - cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /config - name: jetty - - mountPath: /config-input - name: etc - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} - containers: - {{- if .Values.prometheus.jmx.enabled }} - - name: prometheus-jmx-exporter - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.prometheus.jmx.image }}:{{ .Values.prometheus.jmx.imageTag }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - java - - -XX:+UnlockExperimentalVMOptions - - -XX:+UseCGroupMemoryLimitForHeap - - -XX:MaxRAMFraction=1 - - -XshowSettings:vm - - -jar - - jmx_prometheus_httpserver.jar - - {{ .Values.prometheus.jmx.port | quote }} - - /etc/jmx-kafka/jmx-mrservice-prometheus.yml - ports: - - containerPort: {{ .Values.prometheus.jmx.port }} - resources: - volumeMounts: - - name: jmx-config - mountPath: /etc/jmx-kafka - {{- end }} - - name: srimzi-zk-entrance - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.zookeeper.entrance.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /opt/stunnel/stunnel_run.sh - ports: - - containerPort: {{ .Values.global.zkTunnelService.internalPort }} - name: zoo - protocol: TCP - env: - - name: LOG_LEVEL - value: debug - - name: STRIMZI_ZOOKEEPER_CONNECT - value: '{{ include "common.release" . }}-strimzi-zookeeper-client:{{ .Values.global.zkTunnelService.internalPort }}' - livenessProbe: - exec: - command: - - /opt/stunnel/stunnel_healthcheck.sh - - '{{ .Values.global.zkTunnelService.internalPort }}' - failureThreshold: 3 - initialDelaySeconds: 15 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - exec: - command: - - /opt/stunnel/stunnel_healthcheck.sh - - '{{ .Values.global.zkTunnelService.internalPort }}' - failureThreshold: 3 - initialDelaySeconds: 15 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - volumeMounts: - - mountPath: /etc/cluster-operator-certs/ - name: cluster-operator-certs - - mountPath: /etc/cluster-ca-certs/ - name: cluster-ca-certs - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - cp /jetty-config/ajsc-jetty.xml /appl/dmaapMR1/etc/ - cp /jetty-config/cadi.properties {{ .Values.certInitializer.appMountPath }}/local/cadi.properties - /bin/sh /appl/startup.sh - {{- end }} - ports: {{ include "common.containerPorts" . | nindent 10 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - successThreshold: {{ .Values.readiness.successThreshold }} - failureThreshold: {{ .Values.readiness.failureThreshold }} - startupProbe: - tcpSocket: - port: {{ .Values.startup.port }} - initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} - periodSeconds: {{ .Values.startup.periodSeconds }} - timeoutSeconds: {{ .Values.startup.timeoutSeconds }} - successThreshold: {{ .Values.startup.successThreshold }} - failureThreshold: {{ .Values.startup.failureThreshold }} - env: - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "mr-kafka-admin-secret" "key" "sasl.jaas.config") | indent 12 }} - - name: SASLMECH - value: scram-sha-512 - - name: enableCadi - value: "{{ .Values.global.aafEnabled }}" - - name: useZkTopicStore - value: "false" - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /appl/dmaapMR1/bundleconfig/etc/appprops/MsgRtrApi.properties - subPath: MsgRtrApi.properties - name: appprops - - mountPath: /appl/dmaapMR1/bundleconfig/etc/logback.xml - subPath: logback.xml - name: logback - {{- if .Values.global.aafEnabled }} - - mountPath: /appl/dmaapMR1/etc/runner-web.xml - subPath: runner-web.xml - name: etc - - mountPath: /appl/dmaapMR1/bundleconfig/etc/sysprops/sys-props.properties - subPath: sys-props.properties - name: sys-props - - mountPath: /jetty-config - name: jetty - {{- end }} - resources: {{ include "common.resources" . | nindent 12 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: appprops - configMap: - name: {{ include "common.fullname" . }}-msgrtrapi-prop-configmap - - name: etc - configMap: - name: {{ include "common.fullname" . }}-etc - - name: logback - configMap: - name: {{ include "common.fullname" . }}-logback-xml-configmap - {{- if .Values.prometheus.jmx.enabled }} - - name: jmx-config - configMap: - name: {{ include "common.fullname" . }}-prometheus-configmap - {{- end }} - - name: sys-props - configMap: - name: {{ include "common.fullname" . }}-sys-props - - name: jetty - emptyDir: {} - - name: cluster-operator-certs - secret: - defaultMode: 288 - secretName: {{ include "common.release" . }}-strimzi-cluster-operator-certs - - name: cluster-ca-certs - secret: - defaultMode: 288 - secretName: {{ include "common.release" . }}-strimzi-cluster-ca-cert - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "common.fullname" . }}-zk-network-policy - namespace: {{ include "common.namespace" . 
}} -spec: - podSelector: - matchLabels: - strimzi.io/name: {{ include "common.release" . }}-strimzi-zookeeper - ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: {{ include "common.name" . }} - ports: - - port: {{ .Values.global.zkTunnelService.internalPort }} - protocol: TCP - policyTypes: - - Ingress diff --git a/kubernetes/dmaap/components/message-router/values.yaml b/kubernetes/dmaap/components/message-router/values.yaml deleted file mode 100644 index 80460ba570..0000000000 --- a/kubernetes/dmaap/components/message-router/values.yaml +++ /dev/null 
@@ -1,186 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021-2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - zkTunnelService: - type: ClusterIP - name: zk-tunnel-svc - portName: tcp-zk-tunnel - internalPort: 2181 - -zookeeper: - entrance: - image: scholzj/zoo-entrance:latest - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: dmaap-mr-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: dmaap-mr - fqi: dmaapmr@mr.dmaap.onap.org - public_fqdn: mr.dmaap.onap.org - cadi_longitude: "-122.26147" - cadi_latitude: "37.78187" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - appMountPath: /appl/dmaapMR1/bundleconfig/etc/sysprops - fqi_namespace: org.onap.dmaap.mr - aaf_add_config: | - cd {{ .Values.credsPath }} - echo "*** change jks password into shell safe one" - export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - keytool -storepasswd -new "${KEYSTORE_PASSWD}" \ - -storepass "${cadi_keystore_password_jks}" \ - -keystore {{ .Values.fqi_namespace }}.jks - echo "*** set key password as same password as jks keystore password" - keytool -keypasswd -new "${KEYSTORE_PASSWD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_jks}" \ - -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }} - echo "*** store the passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop - echo "KEYSTORE_PASSWORD_P12=${cadi_keystore_password_p12}" >> mycreds.prop - echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> mycreds.prop - echo "*** give ownership of files to the user" - chown -R 1000 . - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/dmaap/dmaap-mr:1.4.3 -pullPolicy: Always - -secrets: - - uid: mr-kafka-admin-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . 
}}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - someConfig: blah - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - port: api - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - port: api - -startup: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 70 - port: api - -service: - type: NodePort - name: message-router - both_tls_and_plain: true - msb: - - port: 3904 - url: "/" - version: "v1" - protocol: "REST" - visualRange: "1" - ports: - - name: api - port: 3905 - plain_port: 3904 - port_protocol: http - nodePort: 26 - -prometheus: - jmx: - enabled: false - image: solsson/kafka-prometheus-jmx-exporter@sha256 - imageTag: 6f82e2b0464f50da8104acd7363fb9b995001ddff77d248379f8788e78946143 - port: 5556 - targetPort: 5555 - -ingress: - enabled: false - service: - - baseaddr: "dmaap-mr-api" - name: "message-router" - port: 3905 - plain_port: 3904 - config: - ssl: "redirect" - - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2000m - memory: 4Gi - requests: - cpu: 500m - memory: 1Gi - large: - limits: - cpu: 4000m - memory: 8Gi - requests: - cpu: 1000m - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: message-router - roles: - - read 
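Review bot: The deleted kubernetes/dmaap/components/message-router/values.yaml carried a plaintext default credential in its certInitializer block, `aafDeployPass: demo123456!` next to `aafDeployFqi: deployer@people.osaaf.org`. Deleting the file removes the value from the tree but not from git history, so it should be treated as known. Please confirm that no remaining chart or override file still sets or falls back to this value. The commented-out `aafDeployCredsExternalSecret` line in the same block shows that an external secret was the intended alternative.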
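Review bot: Removing the NetworkPolicy at the end of kubernetes/dmaap/components/message-router/templates/statefulset.yaml (the `-zk-network-policy` object) can widen access to the ZooKeeper pods rather than narrow it. That policy selected pods labelled `strimzi.io/name: <release>-strimzi-zookeeper` and allowed ingress on `.Values.global.zkTunnelService.internalPort` only from pods carrying the message-router `app.kubernetes.io/name` label. Pods that no NetworkPolicy selects accept all ingress, so if this was the only policy selecting them they become reachable from any pod once it is gone. Please confirm that another policy still covers the strimzi-zookeeper pods, or keep an ingress policy for them in a chart that remains.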
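Review bot: The deleted kubernetes/dmaap/components/message-router/templates/secrets.yaml built its Secret from a file shipped inside the chart, `(.Files.Glob "resources/config/dmaap/mykey").AsSecrets`, so the key material lived in the repository. Please check that `resources/config/dmaap/mykey` is removed in the same change and that nothing left in the tree still expects the `-secret` object this template produced. As with any key that has been committed, it should not be reused elsewhere.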
diff --git a/kubernetes/dmaap/resources/config/log/filebeat/filebeat.yml b/kubernetes/dmaap/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 8540903193..0000000000 --- a/kubernetes/dmaap/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2019 The Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - - /opt/app/datartr/logs/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. 
- #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.global.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.global.logstashPort}}"] - #If enable will do load balancing among available Logstash, automatically. - loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase \ No newline at end of file diff --git a/kubernetes/dmaap/values.yaml b/kubernetes/dmaap/values.yaml deleted file mode 100644 index 1cb537b5f4..0000000000 --- a/kubernetes/dmaap/values.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -# Copyright © 2018 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs,Bell Canada -# Modifications Copyright © 2021-2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - clientImage: onap/dmaap/dbc-client:2.0.10 - -#Global DMaaP app config - allow_http: false - - #Logstash config - logstashServiceName: log-ls - logstashPort: 5044 - - #dmaap-dr-prov server configuration - dmaapDrProvName: dmaap-dr-prov - dmaapDrProvExtPort2: 443 - dmaapDrProvExtPort: 80 - - #AAF global config overrides - aafEnabled: true - - #Strimzi config - kafkaStrimziAdminUser: strimzi-kafka-admin - -#Component overrides -message-router: - enabled: true - config: - jaasConfExternalSecret: '{{ .Values.global.kafkaStrimziAdminUser }}' -dmaap-bc: - enabled: true -dmaap-dr-node: - enabled: true -dmaap-dr-prov: - enabled: true -dmaap-strimzi: - enabled: true - -#Pods Service Account -serviceAccount: - nameOverride: dmaap - roles: - - read diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh index 347c7689e4..08ced6e879 100755 --- a/kubernetes/helm/plugins/deploy/deploy.sh +++ b/kubernetes/helm/plugins/deploy/deploy.sh 
@@ -51,8 +51,8 @@ generate_overrides() { END=${SUBCHART_NAMES[index+1]} if [ "$START" = "global:" ]; then echo "global:" > $GLOBAL_OVERRIDES - cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \ - | sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES + cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/'"$END"'/p' \ + | sed '1d;$d' >> $GLOBAL_OVERRIDES else SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(echo "$START" |cut -d':' -f1)" if [ -d "$SUBCHART_DIR" ]; then @@ -271,7 +271,7 @@ deploy() { #So cache the results to prevent repeated execution. ALL_HELM_RELEASES=$(helm ls -q) - for subchart in strimzi cassandra mariadb-galera postgres ; do + for subchart in roles-wrapper repository-wrapper strimzi cassandra mariadb-galera postgres ; do SUBCHART_OVERRIDES=$CACHE_SUBCHART_DIR/$subchart/subchart-overrides.yaml SUBCHART_ENABLED=0 @@ -296,8 +296,8 @@ deploy() { done fi done - - + # Disable delay + DELAY="false" for subchart in * ; do SUBCHART_OVERRIDES=$CACHE_SUBCHART_DIR/$subchart/subchart-overrides.yaml diff --git a/kubernetes/helm/starters/onap-app/Chart.yaml b/kubernetes/helm/starters/onap-app/Chart.yaml index abad5ca4ee..c8f618a984 100644 --- a/kubernetes/helm/starters/onap-app/Chart.yaml +++ b/kubernetes/helm/starters/onap-app/Chart.yaml @@ -17,12 +17,12 @@ apiVersion: v2 description: name: -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/helm/starters/onap-app/templates/deployment.yaml b/kubernetes/helm/starters/onap-app/templates/deployment.yaml index fc76c1ff6d..c4d0eb5d3f 100644 --- a/kubernetes/helm/starters/onap-app/templates/deployment.yaml +++ b/kubernetes/helm/starters/onap-app/templates/deployment.yaml 
@@ -70,16 +70,12 @@ spec: #Example environment variable passed to container # - name: DEBUG_FLAG # value: {{ .Values.global.debugEnabled | default .Values.debugEnabled | quote }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true #Example config file mount into container +# volumeMounts: # - mountPath: /opt/app/application.properties # name: {{ include "common.name" . }}-config # subPath: application.properties - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -89,16 +85,12 @@ spec: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime #Example config file mount into container +# volumes: # - name: {{ include "common.fullname" . }}-config # configMap: # name: {{ include "common.fullname" . }}-configmap # items: # - key: application.properties # path: application.properties - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/helm/starters/onap-app/values.yaml b/kubernetes/helm/starters/onap-app/values.yaml index 702bfb2a73..eef745d940 100644 --- a/kubernetes/helm/starters/onap-app/values.yaml +++ b/kubernetes/helm/starters/onap-app/values.yaml @@ -85,8 +85,8 @@ resources: {} # Minimum memory for production is 4 CPU cores and 8GB memory #resources: # limits: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" # requests: -# cpu: 2 -# memory: 4Gi +# cpu: "2" +# memory: "4Gi" diff --git a/kubernetes/holmes/Chart.yaml b/kubernetes/holmes/Chart.yaml deleted file mode 100644 index 971d81c614..0000000000 --- a/kubernetes/holmes/Chart.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP DCAE HOLMES -name: holmes -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: postgres - version: ~12.x-0 - repository: '@local' - condition: global.postgres.localCluster - - name: postgres-init - version: ~12.x-0 - repository: '@local' - condition: not global.postgres.localCluster - - name: holmes-rule-mgmt - version: ~12.x-0 - repository: 'file://components/holmes-rule-mgmt' - - name: holmes-engine-mgmt - version: ~12.x-0 - repository: 'file://components/holmes-engine-mgmt' diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml deleted file mode 100644 index 1aa4726253..0000000000 --- a/kubernetes/holmes/components/holmes-engine-mgmt/Chart.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Modifications Copyright © 2021 ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -appVersion: "2.0" -description: Holmes Engine Management -name: holmes-engine-mgmt -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/application.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/application.yaml deleted file mode 100644 index f818dfd3b0..0000000000 --- a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/application.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -server: - port: 9102 - servlet: - context-path: /api/holmes-engine-mgmt/v1 - ssl: - key-store: /opt/onap/conf/holmes.keystore - key-store-password: holmes - #PKCS12 - key-store-type: JKS - -logging: - config: classpath:logback-spring.xml - -spring: - application: - name: Holmes Engine Management - datasource: - dirver-class-name: org.postgresql.Driver - url: jdbc:postgresql://${URL_JDBC}:${DB_PORT}/${DB_NAME} - username: ${JDBC_USERNAME} - password: ${JDBC_PASSWORD} - mvc: - throw-exception-if-no-handler-found: true \ No newline at end of file diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml b/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml deleted file mode 100644 index 9e62ccf2f7..0000000000 --- a/kubernetes/holmes/components/holmes-engine-mgmt/resources/config/engine-d.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -# -# Copyright 2017 ZTE Corporation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -server: - type: simple - rootPath: '/api/holmes-engine-mgmt/v1/*' - applicationContextPath: / - adminContextPath: /admin - connector: - type: https - port: 9102 - keyStorePath: /opt/onap/conf/holmes.keystore - keyStorePassword: holmes - validateCerts: false - validatePeers: false - - -# Logging settings. -logging: - - # The default level of all loggers. Can be OFF, ERROR, WARN, INFO, DEBUG, TRACE, or ALL. - level: INFO - - # Logger-specific levels. - loggers: - - # Sets the level for 'com.example.app' to DEBUG. 
- org.onap.holmes.engine: ALL - - appenders: - - type: console - threshold: INFO - timeZone: UTC - logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" - - type: file - threshold: ERROR - logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" - currentLogFilename: /var/log/ONAP/holmes/engine-d-error.log - archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/engine-d-error-%d{yyyy-MM-dd}.log.gz - archivedFileCount: 7 - - type: file - threshold: INFO - logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" - currentLogFilename: /var/log/ONAP/holmes/engine-d-debug.log - archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/engine-d-debug-%d{yyyy-MM-dd}.log.gz - archivedFileCount: 7 - - -database: - driverClass: org.postgresql.Driver - user: ${JDBC_USERNAME} - password: ${JDBC_PASSWORD} - url: jdbc:postgresql://${URL_JDBC}:${DB_PORT}/${DB_NAME} - properties: - charSet: UTF-8 - maxWaitForConnection: 1s - validationQuery: "/* MyService Health Check */ SELECT 1" - minSize: 8 - maxSize: 100 - checkConnectionWhileIdle: false - evictionInterval: 10s - minIdleTime: 1s diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml deleted file mode 100644 index dd7bb4552e..0000000000 --- a/kubernetes/holmes/components/holmes-engine-mgmt/templates/deployment.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2021 ZTE Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -{{- $sum := "" }} -{{- range $path, $bytes := .Files.Glob "resources/config/*.json"}} -{{- $sum = $.Files.Get $path | sha256sum | print $sum }} -{{- end }} - annotations: - checksum/config: {{ $sum | sha256sum }} - -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: {{- include "common.certInitializer.initContainer" . | nindent 6 }} - - name: {{ include "common.name" . }}-env-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - -c - - "cd /hemconfig && for PFILE in `find . 
-type f -not -name '*.json'`; do envsubst < ${PFILE} > /config/${PFILE##*/}; done" - env: - - name: JDBC_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - - name: JDBC_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - - name: DB_NAME - value: {{ .Values.config.pgConfig.dbName }} - - name: URL_JDBC - value: {{ .Values.config.pgConfig.dbHost }} - - name: DB_PORT - value: "{{ .Values.config.pgConfig.dbPort }}" - volumeMounts: - - mountPath: /hemconfig - name: {{ include "common.fullname" . }}-config - - mountPath: /config - name: {{ include "common.fullname" . }}-env-config - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: {{ include "common.resources" . | nindent 10 }} - ports: {{ include "common.containerPorts" . | nindent 10 }} - volumeMounts: {{- include "common.certInitializer.volumeMount" . | nindent 8 }} - - name: {{ include "common.fullname" . }}-env-config - mountPath: /opt/hemconfig - - name: {{ include "common.fullname" . 
}}-config - mountPath: /opt/hemtopics - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: {{ .Values.liveness.path }} - port: {{ .Values.liveness.port }} - scheme: {{ .Values.liveness.scheme }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{- end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.readiness.port }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - failureThreshold: 1 - successThreshold: 1 - timeoutSeconds: 1 - env: - - name: CONSUL_HOST - value: consul-server.{{ include "common.namespace" . }} - - name: CONFIG_BINDING_SERVICE - value: config-binding-service - - name: MSB_IAG_SERVICE_PROTOCOL - value: {{ .Values.global.msbProtocol }} - - name: MSB_IAG_SERVICE_HOST - value: {{ .Values.global.msbServiceName }}.{{ include "common.namespace" . }} - - name: MSB_IAG_SERVICE_PORT - value: {{ .Values.global.msbPort | quote }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - - name: JDBC_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - - name: JDBC_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - - name: DB_NAME - value: {{ .Values.config.pgConfig.dbName }} - - name: URL_JDBC - value: {{ .Values.config.pgConfig.dbHost }} - - name: DB_PORT - value: "{{ .Values.config.pgConfig.dbPort }}" - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . 
)}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: {{ include "common.fullname" . }}-config - configMap: - defaultMode: 422 - name: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-env-config - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml b/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml deleted file mode 100644 index ce3035e5da..0000000000 --- a/kubernetes/holmes/components/holmes-engine-mgmt/values.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2021 ZTE Corporation Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefixExt: 302 - msbProtocol: https - msbServiceName: msb-iag - msbPort: 443 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/holmes/engine-management:11.0.0 -consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: holmes-engine-mgmt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: holmes-engine-mgmt - fqi: holmes-engine-mgmt@holmes-engine-mgmt.onap.org - fqi_namespace: org.onap.holmes-engine-mgmt - public_fqdn: holmes-engine-mgmt.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 . - -################################################################# -# Secrets metaconfig -################################################################# -secrets: -- uid: pg-user-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.pgConfig.dbUserCredsExternalSecret) . 
}}' - login: '{{ .Values.config.pgConfig.dbUser }}' - password: '{{ .Values.config.pgConfig.dbUserPassword }}' - -# application configuration -config: - logstashServiceName: log-ls - logstashPort: 5044 - # Addresses of other ONAP entities - address: - consul: - host: consul-server - port: 8500 - pgConfig: - dbName: defaultName - dbHost: defaultHost - dbPort: 1234 - dbUser: admin - dbUserPassword: admin - # dbUserCredsExternalSecret - -service: - type: ClusterIP - name: holmes-engine-mgmt - ports: - - name: https-rest - port: &svc_port 9102 - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - path: /api/holmes-engine-mgmt/v1/healthcheck - scheme: HTTPS - port: *svc_port - enabled: true - -readiness: - initialDelaySeconds: 30 - periodSeconds: 30 - path: /api/holmes-engine-mgmt/v1/healthcheck - scheme: HTTPS - port: *svc_port - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 500m - memory: 1Gi - requests: - cpu: 250m - memory: 500Mi - large: - limits: - cpu: 500m - memory: 2Gi - requests: - cpu: 250m - memory: 1Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: holmes-engine-mgmt - roles: - - read diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml deleted file mode 100644 index 628f5c6828..0000000000 --- a/kubernetes/holmes/components/holmes-rule-mgmt/Chart.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Modifications Copyright © 2021 ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -appVersion: "2.0" -description: Holmes Rule Management -name: holmes-rule-mgmt -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/application.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/application.yaml deleted file mode 100644 index 18cf3b4966..0000000000 --- a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/application.yaml +++ /dev/null @@ -1,23 +0,0 @@ -server: - port: 9101 - servlet: - context-path: /api/holmes-rule-mgmt/v1 - ssl: - key-store: /opt/onap/conf/holmes.keystore - key-store-password: holmes - #PKCS12 - key-store-type: JKS - -logging: - config: classpath:logback-spring.xml - -spring: - application: - name: Holmes Rule Management - datasource: - dirver-class-name: org.postgresql.Driver - url: jdbc:postgresql://${URL_JDBC}:${DB_PORT}/${DB_NAME} - username: ${JDBC_USERNAME} - password: ${JDBC_PASSWORD} - mvc: - throw-exception-if-no-handler-found: true \ No newline at end of file 
diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml b/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml deleted file mode 100644 index 89269dede8..0000000000 --- a/kubernetes/holmes/components/holmes-rule-mgmt/resources/config/rulemgt.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -apidescription: ZTE Holmes rule Management rest API - -# use the simple server factory if you only want to run on a single port -#server: -# type: simple -# connector: -# type: http -# port: 12003 - -server: - type: simple - rootPath: '/api/holmes-rule-mgmt/v1/*' - applicationContextPath: / - adminContextPath: /admin - connector: - type: https - port: 9101 - keyStorePath: /opt/onap/conf/holmes.keystore - keyStorePassword: holmes - validateCerts: false - validatePeers: false - -# Logging settings. -logging: - - # The default level of all loggers. Can be OFF, ERROR, WARN, INFO, DEBUG, TRACE, or ALL. - level: INFO - - # Logger-specific levels. - loggers: - - # Sets the level for 'com.example.app' to DEBUG. - org.onap.holmes.rulemgt: ALL - - appenders: - - type: console - threshold: INFO - timeZone: UTC - logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" - - type: file - threshold: ERROR - #logFormat: "%nopexception%logger\n|%date{yyyy-MM-dd'T'HH:mm:ss.SSSXXX,UTC}\n|%level\n|%message\n|%X{InvocationID}\n|%rootException\n|%marker\n|%thread\n|%n \r\n" - logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" - currentLogFilename: /var/log/ONAP/holmes/rulemgt-relation-error.log - archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/rulemgt-relation-error-%d{yyyy-MM-dd}.log.gz - archivedFileCount: 7 - - type: file - threshold: INFO - logFormat: "%d{yyyy-MM-dd HH:mm:ss SSS} %-5p [%c][%t] invocationID:{InvocationID} - %m%n" - currentLogFilename: /var/log/ONAP/holmes/rulemgt-relation-debug.log - archivedLogFilenamePattern: /var/log/ONAP/holmes/zip/rulemgt-relation-debug-%d{yyyy-MM-dd}.log.gz - archivedFileCount: 7 - -#database -database: - driverClass: org.postgresql.Driver - user: ${JDBC_USERNAME} - password: ${JDBC_PASSWORD} - url: jdbc:postgresql://${URL_JDBC}:${DB_PORT}/${DB_NAME} - properties: - charSet: UTF-8 - maxWaitForConnection: 1s - validationQuery: "/* MyService Health 
Check */ SELECT 1" - minSize: 8 - maxSize: 100 - checkConnectionWhileIdle: false - evictionInterval: 10s - minIdleTime: 1s diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml deleted file mode 100644 index 21a96568cb..0000000000 --- a/kubernetes/holmes/components/holmes-rule-mgmt/templates/deployment.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -{{/* -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2021 ZTE Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -{{- $sum := "" }} -{{- range $path, $bytes := .Files.Glob "resources/rules/*"}} -{{- $sum = $.Files.Get $path | sha256sum | print $sum }} -{{- end }} - annotations: - checksum/rules: {{ $sum | sha256sum }} -spec: - replicas: 1 - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: {{- include "common.certInitializer.initContainer" . | nindent 6 }} - - name: {{ include "common.name" . }}-env-config - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - -c - - "cd /hrmconfig && for PFILE in `find . 
-type f -not -name '*.json'`; do envsubst < ${PFILE} > /config/${PFILE##*/}; done" - env: - - name: JDBC_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - - name: JDBC_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - - name: DB_NAME - value: {{ .Values.config.pgConfig.dbName }} - - name: URL_JDBC - value: {{ .Values.config.pgConfig.dbHost }} - - name: DB_PORT - value: "{{ .Values.config.pgConfig.dbPort }}" - volumeMounts: - - mountPath: /hrmconfig - name: {{ include "common.fullname" . }}-general-config - - mountPath: /config - name: {{ include "common.fullname" . }}-env-config - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . | nindent 8 }} - volumeMounts: {{- include "common.certInitializer.volumeMount" . | nindent 8 }} - - name: {{ include "common.fullname" . }}-env-config - mountPath: /opt/hrmconfig - - name: {{ include "common.fullname" . 
}}-rule-config - mountPath: /opt/hrmrules - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: {{ .Values.liveness.path }} - port: {{ .Values.liveness.port }} - scheme: {{ .Values.liveness.scheme }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{- end }} - readinessProbe: - httpGet: - path: {{ .Values.readiness.path }} - port: {{ .Values.readiness.port }} - scheme: {{ .Values.readiness.scheme }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - failureThreshold: 1 - successThreshold: 1 - timeoutSeconds: 1 - env: - - name: CONSUL_HOST - value: consul-server.{{ include "common.namespace" . }} - - name: CONFIG_BINDING_SERVICE - value: config-binding-service - - name: MSB_IAG_SERVICE_PROTOCOL - value: {{ .Values.global.msbProtocol }} - - name: MSB_IAG_SERVICE_HOST - value: {{ .Values.global.msbServiceName }}.{{ include "common.namespace" . }} - - name: MSB_IAG_SERVICE_PORT - value: {{ .Values.global.msbPort | quote}} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - - name: JDBC_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - - name: JDBC_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "password") | indent 10 }} - - name: DB_NAME - value: {{ .Values.config.pgConfig.dbName }} - - name: URL_JDBC - value: {{ .Values.config.pgConfig.dbHost }} - - name: DB_PORT - value: "{{ .Values.config.pgConfig.dbPort }}" - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: {{ include "common.fullname" . }}-general-config - configMap: - defaultMode: 422 - name: {{ include "common.fullname" . }}-general-config - - name: {{ include "common.fullname" . }}-rule-config - configMap: - defaultMode: 422 - name: {{ include "common.fullname" . }}-rule-config - - name: {{ include "common.fullname" . }}-env-config - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml b/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml deleted file mode 100644 index bd84c249c9..0000000000 --- a/kubernetes/holmes/components/holmes-rule-mgmt/values.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ -#============LICENSE_START======================================================== -# ================================================================================ -# Copyright (c) 2021 ZTE Corporation Intellectual Property. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration. -################################################################# -global: - nodePortPrefixExt: 302 - msbProtocol: https - msbServiceName: msb-iag - msbPort: 443 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/holmes/rule-management:11.0.0 -consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: holmes-rule-mgmt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: holmes-rule-mgmt - fqi: holmes-rule-mgmt@holmes-rule-mgmt.onap.org - fqi_namespace: org.onap.holmes-rule-mgmt - public_fqdn: holmes-rule-mgmt.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 . - -################################################################# -# Secrets metaconfig -################################################################# -secrets: -- uid: pg-user-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.pgConfig.dbUserCredsExternalSecret) . 
}}' - login: '{{ .Values.config.pgConfig.dbUser }}' - password: '{{ .Values.config.pgConfig.dbUserPassword }}' - -# application configuration -config: - logstashServiceName: log-ls - logstashPort: 5044 - # Addresses of other ONAP entities - address: - consul: - host: consul-server - port: 8500 - pgConfig: - dbName: defaultName - dbHost: defaultHost - dbPort: 1234 - dbUser: admin - dbUserPassword: admin - # dbUserCredsExternalSecret - -service: - type: NodePort - name: holmes-rule-mgmt - ports: - - name: https-rest - port: &svc_port 9101 - nodePort: 92 - - name: https-ui - port: 9104 - nodePort: 93 - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - port: *svc_port - periodSeconds: 10 - path: /api/holmes-rule-mgmt/v1/healthcheck - enabled: true - scheme: HTTPS - -readiness: - initialDelaySeconds: 30 - port: *svc_port - periodSeconds: 30 - path: /api/holmes-rule-mgmt/v1/healthcheck - scheme: HTTPS - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 250m - memory: 1024Mi - requests: - cpu: 250m - memory: 256Mi - large: - limits: - cpu: 500m - memory: 2Gi - requests: - cpu: 500m - memory: 512Mi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: holmes-rule-mgmt - roles: - - read diff --git a/kubernetes/holmes/values.yaml b/kubernetes/holmes/values.yaml deleted file mode 100644 index a536380bd5..0000000000 --- a/kubernetes/holmes/values.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 ZTE -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.0.0 - #Service Names of the postgres db to connect to. - #Override it to dbc-pg if localCluster is enabled. - postgres: - localCluster: false - service: - name: pgset - name2: &postgres tcp-pgset-primary - name3: tcp-pgset-replica - container: - name: postgres -secrets: -- uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-holmes-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "holmes-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootPassword }}' -- uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-holmes-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) 
(hasSuffix "holmes-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - - -################################################################# -# Application configuration defaults. -################################################################# -pullPolicy: IfNotPresent - -config: - logstashServiceName: log-ls - logstashPort: 5044 - -# application configuration override for postgres -postgres: - nameOverride: holmes-pg - service: - name: holmes-postgres - name2: &dbHost holmes-postgres-primary - name3: holmes-postgres-replica - container: - name: - primary: holmes-postgres-primary - replica: holmes-postgres-replica - config: - pgUserName: holmes - pgDatabase: &dbName holmes - pgUserExternalSecret: *pgUserCredsSecretName - pgRootPasswordExternalSecret: *pgRootPassSecretName - pgPort: &dbPort "5432" - persistence: - mountSubPath: holmes/data - mountInitPath: holmes - -postgres-init: - nameOverride: holmes-postgres-init - config: - pgUserName: holmes - pgDatabase: *dbName - pgDataPath: data - pgUserExternalSecret: *pgUserCredsSecretName - # pgPrimaryPassword: password - # pgUserPassword: password - # pgRootPassword: password - -holmes-engine-mgmt: - config: - pgConfig: - dbName: *dbName - # dbHost: *dbHost - dbHost: *postgres - dbPort: *dbPort - dbUserCredsExternalSecret: *pgUserCredsSecretName - -holmes-rule-mgmt: - config: - pgConfig: - dbName: *dbName - # dbHost: *dbHost - dbHost: *postgres - dbPort: *dbPort - dbUserCredsExternalSecret: *pgUserCredsSecretName - -# Resource Limit flavor -By Default using small -flavor: small diff --git a/kubernetes/log/.helmignore b/kubernetes/log/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/log/.helmignore +++ /dev/null 
@@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/log/Chart.yaml b/kubernetes/log/Chart.yaml deleted file mode 100644 index 16df2f8953..0000000000 --- a/kubernetes/log/Chart.yaml +++ /dev/null @@ -1,38 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging ElasticStack -name: log -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: log-elasticsearch - version: ~12.x-0 - repository: 'file://components/log-elasticsearch' - - name: log-kibana - version: ~12.x-0 - repository: 'file://components/log-kibana' - - name: log-logstash - version: ~12.x-0 - repository: 'file://components/log-logstash' diff --git a/kubernetes/log/components/log-elasticsearch/Chart.yaml b/kubernetes/log/components/log-elasticsearch/Chart.yaml deleted file mode 100644 index fad4c67e45..0000000000 
--- a/kubernetes/log/components/log-elasticsearch/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging Elasticsearch -name: log-elasticsearch -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/log/components/log-elasticsearch/resources/config/elasticsearch.yml b/kubernetes/log/components/log-elasticsearch/resources/config/elasticsearch.yml deleted file mode 100644 index d39fc97e0d..0000000000 --- a/kubernetes/log/components/log-elasticsearch/resources/config/elasticsearch.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# ======================== Elasticsearch Configuration ========================= -# -# NOTE: Elasticsearch comes with reasonable defaults for most settings. -# Before you set out to tweak and tune the configuration, make sure you -# understand what are you trying to accomplish and the consequences. -# -# The primary way of configuring a node is via this file. This template lists -# the most important settings you may want to configure for a production cluster. -# -# Please consult the documentation for further information on configuration options: -# https://www.elastic.co/guide/en/elasticsearch/reference/index.html -# -# ---------------------------------- Cluster ----------------------------------- -# -# Name of the Elasticsearch cluster. -# A node can only join a cluster when it shares its cluster.name with all the other nodes in the cluster. -# The default name is elasticsearch, but you should change it to an appropriate name which describes the -# purpose of the cluster. -# -cluster.name: "onap-log" -# -# The port that other nodes in the cluster should use when communicating with this node. -# Required for Elasticsearch's nodes running on different cluster nodes. 
-# More : https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html -#transport.publish_port:$transport.publish_port -# -# The host address to publish for nodes in the cluster to connect to. -# Required for Elasticsearch's nodes running on different cluster nodes. -# More : https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html -#transport.publish_host:$transport.publish_host -# -# ------------------------------------ Node ------------------------------------ -# -# It is better to provide different meaningfull names fot different elastic nodes. -# By default, Elasticsearch will take the 7 first character of the randomly generated uuid used as the node id. -# Note that the node id is persisted and does not change when a node restarts -# -#node.name: $node.name -# -# Add custom attributes to the node: -# -#node.attr.rack: r1 -# -# ----------------------------------- Paths ------------------------------------ -# -# The location of the data files of each index / shard allocated on the node. Can hold multiple locations separated by coma. -# In production, we should not keep this default to "/elasticsearch/data", as on upgrading Elasticsearch, directory structure -# may change & can deal to data loss. -path.data: /usr/share/elasticsearch/data -# -# Elasticsearch's log files location. In production, we should not keep this default to "/elasticsearch/logs", -# as on upgrading Elasticsearch, directory structure may change. -path.logs: /usr/share/elasticsearch/logs -# -# ----------------------------------- Memory ----------------------------------- -# -# It is vitally important to the health of your node that none of the JVM is ever swapped out to disk. -# Lock the memory on startup. -# -bootstrap.memory_lock: false -# -# Make sure that the heap size is set to about half the memory available -# on the system and that the owner of the process is allowed to use this -# limit. 
-# -# Elasticsearch performs poorly when the system is swapping the memory. -# -# ---------------------------------- Network ----------------------------------- -# -# Set the bind address to a specific IP (IPv4 or IPv6): -# In order to communicate and to form a cluster with nodes on other servers, your node will need to bind to a -# non-loopback address. -network.host: 0.0.0.0 -# -# Set a custom port for HTTP: If required, default is 9200-9300 -# -#http.port: $http.port -# -# For more information, consult the network module documentation. -# -# --------------------------------- Discovery ---------------------------------- -# -# Pass an initial list of hosts to perform discovery when new node is started -# To form a cluster with nodes on other servers, you have to provide a seed list of other nodes in the cluster -# that are likely to be live and contactable. -# By default, Elasticsearch will bind to the available loopback addresses and will scan ports 9300 to 9305 to try -# to connect to other nodes running on the same server. -# -#$discovery.zen.ping.unicast.hosts -# -# This setting tells Elasticsearch to not elect a master unless there are enough master-eligible nodes -# available. Only then will an election take place. -# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1): -discovery.zen.minimum_master_nodes: 1 -# -# For more information, consult the zen discovery module documentation. -# -# ---------------------------------- Gateway ----------------------------------- -# -# Block initial recovery after a full cluster restart until N nodes are started: -# -#gateway.recover_after_nodes: 3 -# -# For more information, consult the gateway module documentation. 
-# -# ---------------------------------- Various ----------------------------------- -# -# Require explicit names when deleting indices: -# -#action.destructive_requires_name: true -# Set a custom port for HTTP: If required, default is 9200-9300 -# This is used for REST APIs -http.port: {{.Values.service.externalPort}} -# Port to bind for communication between nodes. Accepts a single value or a range. -# If a range is specified, the node will bind to the first available port in the range. -# Defaults to 9300-9400. -# More info: -transport.tcp.port: {{.Values.service.externalPort2}} - -xpack.graph.enabled: false -#Set to false to disable X-Pack graph features. - -xpack.ml.enabled: false -#Set to false to disable X-Pack machine learning features. - -xpack.monitoring.enabled: false -#Set to false to disable X-Pack monitoring features. - -xpack.security.enabled: false -#Set to false to disable X-Pack security features. - -xpack.watcher.enabled: false -#Set to false to disable Watcher. diff --git a/kubernetes/log/components/log-elasticsearch/templates/NOTES.txt b/kubernetes/log/components/log-elasticsearch/templates/NOTES.txt deleted file mode 100644 index ab908cd309..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/log/components/log-elasticsearch/templates/configmap.yaml b/kubernetes/log/components/log-elasticsearch/templates/configmap.yaml deleted file mode 100644 index fe0349ede9..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/log/components/log-elasticsearch/templates/deployment.yaml b/kubernetes/log/components/log-elasticsearch/templates/deployment.yaml deleted file mode 100644 index b778af8564..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/deployment.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /bin/sh - - -c - - | - sysctl -w vm.max_map_count=262144 - mkdir -p /logroot/elasticsearch/logs - mkdir -p /logroot/elasticsearch/data - chmod -R 777 /logroot/elasticsearch - chown -R root:root /logroot - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - securityContext: - privileged: true - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: init-sysctl - volumeMounts: - - name: {{ include "common.fullname" . }}-logs - mountPath: /logroot/ - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.elasticRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - - containerPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} -# disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort2 }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/share/elasticsearch/config/elasticsearch.yml - name: {{ include "common.fullname" . }}-config - subPath: elasticsearch.yml - - mountPath: /usr/share/elasticsearch/data/ - name: {{ include "common.fullname" . }}-data - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-configmap - items: - - key: elasticsearch.yml - path: elasticsearch.yml - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-logs - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPathLogs }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
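Review bot: removing this Deployment does not undo what its privileged `init-sysctl` init container did on the nodes, and nothing in the visible change documents a cleanup. That container ran `chmod -R 777 /logroot/elasticsearch` against the `-logs` volume, which is a `hostPath`, so world-writable directories remain under the persistence mount path on any node that scheduled the pod. It also ran `sysctl -w vm.max_map_count=262144` from a privileged context, which changes the node's kernel setting rather than anything scoped to the pod. Suggest adding an operator note or cleanup step: remove or tighten the leftover host directories, and reset the sysctl if no other workload needs it. The commit message at the top of the page lists only the cnf-adapter update, so the removal of the log chart should be mentioned there or split into its own change.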
diff --git a/kubernetes/log/components/log-elasticsearch/templates/ingress.yaml b/kubernetes/log/components/log-elasticsearch/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/log/components/log-elasticsearch/templates/pv.yaml b/kubernetes/log/components/log-elasticsearch/templates/pv.yaml deleted file mode 100644 index 9d4093db11..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/pv.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-data - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} diff --git a/kubernetes/log/components/log-elasticsearch/templates/pvc.yaml b/kubernetes/log/components/log-elasticsearch/templates/pvc.yaml deleted file mode 100644 index 6ae4eea0d3..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/pvc.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- end -}} diff --git a/kubernetes/log/components/log-elasticsearch/templates/service.yaml b/kubernetes/log/components/log-elasticsearch/templates/service.yaml deleted file mode 100644 index 7736f0c9d7..0000000000 --- a/kubernetes/log/components/log-elasticsearch/templates/service.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name2 }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type2 }} - ports: - {{if eq .Values.service.type2 "NodePort" -}} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.name2 }} - {{- else -}} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/log/components/log-elasticsearch/values.yaml b/kubernetes/log/components/log-elasticsearch/values.yaml deleted file mode 100644 index 74cf4ed8c2..0000000000 --- a/kubernetes/log/components/log-elasticsearch/values.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# - -# application image -image: elasticsearch/elasticsearch:5.5.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -# Example: -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 120 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If 
defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - accessMode: ReadWriteOnce - size: 1Gi - mountPath: /dockerdata-nfs - mountSubPath: log/elasticsearch/data - mountSubPathLogs: log - -service: - type: NodePort - name: log-es - externalPort: 9200 - internalPort: 9200 - nodePort: 54 - type2: ClusterIP - name2: log-es-tcp - externalPort2: 9300 - internalPort2: 9300 - -ingress: - enabled: false - service: - - baseaddr: "log-es-api" - name: "log-es" - port: 9200 - config: - ssl: "none" -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 1 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/log/components/log-kibana/Chart.yaml b/kubernetes/log/components/log-kibana/Chart.yaml deleted file mode 100644 index fc557127ba..0000000000 --- a/kubernetes/log/components/log-kibana/Chart.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging Kibana -name: log-kibana -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/log/components/log-kibana/resources/config/README.txt b/kubernetes/log/components/log-kibana/resources/config/README.txt deleted file mode 100644 index 2863c1d5e5..0000000000 --- a/kubernetes/log/components/log-kibana/resources/config/README.txt +++ /dev/null @@ -1 +0,0 @@ -"kibana-onboarding.json" file contains initial setup of Kibana obtained using Elasticdump tool. \ No newline at end of file diff --git a/kubernetes/log/components/log-kibana/resources/config/kibana.yml b/kubernetes/log/components/log-kibana/resources/config/kibana.yml deleted file mode 100644 index 377f3c7b65..0000000000 --- a/kubernetes/log/components/log-kibana/resources/config/kibana.yml +++ /dev/null 
@@ -1,129 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -xpack.graph.enabled: false -#Set to false to disable X-Pack graph features. -xpack.ml.enabled: false -#Set to false to disable X-Pack machine learning features. -xpack.monitoring.enabled: false -#Set to false to disable X-Pack monitoring features. -xpack.reporting.enabled: false -#Set to false to disable X-Pack reporting features. -xpack.security.enabled: false -#Set to false to disable X-Pack security features. -xpack.watcher.enabled: false -#Set to false to disable Watcher. -# Kibana is served by a back end server. This setting specifies the port to use. -server.port: {{.Values.service.externalPort}} - -# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values. -# The default is 'localhost', which usually means remote machines will not be able to connect. -# To allow connections from remote users, set this parameter to a non-loopback address. -server.host: "0" - -# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects -# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests -# to Kibana. This setting cannot end in a slash. -#server.basePath: "" - -# The maximum payload size in bytes for incoming server requests. 
-#server.maxPayloadBytes: 1048576 - -# The Kibana server's name. This is used for display purposes. -server.name: "Kibana" - -# The URL of the Elasticsearch instance to use for all your queries. -elasticsearch.url: "http://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}:{{.Values.config.elasticsearchPort}}" -# When this setting's value is true Kibana uses the hostname specified in the server.host -# setting. When the value of this setting is false, Kibana uses the hostname of the host -# that connects to this Kibana instance. -#elasticsearch.preserveHost: true - -# Kibana uses an index in Elasticsearch to store saved searches, visualizations and -# dashboards. Kibana creates a new index if the index doesn't already exist. -#kibana.index: ".kibana" - -# The default application to load. -#kibana.defaultAppId: "discover" - -# If your Elasticsearch is protected with basic authentication, these settings provide -# the username and password that the Kibana server uses to perform maintenance on the Kibana -# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which -# is proxied through the Kibana server. -elasticsearch.username: "elastic" -elasticsearch.password: "changeme" -# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. -# These settings enable SSL for outgoing requests from the Kibana server to the browser. -#server.ssl.enabled: $server_ssl_enabled -#server.ssl.certificate: $server_ssl_certificate -#server.ssl.key: $server_ssl_key - -# Optional settings that provide the paths to the PEM-format SSL certificate and key files. -# These files validate that your Elasticsearch backend uses the same key files. -#elasticsearch.ssl.certificate: $elasticsearch_ssl_certificate -#elasticsearch.ssl.key: $elasticsearch_ssl_key - -# Optional setting that enables you to specify a path to the PEM file for the certificate -# authority for your Elasticsearch instance. 
-#elasticsearch.ssl.certificateAuthorities: $elasticsearch_ssl_certificateAuthorities - -# To disregard the validity of SSL certificates, change this setting's value to 'none'. -#elasticsearch.ssl.verificationMode: $elasticsearch_ssl_verificationMode - -# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of -# the elasticsearch.requestTimeout setting. -#elasticsearch.pingTimeout: 1500 - -# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value -# must be a positive integer. -#elasticsearch.requestTimeout: 30000 - -# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side -# headers, set this value to [] (an empty list). -#elasticsearch.requestHeadersWhitelist: [ authorization ] - -# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten -# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration. -#elasticsearch.customHeaders: {} - -# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable. -#elasticsearch.shardTimeout: 0 - -# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying. -#elasticsearch.startupTimeout: 5000 - -# Specifies the path where Kibana creates the process ID file. -#pid.file: /var/run/kibana.pid - -# Enables you specify a file where Kibana stores log output. -#logging.dest: stdout - -# Set the value of this setting to true to suppress all logging output. -#logging.silent: false - -# Set the value of this setting to true to suppress all logging output other than error messages. -#logging.quiet: false - -# Set the value of this setting to true to log all events, including system usage information -# and all requests. -#logging.verbose: false - -# Set the interval in milliseconds to sample system and process performance -# metrics. Minimum is 100ms. Defaults to 5000. 
-#ops.interval: 5000 - -# The default locale. This locale can be used in certain circumstances to substitute any missing -# translations. -#i18n.defaultLocale: "en" diff --git a/kubernetes/log/components/log-kibana/templates/NOTES.txt b/kubernetes/log/components/log-kibana/templates/NOTES.txt deleted file mode 100644 index f115eb6f23..0000000000 --- a/kubernetes/log/components/log-kibana/templates/NOTES.txt +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/log/components/log-kibana/templates/configmap.yaml b/kubernetes/log/components/log-kibana/templates/configmap.yaml deleted file mode 100644 index 3e98246df1..0000000000 --- a/kubernetes/log/components/log-kibana/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/log/components/log-kibana/templates/deployment.yaml b/kubernetes/log/components/log-kibana/templates/deployment.yaml deleted file mode 100644 index 5e3dc98f84..0000000000 --- a/kubernetes/log/components/log-kibana/templates/deployment.yaml +++ /dev/null 
@@ -1,117 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - log-elasticsearch - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - - args: - - --input=/config/kibana-onboarding.json - - --output=http://{{.Values.config.elasticsearchServiceName}}.{{ include "common.namespace" . }}:{{.Values.config.elasticsearchPort}}/.kibana - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.elasticdumpImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-elasticdump - volumeMounts: - - mountPath: /config/kibana-onboarding.json - name: {{ include "common.fullname" . }} - subPath: kibana-onboarding.json - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.elasticRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . | indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - readinessProbe: - httpGet: - path: "/" - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} -# disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: "/" - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{ end -}} - env: - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/share/kibana/config/ - name: {{ include "common.fullname" . }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }} - configMap: - name: {{ include "common.fullname" . }} - items: - - key: kibana.yml - path: kibana.yml - - key: kibana-onboarding.json - path: kibana-onboarding.json - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
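Review bot: the removal of the whole log-kibana Deployment in this hunk is not covered by the commit message, which describes only the cnf-adapter and cnfm-lcm update and the tracing changes; the message or the release notes should say that the log-kibana workload is being retired. The deleted pod spec had a readiness init container waiting on `log-elasticsearch` and an elasticdump init container writing to `http://{{.Values.config.elasticsearchServiceName}}...:{{.Values.config.elasticsearchPort}}/.kibana`, so the remaining charts and docs should be searched for references to the log-kibana and log-elasticsearch service names to make sure nothing still points at endpoints that no longer exist after this change.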
diff --git a/kubernetes/log/components/log-kibana/templates/ingress.yaml b/kubernetes/log/components/log-kibana/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/log/components/log-kibana/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/log/components/log-kibana/templates/service.yaml b/kubernetes/log/components/log-kibana/templates/service.yaml deleted file mode 100644 index c53dc03368..0000000000 --- a/kubernetes/log/components/log-kibana/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/log/components/log-kibana/values.yaml b/kubernetes/log/components/log-kibana/values.yaml deleted file mode 100644 index 276bfea3b7..0000000000 --- a/kubernetes/log/components/log-kibana/values.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# - -# Elasticdump image -elasticdumpImage: taskrabbit/elasticsearch-dump - -# application image -image: kibana/kibana:5.5.0 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - elasticsearchServiceName: log-es - elasticsearchPort: 9200 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 300 - periodSeconds: 10 - timeoutSeconds: 1 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 300 - periodSeconds: 10 - timeoutSeconds: 1 - -service: - #Example service definition with external, internal and node ports. - #Services may use any combination of ports depending on the 'type' of - #service being defined. 
- type: NodePort - name: log-kibana - externalPort: 5601 - internalPort: 5601 - nodePort: 53 - -ingress: - enabled: false - service: - - baseaddr: "log-kibana-ui" - name: "log-kibana" - port: 5601 - config: - ssl: "none" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - large: - limits: - cpu: 4 - memory: 8Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/log/components/log-logstash/Chart.yaml b/kubernetes/log/components/log-logstash/Chart.yaml deleted file mode 100644 index 0c51886c82..0000000000 --- a/kubernetes/log/components/log-logstash/Chart.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Logging Logstash -name: log-logstash -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/log/components/log-logstash/resources/config/logstash.yml b/kubernetes/log/components/log-logstash/resources/config/logstash.yml deleted file mode 100644 index 7c3bd8f851..0000000000 
--- a/kubernetes/log/components/log-logstash/resources/config/logstash.yml +++ /dev/null @@ -1,32 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -http.host: "0.0.0.0" -pipeline.workers: 3 -## Path where pipeline configurations reside -path.config: /usr/share/logstash/pipeline - -## Type of queue : memeory based or file based -#queue.type: persisted -## Size of queue -#queue.max_bytes: 1024mb -## Setting true makes logstash check periodically for change in pipeline configurations -config.reload.automatic: true - -## xpack configurations -#xpack.monitoring.elasticsearch.url: ["http://10.247.186.12:9200", "http://10.247.186.13:9200"] -#xpack.monitoring.elasticsearch.username: elastic -#xpack.monitoring.elasticsearch.password: changeme -xpack.monitoring.enabled: false diff --git a/kubernetes/log/components/log-logstash/resources/config/onap-pipeline.conf b/kubernetes/log/components/log-logstash/resources/config/onap-pipeline.conf deleted file mode 100644 index b224bf3173..0000000000 --- a/kubernetes/log/components/log-logstash/resources/config/onap-pipeline.conf +++ /dev/null 
@@ -1,276 +0,0 @@ -{{/* -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -input { - beats { - - ## Add a id to plugin configuration. Can be anything unique. - id => 'beats_plugin' - - ######## Connection configurations ######## - - ## The port to listen on. - port => {{.Values.service.externalPort}} - - ## Close Idle clients after the specified time in seconds. Default is 60 seconds - #client_inactivity_timeout => 60 - - ######## Security configurations ######## - - ## Enable encryption. Default false. - #ssl => $filebeat_ssl - - ## ssl certificate path. - #ssl_certificate => $filebeat_ssl_certificate - - ## SSL key to use. - #ssl_key => $filebeat_ssl_key - - ##SSL key passphrase to use. - #ssl_key_passphrase => $filebeat_ssl_key_passphrase - - ## Value can be any of: none, peer, force_peer. - #ssl_verify_mode => $filebeat_ssl_verify_mode - - ## Time in milliseconds for an incomplete ssl handshake to timeout. Default is 10000 ms. 
- #ssl_handshake_timeout => 10000 - include_codec_tag => false - } -} - - -filter { - grok { - break_on_match => false - match => { - "source" => ["/var/log/onap/(?[^/]+)/", - "/var/log/onap/%{GREEDYDATA:componentLogFile}" - ] - } - } - - # Filter for log4j xml events - if "" in [message] { - - #mutate { add_field => { "orgmsg_log4j" => "%{message}" } } # Copy of orginal msg for debug - - #Filter to parse xml event and retrieve data - xml { - source => "message" - store_xml => false - remove_namespaces => true - target => "xml_content" - xpath => [ "/event/message/text()", "logmsg" , - "/event/@logger", "Logger", - "/event/@timestamp", "Timestamp", - "/event/@level", "loglevel", - "/event/@thread", "Thread", - "/event/throwable/text()", "Exceptionthrowable", - "/event/NDC/text()", "NDCs", - "/event/properties/data/@name","mdcname", - "/event/properties/data/@value","mdcvalue"] - - } - - #Ruby filter to iterate and separate MDCs into documents - ruby { - code => ' - $i = 0 - $num = 0 - if event.get("[mdcname]") - $num = event.get("[mdcname]").length - end - if $num != 0 - until $i > $num do - if event.get("[mdcname]").at($i) and event.get("[mdcvalue]").at($i) - event.set(event.get("[mdcname]").at($i), event.get("[mdcvalue]").at($i)) - end - $i=$i+1 - end - end - ' - } - - #Validations - if [Exceptionthrowable] - { - mutate { - replace => { - "exceptionmessage" => "%{[Exceptionthrowable]}" - } - } - } - - if [NDCs] - { - mutate { - replace => { - "NDC" => "%{[NDCs]}" - } - } - } - - mutate { - replace => { - "Logger" =>"%{[Logger]}" - "logmsg" =>"%{[logmsg]}" - "Timestamp" =>"%{[Timestamp]}" - "loglevel" =>"%{[loglevel]}" - "message" => "%{logmsg}" - "Thread" => "%{[Thread]}" - } - remove_field => ["mdcname", "mdcvalue", "logmsg","Exceptionthrowable","NDCs"] - } - - if [Timestamp] - { - date { - match => ["Timestamp", "UNIX_MS"] - target => "Timestamp" - } - } - } - # Filter for logback events - else { - - #mutate { add_field => { "orgmsg" => "%{message}" } } # Copy 
of orginal msg for debug - - mutate { - gsub => [ - 'message', ' = ', '=', - 'message', '= ', '=null', - 'message', '=\t', '=null\t', #This null is followed by a tab - 'message', '\t$', '\t' - ] - } - # The grok below parses the message field for all current logback patterns used by oom components. - # Example logback pattern: %d{"yyyy-MM-dd'T'HH:mm:ss.SSSXXX", UTC}|%X{RequestId}|%msg - # Example grok pattern: %{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:message} - # Use the following command to find all logback patterns in oom directory: find oom -name "logback*xml" -exec grep "property.*attern.*value" {} \;|sort|uniq - grok { - match => { - "message" => [ - "%{TIMESTAMP_ISO8601:Timestamp}\\t[%{GREEDYDATA:Thread}]\\t%{GREEDYDATA:loglevel}\\t%{JAVACLASS:Logger}\\t%{GREEDYDATA:MDCs}\\t%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:BeginTimestamp}\|%{TIMESTAMP_ISO8601:EndTimestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:Unknown1}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:TargetEntity}\|%{GREEDYDATA:TargetServiceName}\|%{GREEDYDATA:StatusCode}\|%{GREEDYDATA:ResponseCode}\|%{GREEDYDATA:ResponseDesc}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{GREEDYDATA:Timer}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Unknown2}\|%{GREEDYDATA:Unknown3}\|%{GREEDYDATA:Unknown4}\|%{GREEDYDATA:TargetVirtualEntity}\|%{GREEDYDATA:Unknown5}\|%{GREEDYDATA:Unknown6}\|%{GREEDYDATA:Unknown7}\|%{GREEDYDATA:Unknown8}\|%{GREEDYDATA:message}", - 
"%{TIMESTAMP_ISO8601:BeginTimestamp}\|%{TIMESTAMP_ISO8601:EndTimestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:Unknown1}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:StatusCode}\|%{GREEDYDATA:ResponseCode}\|%{GREEDYDATA:ResponseDesc}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{GREEDYDATA:Timer}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Unknown2}\|%{GREEDYDATA:Unknown3}\|%{GREEDYDATA:Unknown4}\|%{GREEDYDATA:Unknown5}\|%{GREEDYDATA:Unknown6}\|%{GREEDYDATA:Unknown7}\|%{GREEDYDATA:Unknown8}\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:ServiceInstanceId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ServiceName}\|%{UUID:InstanceUUID}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:AlertSeverity}\|%{IP:ServerIPAddress}\|%{HOSTNAME:ServerFQDN}\|%{IPORHOST:RemoteHost}\|%{GREEDYDATA:Timer}\|\[%{GREEDYDATA:caller}\]\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{GREEDYDATA:RequestId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ServiceName}\|%{GREEDYDATA:PartnerName}\|%{GREEDYDATA:TargetEntity}\|%{GREEDYDATA:TargetServiceName}\|%{GREEDYDATA:loglevel}\|%{GREEDYDATA:ErrorCode}\|%{GREEDYDATA:ErrorDesc}\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{GREEDYDATA:RequestId}\|%{GREEDYDATA:Thread}\|%{GREEDYDATA:ClassName}\|%{GREEDYDATA:message}", - "%{TIMESTAMP_ISO8601:Timestamp}\|%{UUID:RequestId}\|%{GREEDYDATA:message}", - "\[%{TIMESTAMP_ISO8601:Timestamp}\|%{LOGLEVEL:loglevel}\|%{GREEDYDATA:Logger}\|%{GREEDYDATA:Thread}\] %{GREEDYDATA:message}" - ] - } - overwrite => ["message"] - } - # The MDCs are key value pairs that are seperated by "," or "\t". Extra space characters are trimmed from the keys and values. 
- kv { - source => "MDCs" - field_split => ",\t" - trim_key => "\s" - trim_value => "\s" - remove_field => [ "MDCs" ] - } - - if (![Timestamp] and [EndTimestamp]) { - mutate { add_field => { "Timestamp" => "%{EndTimestamp}" } } - } - date { - match => [ "Timestamp", "ISO8601", "yyyy-MM-dd HH:mm:ss,SSS" ] - target => "Timestamp" - } - - mutate { - remove_field => ["DuplicateRequestID", "Unknown1", "Unknown2", "Unknown3", "Unknown4", "Unknown5", "Unknown6", "Unknown7", "Unknown8"] - } - - if ([source] == "/var/log/onap/sdc/sdc-be/audit.log") { - #Parse kvps in message - kv { - field_split => "\s" - trim_key => "\s" - trim_value => "\s" - } - - #If Request Id is missing and DID is present use as RequestId - if (![RequestId] and [DID] =~ /.+/) { - mutate { add_field => { "RequestId" => "%{DID}" } } - } - } - - } #Close else statement for logback events -} #Close filter - - -output { - elasticsearch { - id => 'onap_es' - - ######### Security configurations ######### - - user => "elastic" - password => "changeme" - - ## The .cer or .pem file to validate the server's certificate - #cacert => $es_cacert - - ## The keystore used to present a certificate to the server. It can be either .jks or .p12 - #keystore => $es_keystore - #keystore_password => $es_keystore_password - - ## Enable SSL/TLS secured communication to Elasticsearch cluster. - ## Default is not set which in that case depends on the protocol specidfied in hosts list - #ssl => $es_ssl - - ## Option to validate the server's certificate. Default is true - #ssl_certificate_verification => $es_ssl_certificate_verification - - ## The JKS truststore to validate the server's certificate. - #truststore => $es_truststore - #truststore_password => $es_truststore_password - - - ######### Elasticsearchcluster and host configurations ######### - - ##can specify one or a list of hosts. 
If sniffing is set, one is enough and others will be auto-discovered - hosts => ["http://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}:{{.Values.config.elasticsearchPort}}"] - - - ## This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list. Default is false. - sniffing => true - - ## How long to wait, in seconds, between sniffing attempts. Default is 5 seconds. - #sniffing_delay => 5 - - ## Set the address of a forward HTTP proxy. - #proxy => $es_proxy - - ##Use this if you must run Elasticsearch behind a proxy that remaps the root path for the Elasticsearch HTTP API lives - #path => $es_path - - ######### Elasticsearch request configurations ######### - - ## This setting defines the maximum sized bulk request Logstash will make. - #flush_size => ? - - ######### Document configurations ######### - - index => "logstash-%{+YYYY.MM.dd}" - document_type => "logs" - - ## This can be used to associate child documents with a parent using the parent ID. - #parent => "abcd' - } -} - diff --git a/kubernetes/log/components/log-logstash/templates/NOTES.txt b/kubernetes/log/components/log-logstash/templates/NOTES.txt deleted file mode 100644 index f115eb6f23..0000000000 --- a/kubernetes/log/components/log-logstash/templates/NOTES.txt +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2018 AT&T, Amdocs, Bell Canada Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/log/components/log-logstash/templates/configmap.yaml b/kubernetes/log/components/log-logstash/templates/configmap.yaml deleted file mode 100644 index 3e98246df1..0000000000 --- a/kubernetes/log/components/log-logstash/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/log/components/log-logstash/templates/deployment.yaml b/kubernetes/log/components/log-logstash/templates/deployment.yaml deleted file mode 100644 index 92817fac88..0000000000 --- a/kubernetes/log/components/log-logstash/templates/deployment.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - log-elasticsearch - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.elasticRepository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ include "common.resources" . 
| indent 12 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - - containerPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} -# disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - env: - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/share/logstash/config/ - name: {{ include "common.fullname" . }}-config - - mountPath: /usr/share/logstash/pipeline/ - name: {{ include "common.fullname" . }}-pipeline - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }} - items: - - key: logstash.yml - path: logstash.yml - - name: {{ include "common.fullname" . }}-pipeline - configMap: - name: {{ include "common.fullname" . }} - items: - - key: onap-pipeline.conf - path: onap-pipeline.conf - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/log/components/log-logstash/templates/ingress.yaml b/kubernetes/log/components/log-logstash/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/log/components/log-logstash/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} 
diff --git a/kubernetes/log/components/log-logstash/templates/service.yaml b/kubernetes/log/components/log-logstash/templates/service.yaml deleted file mode 100644 index 7736f0c9d7..0000000000 --- a/kubernetes/log/components/log-logstash/templates/service.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name2 }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . 
}} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type2 }} - ports: - {{if eq .Values.service.type2 "NodePort" -}} - - port: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.name2 }} - {{- else -}} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.name2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/log/components/log-logstash/values.yaml b/kubernetes/log/components/log-logstash/values.yaml deleted file mode 100644 index 0ffb32aa68..0000000000 --- a/kubernetes/log/components/log-logstash/values.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Application configuration defaults. -################################################################# - -# application image -image: logstash/logstash:5.4.3 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - elasticsearchServiceName: log-es - elasticsearchPort: 9200 - -# default number of instances -# 30+ logs/sec will saturate a single node to 6+ vCores -replicaCount: 3 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - #Example service definition with external, internal and node ports. - #Services may use any combination of ports depending on the 'type' of - #service being defined. 
- type: NodePort - name: log-ls - externalPort: 5044 - internalPort: 5044 - nodePort: 55 - type2: ClusterIP - name2: log-ls-http - externalPort2: 9600 - internalPort2: 9600 -ingress: - enabled: false - service: - - baseaddr: "log-ls-api" - name: "log-ls" - port: 5044 - - baseaddr: "log-ls-http-api" - name: "log-ls" - port: 9600 - config: - ssl: "none" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 0.5 - memory: 1Gi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 2 - memory: 4Gi - unlimited: {} diff --git a/kubernetes/log/values.yaml b/kubernetes/log/values.yaml deleted file mode 100644 index ddcf5235cd..0000000000 --- a/kubernetes/log/values.yaml +++ /dev/null @@ -1,20 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 diff --git a/kubernetes/modeling/.helmignore b/kubernetes/modeling/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/modeling/.helmignore +++ /dev/null 
@@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/modeling/Chart.yaml b/kubernetes/modeling/Chart.yaml deleted file mode 100644 index c70962627a..0000000000 --- a/kubernetes/modeling/Chart.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Modeling (Modeling) -name: modeling -version: 12.0.0 - -dependencies: - - name: modeling-etsicatalog - version: ~12.x-0 - repository: 'file://components/modeling-etsicatalog' diff --git a/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml b/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml deleted file mode 100644 index a90c700a8e..0000000000 --- a/kubernetes/modeling/components/modeling-etsicatalog/Chart.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Modeling - Etsicatalog -name: modeling-etsicatalog -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: mariadb-galera - version: ~12.x-0 - repository: '@local' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~12.x-0 - repository: '@local' - condition: not global.mariadbGalera.localCluster - - name: readinessCheck - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml b/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml deleted file mode 100644 index 72eced7710..0000000000 --- a/kubernetes/modeling/components/modeling-etsicatalog/templates/deployment.yaml +++ /dev/null 
@@ -1,165 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - initContainers: - - command: - - /app/ready.py - args: - - -j - - "{{ include "common.release" . }}-{{ include "common.name" . }}-config-job" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-job-readiness - {{ if .Values.config.msb_enabled }} - {{ include "common.readinessCheck.waitFor" (dict "dot" . 
"wait_for" .Values.readinessCheck.wait_for.msb ) | indent 6 | trim }} - {{ end }} - - command: - - /bin/sh - - -c - - chown -R 1000:1000 /service/modeling/etsicatalog/static - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-init - volumeMounts: - - name: {{ include "common.fullname" . }}-etsicatalog - mountPath: /service/modeling/etsicatalog/static - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - {{- if and (include "common.needTLS" .) (eq .Values.config.ssl_enabled true) }} - - name: SSL_ENABLED - value: "true" - {{- else }} - - name: SSL_ENABLED - value: "false" - {{- end }} - - name: MSB_ENABLED - value: "{{ .Values.config.msb_enabled }}" - {{- if (include "common.needTLS" .) 
}} - - name: MSB_ADDR - value: "{{ .Values.config.msbProtocol }}s://{{ .Values.config.msbServiceName }}:{{ .Values.config.msbPort }}" - - name: SDC_ADDR - value: "{{ .Values.config.sdcProtocol }}s://{{ .Values.config.sdcServiceName }}:{{ .Values.config.sdcPort }}" - {{- else }} - - name: MSB_ADDR - value: "{{ .Values.config.msbProtocol }}://{{ .Values.config.msbServiceName }}:{{ .Values.config.msbPlainPort }}" - - name: SDC_ADDR - value: "{{ .Values.config.sdcProtocol }}://{{ .Values.config.sdcServiceName }}:{{ .Values.config.sdcPlainPort }}" - {{- end }} - - name: DMAAP_ENABLED - value: "{{ .Values.config.dmaap_enabled }}" - - name: DMAAP_ADDR - value: "{{ .Values.config.dmaapProtocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.config.dmaapServiceName }}:{{ .Values.config.dmaapPort }}" - - name: DB_IP - value: "{{ include "common.mariadbService" . }}" - - name: DB_PORT - value: "{{ include "common.mariadbPort" . }}" - - name: DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "modeling-db-secret" "key" "login") | indent 12 }} - - name: DB_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "modeling-db-secret" "key" "password") | indent 12 }} - volumeMounts: - - name: {{ include "common.fullname" . }}-etsicatalog - mountPath: /service/modeling/etsicatalog/static - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - - name: {{ include "common.fullname" . }}-logs - mountPath: {{ .Values.log.path }} - - name: {{ include "common.fullname" . }}-logconfig - mountPath: /opt/modeling/etsicatalog/config/log.yml - subPath: log.yml - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-etsicatalog - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: {{ include "common.fullname" . }}-logconfig - configMap: - name : {{ include "common.fullname" . }}-logging-configmap - - {{ include "common.log.volumes" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml b/kubernetes/modeling/components/modeling-etsicatalog/values.yaml deleted file mode 100644 index 21abce3dda..0000000000 --- a/kubernetes/modeling/components/modeling-etsicatalog/values.yaml +++ /dev/null 
@@ -1,193 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - - persistence: - mountPath: /dockerdata-nfs - - mariadbGalera: - #This flag allows Modeling to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - - centralizedLoggingEnabled: true - -readinessCheck: - wait_for: - msb: - name: msb - containers: - - msb-iag - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: modeling-db-secret - name: &dbSecretName '{{ include "common.release" . }}-modeling-db-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . 
}}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - -################################################################# -# Dependencies configuration -################################################################# - -mariadb-galera: - db: - externalSecret: *dbSecretName - name: &mysqlDbName etsicatalog - nameOverride: &modeling-db modeling-db - service: - name: *modeling-db - internalPort: 3306 - nfsprovisionerPrefix: modeling - persistence: - mountSubPath: modeling/data - enabled: true - disableNfsProvisioner: true - serviceAccount: - nameOverride: *modeling-db - -mariadb-init: - config: - userCredentialsExternalSecret: *dbSecretName - mysqlDatabase: *mysqlDbName - # nameOverride should be the same with common.name - nameOverride: modeling-etsicatalog - -################################################################# -# Application configuration defaults. -################################################################# -config: - #application configuration about msb - ssl_enabled: false - msb_enabled: false - msbProtocol: http - msbServiceName: msb-iag - msbPort: 443 - msbPlainPort: 80 - sdcProtocol: http - sdcServiceName: sdc-be - sdcPort: 8443 - sdcPlainPort: 8080 - dmaap_enabled: false - dmaapProtocol: http - dmaapServiceName: message-router-external - dmaapPort: 3905 - - #application configuration user password about mariadb - db: - userName: etsicatalog - # userPassword: password - # userCredentialsExternalSecret: some-secret - -# application image -flavor: small - -image: onap/modeling/etsicatalog:1.0.14 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # 
in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: modeling/etsicatalog - -service: - type: ClusterIP - name: modeling-etsicatalog - portName: http - externalPort: 8806 - internalPort: 8806 -# nodePort: 30806 - -ingress: - enabled: false - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 100m - memory: 250Mi - large: - limits: - cpu: 400m - memory: 1000Mi - requests: - cpu: 200m - memory: 500Mi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: modeling-etsicatalog - roles: - - read - -#Log configuration -log: - path: /var/log/onap diff --git a/kubernetes/msb/.helmignore b/kubernetes/msb/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/msb/.helmignore +++ /dev/null 
@@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/msb/Chart.yaml b/kubernetes/msb/Chart.yaml deleted file mode 100644 index 84b1a0f523..0000000000 --- a/kubernetes/msb/Chart.yaml +++ /dev/null @@ -1,45 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP MicroServices Bus -name: msb -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: kube2msb - version: ~12.x-0 - repository: 'file://components/kube2msb' - - name: msb-consul - version: ~12.x-0 - repository: 'file://components/msb-consul' - - name: msb-discovery - version: ~12.x-0 - repository: 'file://components/msb-discovery' - - name: msb-eag - version: ~12.x-0 - repository: 'file://components/msb-eag' - - name: msb-iag - version: ~12.x-0 - repository: 'file://components/msb-iag' - 
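Review bot: deleting `kubernetes/msb/Chart.yaml` removes the `msb` umbrella chart and all five of its `file://components/...` dependencies (kube2msb, msb-consul, msb-discovery, msb-eag, msb-iag) in one step, yet the commit message only describes the cnf-adapter and cnfm-lcm bump. Please either split the MSB removal into its own change or add a line for it to the commit message. Also confirm that no remaining chart still names these services: the etsicatalog values deleted earlier in this patch waited on container `msb-iag` and set `msbServiceName: msb-iag`, so other consumers of the same pattern are worth a grep before merge.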
diff --git a/kubernetes/msb/components/Makefile b/kubernetes/msb/components/Makefile deleted file mode 100644 index 9544d70f33..0000000000 --- a/kubernetes/msb/components/Makefile +++ /dev/null @@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
diff --git a/kubernetes/msb/components/kube2msb/Chart.yaml b/kubernetes/msb/components/kube2msb/Chart.yaml deleted file mode 100644 index b72e4fb921..0000000000 --- a/kubernetes/msb/components/kube2msb/Chart.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: v2 -description: ONAP MicroServices Bus Kube2MSB Registrator -name: kube2msb -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/msb/components/kube2msb/templates/deployment.yaml b/kubernetes/msb/components/kube2msb/templates/deployment.yaml deleted file mode 100644 index ed99deea43..0000000000 --- a/kubernetes/msb/components/kube2msb/templates/deployment.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - serviceAccountName: msb - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - msb-discovery - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: KUBE_MASTER_URL - value: {{ .Values.config.kubeMasterUrl }} - - name: MSB_URL - value: {{tpl $.Values.config.discoveryUrl .}} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/msb/components/kube2msb/values.yaml b/kubernetes/msb/components/kube2msb/values.yaml deleted file mode 100644 index d2a0a15f49..0000000000 --- a/kubernetes/msb/components/kube2msb/values.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/oom/kube2msb:1.2.6 -pullPolicy: Always -istioSidecar: true - -# application configuration -config: - routeLabels: "visualRange:1" - kubeMasterUrl: https://kubernetes.default:443 - discoveryUrl: http://msb-discovery.{{include "common.namespace" .}}:10081 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: {} - -readiness: {} - -service: {} - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 500m - memory: 500Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 1 - memory: 1Gi - unlimited: {} diff --git a/kubernetes/msb/components/msb-consul/Chart.yaml b/kubernetes/msb/components/msb-consul/Chart.yaml deleted file mode 100644 index d75b7292e0..0000000000 
--- a/kubernetes/msb/components/msb-consul/Chart.yaml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: v2 -description: ONAP MicroServices Bus Consul -name: msb-consul -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/msb/components/msb-consul/templates/deployment.yaml b/kubernetes/msb/components/msb-consul/templates/deployment.yaml deleted file mode 100644 index d03829d89d..0000000000 --- a/kubernetes/msb/components/msb-consul/templates/deployment.yaml +++ /dev/null 
@@ -1,97 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - securityContext: - runAsUser: {{ .Values.securityContext.runAsUser }} - runAsGroup: {{ .Values.securityContext.runAsGroup }} - command: - - docker-entrypoint.sh - args: - - "agent" - - "-dev" - - "-client" - - "0.0.0.0" - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/bin/docker-entrypoint.sh - name: entrypoint - subPath: docker-entrypoint.sh - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: entrypoint - configMap: - name: {{ include "common.fullname" . }}-entrypoint - defaultMode: 0777 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/msb/components/msb-consul/templates/ingress.yaml b/kubernetes/msb/components/msb-consul/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 
--- a/kubernetes/msb/components/msb-consul/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/msb/components/msb-consul/values.yaml b/kubernetes/msb/components/msb-consul/values.yaml deleted file mode 100644 index 01f246689f..0000000000 --- a/kubernetes/msb/components/msb-consul/values.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: library/consul:1.4.3 -pullPolicy: Always -istioSidecar: true - -# application configuration -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: msb-consul - externalPort: 8500 - internalPort: 8500 - nodePort: 85 - -ingress: - enabled: false - service: - - baseaddr: "msb-consul-api" - name: "msb-consul" - port: 8500 - config: - ssl: "none" - -flavor: small - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 20m - memory: 100Mi - requests: - cpu: 10m - memory: 50Mi - large: - limits: - cpu: 40m - memory: 200Mi - requests: - cpu: 20m - memory: 100Mi - unlimited: {} 
- -securityContext: - fsGroup: 1000 - runAsUser: 100 - runAsGroup: 1000 - -#Pods Service Account -serviceAccount: - nameOverride: msb-consul - roles: - - read diff --git a/kubernetes/msb/components/msb-discovery/Chart.yaml b/kubernetes/msb/components/msb-discovery/Chart.yaml deleted file mode 100644 index a29970ae35..0000000000 --- a/kubernetes/msb/components/msb-discovery/Chart.yaml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: v2 -description: ONAP MicroServices Bus Discovery -name: msb-discovery -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/msb/components/msb-discovery/templates/deployment.yaml b/kubernetes/msb/components/msb-discovery/templates/deployment.yaml deleted file mode 100644 index d9f902be4d..0000000000 --- a/kubernetes/msb/components/msb-discovery/templates/deployment.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - msb-consul - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: CONSUL_IP - value: msb-consul.{{ include "common.namespace" . }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/discover-works/logs - name: {{ include "common.fullname" . }}-logs - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # Filebeat sidecar container - {{ include "common.log.sidecar" . | nindent 8 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-log-conf - configMap: - name: {{ include "common.fullname" . }}-log - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/msb/components/msb-discovery/templates/ingress.yaml b/kubernetes/msb/components/msb-discovery/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/msb/components/msb-discovery/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/msb/components/msb-discovery/values.yaml b/kubernetes/msb/components/msb-discovery/values.yaml deleted file mode 100644 index 678dde79fa..0000000000 --- a/kubernetes/msb/components/msb-discovery/values.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/msb/msb_discovery:1.3.0 -pullPolicy: Always -istioSidecar: true - -# application configuration -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: msb-discovery - externalPort: 10081 - internalPort: 10081 - nodePort: 81 - -ingress: - enabled: false - service: - - baseaddr: "msb-discovery-api" - name: "msb-discovery" - port: 10081 - config: - ssl: "none" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 400m - memory: 400Mi - requests: - cpu: 200m - memory: 200Mi - large: - 
limits: - cpu: 800m - memory: 800Mi - requests: - cpu: 400m - memory: 400Mi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: msb-discovery - roles: - - read - -#Logs configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/msb/components/msb-eag/.helmignore b/kubernetes/msb/components/msb-eag/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/msb/components/msb-eag/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/msb/components/msb-eag/Chart.yaml b/kubernetes/msb/components/msb-eag/Chart.yaml deleted file mode 100644 index 55dd2401c7..0000000000 --- a/kubernetes/msb/components/msb-eag/Chart.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: v2 -description: ONAP MicroServices Bus Internal API Gateway -name: msb-eag -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf deleted file mode 100644 index 70125753ed..0000000000 --- a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# -# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -*/}} -server { - listen 443 ssl; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; - include ../msb-enabled/location-default/msblocations.conf; - # Add below settings for making SDC to work - underscores_in_headers on; -} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-eag/templates/configmap.yaml b/kubernetes/msb/components/msb-eag/templates/configmap.yaml deleted file mode 100644 index 30c0a80209..0000000000 --- a/kubernetes/msb/components/msb-eag/templates/configmap.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-log - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} diff --git a/kubernetes/msb/components/msb-eag/templates/deployment.yaml b/kubernetes/msb/components/msb-eag/templates/deployment.yaml deleted file mode 100644 index c6cf2d150d..0000000000 --- a/kubernetes/msb/components/msb-eag/templates/deployment.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - - command: - - /app/ready.py - args: - - --container-name - - msb-discovery - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{- include "common.containerPorts" . 
| indent 10 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: CONSUL_IP - value: msb-consul.{{ include "common.namespace" . }} - - name: SDCLIENT_IP - value: msb-discovery.{{ include "common.namespace" . }} - - name: ROUTE_LABELS - value: {{ .Values.config.routeLabels }} - volumeMounts: - {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/apiroute-works/logs - name: {{ include "common.fullname" . }}-logs - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf - name: {{ include "common.fullname" . }}-nginx-conf - subPath: msbhttps.conf - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - - name: {{ include "common.fullname" . 
}}-log-conf - configMap: - name: {{ include "common.fullname" . }}-log - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.fullname" . }}-nginx-conf - configMap: - name: {{ include "common.fullname" . }}-nginx - {{- end }} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/msb/components/msb-eag/templates/ingress.yaml b/kubernetes/msb/components/msb-eag/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/msb/components/msb-eag/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml deleted file mode 100644 index 1c3f3131d6..0000000000 --- a/kubernetes/msb/components/msb-eag/values.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: msb-eag-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: msb-eag - fqi: msb-eag@msb-eag.onap.org - fqi_namespace: org.onap.msb-eag - public_fqdn: msb-eag.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/msb/msb_apigateway:1.4.0 -pullPolicy: Always -istioSidecar: true - -# application configuration -config: - routeLabels: "visualRange:0" - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: msb-eag - both_tls_and_plain: true - # for liveness and readiness probe only - # internalPort: - internalPort: 443 - internalPlainPort: 80 - ports: - - name: msb-eag - port: 443 - plain_port: 80 - port_protocol: http - nodePort: '84' - -ingress: - enabled: false - service: - - baseaddr: "msb-eag-ui" - name: "msb-eag" - port: 443 - plain_port: 80 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 100m - memory: 200Mi - large: - limits: - cpu: 400m - memory: 800Mi - requests: - cpu: 200m - memory: 400Mi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: msb-eag - roles: - - read - -#Logs configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/msb/components/msb-iag/.helmignore b/kubernetes/msb/components/msb-iag/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/msb/components/msb-iag/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/msb/components/msb-iag/Chart.yaml b/kubernetes/msb/components/msb-iag/Chart.yaml deleted file mode 100644 index d015cceee5..0000000000 --- a/kubernetes/msb/components/msb-iag/Chart.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -apiVersion: v2 -description: ONAP MicroServices Bus Internal API Gateway -name: msb-iag -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf deleted file mode 100644 index 70125753ed..0000000000 --- a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf +++ /dev/null 
@@ -1,28 +0,0 @@ -{{/* -# -# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -*/}} -server { - listen 443 ssl; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_protocols TLSv1.1 TLSv1.2; - ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; - include ../msb-enabled/location-default/msblocations.conf; - # Add below settings for making SDC to work - underscores_in_headers on; -} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-iag/templates/configmap.yaml b/kubernetes/msb/components/msb-iag/templates/configmap.yaml deleted file mode 100644 index 30c0a80209..0000000000 --- a/kubernetes/msb/components/msb-iag/templates/configmap.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-log - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-nginx - namespace: {{ include "common.namespace" . }} -data: -{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} diff --git a/kubernetes/msb/components/msb-iag/templates/deployment.yaml b/kubernetes/msb/components/msb-iag/templates/deployment.yaml deleted file mode 100644 index c6cf2d150d..0000000000 --- a/kubernetes/msb/components/msb-iag/templates/deployment.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - - command: - - /app/ready.py - args: - - --container-name - - msb-discovery - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{- include "common.containerPorts" . 
| indent 10 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: CONSUL_IP - value: msb-consul.{{ include "common.namespace" . }} - - name: SDCLIENT_IP - value: msb-discovery.{{ include "common.namespace" . }} - - name: ROUTE_LABELS - value: {{ .Values.config.routeLabels }} - volumeMounts: - {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/apiroute-works/logs - name: {{ include "common.fullname" . }}-logs - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf - name: {{ include "common.fullname" . }}-nginx-conf - subPath: msbhttps.conf - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - - name: {{ include "common.fullname" . 
}}-log-conf - configMap: - name: {{ include "common.fullname" . }}-log - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.fullname" . }}-nginx-conf - configMap: - name: {{ include "common.fullname" . }}-nginx - {{- end }} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/msb/components/msb-iag/templates/ingress.yaml b/kubernetes/msb/components/msb-iag/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/msb/components/msb-iag/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml deleted file mode 100644 index 4bb772da16..0000000000 --- a/kubernetes/msb/components/msb-iag/values.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada , ZTE -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: msb-iag-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: msb-iag - fqi: msb-iag@msb-iag.onap.org - fqi_namespace: org.onap.msb-iag - public_fqdn: msb-iag.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - mkdir -p {{ .Values.credsPath }}/certs - echo "*** retrieve certificate from pkcs12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key to relevant place" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership and read/write attributes" - chown -R 1000 {{ .Values.credsPath }}/certs - chmod 600 {{ .Values.credsPath }}/certs/cert.crt - chmod 600 {{ .Values.credsPath }}/certs/cert.key - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/msb/msb_apigateway:1.4.0 -pullPolicy: Always -istioSidecar: true - -# application configuration -config: - routeLabels: "visualRange:1" - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: msb-iag - both_tls_and_plain: true - # for liveness and readiness probe only - # internalPort: - internalPort: 443 - internalPlainPort: 80 - ports: - - name: msb-iag - port: 443 - plain_port: 80 - port_protocol: http - nodePort: '83' - -ingress: - enabled: false - service: - - baseaddr: "msb-iag-ui" - name: "msb-iag" - port: 443 - plain_port: 80 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 100m - memory: 400Mi - requests: - cpu: 50m - memory: 200Mi - large: - limits: - cpu: 200m - memory: 800Mi - requests: - cpu: 100m - memory: 400Mi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: msb-iag - roles: - - read - -#Logs configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/multicloud/Chart.yaml b/kubernetes/multicloud/Chart.yaml index 2b49b60025..89bdbe7c42 100644 --- a/kubernetes/multicloud/Chart.yaml +++ b/kubernetes/multicloud/Chart.yaml 
@@ -2,6 +2,7 @@ # Modifications Copyright © 2018 AT&T # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,43 +19,23 @@ apiVersion: v2 description: ONAP multicloud broker name: multicloud -version: 12.0.0 +version: 15.0.3 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: multicloud-fcaps - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-fcaps' condition: multicloud-fcaps.enabled - name: multicloud-k8s - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/multicloud-k8s' condition: multicloud-k8s.enabled - - name: multicloud-pike - version: ~12.x-0 - repository: 'file://components/multicloud-pike' - condition: multicloud-pike.enabled - - name: multicloud-prometheus - version: ~12.x-0 - repository: 'file://components/multicloud-prometheus' - condition: multicloud-prometheus.enabled - - name: multicloud-starlingx - version: ~12.x-0 - repository: 'file://components/multicloud-starlingx' - condition: multicloud-starlingx.enabled - - name: multicloud-vio - version: ~12.x-0 - repository: 'file://components/multicloud-vio' - condition: multicloud-vio.enabled - - name: multicloud-windriver - version: ~12.x-0 - repository: 'file://components/multicloud-windriver' - condition: multicloud-windriver.enabled - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml index 3378830f3e..64c8d5a7fe 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml 
+++ b/kubernetes/multicloud/components/multicloud-fcaps/Chart.yaml @@ -1,5 +1,6 @@ # Copyright (c) 2019, CMCC Technologies Co., Ltd. # Modifications Copyright © 2021 Orange +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,15 +17,15 @@ apiVersion: v2 description: ONAP multicloud OpenStack fcaps Plugin name: multicloud-fcaps -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml index 2750f5f145..7c850a4463 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/templates/deployment.yaml 
@@ -16,91 +16,73 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - containers: - - env: - - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: SSL_ENABLED - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}" - name: {{ include "common.name" . 
}} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: fcaps-log - - mountPath: /opt/fcaps/fcaps/pub/config/log.yml - name: fcaps-logconfig - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - httpGet: - path: /api/multicloud-fcaps/v1/healthcheck - port: {{ .Values.service.internalPort }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.rabbitmq }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: rabbit-mq - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: memcached - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: fcaps-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 5 }} - - name: fcaps-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . 
}}-docker-registry-key" - restartPolicy: Always + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: SSL_ENABLED + value: "false" + name: {{ include "common.name" . }} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: fcaps-log + - mountPath: /opt/fcaps/fcaps/pub/config/log.yml + name: fcaps-logconfig + subPath: log.yml + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + httpGet: + path: /api/multicloud-fcaps/v1/healthcheck + port: {{ .Values.service.internalPort }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + # side car containers + {{ include "common.log.sidecar" . | nindent 6 }} + - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.rabbitmq }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: rabbit-mq + - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: memcached + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: fcaps-log + emptyDir: {} + {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 6 }} + - name: fcaps-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-fcaps/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-fcaps/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-fcaps/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml b/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml index e73a942172..ce6f1479bd 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml 
+++ b/kubernetes/multicloud/components/multicloud-fcaps/templates/service.yaml 
@@ -1,62 +1,18 @@ {{/* # Copyright (c) 2019, CMCC Technologies Co., Ltd. -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-fcaps", - "version": "v0", - "url": "/api/multicloud-fcaps/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) 
}}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-fcaps", - "version": "v1", - "url": "/api/multicloud-fcaps/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/components/multicloud-fcaps/values.yaml b/kubernetes/multicloud/components/multicloud-fcaps/values.yaml index b9e90af1ef..f6adfba5ae 100644 --- a/kubernetes/multicloud/components/multicloud-fcaps/values.yaml +++ b/kubernetes/multicloud/components/multicloud-fcaps/values.yaml @@ -30,13 +30,10 @@ istioSidecar: true # application configuration config: - ssl_enabled: true msbgateway: msb-iag - msbPort: 443 - msbPlainPort: 80 + msbPort: 80 aai: - aaiPort: 8443 - aaiPlainPort: 8080 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI 
@@ -58,15 +55,42 @@ liveness: enabled: true service: - type: ClusterIP - name: multicloud-fcaps - portName: http - externalPort: 9011 + type: NodePort internalPort: 9011 - nodePort: 87 + ports: + - name: http + port: 9011 + nodePort: '87' + useNodePortExt: true + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-fcaps", + "version": "v0", + "url": "/api/multicloud-fcaps/v0", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + }, + { + "serviceName": "multicloud-fcaps", + "version": "v1", + "url": "/api/multicloud-fcaps/v1", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} ingress: enabled: false + service: + - baseaddr: 'multicloud-fcaps-api' + name: 'multicloud-fcaps' + port: 9011 # Resource Limit flavor -By Default using small flavor: small @@ -74,18 +98,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} # rabbit-mq image resource diff --git a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml index faf9ebfe0b..9e56446a56 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/Chart.yaml @@ -1,6 +1,7 @@ # Copyright 2019 Intel Corporation, Inc # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,24 +18,24 @@ apiVersion: v2 description: ONAP Multicloud Kubernetes Plugin name: multicloud-k8s -version: 12.0.0 +version: 13.1.3 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: mongo - version: ~12.x-0 + - name: mongodb + version: ~16.5.x-0 repository: '@local' - name: etcd - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json b/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json index 4a08322634..54b2b0e12b 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json +++ b/kubernetes/multicloud/components/multicloud-k8s/resources/config/config.json @@ -44,8 +44,10 @@ "CLOUD_TECHNOLOGY_SPECIFIC_ARTIFACT", "HELM" ], - "consumerGroup": "{{ .Values.config.kafka.sdcTopic.consumerGroup }}", - "consumerId": "{{ .Values.config.kafka.sdcTopic.clientId }}", + {{- with (first .Values.kafkaUser.acls) }} + "consumerGroup": "{{ .name }}", + "consumerId": "{{ .name }}-k8s", + {{- end }} "environmentName": "AUTO", "keystorePath": "null", "keystorePassword": "null", diff --git a/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json b/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json index d6fa40d471..08c228f2eb 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json +++ b/kubernetes/multicloud/components/multicloud-k8s/resources/config/k8sconfig.json 
@@ -8,4 +8,4 @@ "database-address": "multicloud-k8s-mongo", "etcd-ip": "multicloud-k8s-etcd", "plugin-dir": "/opt/multicloud/k8splugin/plugins" -} \ No newline at end of file +} diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml index 45494e1730..6ed5dee8ee 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright 2019 Intel Corporation, Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,33 +17,22 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }} command: ["/opt/multicloud/k8splugin/k8plugin"] workingDir: /opt/multicloud/k8splugin - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: 
@@ -56,14 +46,12 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/multicloud/k8splugin/k8sconfig.json - name: {{ include "common.name" .}} - subPath: k8sconfig.json - resources: -{{ include "common.resources" . | indent 10 }} + - mountPath: /tmp + name: tmp-dir-k8s + - mountPath: /opt/multicloud/k8splugin/k8sconfig.json + name: {{ include "common.name" .}} + subPath: k8sconfig.json + resources: {{ include "common.resources" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} 
@@ -77,31 +65,54 @@ spec: name: framework-artifactbroker command: ["/opt/app/distribution/bin/artifact-dist.sh"] args: ["/opt/app/distribution/etc/mounted/config.json"] + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: {{ include "common.resources" . | nindent 10 }} ports: - containerPort: {{ .Values.artifactbroker.internalPort }} protocol: TCP + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.artifactbroker.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.artifactbroker.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: + - mountPath: /tmp + name: tmp-dir-broker + - mountPath: "{{ .Values.log.path }}" + name: framework-log - mountPath: /opt/app/distribution/etc/mounted/config.json name: {{ include "common.name" .}} subPath: config.json - mountPath: /data name: artifact-data env: - - name: SECURITY_PROTOCOL - value: {{ .Values.config.kafka.securityProtocol }} - - name: SASL_MECHANISM - value: {{ .Values.config.kafka.saslMechanism }} - name: SASL_JAAS_CONFIG - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "multicloud-k8s-sdc-kafka-secret" "key" "sasl.jaas.config") | indent 10 }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime + - name: tmp-dir-k8s + emptyDir: + sizeLimit: {{ .Values.volumes.tmpK8SSizeLimit }} + - name: tmp-dir-broker + emptyDir: + sizeLimit: {{ .Values.volumes.tmpBrokerSizeLimit }} + - name: framework-log + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} - name : {{ include "common.name" . 
}} configMap: name: {{ include "common.fullname" . }} - name: artifact-data - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + emptyDir: + sizeLimit: {{ .Values.volumes.artifactDataSizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/ingress.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/kafkauser.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/kafkauser.yaml new file mode 100644 index 0000000000..324a068cf0 --- /dev/null +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2022-23 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/multicloud-k8s-sdc-list-kafka-user.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/multicloud-k8s-sdc-list-kafka-user.yaml deleted file mode 100644 index 7600facb08..0000000000 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/multicloud-k8s-sdc-list-kafka-user.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.global.multicloudK8sKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: {{ .Values.config.kafka.saslMechanism | lower }} - authorization: - type: {{ .Values.config.kafka.authType }} - acls: - - resource: - type: group - name: {{ .Values.config.kafka.sdcTopic.consumerGroup }} - operation: All - - resource: - type: topic - patternType: prefix - name: {{ .Values.config.kafka.sdcTopic.pattern }} - operation: All diff --git a/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml b/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml index b2b39db899..dc9695266a 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright 2019 Intel Corporation, Inc +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,39 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-k8s", - "version": "v1", - "url": "/", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.PortName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/components/multicloud-k8s/values.yaml b/kubernetes/multicloud/components/multicloud-k8s/values.yaml index cae151ae58..02509e6d7a 100644 --- a/kubernetes/multicloud/components/multicloud-k8s/values.yaml +++ b/kubernetes/multicloud/components/multicloud-k8s/values.yaml @@ -1,4 +1,5 @@ # Copyright 2019 Intel Corporation, Inc +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,20 +19,16 @@ global: nodePortPrefixExt: 304 persistence: {} - artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 - multicloudK8sKafkaUser: mc-k8s-sdc-list-kafka-user - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: multicloud-k8s-sdc-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate + artifactImage: onap/multicloud/framework-artifactbroker:1.9.2 + # Docker Repository used by RepositoryGenerator + dockerHubRepository: docker.io + # Additions for MongoDB**************************** + # If dockerHubRepository is changes the following entry needs + # to be changed as well + imageRegistry: docker.io + imagePullSecrets: + - '{{ include "common.names.namespace" . }}-docker-registry-key' + # ************************************************* ################################################################# # Application configuration defaults. @@ -40,16 +37,16 @@ secrets: image: onap/multicloud/k8s:0.10.1 pullPolicy: Always -config: - someConfig: blah - kafka: - securityProtocol: SASL_PLAINTEXT - saslMechanism: SCRAM-SHA-512 - authType: simple - sdcTopic: - pattern: SDC-DIST - consumerGroup: multicloud - clientId: multicloud-k8s +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: multicloud + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] # flag to enable debugging - application support required debugEnabled: false @@ -63,6 +60,16 @@ nodeSelector: {} affinity: {} +securityContext: + user_id: 999 + group_id: 999 + +volumes: + tmpK8SSizeLimit: 100Mi + tmpBrokerSizeLimit: 100Mi + artifactDataSizeLimit: 100Mi + logSizeLimit: 100Mi + # probe configuration parameters liveness: initialDelaySeconds: 10 
@@ -74,55 +81,81 @@ liveness: readiness: initialDelaySeconds: 10 periodSeconds: 30 + enabled: true service: - type: ClusterIP - name: multicloud-k8s - portName: http + type: NodePort internalPort: 9015 - externalPort: 9015 - nodePort: 98 + ports: + - name: http + port: 9015 + nodePort: '98' + useNodePortExt: true + annotations: + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "multicloud-k8s", + "version": "v1", + "url": "/", + "protocol": "REST", + "port": "{{ .Values.service.internalPort }}", + "enable_ssl": false, + "visualRange": "1" + } + ]{{ end }} + +ingress: + enabled: false + service: + - baseaddr: 'multicloud-k8s-api' + name: 'multicloud-k8s' + port: 9015 #Mongo chart overrides for k8splugin -mongo: +mongodb: nameOverride: multicloud-k8s-mongo service: - name: multicloud-k8s-mongo - internalPort: 27017 - nfsprovisionerPrefix: multicloud-k8s - sdnctlPrefix: multicloud-k8s + nameOverride: multicloud-k8s-mongo + port: 27017 + auth: + enabled: false + resources: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "500m" + memory: "2Gi" + +#etcd chart overrides for k8splugin +etcd: + nameOverride: multicloud-k8s-etcd + service: + name: multicloud-k8s-etcd + clientPortName: tcp-etcd-client + peerPortName: tcp-etcd-server persistence: - mountSubPath: multicloud-k8s/mongo/data + mountSubPath: multicloud-k8s/etcd/data enabled: true - disableNfsProvisioner: true - flavor: &storage_flavor large - resources: &storage_resources + flavor: large + resources: small: limits: - cpu: 100m - memory: 300Mi + cpu: "100m" + memory: "300Mi" requests: - cpu: 10m - memory: 75Mi + cpu: "10m" + memory: "70Mi" large: limits: - cpu: 200m - memory: 1Gi + cpu: "200m" + memory: "1Gi" requests: - cpu: 50m - memory: 300Mi + cpu: "50m" + memory: "300Mi" unlimited: {} -#etcd chart overrides for k8splugin -etcd: - nameOverride: multicloud-k8s-etcd - service: - name: multicloud-k8s-etcd - persistence: - mountSubPath: multicloud-k8s/etcd/data - 
enabled: true - flavor: *storage_flavor - resources: *storage_resources # No persistence right now as we rely on Mongo to handle that persistence: @@ -133,9 +166,6 @@ persistence: mountPath: /dockerdata-nfs mountSubPath: multicloud-k8s/data -ingress: - enabled: false - artifactbroker: internalPort: 9014 @@ -144,18 +174,18 @@ flavor: large resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "400m" + memory: "500Mi" requests: - cpu: 10m - memory: 10Mi + cpu: "10m" + memory: "10Mi" large: limits: - cpu: 400m - memory: 1Gi + cpu: "600m" + memory: "1Gi" requests: - cpu: 10m - memory: 100Mi + cpu: "10m" + memory: "100Mi" unlimited: {} #Pods Service Account @@ -163,3 +193,7 @@ serviceAccount: nameOverride: multicloud-k8s roles: - read + +#Log configuration +log: + path: /var/log/onap diff --git a/kubernetes/multicloud/components/multicloud-pike/.helmignore b/kubernetes/multicloud/components/multicloud-pike/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/multicloud/components/multicloud-pike/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/multicloud/components/multicloud-pike/Chart.yaml b/kubernetes/multicloud/components/multicloud-pike/Chart.yaml deleted file mode 100644 index fd844694d1..0000000000 --- a/kubernetes/multicloud/components/multicloud-pike/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright (c) 2018 Intel Corporation. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP multicloud OpenStack Pike Plugin -name: multicloud-pike -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml deleted file mode 100644 index 3174dae242..0000000000 --- a/kubernetes/multicloud/components/multicloud-pike/templates/deployment.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -{{/* -# Copyright (c) 2018 Intel Corporation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - containers: - - env: - - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) 
}}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: SSL_ENABLED - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}" - name: {{ include "common.name" . }} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: pike-log - - mountPath: /opt/pike/pike/pub/config/log.yml - name: pike-logconfig - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/sh"] - args: ["-c", "/bin/sh /opt/pike/run.sh"] - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - httpGet: - path: /api/multicloud-pike/v0/swagger.json - port: {{ .Values.service.internalPort }} - scheme: HTTP - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: memcached - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . 
)}} - volumes: - - name: pike-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 5 }} - - name: pike-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml b/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml deleted file mode 100644 index 503fae375a..0000000000 --- a/kubernetes/multicloud/components/multicloud-pike/templates/service.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{/* -# Copyright (c) 2018 Intel Corporation. -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-pike", - "version": "v0", - "url": "/api/multicloud-pike/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - }, - { - "serviceName": "multicloud-pike", - "version": "v1", - "url": "/api/multicloud-pike/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - } - ]' - -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} 
diff --git a/kubernetes/multicloud/components/multicloud-pike/values.yaml b/kubernetes/multicloud/components/multicloud-pike/values.yaml deleted file mode 100644 index 4ed7a64ecb..0000000000 --- a/kubernetes/multicloud/components/multicloud-pike/values.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ -# Copyright (c) 2018 Intel Corporation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/multicloud/openstack-pike:1.5.7 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# application configuration -config: - ssl_enabled: false - msbgateway: msb-iag - msbPort: 443 - msbPlainPort: 80 - aai: - aaiPort: 8443 - aaiPlainPort: 8080 - schemaVersion: v13 - username: AAI - password: AAI - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 5 - enabled: true - -service: - type: ClusterIP - name: multicloud-pike - portName: http - externalPort: 9007 - internalPort: 9007 - nodePort: 96 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 10m - memory: 1Gi - large: - limits: - 
cpu: 2 - memory: 8Gi - requests: - cpu: 20m - memory: 2Gi - unlimited: {} - -# memcached image resource -memcached: memcached:alpine3.15 - -#Pods Service Account -serviceAccount: - nameOverride: multicloud-pike - roles: - - read - -#Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml b/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml deleted file mode 100644 index 0075548d2a..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Multicloud Prometheus -name: multicloud-prometheus -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: prometheus-alertmanager - version: ~12.x-0 - repository: 'file://components/prometheus-alertmanager' - - name: prometheus-grafana - version: ~12.x-0 - repository: 'file://components/prometheus-grafana' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' 
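Review bot: The deleted multicloud-prometheus/Chart.yaml is the file that declared the `prometheus-alertmanager` and `prometheus-grafana` subcharts (`repository: 'file://components/prometheus-alertmanager'` and `'file://components/prometheus-grafana'`), so any Chart.yaml that still lists `multicloud-prometheus` as a dependency will stop resolving once this lands. Please confirm that the parent multicloud chart drops its dependency entry and any values block for this component in the same change, so that the dependency build does not fail on a missing chart.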
diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml deleted file mode 100644 index 91fdb7dbb6..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/Chart.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Multicloud Prometheus Alert Manager -name: prometheus-alertmanager -version: 12.0.0 diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml deleted file mode 100644 index ca56b670cd..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/templates/deployment.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.alertmanager.enabled -}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - spec: - containers: - - name: {{ include "common.name" . }}-configmap-reload - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.global.configmapReload.image.repository }}:{{ .Values.global.configmapReload.image.tag }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: - - --volume-dir=/etc/config - - --webhook-url=http://localhost:9093/-/reload - volumeMounts: - - name: {{ include "common.fullname" . }}-config - mountPath: /etc/config - readOnly: true - - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: - - --config.file=/etc/config/alertmanager.yml - - --storage.path={{ .Values.persistence.containerMountPath }} - resources: -{{ toYaml .Values.resources | indent 10 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if .Values.readiness.enabled }} - readinessProbe: - httpGet: - path: /#/status - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - {{ end -}} - volumeMounts: - - name: {{ include "common.fullname" . }}-config - mountPath: /etc/config - - name: {{ include "common.fullname" . }}-storage - mountPath: {{ .Values.persistence.containerMountPath }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-storage - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always - -{{- end -}} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml deleted file mode 100644 index ccd70b30cf..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-alertmanager/values.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -#Alertmanager Configuration -image: - repository: prom/alertmanager - tag: v0.15.2 - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: multicloud/prometheus/alertmanager - containerMountPath: /alertmanager/data - -#Service configuration for this chart -service: - type: ClusterIP - name: multicloud-prometheus-alertmanager - portName: prometheus-alertmanager - internalPort: 9093 - externalPort: 9093 - - meshpeer: - enabled: false - portName: multicloud-prometheus-meshpeer - port: 6783 - -# probe configuration parameters -readiness: - initialDelaySeconds: 10 - periodSeconds: 30 - timeoutSeconds: 30 - enabled: true - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -ingress: - enabled: false - -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 10m - memory: 1Gi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 20m - memory: 2Gi - 
unlimited: {} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml deleted file mode 100644 index 1a5912f330..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/Chart.yaml +++ /dev/null @@ -1,19 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# Modifications Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Multicloud Grafana for Prometheus -name: prometheus-grafana -version: 12.0.0 diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml deleted file mode 100644 index 2dea842733..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/templates/deployment.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.grafana.enabled -}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - spec: - {{- if .Values.dashboards }} - initContainers: - - name: {{ include "common.name" . }}-download-dashboards - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.downloadDashboardsImage.repository }}:{{ .Values.downloadDashboardsImage.tag }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["sh", "/etc/grafana/download_dashboards.sh"] - volumeMounts: - - name: {{ include "common.fullname" . }}-config - mountPath: "/etc/grafana/download_dashboards.sh" - subPath: download_dashboards.sh - - name: {{ include "common.fullname" . 
}}-storage - mountPath: {{ .Values.persistence.containerMountPath }} - {{- end }} - - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: -{{ toYaml .Values.resources | indent 10 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - protocol: TCP - {{- if .Values.liveness.enabled }} - livenessProbe: - httpGet: - path: /api/health - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{ end -}} - {{- if .Values.readiness.enabled }} - readinessProbe: - httpGet: - path: /api/health - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - {{ end -}} - volumeMounts: - - name: {{ include "common.fullname" . }}-config - mountPath: "/etc/grafana/grafana.ini" - subPath: grafana.ini - - name: {{ include "common.fullname" . }}-storage - mountPath: {{ .Values.persistence.containerMountPath }} - {{- if .Values.dashboards }} - {{- range $provider, $dashboards := .Values.dashboards }} - {{- range $key, $value := $dashboards }} - {{- if hasKey $value "json" }} - - name: {{ include "common.fullname" $ }}-dashboards-{{ $provider }} - mountPath: "/var/lib/grafana/dashboards/{{ $provider }}/{{ $key }}.json" - subPath: "{{ $key }}.json" - {{- end }} - {{- end }} - {{- end }} - {{- end -}} - {{- if .Values.datasources }} - - name: {{ include "common.fullname" . 
}}-config - mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" - subPath: datasources.yaml - {{- end }} - {{- if .Values.dashboardProviders }} - - name: {{ include "common.fullname" . }}-config - mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" - subPath: dashboardproviders.yaml - {{- end }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-storage - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - {{- if .Values.dashboards }} - {{- range keys .Values.dashboards }} - - name: {{ include "common.fullname" $ }}-dashboards-{{ . }} - configMap: - name: {{ include "common.fullname" $ }}-dashboards-{{ . }} - {{- end }} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always - -{{- end -}} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml b/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml deleted file mode 100644 index 43f4e93a6f..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/components/prometheus-grafana/values.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - persistence: {} - -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -#Alertmanager Configuration -image: - repository: grafana/grafana - tag: 5.2.4 - -downloadDashboardsImage: - repository: appropriate/curl - tag: latest - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 10Gi - mountPath: /dockerdata-nfs - mountSubPath: multicloud/prometheus/grafana - containerMountPath: /grafana/data - -#Service configuration for this chart -service: - type: ClusterIP - name: multicloud-prometheus-grafana - portName: prometheus-grafana - internalPort: 3000 - externalPort: 3000 - -#Grafana Datasources -datasources: - datasources.yaml: - apiVersion: 1 - datasources: - - name: Prometheus - type: prometheus - #Make sure the port number matches for the prometheus service - url: http://multicloud-prometheus:9090 - access: proxy - isDefault: true - - -#Grafana Dashboard providers -dashboardProviders: {} - -#Grafana Dashboards for importing -#This requires dashboardProviders to be enabled with some data -#The dashboards will be downloaded from the URL provided in -#dashboardProviders -dashboards: {} - -# probe 
configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 30 - timeoutSeconds: 30 - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 30 - timeoutSeconds: 30 - enabled: true - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -ingress: - enabled: false - -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 10m - memory: 1Gi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 20m - memory: 2Gi - unlimited: {} diff --git a/kubernetes/multicloud/components/multicloud-prometheus/templates/configmap.yaml b/kubernetes/multicloud/components/multicloud-prometheus/templates/configmap.yaml deleted file mode 100644 index 471c9094aa..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/templates/configmap.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} \ No newline at end of file 
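Review bot: The removed templates/configmap.yaml filled its `data:` from `tpl (.Files.Glob "resources/config/*").AsConfig .`, but the diff moves straight from components/prometheus-grafana/values.yaml to this template without deleting anything under multicloud-prometheus/resources/. If that directory exists in the tree, it is left behind with nothing rendering it; please check and remove it in this change, so that no unreferenced Prometheus configuration stays in the repository.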
diff --git a/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml deleted file mode 100644 index 74941292fd..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/templates/deployment.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - spec: - initContainers: - - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-chown-init - command: ["chown", "-R", "65534:65534", "{{ .Values.persistence.containerMountPath }}"] - volumeMounts: - - name: {{ include "common.fullname" . }}-storage - mountPath: {{ .Values.persistence.containerMountPath }} - containers: - - name: {{ include "common.name" . }}-configmap-reload - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.global.configmapReload.image.repository }}:{{ .Values.global.configmapReload.image.tag }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: - - --volume-dir=/etc/config - - --webhook-url=http://localhost:9090/-/reload - volumeMounts: - - name: {{ include "common.fullname" . }}-config - mountPath: /etc/config - readOnly: true - - - name: {{ include "common.name" . }}-server - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - args: - - --config.file=/etc/config/prometheus.yml - - --storage.tsdb.path={{ .Values.persistence.containerMountPath }} - - --web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - - --web.enable-lifecycle - {{- if .Values.server.enableAdminApi }} - - --web.enable-admin-api - {{- end }} - resources: -{{ toYaml .Values.resources | indent 10 }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if .Values.liveness.enabled }} - livenessProbe: - httpGet: - path: /-/healthy - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - {{ end -}} - {{- if .Values.readiness.enabled }} - readinessProbe: - httpGet: - path: /-/ready - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - {{ end -}} - volumeMounts: - - name: {{ include "common.fullname" . }}-config - mountPath: /etc/config - - name: {{ include "common.fullname" . 
}}-storage - mountPath: {{ .Values.persistence.containerMountPath }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }} - - name: {{ include "common.fullname" . }}-storage - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml b/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml deleted file mode 100644 index b8dbb687fb..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - - name: {{ .Values.service.portName }} - {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default "302" }}{{ .Values.service.nodePort }} - {{- else -}} - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - protocol: TCP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} \ No newline at end of file diff --git a/kubernetes/multicloud/components/multicloud-prometheus/values.yaml b/kubernetes/multicloud/components/multicloud-prometheus/values.yaml deleted file mode 100644 index 78373c88f2..0000000000 --- a/kubernetes/multicloud/components/multicloud-prometheus/values.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -# Copyright 2018 Intel Corporation, Inc -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - alertmanager: - enabled: false - grafana: - enabled: false - configmapReload: - image: - repository: jimmidyson/configmap-reload - tag: v0.2.2 - persistence: {} - -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -#Server Configuration -image: - repository: prom/prometheus - tag: v2.4.0 - -server: - enableAdminApi: false - -persistence: - enabled: true - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 8Gi - mountPath: /dockerdata-nfs - mountSubPath: multicloud/prometheus/server - containerMountPath: /prometheus/data - -#Service configuration for this chart -service: - type: ClusterIP - name: multicloud-prometheus - portName: http - internalPort: 9090 - externalPort: 9090 - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 30 - timeoutSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 30 - timeoutSeconds: 30 - enabled: true - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - 
-affinity: {} - -ingress: - enabled: false - -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 10m - memory: 1Gi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 20m - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: multicloud-prometheus - roles: - - read diff --git a/kubernetes/multicloud/components/multicloud-starlingx/.helmignore b/kubernetes/multicloud/components/multicloud-starlingx/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/multicloud/components/multicloud-starlingx/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml b/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml deleted file mode 100644 index d4eac135bb..0000000000 --- a/kubernetes/multicloud/components/multicloud-starlingx/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright (c) 2019 Intel Corporation. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP multicloud OpenStack Starlingx Plugin -name: multicloud-starlingx -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml deleted file mode 100644 index 7f178063b5..0000000000 --- a/kubernetes/multicloud/components/multicloud-starlingx/templates/deployment.yaml +++ /dev/null 
@@ -1,119 +0,0 @@ -{{/* -# Copyright (c) 2019 Intel Corporation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - containers: - - env: - - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) 
}}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: SSL_ENABLED - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}" - name: {{ include "common.name" . }} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: starlingx-log - - mountPath: /opt/starlingx/starlingx/pub/config/log.yml - name: starlingx-logconfig - subPath: log.yml - - mountPath: /opt/artifacts/ - name: artifact-data - resources: {{ include "common.resources" . | nindent 12 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - httpGet: - path: /api/multicloud-starlingx/v0/swagger.json - port: {{ .Values.service.internalPort }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 7 }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: memcached - - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.global.artifactImage }} - name: framework-artifactbroker - command: ["/opt/app/distribution/bin/artifact-dist.sh"] - args: ["/opt/app/distribution/etc/mounted/config.json"] - ports: - - containerPort: 9014 - protocol: TCP - volumeMounts: - - mountPath: /opt/app/distribution/etc/mounted/config.json - name: starlingx-logconfig - subPath: config.json - - mountPath: /data - name: artifact-data - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: starlingx-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 7 }} - - name: starlingx-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - - name: artifact-data - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml b/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml deleted file mode 100644 index 5c30c26296..0000000000 --- a/kubernetes/multicloud/components/multicloud-starlingx/templates/service.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# Copyright (c) 2019 Intel Corporation. -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-starlingx", - "version": "v0", - "url": "/api/multicloud-starlingx/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-starlingx", - "version": "v1", - "url": "/api/multicloud-starlingx/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) 
}}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} diff --git a/kubernetes/multicloud/components/multicloud-starlingx/values.yaml b/kubernetes/multicloud/components/multicloud-starlingx/values.yaml deleted file mode 100644 index 1fe7775aed..0000000000 --- a/kubernetes/multicloud/components/multicloud-starlingx/values.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -# Copyright (c) 2019 Intel Corporation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefixExt: 304 - artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -repository: nexus3.onap.org:10001 -image: onap/multicloud/openstack-starlingx:1.5.7 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: false - -# application configuration -config: - ssl_enabled: true - msbgateway: msb-iag - msbPort: 443 - msbPlainPort: 80 - aai: - aaiPort: 8443 - aaiPlainPort: 8080 - schemaVersion: v13 - username: AAI - password: AAI - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 5 - enabled: true - -service: - type: ClusterIP - name: multicloud-starlingx - portName: multicloud-starlingx - externalPort: 9009 - internalPort: 9009 - nodePort: 85 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment 
(Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 10m - memory: 1Gi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 20m - memory: 2Gi - unlimited: {} - -# memcached image resource -memcached: memcached:alpine3.15 - -#Pods Service Account -serviceAccount: - nameOverride: multicloud-starlingx - roles: - - read - -#Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/multicloud/components/multicloud-vio/.helmignore b/kubernetes/multicloud/components/multicloud-vio/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/multicloud/components/multicloud-vio/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/multicloud/components/multicloud-vio/Chart.yaml b/kubernetes/multicloud/components/multicloud-vio/Chart.yaml deleted file mode 100644 index ed67b5e5d7..0000000000 --- a/kubernetes/multicloud/components/multicloud-vio/Chart.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP multicloud VIO plugin -name: multicloud-vio -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml deleted file mode 100644 index c5c368c8b5..0000000000 --- a/kubernetes/multicloud/components/multicloud-vio/templates/deployment.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - containers: - - env: - - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) 
}}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - name: {{ include "common.name" . }} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: vio-log - - mountPath: /opt/vio/vio/pub/config/log.yml - name: vio-logconfig - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: /api/multicloud-vio/v0/swagger.json - port: {{ .Values.service.internalPort }} - scheme: HTTP - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} - # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: vio-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 5 }} - - name: vio-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always 
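Review bot: The commit message does not cover the deletion of the multicloud-vio Deployment template (all 99 lines, down to `restartPolicy: Always`); it only describes the cnf-adapter and cnfm-lcm bump and the tracing changes. Please move the multicloud plugin removal into its own change or add a line for it to the message. Also confirm that what this template consumed is removed with it and not left behind as unused defaults: the `{{ include "common.fullname" . }}-log-configmap` ConfigMap, the `read` service account referenced by `serviceAccountName`, and the `config.aai.username` / `config.aai.password` values that were passed to the container as plain `AAI_USERNAME` / `AAI_PASSWORD` environment variables.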
diff --git a/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml b/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml deleted file mode 100644 index 4a926df420..0000000000 --- a/kubernetes/multicloud/components/multicloud-vio/templates/service.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-vio", - "version": "v0", - "url": "/api/multicloud-vio/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - }, - { - "serviceName": "multicloud-vio", - "version": "v1", - "url": "/api/multicloud-vio/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} 
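Review bot: Removing this Service also removes its `msb.onap.org/service-info` annotation, so the `/api/multicloud-vio/v0` and `/api/multicloud-vio/v1` entries are no longer registered with MSB, and nothing in the hunk says whether any caller still resolves `multicloud-vio` through the gateway. Please state in the change description that these two API routes are withdrawn, and check that no remaining chart or override file still sets `service.nodePort` or `nodePortPrefix` for this component, since the NodePort branch here was the only consumer of those values in this file.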
diff --git a/kubernetes/multicloud/components/multicloud-vio/values.yaml b/kubernetes/multicloud/components/multicloud-vio/values.yaml deleted file mode 100644 index 3b852df885..0000000000 --- a/kubernetes/multicloud/components/multicloud-vio/values.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/multicloud/vio:1.4.2 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# application configuration -config: - msbgateway: msb-iag - msbPort: 443 - msbPlainPort: 80 - aai: - aaiPort: 8443 - aaiPlainPort: 8080 - schemaVersion: v13 - username: AAI - password: AAI - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 5 - enabled: true - -service: - type: ClusterIP - name: multicloud-vio - portName: http - externalPort: 9004 - internalPort: 9004 - nodePort: 92 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 10m - memory: 1Gi - large: - 
limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 20m - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: multicloud-vio - roles: - - read - -#Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/multicloud/components/multicloud-windriver/.helmignore b/kubernetes/multicloud/components/multicloud-windriver/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/multicloud/components/multicloud-windriver/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml b/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml deleted file mode 100644 index 3cf069b67b..0000000000 --- a/kubernetes/multicloud/components/multicloud-windriver/Chart.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP multicloud OpenStack WindRiver Plugin -name: multicloud-windriver -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml b/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml deleted file mode 100644 index 8eadcf689d..0000000000 --- a/kubernetes/multicloud/components/multicloud-windriver/templates/deployment.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - initContainers: - - command: ["sh", "-c", "chown -R 100:101 /data"] - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-init - volumeMounts: - - mountPath: /data - name: artifact-data - containers: - - env: - - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) 
}}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: SSL_ENABLED - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}" - name: {{ include "common.name" . }} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: windriver-log - - mountPath: /opt/windriver/titanium_cloud/pub/config/log.yml - name: windriver-logconfig - subPath: log.yml - - mountPath: /opt/artifacts/ - name: artifact-data - resources: {{ include "common.resources" . | nindent 12 }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - httpGet: - path: /api/multicloud-titaniumcloud/v1/swagger.json - port: {{ .Values.service.internalPort }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - # side car containers - {{ include "common.log.sidecar" . 
| nindent 7 }} - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.memcached }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: memcached - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.artifactImage }} - name: framework-artifactbroker - command: ["/opt/app/distribution/bin/artifact-dist.sh"] - args: ["/opt/app/distribution/etc/mounted/config.json"] - ports: - - containerPort: 9014 - protocol: TCP - volumeMounts: - - mountPath: /opt/app/distribution/etc/mounted/config.json - name: windriver-logconfig - subPath: config.json - - mountPath: /data - name: artifact-data - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: windriver-log - emptyDir: {} - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 7 }} - - name: windriver-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - - name: artifact-data - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always diff --git a/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml b/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml deleted file mode 100644 index f71306740f..0000000000 --- a/kubernetes/multicloud/components/multicloud-windriver/templates/service.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud-titanium_cloud", - "version": "v0", - "url": "/api/multicloud-titanium_cloud/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-titaniumcloud", - "version": "v0", - "url": "/api/multicloud-titaniumcloud/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - }, - { - "serviceName": "multicloud-titaniumcloud", - "version": "v1", - "url": "/api/multicloud-titaniumcloud/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) 
}}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - } - ]' - -spec: - ports: - {{ if eq .Values.service.type "NodePort" }} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{ else }} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{ end }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} diff --git a/kubernetes/multicloud/components/multicloud-windriver/values.yaml b/kubernetes/multicloud/components/multicloud-windriver/values.yaml deleted file mode 100644 index a328daedc6..0000000000 --- a/kubernetes/multicloud/components/multicloud-windriver/values.yaml +++ /dev/null 
@@ -1,114 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 - persistence: {} - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/multicloud/openstack-windriver:1.5.7 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# application configuration -config: - ssl_enabled: true - msbgateway: msb-iag - msbPort: 443 - msbPlainPort: 80 - aai: - aaiPort: 8443 - aaiPlainPort: 8080 - schemaVersion: v13 - username: AAI - password: AAI - -service: - type: ClusterIP - name: multicloud-titaniumcloud - portName: multicloud-titaniumcloud - externalPort: 9005 - internalPort: 9005 - nodePort: 94 - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 5 - enabled: true - -ingress: - enabled: false - -persistence: - enabled: true - mountPath: /dockerdata-nfs - mountSubPath: multicloud-windriver/data - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 5Gi - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 4Gi - requests: - cpu: 10m - memory: 1Gi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 20m - memory: 2Gi - unlimited: {} - -# memcached image resource -memcached: memcached:alpine3.15 - -#Pods Service Account -serviceAccount: - nameOverride: multicloud-windriver - roles: - - read - -#Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/multicloud/templates/deployment.yaml b/kubernetes/multicloud/templates/deployment.yaml index 5e1090798e..a03a6d02b7 100644 --- a/kubernetes/multicloud/templates/deployment.yaml +++ b/kubernetes/multicloud/templates/deployment.yaml 
@@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,92 +18,105 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - containers: - - env: - - name: MSB_PROTO - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: MSB_ADDR - value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" - - name: MSB_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.msbPort }}{{ else }}{{ .Values.config.msbPlainPort }}{{ end }}" - - name: AAI_ADDR - value: "aai.{{ include "common.namespace" . }}" - - name: AAI_PORT - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.aai.aaiPort }}{{ else }}{{ .Values.config.aai.aaiPlainPort }}{{ end }}" - - name: AAI_SCHEMA_VERSION - value: "{{ .Values.config.aai.schemaVersion }}" - - name: AAI_USERNAME - value: "{{ .Values.config.aai.username }}" - - name: AAI_PASSWORD - value: "{{ .Values.config.aai.password }}" - - name: AAI_PROTOCOL - value: "{{- if (include "common.needTLS" .) }}https{{ else }}http{{ end }}" - - name: SSL_ENABLED - value: "{{- if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}" - resources: -{{ include "common.resources" . | indent 12 }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }} - volumeMounts: - - mountPath: "{{ .Values.log.path }}" - name: framework-log - - mountPath: /opt/multivimbroker/multivimbroker/pub/config/log.yml - name: framework-logconfig - subPath: log.yml - - mountPath: /opt/multivimbroker/multivimbroker/pub/config/provider-plugin.json - name: provider-plugin - subPath: provider-plugin.json - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - httpGet: - path: /api/multicloud/v0/swagger.json - port: {{ .Values.service.internalPort }} - scheme: "{{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }}" - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end -}} - + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - name: {{ include "common.name" . }}-copy-pub + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["cp", "-R", "/opt/multivimbroker/multivimbroker/pub/.", "/opt/multivimbroker/multivimbroker/pub_rw/"] + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 10m + memory: 100Mi + {{ include "common.containerSecurityContext" . 
| indent 10 | trim }} + volumeMounts: + - mountPath: /opt/multivimbroker/multivimbroker/pub_rw + name: framework-pub + containers: + - env: + - name: MSB_PROTO + value: "http" + - name: MSB_ADDR + value: "{{ .Values.config.msbgateway }}.{{ include "common.namespace" . }}" + - name: MSB_PORT + value: "{{ .Values.config.msbPort }}" + - name: AAI_ADDR + value: "aai.{{ include "common.namespace" . }}" + - name: AAI_PORT + value: "{{ .Values.config.aai.aaiPlainPort }}" + - name: AAI_SCHEMA_VERSION + value: "{{ .Values.config.aai.schemaVersion }}" + - name: AAI_USERNAME + value: "{{ .Values.config.aai.username }}" + - name: AAI_PASSWORD + value: "{{ .Values.config.aai.password }}" + - name: AAI_PROTOCOL + value: "http" + - name: SSL_ENABLED + value: "false" + resources: {{ include "common.resources" . | nindent 10 }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - mountPath: "{{ .Values.log.path }}" + name: framework-log + - mountPath: /opt/multivimbroker/multivimbroker/pub + name: framework-pub + - mountPath: /opt/multivimbroker/multivimbroker/pub/config/log.yml + name: framework-logconfig + subPath: log.yml + - mountPath: /opt/multivimbroker/multivimbroker/pub/config/provider-plugin.json + name: provider-plugin + subPath: provider-plugin.json + ports: {{ include "common.containerPorts" . 
| nindent 10 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{ if .Values.liveness.enabled }} + livenessProbe: + httpGet: + port: {{ .Values.service.internalPort }} + path: {{ .Values.liveness.path }} + scheme: HTTP + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end }} + {{ if .Values.readiness.enabled }} + readinessProbe: + httpGet: + port: {{ .Values.service.internalPort }} + path: {{ .Values.readiness.path }} + scheme: HTTP + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + {{ end }} # side car containers - {{ include "common.log.sidecar" . | nindent 5 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: framework-log - emptyDir: {} - - name: provider-plugin - configMap: - name: {{ include "common.fullname" . }}-provider-plugin-configmap - {{ include "common.log.volumes" . | nindent 5 }} - - name: framework-logconfig - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Always + {{ include "common.log.sidecar" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: framework-log + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: framework-pub + emptyDir: + sizeLimit: {{ .Values.volumes.pubSizeLimit }} + - name: provider-plugin + configMap: + name: {{ include "common.fullname" . }}-provider-plugin-configmap + {{ include "common.log.volumes" . | nindent 6 }} + - name: framework-logconfig + configMap: + name: {{ include "common.fullname" . }}-log-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} + restartPolicy: Always 
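Review bot: In the `containers` env block, `AAI_PASSWORD` is still rendered as a literal value from `.Values.config.aai.password`, and this hunk now hard-codes `MSB_PROTO` and `AAI_PROTOCOL` to `http` and `SSL_ENABLED` to `"false"`. The AAI credentials therefore sit in plain text in the pod spec and cross the network unencrypted unless mesh mTLS is enforced for this workload. Please source `AAI_USERNAME` and `AAI_PASSWORD` from a Secret with `valueFrom.secretKeyRef` (the nbi deployment removed in this same patch did this through `common.secret.envFromSecretFast`), and state in the commit message or a template comment that transport protection is delegated to the service mesh. Separately, the rewritten `livenessProbe` drops `timeoutSeconds`, `successThreshold` and `failureThreshold`, so the Kubernetes defaults now apply; confirm that is intended.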
diff --git a/kubernetes/multicloud/templates/ingress.yaml b/kubernetes/multicloud/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/multicloud/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/multicloud/templates/service.yaml b/kubernetes/multicloud/templates/service.yaml index 1c483b0d2d..578036bb8d 100644 --- a/kubernetes/multicloud/templates/service.yaml +++ b/kubernetes/multicloud/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -15,53 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "multicloud", - "version": "v0", - "url": "/api/multicloud/v0", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - {{if (include "common.needTLS" .) -}} - "enable_ssl": {{ .Values.config.ssl_enabled }}, - {{- else -}} - "enable_ssl": false, - {{- end}} - "visualRange": "1" - }, - { - "serviceName": "multicloud", - "version": "v1", - "url": "/api/multicloud/v1", - "protocol": "REST", - "port": "{{ .Values.service.externalPort }}", - "enable_ssl": {{ if (include "common.needTLS" .) }}{{ .Values.config.ssl_enabled }}{{ else }}false{{ end }}, - "visualRange": "1" - } - ]' -spec: - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - type: {{ .Values.service.type }} +{{ include "common.service" . }} diff --git a/kubernetes/multicloud/values.yaml b/kubernetes/multicloud/values.yaml index 21e6a61cf5..6193fb0e14 100644 --- a/kubernetes/multicloud/values.yaml +++ b/kubernetes/multicloud/values.yaml 
@@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,18 +19,17 @@ ################################################################# global: nodePortPrefix: 302 - artifactImage: onap/multicloud/framework-artifactbroker:1.9.0 + artifactImage: onap/multicloud/framework-artifactbroker:1.9.2 prometheus: enabled: false persistence: {} centralizedLoggingEnabled: true - multicloudK8sKafkaUser: mc-k8s-sdc-list-kafka-user ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/multicloud/framework:1.8.1 +image: onap/multicloud/framework:1.9.2 pullPolicy: Always #Istio sidecar injection policy @@ -40,34 +40,13 @@ multicloud-fcaps: logConfigMapNamePrefix: '{{ include "common.release" . }}-multicloud' multicloud-k8s: enabled: true - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.multicloudK8sKafkaUser }}' -multicloud-pike: - enabled: true - logConfigMapNamePrefix: '{{ include "common.release" . }}-multicloud' -multicloud-prometheus: - enabled: false -multicloud-starlingx: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-multicloud' -multicloud-vio: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-multicloud' -multicloud-windriver: - enabled: false - logConfigMapNamePrefix: '{{ include "common.release" . }}-multicloud' # application configuration config: - ssl_enabled: true - msbgateway: msb-iag logstashServiceName: log-ls logstashPort: 5044 - msbPort: 443 - msbPlainPort: 80 aai: - aaiPort: 8443 - aaiPlainPort: 80 + aaiPort: 80 schemaVersion: v13 username: AAI password: AAI 
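Review bot: The `config:` block in this hunk removes `msbgateway`, `msbPort` and `aai.aaiPlainPort`, but the new `templates/deployment.yaml` in this patch still reads `.Values.config.msbgateway` for `MSB_ADDR`, `.Values.config.msbPort` for `MSB_PORT` and `.Values.config.aai.aaiPlainPort` for `AAI_PORT`. With these defaults those variables have nothing to render from, and the new `aaiPort: 80` is not read by the template at all. Either keep the keys, or switch the template to `.Values.config.aai.aaiPort` and drop the `MSB_*` variables if MSB is no longer used. The unchanged `username: AAI` and `password: AAI` defaults also remain in the chart; an external secret reference with no default password would be safer than a well-known credential in `values.yaml`.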
@@ -79,25 +58,41 @@ nodeSelector: {} affinity: {} +securityContext: + user_id: 100 + group_id: 65533 + +volumes: + logSizeLimit: 50Mi + pubSizeLimit: 50Mi + # probe configuration parameters liveness: + enabled: true + path: /api/multicloud/v0/swagger.json initialDelaySeconds: 30 periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 5 + +readiness: enabled: true + path: /api/multicloud/v0/swagger.json + initialDelaySeconds: 10 + periodSeconds: 30 service: - type: ClusterIP - name: multicloud - portName: http - externalPort: 9001 + type: NodePort internalPort: 9001 - nodePort: 91 + ports: + - name: http + port: 9001 + nodePort: '91' ingress: enabled: false + service: + - baseaddr: 'multicloud-api' + name: 'multicloud' + port: 9001 # Resource Limit flavor -By Default using small flavor: small @@ -105,18 +100,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "10m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "20m" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/nbi/.helmignore b/kubernetes/nbi/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/nbi/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/nbi/Chart.yaml b/kubernetes/nbi/Chart.yaml deleted file mode 100644 index ee1e330072..0000000000 --- a/kubernetes/nbi/Chart.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018,2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Northbound Interface -name: nbi -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: mongo - version: ~12.x-0 - repository: '@local' - - name: mariadb-galera - version: ~12.x-0 - repository: '@local' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~12.x-0 - repository: '@local' - condition: not global.mariadbGalera.localCluster - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/nbi/templates/deployment.yaml b/kubernetes/nbi/templates/deployment.yaml deleted file mode 100644 index 6a246a623c..0000000000 --- a/kubernetes/nbi/templates/deployment.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -{{/* -# Copyright © 2018 Orange -# Modifications Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2020 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ .Values.replicaCount }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: -{{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} -{{- end }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{ include "common.containerPorts" . 
| nindent 12 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export JAVA_OPTS="-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Dserver.ssl.key-store={{ .Values.certInitializer.credsPath }}/org.onap.nbi.p12 \ - -Dserver.ssl.key-store-type=PKCS12 \ - -Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/org.onap.nbi.trust.jks \ - -Dserver.ssl.key-store-password=$cadi_keystore_password_p12 \ - -Djavax.net.ssl.trustStoreType=jks\ - -Djava.security.egd=file:/dev/./urandom -Dserver.port=8443" - exec java -XX:+UseContainerSupport $JAVA_OPTS -jar /opt/onap/app.jar - {{- end }} - {{ if .Values.liveness.enabled }} - livenessProbe: - httpGet: - port: {{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }} - path: {{ .Values.liveness.path }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - httpGet: - port: {{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }} - path: {{ .Values.readiness.path }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: SPRING_DATASOURCE_URL - value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-galera" "db" "name" }} - - name: SPRING_DATASOURCE_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "nbi-db-secret" "key" "login") | indent 14 }} - - name: SPRING_DATASOURCE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nbi-db-secret" "key" "password") | indent 14 }} - - name: SPRING_DATA_MONGODB_HOST - value: {{ .Values.mongo.service.name }}.{{ include "common.namespace" . }} - - name: SPRING_DATA_MONGODB_PORT - value: "{{ .Values.mongo.service.internalPort }}" - - name: SPRING_DATA_MONGODB_DATABASE - value: {{ .Values.mongo.config.dbName }} - - name: ONAP_LCPCLOUDREGIONID - value: {{ .Values.config.openStackRegion }} - - name: ONAP_TENANTID - value: {{ .Values.config.openStackVNFTenantId | quote }} - - name: ONAP_CLOUDOWNER - value: {{ .Values.config.cloudOwner }} - - name: ONAP_K8SCLOUDREGIONID - value: {{ .Values.config.k8sCloudRegionId }} - - name: ONAP_K8SCLOUDOWNER - value: {{ .Values.config.k8sCloudOwner }} - - name: NBI_URL - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://nbi.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}{{ .Values.service.internalPort }}{{ else }}{{ .Values.service.internalPlainPort }}{{ end }}/nbi/api/v4" - - name: SDC_HOST - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://sdc-be.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}8443{{ else }}8080{{ end }}" - - name: SDC_HEADER_ECOMPINSTANCEID - value: {{ .Values.config.ecompInstanceId }} - - name: SDC_HEADER_AUTHORIZATION - value: {{ .Values.sdc_authorization }} - - name: AAI_HOST - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://aai.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}8443{{ else }}80{{ end }}" - - name: AAI_HEADER_AUTHORIZATION - value: {{ .Values.aai_authorization }} - - name: SO_HOST - value: http://so.{{ include "common.namespace" . 
}}:8080 - {{- if .Values.so_authorization }} - - name: SO_HEADER_AUTHORIZATION - value: {{ .Values.so_authorization }} - {{- end }} - - name: DMAAP_HOST - value: "{{ if (include "common.needTLS" .) }}https{{ else }}http{{ end }}://message-router.{{ include "common.namespace" . }}:{{ if (include "common.needTLS" .) }}3905{{ else }}3904{{ end }}" - - name: LOGGING_LEVEL_ORG_ONAP_NBI - value: {{ .Values.config.loglevel }} - - name: MSB_ENABLED - value: "{{ .Values.global.msbEnabled }}" - - name: MSB_DISCOVERY_HOST - value: "msb-discovery.{{ include "common.namespace" . }}" - - name: MSB_DISCOVERY_PORT - value: "10081" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/nbi/templates/secret.yaml b/kubernetes/nbi/templates/secret.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/nbi/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/nbi/tests/deployment_test.yaml b/kubernetes/nbi/tests/deployment_test.yaml deleted file mode 100644 index 7c8a1b0dbb..0000000000 --- a/kubernetes/nbi/tests/deployment_test.yaml +++ /dev/null 
@@ -1,205 +0,0 @@ ---- -suite: test deployment behavior -templates: - - deployment.yaml -tests: - - it: "should render with default values (global)" - asserts: - - isKind: - of: Deployment - - equal: - path: metadata.name - value: RELEASE-NAME-nbi - - equal: - path: metadata.namespace - value: NAMESPACE - - matchRegex: - path: metadata.labels.app - pattern: nbi - - matchRegex: - path: spec.template.metadata.labels.app - pattern: nbi - - equal: - path: spec.template.metadata.name - value: RELEASE-NAME-nbi - - equal: - path: spec.replicas - value: 1 - - isNull: - path: spec.template.spec.nodeSelector - - isNull: - path: spec.template.spec.affinity - - - it: "should render with default value (container)" - asserts: - - equal: - path: spec.template.spec.containers[0].name - value: nbi - - equal: - path: spec.template.spec.containers[0].image - value: nexus3.onap.org:10001/onap/externalapi/nbi:5.0.1 - - equal: - path: spec.template.spec.containers[0].imagePullPolicy - value: IfNotPresent - - contains: - path: spec.template.spec.containers[0].env - content: - name: SPRING_DATASOURCE_URL - value: jdbc:mariadb://mariadb-galera:3306/nbi - - contains: - path: spec.template.spec.containers[0].env - content: - name: SPRING_DATASOURCE_USERNAME - value: rene - - contains: - path: spec.template.spec.containers[0].env - content: - name: SPRING_DATASOURCE_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-nbi-config - key: db-user-password - - contains: - path: spec.template.spec.containers[0].env - content: - name: SPRING_DATA_MONGODB_HOST - value: nbi-mongohost.NAMESPACE - - contains: - path: spec.template.spec.containers[0].env - content: - name: SPRING_DATA_MONGODB_PORT - value: "27017" - - contains: - path: spec.template.spec.containers[0].env - content: - name: SPRING_DATA_MONGODB_DATABASE - value: ServiceOrderDB - - contains: - path: spec.template.spec.containers[0].env - content: - name: ONAP_LCPCLOUDREGIONID - value: RegionOne - - contains: - path: 
spec.template.spec.containers[0].env - content: - name: ONAP_TENANTID - value: 31047205ce114b60833b23e400d6a535 - - contains: - path: spec.template.spec.containers[0].env - content: - name: ONAP_CLOUDOWNER - value: CloudOwner - - contains: - path: spec.template.spec.containers[0].env - content: - name: NBI_URL - value: http://nbi.NAMESPACE:8080/nbi/api/v4 - - contains: - path: spec.template.spec.containers[0].env - content: - name: SDC_HOST - value: https://sdc-be.NAMESPACE:8443 - - contains: - path: spec.template.spec.containers[0].env - content: - name: SDC_HEADER_ECOMPINSTANCEID - value: OOM - - contains: - path: spec.template.spec.containers[0].env - content: - name: SDC_HEADER_AUTHORIZATION - value: Basic YWFpOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU= - - contains: - path: spec.template.spec.containers[0].env - content: - name: AAI_HOST - value: https://aai.NAMESPACE:8443 - - contains: - path: spec.template.spec.containers[0].env - content: - name: AAI_HEADER_AUTHORIZATION - value: Basic QUFJOkFBSQ== - - contains: - path: spec.template.spec.containers[0].env - content: - name: SO_HOST - value: http://so.NAMESPACE:8080 - - contains: - path: spec.template.spec.containers[0].env - content: - name: DMAAP_HOST - value: http://message-router.NAMESPACE:3904 - - contains: - path: spec.template.spec.containers[0].env - content: - name: LOGGING_LEVEL_ORG_ONAP_NBI - value: INFO - - contains: - path: spec.template.spec.containers[0].env - content: - name: MSB_ENABLED - value: "true" - - contains: - path: spec.template.spec.containers[0].env - content: - name: MSB_DISCOVERY_HOST - value: msb-discovery.NAMESPACE - - contains: - path: spec.template.spec.containers[0].env - content: - name: MSB_DISCOVERY_PORT - value: "10081" - - equal: - path: spec.template.spec.containers[0].livenessProbe - value: - initialDelaySeconds: 180 - periodSeconds: 30 - tcpSocket: - port: 8080 - - equal: - path: spec.template.spec.containers[0].readinessProbe - value: - 
initialDelaySeconds: 185 - periodSeconds: 30 - tcpSocket: - port: 8080 - - contains: - path: spec.template.spec.containers[0].ports - content: - containerPort: 8080 - - equal: - path: spec.template.spec.containers[0].resources.limits.cpu - value: 1 - - equal: - path: spec.template.spec.containers[0].resources.limits.memory - value: 2Gi - - equal: - path: spec.template.spec.containers[0].resources.requests.cpu - value: 100m - - equal: - path: spec.template.spec.containers[0].resources.requests.memory - value: 1Gi - - it: "should render when deciding to use local cluster (container)" - set: - global: - mariadbGalera: - localCluster: true - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: SPRING_DATASOURCE_URL - value: jdbc:mariadb://nbi-galera:3306/nbi - - contains: - path: spec.template.spec.containers[0].env - content: - name: SPRING_DATASOURCE_USERNAME - value: rene - - contains: - path: spec.template.spec.containers[0].env - content: - name: SPRING_DATASOURCE_PASSWORD - valueFrom: - secretKeyRef: - name: RELEASE-NAME-nbi-nbi-galera - key: user-password diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml deleted file mode 100644 index dc323675ad..0000000000 --- a/kubernetes/nbi/values.yaml +++ /dev/null 
@@ -1,194 +0,0 @@ -# Copyright © 2018 Orange -# Modifications Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - mariadbGalera: &mariadbGalera - #This flag allows SO to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - aafEnabled: true - msbEnabled: true - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: nbi-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: nbi - fqi: nbi@nbi.onap.org - public_fqdn: nbi.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: > - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop - -aafConfig: - permission_user: 1000 - permission_group: 999 - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: nbi-db-secret - name: &dbUserSecretName '{{ include "common.release" . }}-nbi-db-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - -subChartsOnly: - enabled: true - -# application image -repository: nexus3.onap.org:10001 -image: onap/externalapi/nbi:10.0.0 -pullPolicy: IfNotPresent -sdc_authorization: Basic YWFpOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU= -aai_authorization: Basic QUFJOkFBSQ== -so_authorization: - -# application configuration -config: - loglevel: INFO - logstashServiceName: log-ls - logstashPort: 5044 - cloudOwner: CloudOwner - k8sCloudRegionId: k8sregionfour - k8sCloudOwner: k8scloudowner4 - ecompInstanceId: OOM - openStackRegion: RegionOne - openStackVNFTenantId: 31047205ce114b60833b23e400d6a535 - db: - userName: rene - # userPassword: password - # userCredentialsExternalSecret: some-secret - -mariadb-galera: - db: - externalSecret: *dbUserSecretName - name: &mysqlDbName nbi - service: - name: nbi-galera - portName: nbi-galera - internalPort: 3306 - nameOverride: &nbi-galera nbi-galera - replicaCount: 1 - persistence: - enabled: true - mountSubPath: nbi/maria/data - serviceAccount: - nameOverride: 
*nbi-galera - -mariadb-init: - config: - userCredentialsExternalSecret: *dbUserSecretName - mysqlDatabase: *mysqlDbName - nameOverride: nbi-config - -mongo: - nameOverride: nbi-mongo - config: - dbName: ServiceOrderDB - service: - name: nbi-mongohost - internalPort: 27017 - nfsprovisionerPrefix: nbi - sdnctlPrefix: nbi - persistence: - mountSubPath: nbi/mongo/data - enabled: true - disableNfsProvisioner: true - - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - path: /nbi/api/v4/status - initialDelaySeconds: 180 - periodSeconds: 30 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - path: /nbi/api/v4/status - initialDelaySeconds: 185 - periodSeconds: 30 - -service: - type: NodePort - portName: api - name: nbi - internalPort: 8443 - internalPlainPort: 8080 - ports: - - name: http - port: 8443 - plain_port: 8080 - nodePort: '74' - -ingress: - enabled: false - service: - - baseaddr: "nbi-api" - name: "nbi" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 200m - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: nbi - roles: - - read diff --git a/kubernetes/onap/Chart.yaml b/kubernetes/onap/Chart.yaml index 951543473a..4532ad7d73 100644 --- a/kubernetes/onap/Chart.yaml +++ b/kubernetes/onap/Chart.yaml 
@@ -1,5 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021,2024 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,8 +15,8 @@ apiVersion: v2 name: onap -version: 12.0.0 -appVersion: Kohn +version: 16.0.0 +appVersion: Paris description: Open Network Automation Platform (ONAP) home: https://www.onap.org/ sources: 
@@ -25,157 +25,89 @@ icon: https://wiki.onap.org/download/thumbnails/1015829/onap_704x271%20copy.png? kubeVersion: ">=1.19.11-0" dependencies: - - name: aaf - version: ~12.x-0 + - name: authentication + version: ~15.x-0 repository: '@local' - condition: aaf.enabled + condition: authentication:enabled - name: aai - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: aai.enabled - - name: appc - version: ~12.x-0 - repository: '@local' - condition: appc.enabled - name: cassandra - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: cassandra.enabled - name: cds - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: cds.enabled - - name: cli - version: ~12.x-0 - repository: '@local' - condition: cli.enabled - name: common - version: ~12.x-0 - repository: '@local' - - name: consul - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - condition: consul.enabled - - name: contrib - version: ~12.x-0 - repository: '@local' - condition: global.addTestingComponents - name: cps - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: cps.enabled - name: dcaegen2-services - version: ~12.x-0 + version: ~15.x-0 repository: '@local' condition: dcaegen2-services.enabled - - name: dcaemod - version: ~12.x-0 - repository: '@local' - condition: dcaemod.enabled - - name: holmes - version: ~12.x-0 - repository: '@local' - condition: holmes.enabled - - name: dmaap - version: ~12.x-0 - repository: '@local' - condition: dmaap.enabled - - name: log - version: ~12.x-0 - repository: '@local' - condition: log.enabled - - name: sniro-emulator - version: ~12.x-0 - repository: '@local' - condition: sniro-emulator.enabled - name: mariadb-galera - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: mariadb-galera.enabled - - name: msb - version: ~12.x-0 - repository: '@local' - condition: msb.enabled - name: multicloud - version: ~12.x-0 + version: ~15.x-0 repository: '@local' condition: multicloud.enabled - - name: 
nbi - version: ~12.x-0 - repository: '@local' - condition: nbi.enabled - name: policy - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: policy.enabled - - name: portal - version: ~12.x-0 + - name: portal-ng + version: ~14.x-0 repository: '@local' - condition: portal.enabled + condition: portal-ng.enabled - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: postgres.enabled - - name: oof - version: ~12.x-0 - repository: '@local' - condition: oof.enabled - name: repository-wrapper - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: robot - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: robot.enabled - name: sdc - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: sdc.enabled - name: sdnc - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: sdnc.enabled - name: so - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: so.enabled - name: strimzi - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: strimzi.enabled - name: uui - version: ~12.x-0 + version: ~15.x-0 repository: '@local' condition: uui.enabled - - name: vfc - version: ~12.x-0 - repository: '@local' - condition: vfc.enabled - - name: vid - version: ~12.x-0 - repository: '@local' - condition: vid.enabled - - name: vnfsdk - version: ~12.x-0 - repository: '@local' - condition: vnfsdk.enabled - - name: modeling - version: ~12.x-0 - repository: '@local' - condition: modeling.enabled - name: platform - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: platform.enabled - name: a1policymanagement - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: a1policymanagement.enabled - - name: cert-wrapper - version: ~12.x-0 - repository: '@local' - condition: cert-wrapper.enabled - name: roles-wrapper - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: roles-wrapper.enabled 
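Review bot: the condition on the new `authentication` dependency is written `authentication:enabled`, with a colon, while every other entry in this list uses a dotted path (`aai.enabled`, `cds.enabled`, `portal-ng.enabled`). Helm reads `condition` as a dotted path into the values, and a path that does not resolve has no effect, so the `authentication: enabled: true` switches added in the override files would not control whether this chart is loaded. Suggest `condition: authentication.enabled`.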
diff --git a/kubernetes/onap/resources/environments/core-onap.yaml b/kubernetes/onap/resources/environments/core-onap.yaml index 8a4bb706d9..ebfe688619 100644 --- a/kubernetes/onap/resources/environments/core-onap.yaml +++ b/kubernetes/onap/resources/environments/core-onap.yaml @@ -52,21 +52,11 @@ aai: replicas: 1 aai-cassandra: replicaCount: 1 -aaf: - enabled: false -appc: - enabled: false cassandra: enabled: true replicaCount: 3 -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: @@ -77,14 +67,10 @@ dmaap: enabled: true message-router: enabled: true - dmaap-bc: - enabled: false dmaap-dr-prov: enabled: false dmaap-dr-node: enabled: false -log: - enabled: false mariadb-galera: enabled: true msb: @@ -97,9 +83,7 @@ oof: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false @@ -112,19 +96,17 @@ sdc: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" sdc-cs: config: maxHeapSize: "512M" heapNewSize: "256M" sdnc: enabled: true -sniro-emulator: - enabled: false so: enabled: true config: @@ -146,8 +128,6 @@ strimzi: enabled: false uui: enabled: false -vid: - enabled: false vfc: enabled: false vnfsdk: diff --git a/kubernetes/onap/resources/environments/dev.yaml b/kubernetes/onap/resources/environments/dev.yaml index 2caad2d530..f66b1d7b2d 100644 --- a/kubernetes/onap/resources/environments/dev.yaml +++ b/kubernetes/onap/resources/environments/dev.yaml @@ -32,7 +32,7 @@ global: #repository: nexus3.onap.org:10001 # readiness check - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.1.2 # logging agent - temporary repo until images migrated to nexus3 loggingRepository: docker.elastic.co 
@@ -52,14 +52,10 @@ global: # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: false aai: enabled: false aai-cassandra: replicaCount: 1 -appc: - enabled: false cassandra: enabled: false replicaCount: 1 @@ -67,10 +63,6 @@ clamp: enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: @@ -79,12 +71,6 @@ holmes: enabled: false dmaap: enabled: false -log: - enabled: false - log-logstash: - replicaCount: 1 -sniro-emulator: - enabled: false oof: enabled: false mariadb-galera: @@ -97,9 +83,7 @@ nbi: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: true @@ -143,7 +127,5 @@ uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false diff --git a/kubernetes/onap/resources/environments/disable-allcharts.yaml b/kubernetes/onap/resources/environments/disable-allcharts.yaml index 43aa4c8c05..2d42af05ac 100644 --- a/kubernetes/onap/resources/environments/disable-allcharts.yaml +++ b/kubernetes/onap/resources/environments/disable-allcharts.yaml @@ -25,22 +25,12 @@ # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: false aai: enabled: false -appc: - enabled: false cassandra: enabled: false -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: @@ -49,10 +39,6 @@ holmes: enabled: false dmaap: enabled: false -log: - enabled: false -sniro-emulator: - enabled: false mariadb-galera: enabled: false msb: @@ -65,9 +51,7 @@ oof: enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false 
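Review bot: disable-allcharts.yaml gains only the `portal-ng` key in this hunk, and no hunk in the file adds an `enabled: false` entry for the `authentication` dependency that this change introduces in kubernetes/onap/Chart.yaml, so this profile no longer switches off every chart by itself. Suggest adding `authentication: enabled: false` next to `aai`, and removing entries such as `oof` (visible in this hunk's header) whose dependencies the same change deletes from Chart.yaml.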
@@ -83,7 +67,5 @@ uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false diff --git a/kubernetes/onap/resources/environments/minimal-onap.yaml b/kubernetes/onap/resources/environments/minimal-onap.yaml index 7bfa258e5a..5a628c8c7d 100644 --- a/kubernetes/onap/resources/environments/minimal-onap.yaml +++ b/kubernetes/onap/resources/environments/minimal-onap.yaml @@ -16,17 +16,15 @@ # This override file is used to deploy a minimal configuration to # onboard and deploy a VNF. # It includes the following components: -# A&AI, Cassandra, DMAAP Message Router, Portal, Robot, SDC, SDNC, SO, STRIMZI Kafka, VID +# A&AI, Cassandra, DMAAP Message Router, Portal, Robot, SDC, SDNC, SO, STRIMZI Kafka # # Minimal resources are also reviewed for the various containers # A&AI: no override => to be fixed # DMAAP: no override -# Portal: new values # Robot: new values # SO: no override # SDC: new values # SDNC: no override -# VID: no override # # Replica are set to 1 (A&AI Cassandra) # @@ -47,21 +45,11 @@ aai: replicas: 1 aai-cassandra: replicaCount: 1 -aaf: - enabled: false -appc: - enabled: false cassandra: enabled: true replicaCount: 1 -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: @@ -72,14 +60,10 @@ dmaap: enabled: true message-router: enabled: true - dmaap-bc: - enabled: false dmaap-dr-prov: enabled: false dmaap-dr-node: enabled: false -log: - enabled: false mariadb-galera: enabled: true msb: 
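Review bot: this hunk keeps `dmaap: enabled: true` with `message-router: enabled: true` as context and only drops `dmaap-bc` and `log`, but the `dmaap` dependency is removed from kubernetes/onap/Chart.yaml in this change, so these values no longer select anything. The file's header comment, as rewritten in the first hunk, also still lists "DMAAP Message Router, Portal" as included components while `portal-ng` is set to `enabled: false`. Suggest removing the `dmaap` block and aligning the component list in the header with what the profile now deploys.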
@@ -92,49 +76,8 @@ oof: enabled: false policy: enabled: false -pomba: +portal-ng: enabled: false -portal: - enabled: true - portal-cassandra: - config: - cassandraJvmOpts: "-Xmx512m -Xms256m" - resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - portal-app: - resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - resources: - portal-mariaddb: - resources: - small: - limits: - cpu: 800m - memory: 1Gi - requests: - cpu: 100m - memory: 500Mi - portal-widget: - resources: - small: - limits: - cpu: 1 - memory: 2Gi - requests: - cpu: 100m - memory: 500Mi robot: enabled: true config: @@ -142,11 +85,11 @@ robot: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 100Mi + cpu: "10m" + memory: "100Mi" sdc: enabled: true sdc-be: @@ -156,19 +99,17 @@ sdc: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" sdc-cs: config: maxHeapSize: "512M" heapNewSize: "256M" sdnc: enabled: true -sniro-emulator: - enabled: false so: enabled: true config: @@ -190,8 +131,6 @@ strimzi: enabled: false uui: enabled: false -vid: - enabled: true vfc: enabled: false vnfsdk: diff --git a/kubernetes/onap/resources/environments/public-cloud.yaml b/kubernetes/onap/resources/environments/public-cloud.yaml index 90714a46d5..74ce637d52 100644 --- a/kubernetes/onap/resources/environments/public-cloud.yaml +++ b/kubernetes/onap/resources/environments/public-cloud.yaml 
@@ -24,27 +24,6 @@ # deploy ONAP. This increase in timeouts prevents restarting of # the pods thereby the components will be deployed without error. ################################################################# -aaf: - aaf-cs: - liveness: - initialDelaySeconds: 240 - readiness: - initialDelaySeconds: 240 - aaf-gui: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 - aaf-oauth: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 - aaf-service: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 aai: aai-champ: liveness: @@ -56,11 +35,6 @@ cassandra: initialDelaySeconds: 120 readiness: initialDelaySeconds: 120 -clamp: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 holmes: holmes-rule-mgmt: liveness: @@ -93,13 +67,6 @@ dmaap: initialDelaySeconds: 120 readiness: initialDelaySeconds: 120 - -portal: - portal-app: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 sdc: sdc-fe: liveness: diff --git a/kubernetes/onap/resources/overrides/environment.yaml b/kubernetes/onap/resources/overrides/environment.yaml index cb43e2e094..554bacd51f 100644 --- a/kubernetes/onap/resources/overrides/environment.yaml +++ b/kubernetes/onap/resources/overrides/environment.yaml @@ -32,27 +32,6 @@ # large value may not fix all installation issues on over subscribed hardware. # ################################################################# -aaf: - aaf-cs: - liveness: - initialDelaySeconds: 240 - readiness: - initialDelaySeconds: 240 - aaf-gui: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 - aaf-oauth: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 - aaf-service: - liveness: - initialDelaySeconds: 300 - readiness: - initialDelaySeconds: 300 aai: liveness: initialDelaySeconds: 120 
@@ -75,11 +54,6 @@ aai: periodSeconds: 120 readiness: periodSeconds: 60 -appc: - mariadb-galera: - liveness: - initialDelaySeconds: 180 - periodSeconds: 60 cassandra: liveness: timeoutSeconds: 30 @@ -87,47 +61,6 @@ cassandra: readiness: timeoutSeconds: 30 periodSeconds: 60 -clamp: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 - clamp-mariadb: - liveness: - initialDelaySeconds: 30 - readiness: - initialDelaySeconds: 30 -holmes: - holmes-rule-mgmt: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 - holmes-engine-mgmt: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 -dmaap: - dmaap-bus-controller: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 - dmaap-dr-prov: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 - mariadb: - liveness: - initialDelaySeconds: 180 - periodSeconds: 60 - dmaap-dr-node: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 mariadb-galera: liveness: initialDelaySeconds: 30 @@ -137,30 +70,6 @@ mariadb-galera: initialDelaySeconds: 120 readiness: initialDelaySeconds: 120 -modeling: - mariadb-galera: - liveness: - initialDelaySeconds: 180 - periodSeconds: 60 -oof: - oof-has: - music: - music-cassandra: - liveness: - periodSeconds: 120 - readiness: - periodSeconds: 60 -portal: - portal-app: - liveness: - initialDelaySeconds: 60 - readiness: - initialDelaySeconds: 60 - portal-cassandra: - liveness: - periodSeconds: 120 - readiness: - periodSeconds: 60 sdc: sdc-fe: liveness: @@ -206,11 +115,6 @@ sdnc: initialDelaySeconds: 60 readiness: initialDelaySeconds: 60 - dmaap-listener: - liveness: - initialDelaySeconds: 120 - readiness: - initialDelaySeconds: 120 mariadb-galera: liveness: initialDelaySeconds: 180 @@ -237,8 +141,3 @@ uui: initialDelaySeconds: 120 readiness: initialDelaySeconds: 120 -vfc: - mariadb-galera: - liveness: - initialDelaySeconds: 180 - periodSeconds: 60 
diff --git a/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml b/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml index 506dd4f7fe..4f23dfcb9c 100644 --- a/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml +++ b/kubernetes/onap/resources/overrides/onap-5g-network-slicing.yaml @@ -35,7 +35,7 @@ global: password: docker # readiness check - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.1.2 # logging agent - temporary repo until images migrated to nexus3 loggingRepository: docker.elastic.co 
@@ -68,96 +68,45 @@ global: # Enable/disable and configure helm charts (ie. applications) # to customize the ONAP deployment. ################################################################# -aaf: - enabled: true aai: enabled: true -appc: - enabled: false - config: - openStackType: OpenStackProvider - openStackName: OpenStack - openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html - openStackServiceTenantName: default - openStackDomain: default - openStackUserName: admin - openStackEncryptedPassword: admin cassandra: enabled: true cds: enabled: true -clamp: - enabled: false -cli: - enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: enabled: false -holmes: - enabled: false -dmaap: - enabled: true - message-router: - enabled: true - dmaap-bc: - enabled: false - dmaap-dr-prov: - enabled: false - dmaap-dr-node: - enabled: false -log: - enabled: true -sniro-emulator: - enabled: false -oof: - enabled: true mariadb-galera: enabled: true msb: enabled: true multicloud: enabled: false -nbi: - enabled: true - config: - # openstack configuration - openStackRegion: "Yolo" - openStackVNFTenantId: "1234" policy: enabled: true -pomba: - enabled: false -portal: +portal-ng: enabled: true robot: enabled: true config: - # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment + # openStackEncryptedPasswordHere should match the encrypted string used in SO and overridden per environment openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" sdc: enabled: true sdnc: enabled: false - replicaCount: 1 - mysql: replicaCount: 1 so: enabled: true - replicaCount: 1 - liveness: # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: false - # so server configuration config: # message router configuration 
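Review bot: the reworded comment above `openStackEncryptedPasswordHere` in the `robot.config` block says the value is overridden per environment, yet the context line directly below it keeps a concrete encrypted string committed in this override. overrides/openstack.yaml, touched by the same change, carries an `..._OPENSTACK_ENCRYPTED_PASSWORD_HERE_...` placeholder for the same key; suggest using that placeholder here as well so a deployment cannot silently run with the checked-in value. Separately, `msb: enabled: true` stays as context in this hunk although the `msb` dependency is deleted from Chart.yaml.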
@@ -175,11 +124,3 @@ strimzi: enabled: false uui: enabled: true -vfc: - enabled: false -vid: - enabled: false -vnfsdk: - enabled: false -modeling: - enabled: false diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml new file mode 100644 index 0000000000..b4b7741be3 --- /dev/null +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml 
@@ -0,0 +1,128 @@ +# Copyright © 2019 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################### +# This override file enables helm charts for all ONAP applications. +################################################################### +#ingress virtualhost based configuration +global: + ingress: + enabled: true + # enable all component's Ingress interfaces + enable_all: true + # All http requests via ingress will be redirected + + # Provider: ingress, istio, gw-api + provider: gw-api + # Ingress class (only for provider "ingress"): e.g. 
nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "common-gateway" + httpListener: "http-80" + httpsListener: "https-443" + virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + config: + ssl: "redirect" + # you can set an own Secret containing a certificate + # tls: + # secret: 'my-ingress-cert' + # optional: Namespace of the Istio IngressGateway + namespace: istio-ingress + centralizedLoggingEnabled: ¢ralizedLogging false + # Disabling CMPv2 + cmpv2Enabled: false + +cassandra: + enabled: true +mariadb-galera: + enabled: true +postgres: + enabled: true +authentication: + enabled: true +aai: + enabled: true +cds: + enabled: true +cps: + enabled: true +dcaegen2-services: + enabled: true + dcae-datalake-admin-ui: + enabled: true + dcae-datalake-des: + enabled: true + dcae-datalake-feeder: + enabled: true + dcae-hv-ves-collector: + enabled: true + dcae-ms-healthcheck: + enabled: true + dcae-prh: + enabled: true + dcae-ves-collector: + enabled: true + applicationConfig: + auth.method: "noAuth" + dcae-ves-openapi-manager: + enabled: true +multicloud: + enabled: true +platform: + enabled: true + cmpv2-cert-service: + enabled: false +policy: + enabled: true +portal-ng: + enabled: true +robot: + enabled: true +sdc: + enabled: true +sdnc: + enabled: true + network-name-gen: + enabled: true + dgbuilder: + enabled: true + ueb-listener: + enabled: true + sdnc-ansible-server: + enabled: true + sdnc-web: + enabled: true +so: + enabled: true +strimzi: + enabled: 
true + strimzi-kafka-bridge: + enabled: true +uui: + enabled: true +a1policymanagement: + enabled: true diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml index c78ac8abd2..c4b5e0969f 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml @@ -22,6 +22,30 @@ global: # enable all component's Ingress interfaces enable_all: true # All http requests via ingress will be redirected + + # Provider: ingress, istio, gw-api + provider: istio + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + + virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" config: ssl: "redirect" # you can set an own Secret containing a certificate @@ -29,8 +53,6 @@ global: # secret: 'my-ingress-cert' # optional: Namespace of the Istio IngressGateway namespace: istio-ingress - # don't need ejbca server - addTestingComponents: &testing false centralizedLoggingEnabled: ¢ralizedLogging false # Disabling CMPv2 cmpv2Enabled: false 
@@ -41,105 +63,60 @@ mariadb-galera: enabled: true postgres: enabled: true -aaf: - enabled: false - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: true +authentication: + enabled: true aai: enabled: true -appc: - enabled: false cds: enabled: true -cli: - enabled: true -# Today, "contrib" chart that hosting these components must also be enabled -# in order to make it work. So `contrib.enabled` must have the same value than -# addTestingComponents -contrib: - enabled: *testing -consul: - enabled: true cps: enabled: true -dcaegen2: - enabled: true dcaegen2-services: enabled: true - dcae-datafile-collector: - enabled: true dcae-datalake-admin-ui: enabled: true dcae-datalake-des: enabled: true dcae-datalake-feeder: enabled: true - dcae-heartbeat: - enabled: true dcae-hv-ves-collector: enabled: true - dcae-kpi-ms: - enabled: true dcae-ms-healthcheck: enabled: true - dcae-pm-mapper: - enabled: true - dcae-pmsh: - enabled: true dcae-prh: enabled: true - dcae-restconf-collector: - enabled: true - dcae-slice-analysis-ms: - enabled: true - dcae-snmptrap-collector: - enabled: true - dcae-son-handler: - enabled: true - dcae-tcagen2: - enabled: true dcae-ves-collector: enabled: true applicationConfig: auth.method: "noAuth" - dcae-ves-mapper: - enabled: true dcae-ves-openapi-manager: enabled: true -dcaemod: - enabled: true -holmes: - enabled: true -dmaap: - enabled: true - message-router: - enabled: true - dmaap-bc: - enabled: true - dmaap-dr-prov: - enabled: true - dmaap-dr-node: - enabled: true -oof: - enabled: true -msb: - enabled: true multicloud: enabled: true -nbi: +platform: enabled: true + cmpv2-cert-service: + enabled: false policy: enabled: true -portal: - enabled: false +portal-ng: + enabled: true robot: enabled: true sdc: enabled: true sdnc: enabled: true + network-name-gen: + enabled: true + dgbuilder: + enabled: true + ueb-listener: + enabled: true + sdnc-ansible-server: + enabled: true + sdnc-web: + enabled: true so: 
enabled: true strimzi: @@ -148,15 +125,5 @@ strimzi: enabled: true uui: enabled: true -vfc: - enabled: true -vid: - enabled: false -vnfsdk: - enabled: true -modeling: - enabled: true -platform: - enabled: true a1policymanagement: enabled: true diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml index 9a090c1a41..c90614b650 100644 --- a/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml +++ b/kubernetes/onap/resources/overrides/onap-all-ingress-nginx-vhost.yaml 
@@ -20,74 +20,81 @@ global: ingress: enabled: true enable_all: true - addTestingComponents: &testing true - centralizedLoggingEnabled: ¢ralizedLogging false + # Provider: ingress, istio, gw-api + provider: ingress + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: nginx + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + cassandra: enabled: true mariadb-galera: enabled: true postgres: enabled: true - -aaf: +authentication: enabled: true - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: true aai: enabled: true -appc: - enabled: false cds: enabled: true -clamp: - enabled: true -cli: - enabled: true -# Today, "contrib" chart that hosting these components must also be enabled -# in order to make it work. 
So `contrib.enabled` must have the same value than -# addTestingComponents -contrib: - enabled: *testing -consul: - enabled: true cps: enabled: true dcaegen2-services: enabled: true -dcaemod: - enabled: true -holmes: - enabled: true -dmaap: - enabled: true - message-router: + dcae-datalake-admin-ui: enabled: true - dmaap-bc: + dcae-datalake-des: enabled: true - dmaap-dr-prov: + dcae-datalake-feeder: enabled: true - dmaap-dr-node: + dcae-hv-ves-collector: + enabled: true + dcae-ms-healthcheck: + enabled: true + dcae-prh: + enabled: true + dcae-restconf-collector: + enabled: false + dcae-ves-collector: + enabled: true + applicationConfig: + auth.method: "noAuth" + dcae-ves-openapi-manager: enabled: true -oof: - enabled: true -msb: - enabled: true multicloud: enabled: true -nbi: +platform: enabled: true + cmpv2-cert-service: + enabled: false policy: enabled: true -portal: - enabled: false +portal-ng: + enabled: true robot: enabled: true sdc: enabled: true sdnc: enabled: true + network-name-gen: + enabled: true + dgbuilder: + enabled: true + ueb-listener: + enabled: true + sdnc-ansible-server: + enabled: true + sdnc-web: + enabled: true so: enabled: true strimzi: @@ -96,12 +103,6 @@ strimzi: enabled: true uui: enabled: true -vfc: - enabled: true -vid: - enabled: true - ingress: - enabled: true -vnfsdk: +a1policymanagement: enabled: true - + 55,15 39% diff --git a/kubernetes/onap/resources/overrides/onap-all.yaml b/kubernetes/onap/resources/overrides/onap-all.yaml index aeac83f7ef..444d904453 100644 --- a/kubernetes/onap/resources/overrides/onap-all.yaml +++ b/kubernetes/onap/resources/overrides/onap-all.yaml 
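Review bot: the last added line of the onap-all-ingress-nginx-vhost.yaml hunk `@@ -96,12 +103,6 @@`, `55,15 39%`, is neither a key nor a comment and reads like editor status text that was saved into the file; it should be dropped so it cannot fold into the `enabled: true` value above it or break parsing. In the first hunk of the same file, the added `auth.method: "noAuth"` under `dcae-ves-collector` ships in an override that turns on every component's ingress (`enable_all: true`), which leaves the collector reachable without authentication; please add a comment stating that this is meant for demo deployments only, or drop the override if it is not required.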
@@ -19,112 +19,60 @@ ################################################################### # This override file enables helm charts for all ONAP applications. ################################################################### -global: - addTestingComponents: &testing true - centralizedLoggingEnabled: ¢ralizedLogging false cassandra: enabled: true mariadb-galera: enabled: true postgres: enabled: true -aaf: +authentication: enabled: true - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: true aai: enabled: true -appc: - enabled: false cds: enabled: true -clamp: - enabled: true -cli: - enabled: true -# Today, "contrib" chart that hosting these components must also be enabled -# in order to make it work. So `contrib.enabled` must have the same value than -# addTestingComponents -contrib: - enabled: *testing -consul: - enabled: true cps: enabled: true dcaegen2-services: enabled: true - dcae-datafile-collector: - enabled: true dcae-datalake-admin-ui: enabled: true dcae-datalake-des: enabled: true dcae-datalake-feeder: enabled: true - dcae-heartbeat: - enabled: true dcae-hv-ves-collector: enabled: true - dcae-kpi-ms: - enabled: true dcae-ms-healthcheck: enabled: true - dcae-pm-mapper: - enabled: true - dcae-pmsh: - enabled: true dcae-prh: enabled: true - dcae-restconf-collector: - enabled: true - dcae-slice-analysis-ms: - enabled: true - dcae-snmptrap-collector: - enabled: true - dcae-son-handler: - enabled: true - dcae-tcagen2: - enabled: true dcae-ves-collector: enabled: true - dcae-ves-mapper: - enabled: true dcae-ves-openapi-manager: enabled: true -dcaemod: - enabled: true -holmes: - enabled: true -dmaap: - enabled: true - message-router: - enabled: true - dmaap-bc: - enabled: true - dmaap-dr-prov: - enabled: true - dmaap-dr-node: - enabled: true -oof: - enabled: true -msb: - enabled: true multicloud: enabled: true -nbi: - enabled: true policy: enabled: true -portal: - enabled: false +portal-ng: + enabled: true robot: 
enabled: true sdc: enabled: true sdnc: enabled: true + network-name-gen: + enabled: true + dgbuilder: + enabled: true + ueb-listener: + enabled: true + sdnc-ansible-server: + enabled: true + sdnc-web: + enabled: true so: enabled: true strimzi: @@ -133,14 +81,6 @@ strimzi: enabled: true uui: enabled: true -vfc: - enabled: true -vid: - enabled: false -vnfsdk: - enabled: true -modeling: - enabled: true platform: enabled: true a1policymanagement: diff --git a/kubernetes/onap/resources/overrides/onap-vfw.yaml b/kubernetes/onap/resources/overrides/onap-vfw.yaml index fc0c94de24..5ce3a97488 100644 --- a/kubernetes/onap/resources/overrides/onap-vfw.yaml +++ b/kubernetes/onap/resources/overrides/onap-vfw.yaml @@ -21,39 +21,13 @@ cassandra: mariadb-galera: enabled: true -aaf: - enabled: true aai: enabled: true -appc: - enabled: true -clamp: - enabled: true -consul: - enabled: true dcaegen2-services: enabled: true -holmes: - enabled: true -dmaap: - enabled: true - message-router: - enabled: true - dmaap-bc: - enabled: false - dmaap-dr-prov: - enabled: false - dmaap-dr-node: - enabled: false -log: - enabled: true -oof: - enabled: true -msb: - enabled: true policy: enabled: true -portal: +portal-ng: enabled: true robot: enabled: true @@ -67,5 +41,3 @@ strimzi: enabled: true strimzi-kafka-bridge: enabled: false -vid: - enabled: true diff --git a/kubernetes/onap/resources/overrides/openstack.yaml b/kubernetes/onap/resources/overrides/openstack.yaml index 5e09d7cfe9..9c0fc539c3 100644 --- a/kubernetes/onap/resources/overrides/openstack.yaml +++ b/kubernetes/onap/resources/overrides/openstack.yaml 
@@ -15,19 +15,7 @@ ################################################################# # This override file configures openstack parameters for ONAP ################################################################# -appc: - config: - enableClustering: false - openStackType: "OpenStackProvider" - openStackName: "OpenStack" - openStackKeyStoneUrl: "http://10.12.25.2:5000/v2.0" - openStackServiceTenantName: "OPENSTACK_TENANTNAME_HERE" - openStackDomain: "Default" - openStackUserName: "OPENSTACK_USERNAME_HERE" - openStackEncryptedPassword: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_PASSWORD_HERE_XXXXXXXXXXXXXXXX" robot: - appcUsername: "appc@appc.onap.org" - appcPassword: "demo123456!" openStackKeyStoneUrl: "http://10.12.25.2:5000" openStackPublicNetId: "971040b2-7059-49dc-b220-4fab50cb2ad4" openStackTenantId: "09d8566ea45e43aa974cf447ed591d77" @@ -46,7 +34,7 @@ robot: scriptVersion: "1.4.0-SNAPSHOT" rancherIpAddress: "10.12.5.127" config: - # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment + # openStackEncryptedPasswordHere should match the encrypted string used in SO and overridden per environment openStackEncryptedPasswordHere: "XXXXXXXXXXXXXXXXXXXXXXXX_OPENSTACK_ENCRYPTED_PASSWORD_HERE_XXXXXXXXXXXXXXXX" so: # so server configuration diff --git a/kubernetes/onap/resources/overrides/sm-onap.yaml b/kubernetes/onap/resources/overrides/sm-onap.yaml index 1d3b2eb5c9..6877e33875 100644 --- a/kubernetes/onap/resources/overrides/sm-onap.yaml +++ b/kubernetes/onap/resources/overrides/sm-onap.yaml 
@@ -60,58 +60,20 @@ aai: replicas: 1 aai-cassandra: replicaCount: 1 -aaf: - enabled: false - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: false -appc: - enabled: false cassandra: enabled: true replicaCount: 3 -clamp: - enabled: false -cli: - enabled: false -consul: - enabled: false -contrib: - enabled: false cps: enabled: false dcaegen2-services: enabled: false -dmaap: - enabled: true - message-router: - enabled: true - dmaap-bc: - enabled: true - dmaap-dr-prov: - enabled: true - dmaap-dr-node: - enabled: true -holmes: - enabled: false -log: - enabled: false mariadb-galera: enabled: true -msb: - enabled: false multicloud: enabled: false -nbi: - enabled: false -oof: - enabled: false policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false @@ -124,19 +86,17 @@ sdc: resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 10m - memory: 500Mi + cpu: "10m" + memory: "500Mi" sdc-cs: config: maxHeapSize: "512M" heapNewSize: "256M" sdnc: enabled: true -sniro-emulator: - enabled: false so: enabled: true config: @@ -152,12 +112,5 @@ strimzi: enabled: true uui: enabled: false -vid: - enabled: false -vfc: - enabled: false -vnfsdk: - enabled: false cds: enabled: true - diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index bdbf5ab323..089e65a2c5 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2019 Amdocs, Bell Canada # Copyright (c) 2020 Nordix Foundation, Modifications # Modifications Copyright © 2020-2021 Nokia +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -26,19 +27,6 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 - - # Install test components - # test components are out of the scope of ONAP but allow to have a entire - # environment to test the different features of ONAP - # Current tests environments provided: - # - netbox (needed for CDS IPAM) - # - AWX (needed for XXX) - # - EJBCA Server (needed for CMPv2 tests) - # Today, "contrib" chart that hosting these components must also be enabled - # in order to make it work. So `contrib.enabled` must have the same value than - # addTestingComponents - addTestingComponents: &testing false - # ONAP Repository # Four different repositories are used # You can change individually these repositories to ones that will serve the @@ -46,14 +34,10 @@ global: repository: nexus3.onap.org:10001 dockerHubRepository: &dockerHubRepository docker.io elasticRepository: &elasticRepository docker.elastic.co + quayRepository: quay.io googleK8sRepository: k8s.gcr.io githubContainerRegistry: ghcr.io - - #/!\ DEPRECATED /!\ - # Legacy repositories which will be removed at the end of migration. - # Please don't use - loggingRepository: *elasticRepository - busyboxRepository: *dockerHubRepository + mariadbContainerRegistry: docker-registry3.mariadb.com # Default credentials # they're optional. If the target repository doesn't need them, comment them 
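Review bot: The `quayRepository` and `mariadbContainerRegistry` keys added to the repository list in the `@@ -46,14 +34,10 @@` hunk carry no comment, and the header above the list still reads "Four different repositories are used", which no longer matches. Update that comment and state which images each new registry serves. The same hunk removes `loggingRepository` and `busyboxRepository` outright rather than leaving them deprecated; any chart template that still reads `global.loggingRepository` or `global.busyboxRepository` would now resolve to an empty value, so confirm no consumer remains in the tree before this merges.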
@@ -75,38 +59,55 @@ global: # user: myuser # password: mypassord + # Default definition of the secret containing the docker image repository + # credentials. In the default ONAP deployment the secret is created by the + # repository-wrapper component, which uses the secrets defined above. + # If this is not wanted or other secrets are created, alternative secret + # names can be used + # Overrides for specific images can be done, if the "image" entry is used as + # a map and the "pullSecrets" is used, e.g. + # image: + # ... + # pullSecrets: + # - myRegistryKeySecretName + # + imagePullSecrets: + - '{{ include "common.namespace" . }}-docker-registry-key' # common global images # Busybox for simple shell manipulation - busyboxImage: busybox:1.34.1 + busyboxImage: busybox:1.37.0 # curl image - curlImage: curlimages/curl:7.80.0 + curlImage: curlimages/curl:8.14.1 # env substitution image - envsubstImage: dibi/envsubst:1 + envsubstImage: dibi/envsubst:latest # generate htpasswd files image # there's only latest image for htpasswd htpasswdImage: xmartlabs/htpasswd:latest # kubenretes client image - kubectlImage: bitnami/kubectl:1.22.4 + kubectlImage: bitnami/kubectl:1.22.16 # logging agent loggingImage: beats/filebeat:5.5.0 # mariadb client image - mariadbImage: bitnami/mariadb:10.5.8 + mariadbImage: mariadb:11.7.2 + + # mongodb server image + mongodbImage: percona/percona-server-mongodb:7.0.16-10 # nginx server image - nginxImage: bitnami/nginx:1.21.4 + nginxImage: bitnami/nginx:1.29.0 # postgreSQL client and server image postgresImage: crunchydata/crunchy-postgres:centos8-13.2-4.6.1 # readiness check image - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.2.0 # image pull policy pullPolicy: Always 
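Review bot: `envsubstImage` moves from the pinned `dibi/envsubst:1` to `dibi/envsubst:latest` while `pullPolicy: Always` remains the default, so each pod start can pull a different image from the one that was tested. Pin a version tag as the other bumps in this hunk do (`busybox:1.37.0`, `curlimages/curl:8.14.1`), or pin a digest. The new `imagePullSecrets` entry is a template string (`'{{ include "common.namespace" . }}-docker-registry-key'`), which only resolves where the consuming chart passes it through `tpl`; the comment above it should say so.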
@@ -118,6 +119,14 @@ global: # {{ template "common.fullname" . }}.{{ template "common.namespace" . }}.svc.{{ .Values.global.clusterName }} clusterName: cluster.local + # enable this if you have deployed Jaeger alongside ONAP + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + # default mount path root directory referenced # by persistent volumes and log files persistence: @@ -127,6 +136,10 @@ global: storageclassProvisioner: kubernetes.io/no-provisioner volumeReclaimPolicy: Retain + # Global flag to enable the creation of default roles instead of using + # common roles-wrapper + createDefaultRoles: false + # override default resource limit flavor for all charts flavor: unlimited 
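Review bot: In the `tracing` block added after `clusterName` (`@@ -118,6 +119,14 @@`), `sampling.probability` defaults to `1.0`, so an operator who only sets `enabled: true` exports a span for every request, and `collector.baseUrl` points at a plain `http://` endpoint. Either lower the default or extend the comment to say that 1.0 is meant for test setups, and note that the collector traffic is unencrypted unless the mesh provides mTLS. The `createDefaultRoles` flag added in the following hunk would also benefit from one line saying which roles are created and with what permissions when it is set to `true`.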
@@ -150,11 +163,36 @@ global: enabled: false # enable all component's Ingress interfaces enable_all: false - # default Ingress base URL - # can be overwritten in component vy setting ingress.baseurlOverride + + # Provider: ingress, istio, gw-api + provider: istio + # Ingress class (only for provider "ingress"): e.g. nginx, traefik + ingressClass: + # Ingress Selector (only for provider "istio") to match with the + # ingress pod label "istio=ingress" + ingressSelector: ingress + # optional: common used Gateway (for Istio, GW-API) and listener names + commonGateway: + name: "" + httpListener: "" + httpsListener: "" + + # default Ingress base URL and preAddr- and postAddr settings + # Ingress URLs result: + # . virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride baseurl: "simpledemo.onap.org" - # All http requests via ingress will be redirected on Ingress controller + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + + # All http (port 80) requests via ingress will be redirected + # to port 443 on Ingress controller # only valid for Istio Gateway (ServiceMesh enabled) config: ssl: "redirect" 
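Review bot: `ingressClass:` is added with no value, so it parses as null, unlike the `""` defaults used for `commonGateway.name`, `preaddr` and `postaddr` in the same hunk. Set it to `""` or to a concrete class so templates can treat all of these keys the same way. `provider: istio` also becomes the default without the comment saying what happens when `serviceMesh.enabled` is `false`; one sentence on that dependency would help operators who use a plain ingress controller.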
@@ -163,17 +201,23 @@ global: # tls: # secret: 'my-ingress-cert' - # optional: Namespace of the Istio IngressGateway + # optional: Namespace of the Istio IngressGateway or Gateway-API # only valid for Istio Gateway (ServiceMesh enabled) namespace: istio-ingress # Global Service Mesh configuration - # POC Mode, don't use it in production serviceMesh: enabled: false tls: true # be aware that linkerd is not well tested engine: "istio" # valid value: istio or linkerd + # if nativeSidecars are enabled in Istio, this value can be set to "true" + # and will disable the deployment of sidecar killer containers in jobs + nativeSidecars: false + + # Global Istio Authorization Policy configuration + authorizationPolicies: + enabled: false # metrics part # If enabled, exporters (for prometheus) will be deployed @@ -188,8 +232,7 @@ global: # Disabling AAF # POC Mode, only for use in development environment # Keep it enabled in production - aafEnabled: true - aafAgentImage: onap/aaf/aaf_agent:2.1.20 + aafEnabled: false # Disabling MSB # POC Mode, only for use in development environment @@ -212,7 +255,7 @@ global: name: cmpv2-issuer-onap # Enabling CMPv2 - cmpv2Enabled: true + cmpv2Enabled: false platform: certificates: clientSecretName: oom-cert-service-client-tls-secret @@ -232,7 +275,7 @@ global: # Set to false if you want to disable TLS for NodePorts. Be aware that this # will loosen your security. # if set this element will force or not tls even if serviceMesh.tls is set. - # tlsEnabled: false + tlsEnabled: false # Logging # Currently, centralized logging is not in best shape so it's disabled by @@ -255,14 +298,6 @@ global: # storageClass: "-" # Example of specific for the components which requires RWX: -# aaf: -# persistence: -# storageClassOverride: "My_RWX_Storage_Class" -# contrib: -# netbox: -# netbox-app: -# persistence: -# storageClassOverride: "My_RWX_Storage_Class" # cds: # cds-blueprints-processor: # persistence: 
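Review bot: Uncommenting `tlsEnabled: false` in the `@@ -232,7 +275,7 @@` hunk changes the default rather than the documentation. The comment directly above states that this element, when set, forces TLS on or off even if `serviceMesh.tls` is set, and that disabling it "will loosen your security"; with `serviceMesh.enabled: false` also the default, a deployment that overrides nothing now runs with TLS off. If the intent is to delegate TLS to the mesh, say so in the comment; otherwise keep the line commented out. In the `@@ -188,8 +232,7 @@` hunk, `aafEnabled` flips to `false` while its comment still reads "Keep it enabled in production", which now contradicts the shipped default and should be reworded or removed.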
@@ -277,64 +312,30 @@ global: # to customize the ONAP deployment. ################################################################# -aaf: +authentication: enabled: false - aaf-sms: - cps: - # you must always set the same values as value set in cps.enabled - enabled: false aai: enabled: false -appc: - enabled: false - config: - openStackType: OpenStackProvider - openStackName: OpenStack - openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html - openStackServiceTenantName: default - openStackDomain: default - openStackUserName: admin - openStackEncryptedPassword: admin cassandra: enabled: false cds: enabled: false -clamp: - enabled: false cli: enabled: false -consul: - enabled: false -# Today, "contrib" chart that hosting these components must also be enabled -# in order to make it work. So `contrib.enabled` must have the same value than -# addTestingComponents -contrib: - enabled: *testing cps: enabled: false dcaegen2-services: enabled: false -dcaemod: - enabled: false holmes: enabled: false dmaap: enabled: false message-router: enabled: false - dmaap-bc: - enabled: false dmaap-dr-prov: enabled: false dmaap-dr-node: enabled: false -# Today, "logging" chart that perform the central part of logging must also be -# enabled in order to make it work. So `logging.enabled` must have the same -# value as centralizedLoggingEnabled -log: - enabled: *centralizedLogging -sniro-emulator: - enabled: false oof: enabled: false mariadb-galera: @@ -351,14 +352,12 @@ nbi: openStackVNFTenantId: "1234" policy: enabled: false -pomba: - enabled: false -portal: +portal-ng: enabled: false robot: enabled: false config: - # openStackEncryptedPasswordHere should match the encrypted string used in SO and APPC and overridden per environment + # openStackEncryptedPasswordHere should match the encrypted string used in SO and overridden per environment openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e" sdc: enabled: false 
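Review bot: The `@@ -277,64 +312,30 @@` hunk leaves `oof: enabled: false` in `values.yaml` as unchanged context, yet this same patch deletes `kubernetes/oof/Chart.yaml` and the rest of the oof chart. Remove the `oof` key here as well so the values file does not advertise a component that can no longer be enabled. `cli`, `holmes` and `dmaap` also survive in this hunk although the override files touched by this patch drop them; if their charts are gone too, clean up those entries in the same change.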
@@ -415,8 +414,6 @@ uui: enabled: false vfc: enabled: false -vid: - enabled: false vnfsdk: enabled: false modeling: @@ -425,8 +422,6 @@ platform: enabled: false a1policymanagement: enabled: false -cert-wrapper: - enabled: true repository-wrapper: enabled: true roles-wrapper: diff --git a/kubernetes/oof/Chart.yaml b/kubernetes/oof/Chart.yaml deleted file mode 100755 index 3d5441dd4c..0000000000 --- a/kubernetes/oof/Chart.yaml +++ /dev/null @@ -1,42 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Optimization Framework -name: oof -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: oof-has - version: ~12.x-0 - repository: 'file://components/oof-has' - condition: oof-has.enabled - - name: oof-templates - version: ~12.x-0 - repository: 'file://components/oof-templates' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/oof/Makefile b/kubernetes/oof/Makefile deleted file mode 100644 index eea1b7aefb..0000000000 --- a/kubernetes/oof/Makefile +++ /dev/null 
@@ -1,59 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/oof/components/Makefile b/kubernetes/oof/components/Makefile deleted file mode 100755 index f09e21e75c..0000000000 
--- a/kubernetes/oof/components/Makefile +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/oof/components/oof-has/.helmignore b/kubernetes/oof/components/oof-has/.helmignore deleted file mode 100644 index 68ffb32406..0000000000 
--- a/kubernetes/oof/components/oof-has/.helmignore +++ /dev/null @@ -1 +0,0 @@ -components/ diff --git a/kubernetes/oof/components/oof-has/Chart.yaml b/kubernetes/oof/components/oof-has/Chart.yaml deleted file mode 100755 index 0b3a324c9a..0000000000 --- a/kubernetes/oof/components/oof-has/Chart.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Homing and Allocation Service -name: oof-has -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: music - version: ~12.x-0 - repository: '@local' - condition: music.enabled - - name: etcd - version: ~12.x-0 - repository: '@local' - condition: etcd.enabled - - name: etcd-init - version: ~12.x-0 - repository: '@local' - condition: etcd-init.enabled - - name: oof-has-api - version: ~12.x-0 - repository: 'file://components/oof-has-api' - condition: oof-has-api.enabled - - name: oof-has-controller - version: ~12.x-0 - repository: 'file://components/oof-has-controller' - condition: oof-has-controller.enabled - - name: oof-has-data - version: ~12.x-0 - repository: 'file://components/oof-has-data' - condition: oof-has-data.enabled - - name: oof-has-reservation - version: ~12.x-0 - repository: 'file://components/oof-has-reservation' - condition: oof-has-reservation.enabled - - name: oof-has-solver - version: ~12.x-0 - repository: 'file://components/oof-has-solver' - condition: oof-has-solver.enabled - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - 
diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml deleted file mode 100755 index 39d3f0c89f..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/Chart.yaml +++ /dev/null @@ -1,38 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Homing and Allocation Servicei - API -name: oof-has-api -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: oof-templates - version: ~12.x-0 - repository: 'file://../../../oof-templates' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml deleted file mode 100755 index 4e38c830f0..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml +++ /dev/null 
@@ -1,195 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Copyright (C) 2020 Wipro Limited. -# Modifications Copyright © 2018 AT&T,VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - oof-has-controller - {{- if (include "common.needTLS" .) }} - - --container-name - - aaf-service - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.name" . 
}}-has-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} -{{ include "common.certInitializer.initContainer" . | indent 6 }} - - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/sh","-c"] - args: ["/usr/local/bin/uwsgi -s /run/conductor/uwsgi.sock --chmod-socket=777 --wsgi-file /etc/nginx/conductor.wsgi --callable application --set port={{ .Values.uwsgi.internalPort }} --die-on-term --exit-on-reload --pidfile /run/conductor/conductor-uwsgi.pid --enable-threads --workers 6 --master --vacuum --single-interpreter --socket-timeout 10 --max-worker-lifetime 300 --max-requests 100 --no-defer-accept --protocol=uwsgi --socket 0.0.0.0:{{ .Values.uwsgi.internalPort }}"] - ports: - - containerPort: {{ .Values.uwsgi.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.uwsgi.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.uwsgi.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: {{ include "oof.etcd.env" . 
| nindent 10 }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/etc/conductor/conductor.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: conductor.conf - - mountPath: /usr/local/bin/log.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: log.conf - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} - - name: {{ include "common.name" . }}-nginx - image: {{ include "repositoryGenerator.image.nginx" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /bin/sh - args: - - "-c" - - | - {{- if (include "common.needTLS" .) }} - grep -v '^$' /opt/bitnami/nginx/ssl/local/org.onap.oof.crt > /tmp/oof.crt - cat /tmp/oof.crt /tmp/intermediate_root_ca.pem /tmp/AAF_RootCA.cer >> /opt/bitnami/nginx/org.onap.oof.crt - {{- end }} - /opt/bitnami/scripts/nginx/entrypoint.sh /opt/bitnami/scripts/nginx/run.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/bitnami/nginx/conf/nginx.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: nginx.conf - {{- if (include "common.needTLS" .) 
}} - - mountPath: /tmp/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - - mountPath: /tmp/intermediate_root_ca.pem - name: {{ include "common.fullname" . }}-onap-certs - subPath: intermediate_root_ca.pem - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ .Values.global.commonConfigPrefix }}-config - configMap: - name: {{ .Values.global.commonConfigPrefix }}-configmap - items: - - key: nginx.conf - path: nginx.conf - - key: conductor.conf - path: conductor.conf - - key: log.conf - path: log.conf -{{- if (include "common.needTLS" .) }} -{{ include "oof.certificate.volume" . | indent 8 }} -{{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml deleted file mode 100755 index f13e7cea9b..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml deleted file mode 100755 index c850cb7752..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml +++ /dev/null 
@@ -1,119 +0,0 @@ -# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware -# Copyright (C) 2020 Wipro Limited. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: # global defaults - nodePortPrefix: 302 - image: - optf_has: onap/optf-has:2.3.1 - -################################################################# -# secrets metaconfig -################################################################# -secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - - uid: oof-has-etcd-secret - name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' - login: '{{ .Values.config.etcd.appUser }}' - password: '{{ .Values.config.etcd.appPassword }}' - passwordPolicy: required - -config: - etcd: - appUser: user - appPassword: pass - -service: - type: NodePort - name: oof-has-api - externalPort: 8091 - internalPort: 8091 - nodePort: 75 - portName: http - -#backend container info -uwsgi: - internalPort: 8080 -ingress: - enabled: false -replicaCount: 1 -nodeSelector: {} -affinity: {} -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - memory: 4Gi - cpu: 2000m - requests: - memory: 1Gi - cpu: 500m - large: - limits: - memory: 8Gi - cpu: 4000m - requests: - memory: 2Gi - cpu: 1000m - unlimited: {} -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -#sub-charts configuration -certInitializer: - nameOverride: oof-has-cert-initializer - fqdn: "oof.onap" - app_ns: "org.osaaf.aaf" - fqi: "oof@oof.onap.org" - fqi_namespace: org.onap.oof - public_fqdn: "oof.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - appMountPath: /opt/bitnami/nginx/ssl - aaf_add_config: > - chmod 444 {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key; - - -ingress: - enabled: false - service: - - baseaddr: "oof-has-api" - name: "oof-has-api" - port: 8091 - config: - ssl: "redirect" - -#Pods Service Account -serviceAccount: - nameOverride: oof-has-api - roles: - - read diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml deleted file mode 100755 index 9713d7a497..0000000000 
--- a/kubernetes/oof/components/oof-has/components/oof-has-controller/Chart.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Homing and Allocation Sservice - Controller -name: oof-has-controller -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: oof-templates - version: ~12.x-0 - repository: 'file://../../../oof-templates' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml deleted file mode 100755 index 92be670db6..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml +++ /dev/null 
@@ -1,154 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - {{- if (include "common.needTLS" .) }} - - --container-name - - aaf-sms - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.name" . 
}}-cont-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - python - args: - - /usr/local/bin/conductor-controller - - --config-file=/usr/local/bin/conductor.conf - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if .Values.liveness.enabled }} - livenessProbe: - exec: - command: - - cat - - /usr/local/bin/healthy.sh - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - exec: - command: - - cat - - /usr/local/bin/healthy.sh - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: {{ include "oof.etcd.env" . | nindent 10 }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/bin/conductor.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: conductor.conf - - mountPath: /usr/local/bin/log.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: log.conf - - mountPath: /usr/local/bin/healthy.sh - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: healthy.sh - {{- if (include "common.needTLS" .) 
}} - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ .Values.global.commonConfigPrefix }}-config - configMap: - name: {{ .Values.global.commonConfigPrefix }}-configmap - items: - - key: conductor.conf - path: conductor.conf - - key: log.conf - path: log.conf - - key: healthy.sh - path: healthy.sh -{{- if (include "common.needTLS" .) }} -{{ include "oof.certificate.volume" . | indent 8 }} -{{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml deleted file mode 100755 index d6da75fd18..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/values.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - image: - optf_has: onap/optf-has:2.3.1 - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - - uid: oof-has-etcd-secret - name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' - login: '{{ .Values.config.etcd.appUser }}' - password: '{{ .Values.config.etcd.appPassword }}' - passwordPolicy: required - -config: - etcd: - appUser: user - appPassword: pass - -ingress: - enabled: false -replicaCount: 1 -nodeSelector: {} -affinity: {} -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - memory: 4Gi - cpu: 2000m - requests: - memory: 1Gi - cpu: 500m - large: - limits: - memory: 8Gi - cpu: 4000m - requests: - memory: 2Gi - cpu: 1000m - unlimited: {} -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -#Pods Service Account -serviceAccount: - nameOverride: oof-has-controller - roles: - - read diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml deleted file mode 100755 index 725545159c..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/Chart.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Homing and Allocation Service - Data Component -name: oof-has-data -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: oof-templates - version: ~12.x-0 - repository: 'file://../../../oof-templates' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml deleted file mode 100755 index 72ecd7db2d..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml +++ /dev/null 
@@ -1,163 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.name" . }}-data-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . 
}}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} - - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - python - args: - - /usr/local/bin/conductor-data - - --config-file=/usr/local/bin/conductor.conf - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if .Values.liveness.enabled }} - livenessProbe: - exec: - command: - - cat - - /usr/local/bin/healthy.sh - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - exec: - command: - - cat - - /usr/local/bin/healthy.sh - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: {{ include "oof.etcd.env" . | nindent 10 }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/bin/conductor.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: conductor.conf - - mountPath: /usr/local/bin/log.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: log.conf - - mountPath: /usr/local/bin/healthy.sh - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: healthy.sh - {{- if (include "common.needTLS" .) 
}} - - mountPath: /usr/local/bin/aai_cert.cer - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: aai_cert.cer - - mountPath: /usr/local/bin/aai_key.key - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: aai_key.key - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ .Values.global.commonConfigPrefix }}-config - configMap: - name: {{ .Values.global.commonConfigPrefix }}-configmap - items: - - key: conductor.conf - path: conductor.conf - - key: log.conf - path: log.conf - - key: healthy.sh - path: healthy.sh - {{- if (include "common.needTLS" .) }} - - key: aai_cert.cer - path: aai_cert.cer - - key: aai_key.key - path: aai_key.key - {{- end }} -{{- if (include "common.needTLS" .) }} -{{ include "oof.certificate.volume" . | indent 8 }} -{{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml deleted file mode 100755 index 93a335d29d..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/values.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - image: - optf_has: onap/optf-has:2.3.1 - -################################################################# -# secrets metaconfig -################################################################# -secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - - uid: oof-has-etcd-secret - name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' - login: '{{ .Values.config.etcd.appUser }}' - password: '{{ .Values.config.etcd.appPassword }}' - passwordPolicy: required - -config: - etcd: - appUser: user - appPassword: pass - -ingress: - enabled: false -replicaCount: 1 -nodeSelector: {} -affinity: {} -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - memory: 4Gi - cpu: 2000m - requests: - memory: 1Gi - cpu: 500m - large: - limits: - memory: 8Gi - cpu: 4000m - requests: - memory: 2Gi - cpu: 1000m - unlimited: {} -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -#Pods Service Account -serviceAccount: - nameOverride: oof-has-data - roles: - - read diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml deleted file mode 100755 index b8e5521b93..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/Chart.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Homing and Allocation Sevice - Reservation Component -name: oof-has-reservation -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: oof-templates - version: ~12.x-0 - repository: 'file://../../../oof-templates' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml deleted file mode 100755 index b90a6f6e89..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml +++ /dev/null 
@@ -1,151 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.name" . 
}}-resrv-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" .}}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} - - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - python - args: - - /usr/local/bin/conductor-reservation - - --config-file=/usr/local/bin/conductor.conf - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if .Values.liveness.enabled }} - livenessProbe: - exec: - command: - - cat - - /usr/local/bin/healthy.sh - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - readinessProbe: - exec: - command: - - cat - - /usr/local/bin/healthy.sh - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - {{ end -}} - env: {{ include "oof.etcd.env" . | nindent 10 }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/bin/conductor.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: conductor.conf - - mountPath: /usr/local/bin/log.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: log.conf - - mountPath: /usr/local/bin/healthy.sh - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: healthy.sh - {{- if (include "common.needTLS" .) 
}} - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ .Values.global.commonConfigPrefix }}-config - configMap: - name: {{ .Values.global.commonConfigPrefix }}-configmap - items: - - key: conductor.conf - path: conductor.conf - - key: log.conf - path: log.conf - - key: healthy.sh - path: healthy.sh -{{- if (include "common.needTLS" .) }} -{{ include "oof.certificate.volume" . | indent 8 }} -{{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml deleted file mode 100755 index 651e832929..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/values.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - image: - optf_has: onap/optf-has:2.3.1 - -################################################################# -# secrets metaconfig -################################################################# -secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - - uid: oof-has-etcd-secret - name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' - login: '{{ .Values.config.etcd.appUser }}' - password: '{{ .Values.config.etcd.appPassword }}' - passwordPolicy: required - -config: - etcd: - appUser: user - appPassword: pass - -ingress: - enabled: false -replicaCount: 1 -nodeSelector: {} -affinity: {} -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - memory: 4Gi - cpu: 2000m - requests: - memory: 1Gi - cpu: 500m - large: - limits: - memory: 8Gi - cpu: 4000m - requests: - memory: 2Gi - cpu: 1000m - unlimited: {} -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -#Pods Service Account -serviceAccount: - nameOverride: oof-has-reservation - roles: - - read diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml deleted file mode 100755 index 9f5381be53..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/Chart.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Homing and Allocation Service - Solver Component -name: oof-has-solver -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: oof-templates - version: ~12.x-0 - repository: 'file://../../../oof-templates' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml deleted file mode 100755 index 4499d9806e..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml +++ /dev/null 
@@ -1,151 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - {{- if (include "common.needTLS" .) }} - - name: {{ include "common.name" . }}-solvr-sms-readiness - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . 
}}:10443/v1/sms/domain/has/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- end }} - - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - python - args: - - /usr/local/bin/conductor-solver - - --config-file=/usr/local/bin/conductor.conf - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if .Values.liveness.enabled }} - livenessProbe: - exec: - command: - - cat - - /usr/local/bin/healthy.sh - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - exec: - command: - - cat - - /usr/local/bin/healthy.sh - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: {{ include "oof.etcd.env" . | nindent 10 }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/bin/conductor.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: conductor.conf - - mountPath: /usr/local/bin/log.conf - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: log.conf - - mountPath: /usr/local/bin/healthy.sh - name: {{ .Values.global.commonConfigPrefix }}-config - subPath: healthy.sh - {{- if (include "common.needTLS" .) }} - - mountPath: /usr/local/bin/AAF_RootCA.cer - name: {{ include "common.fullname" . }}-onap-certs - subPath: aaf_root_ca.cer - {{- end }} - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ .Values.global.commonConfigPrefix }}-config - configMap: - name: {{ .Values.global.commonConfigPrefix }}-configmap - items: - - key: conductor.conf - path: conductor.conf - - key: log.conf - path: log.conf - - key: healthy.sh - path: healthy.sh -{{- if (include "common.needTLS" .) }} -{{ include "oof.certificate.volume" . | indent 8 }} -{{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml deleted file mode 100755 index 46ff033c82..0000000000 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/values.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - image: - optf_has: onap/optf-has:2.3.1 - -################################################################# -# secrets metaconfig -################################################################# -secrets: - - uid: oof-onap-certs - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - - uid: oof-has-etcd-secret - name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' - login: '{{ .Values.config.etcd.appUser }}' - password: '{{ .Values.config.etcd.appPassword }}' - passwordPolicy: required - -config: - etcd: - appUser: user - appPassword: pass - -ingress: - enabled: false -replicaCount: 1 -nodeSelector: {} -affinity: {} -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - memory: 4Gi - cpu: 2000m - requests: - memory: 1Gi - cpu: 500m - large: - limits: - memory: 8Gi - cpu: 4000m - requests: - memory: 2Gi - cpu: 1000m - unlimited: {} -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -#Pods Service Account -serviceAccount: - nameOverride: oof-has-solver - roles: - - read diff --git a/kubernetes/oof/components/oof-has/resources/config/aai_cert.cer b/kubernetes/oof/components/oof-has/resources/config/aai_cert.cer deleted file mode 100755 index 4c6eb916e6..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/aai_cert.cer +++ /dev/null 
@@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEKjCCAxKgAwIBAgIBHjANBgkqhkiG9w0BAQsFADBHMQswCQYDVQQGEwJVUzEN -MAsGA1UECgwET05BUDEOMAwGA1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVk -aWF0ZUNBXzEwHhcNMTgwNDI1MTIxMzAxWhcNMTkwNDIwMTIxMzAxWjBtMQswCQYD -VQQGEwJVUzENMAsGA1UECgwET05BUDEZMBcGA1UECwwQb29mQG9vZi5vbmFwLm9y -ZzEOMAwGA1UECwwFT1NBQUYxJDAiBgNVBAMMG29vZi5hcGkuc2ltcGxlZGVtby5v -bmFwLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANGpQUtgLXG3 -dVikd/QC2Q24wzeTOeZzbx3PnidNYZT5K0sJ/TdnZF6O/4+9gXQ6AQS2Q8wfQ009 -MQAA5vhUaq5yZ2K+XAtEFGln1TxTFpGu3WDOwQ800Vw18Dk8WidrkzDJv489Bn1f -SSaPC0IaRB0K1d8BD63ZHgsuEY8lt31DX2wFWJcfN9mxNDzuLTZoLxtxKsedoZKH -rsOOILwXOhwuunfx40i6RQN/pFX6C2i8dtOA5OwUm9Q1RrZ2Tv1Uf4IURriH6bfZ -5n50yxTuL22TMYXsF/ohrdgwacuC0aV9ZSGhIZUJPyHVg7+QTBioHmoUJInVKuIx -kkC4lENbLYUCAwEAAaOB+jCB9zAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIG -wDAzBglghkgBhvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRp -ZmljYXRlMB0GA1UdDgQWBBQwbU5oHU2iYHCoVz4hFCvBW59cdTBUBgNVHSMETTBL -gBQd5lldG54KOKRipsGF8/PP1vGX6qEwpC4wLDEOMAwGA1UECwwFT1NBQUYxDTAL -BgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTggEBMA4GA1UdDwEB/wQEAwIF4DAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggEBADEa -0VuxoFIygeQTqlizpHNwfApPmlAVSKDTWuEu4rhJs8GT61EuWZQPygXEUHCYmGvJ -GMwEGGIDGiQqxMqlqng46gksNJbi1ktXr6Du18qW7gziUd84ve8KcecjZru1Sk1e -UJ/6WEQVE17CHKcnzQZsMDakgP+61VgKbk5NlkeF/Qh4L6/3jY7g+xoXqaId5RT9 -BetmH/cMsj33lxQTs0fcXTbAQd6BX5ug854OJ1mU4ngJnNBdmn9Ow1bB71ohf5Xv -OEYX8+khjgjlmM0u1hBRL4qViv3y2Gzhpm1M8cETMDj4g0zIJytzIYMxO8XvDPCF -YmVZHXJDLsCogSOmmh0= ------END CERTIFICATE----- \ No newline at end of file diff --git a/kubernetes/oof/components/oof-has/resources/config/aai_key.key b/kubernetes/oof/components/oof-has/resources/config/aai_key.key deleted file mode 100755 index 246ff6d8cb..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/aai_key.key +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN ENCRYPTED PRIVATE KEY----- -MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIvxjZPeQVkRACAggA -MBQGCCqGSIb3DQMHBAhWqwQCjZFCrASCBMjWG5wsC1WFJISJ5odMHzYOWOKLpaDP -7a/dxnBrV6gId/DTmzoqtiBCmQRqhnUuYok98DNUFGjR9JqztNNOf5eslzqCugsh -zVwCvsJYKvxxJ4Q8tow3DKx28I6EmOvwudMsL9c30OxpEWdlWmyFimu5JDdDvWUH -S0fWKebQETZ7lptiRX2IXhC3Ye6Wu/DowDYc5L4Z/Q8nwncMB3n2ntMX10pBrura -15/R18AvG5cDwcasTXz5WKIB/K2onvJfW0so2M8jApu2DF4MpEIN9Z973uTNFXcL -dgHKWtIl2WO38coedaXUILgsxLSSU27TG4F+7QMGjiKXUSWjN9+TD+8zWye/9OIW -qfVtoh+n7lWtzC3Axo1OmPInCkFb+I7QaDsJgsUn+ZWap7FVJFrYiz20UTzYYgAK -OukCgKiJTHOhTT1k0km34ROPmqOk6mH7IkioUSTmoP362RpIVTbKv2e5GKzhYfkk -27W3RRG/qoZLUTU2AaAyoGZlzXDkBFw2g4vxnhcfHeXX6jyJyQWOOOeRJ5B6uc+Y -4XmKKJvq5pFlxUDmVCZLRzjwpvYPTQwTQQ9t7kEZFI8B7TMkDqv62YlXyoWNDwPq -yLvDwPDicx33AZor8N/eDgIOE+TXQ0vEyphf0c9OcgneeJmEtn7IskEahv32ruMQ -uFAAuIUmQfXPNMXu3MYIUItvZDm3RUk3YJDj9c8YtvxDlzLytHu5QYJ3v7rvo+mG -XKwmnZouaNRLw5Y7Mff07BuTPuttyNadacuJtUjvv8qVOIeuxQ7nku6yqKKLTeJr -8E4/tYyZ15FIo3hWi16h3zyZ9LiHhhe7d2XYSVMuzuD4jkIdHbdgiKsCJn9mI5PF -VpDF34w1Fjwv7Gu32MRMpJijAW10ENaP1O2izr9l8jwo+CLgi5qa6a2YTYAZooqt -UjTLfEIQKbwFbq5L9Eb1uRw1lRR9SxcxdNQdY+mtx0x2BSmXVUEcyi6OG/8Lzf/1 -9VoE5UPfhSE7ogfbL8eraFlQmKL8f3h3Jx/XDvvKC8YXxgooEhV0BsofXmLdF0BK -bhXR1/JptLz8CJjtlBWQkmqj+ONOHFA9/4YHMNn5T1PBLNzQCZSjQXrDKxowLDsI -ozUyZ080c2LrJCf6zj6+fB3LDvHYfJ6LnYASCHJlNS0NVmRPiYB/dmoqF/iyAEjp -cKUUrbhs6U95aPMo0pPSCuhLKiibCo3Vz/9dvGb7pr6aj/ehOjrtKtGlYukBqNkS -RQK2kkL8IO+iPWs3aCnEhfeS+wNBMAtI/TEw6As2zseyb3/SylHjek4s1gs9MPdw -c3o2ArwMzmP0sfFIjYz+AyQm+5i/LSnkNjG0OU9ekGXy7Z4HAcko2Dv8/SmOVapP -cf8c55RUDlYJh9Ltn0W5fuNA6dykV7f9s8BIrZcnzTN+lifNhNlEYYcmyZwlCcX4 -NBLoH+ENW+Q7+nuhGcf52j/XgTaPZ0Eec8ZJdK7FzVDN4DWKM4KHD7DgpkOR7TZl -IKGNtdvb3SaGG83YlJhRkkr0C2KvB0Mz2dkAhOKX3NkBr5fY62IvuMdqD7VDjGAw -h/GBn0k5+gpVP0Uh6yWEla3CjM9GnUuMVcwIUAYSeW2rFu4iapK0gBwguR91cM1N -MA8= ------END ENCRYPTED PRIVATE KEY----- 
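Review bot: Deleting `aai_key.key` (the whole 30-line `-----BEGIN ENCRYPTED PRIVATE KEY-----` block in this hunk) removes the key from the working tree only. It stays retrievable from repository history, and passphrase encryption is not a reason to keep trusting a key file that has been published. Please state in the commit message that this key and the `aai_cert.cer` deleted just above it are retired and must not be reused or trusted by any remaining component. Key material that is still needed should come from the chart's `secrets:` / `externalSecret` mechanism rather than from files under `resources/config/`.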
diff --git a/kubernetes/oof/components/oof-has/resources/config/bundle.pem b/kubernetes/oof/components/oof-has/resources/config/bundle.pem deleted file mode 100755 index 60121e751b..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/bundle.pem +++ /dev/null @@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEVDCCAjygAwIBAgIBATANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB -RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwNDA1MTQxNTQwWhcN -MTgwNjA0MTQxNTQwWjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG -A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzEwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCY3YPA/YQdz4kaZQzdRzWNjmn33WYAWZ8+ -EIz3PhkEzk7M1q9N7Icx2LvozMj4VH0yGz/HYlliHhw26ZRsjYMSR8zATsXl4oW9 -w9BrjuyvM3w8Ptxe8WbUFF9LJDGyXPeVvcXVo0iyh3QYPWC/AWmomN19MvBFN5vH -AvEG/7qtonViNfISW9Gr9LpXB0foCmUDBu/lV+SwRGajoCPqdZhZ6/L6/yqDvha2 -wsML/UZXlGhXAedt/xOKmT/dSXx/I0vWBVp6Tq4zu87yCvd+I6Tpa5HjttA2I5EV -zdHX+JYBPBBcVCyO9YQOYjJuoVDE4D5etY6dEipKG/KZF/rqAoqZAgMBAAGjZjBk -MB0GA1UdDgQWBBQd5lldG54KOKRipsGF8/PP1vGX6jAfBgNVHSMEGDAWgBRTVTPy -S+vQUbHBeJrBKDF77+rtSTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQE -AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAmgeiitBDi/YEqFh2Cqp0VIEqw8hiuV87 -rADQWMK4hv5WXl3KJTjFAnWsYFUKrm6s1jNH16FyGExUQgwggob0Vt+MHiUs36jU -kyret/uE5qrjz+/J+i2XG6s1oKcDRVD/jU4qBygZWFBMuwl7sz8IEvaYXGM43s96 -Du3UF9E+V3aMppqkGWz6MnrTmANnWAlDAMeifcoexjrpxiKbp8f49HX1UzwFoeEg -RnVwNqgDWT66yGV6mbNl6FpE/U81RpCRY1ZJDeVTxbqIaG/UPV4hpQ+BEVBDF+cb -rGsvsNYYpWx5srIQ7WtGKIlaDFbfWPwnHDHegzr8ypAS3KNWULE+QXCbHWtB+b0Y -WhP/2F6Jjb+ByvJqQoE+nHEYBeUOZUUZC4IuQFNJ5Wy5P0CNXdheiWhdrBmG02Gy -KMi0FJx6BEoWM2xcdl6bn5j9mhF4TX7zgepNWlgTra4Z8Oz8iqbQk33/s2OKM4ic -6ZezUYhNp+MuUt4Se+ufNcGV65jnUKeROtWzNLwP+xwglEFlG8aNiAORthd7QJuT -Ey2cX7H7f38ENQ5YCriUk1nVLO9F66l/rNRzYZgQzRI3IvDW8vyM2TLW2mcZNsaf -qjFMcCDweV2FRb8eTbmWzzB2/xTVpGzVJqzwgE+U7UtJx5CZS3wPkvXuEgvcg1tY -m1r4NGYFvLM= ------END CERTIFICATE----- \ No newline at end of file 
diff --git a/kubernetes/oof/components/oof-has/resources/config/conductor.conf b/kubernetes/oof/components/oof-has/resources/config/conductor.conf deleted file mode 100755 index d650808036..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/conductor.conf +++ /dev/null 
@@ -1,804 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware, Intel Corporation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -[DEFAULT] - -# -# From conductor -# - -# Configuration file for WSGI definition of API. (string value) -api_paste_config = /usr/local/etc/conductor/api_paste.ini - -# Music keyspace for content (string value) -#keyspace = conductor - -# Delay time (Seconds) for MUSIC requests. Set it to 2 seconds by default. -# (integer value) -#delay_time = 2 - -# (boolean value) -#HPA_enabled = true - -# -# From oslo.log -# - -# If set to true, the logging level will be set to DEBUG instead of the default -# INFO level. (boolean value) -# Note: This option can be changed without restarting. -#debug = false -debug = true - -# The name of a logging configuration file. This file is appended to any -# existing logging configuration files. For details about logging configuration -# files, see the Python logging module documentation. Note that when logging -# configuration files are used then all logging configuration is set in the -# configuration file and other logging configuration options are ignored (for -# example, logging_context_format_string). (string value) -# Note: This option can be changed without restarting. -# Deprecated group/name - [DEFAULT]/log_config -#log_config_append = -log_config_append = /usr/local/bin/log.conf - -# Defines the format string for %%(asctime)s in log records. 
Default: -# %(default)s . This option is ignored if log_config_append is set. (string -# value) -#log_date_format = %Y-%m-%d %H:%M:%S - -# (Optional) Name of log file to send logging output to. If no default is set, -# logging will go to stderr as defined by use_stderr. This option is ignored if -# log_config_append is set. (string value) -# Deprecated group/name - [DEFAULT]/logfile -#log_file = - -# (Optional) The base directory used for relative log_file paths. This option -# is ignored if log_config_append is set. (string value) -# Deprecated group/name - [DEFAULT]/logdir -#log_dir = - -# Uses logging handler designed to watch file system. When log file is moved or -# removed this handler will open a new log file with specified path -# instantaneously. It makes sense only if log_file option is specified and -# Linux platform is used. This option is ignored if log_config_append is set. -# (boolean value) -#watch_log_file = false - -# Use syslog for logging. Existing syslog format is DEPRECATED and will be -# changed later to honor RFC5424. This option is ignored if log_config_append -# is set. (boolean value) -#use_syslog = false - -# Enable journald for logging. If running in a systemd environment you may wish -# to enable journal support. Doing so will use the journal native protocol -# which includes structured metadata in addition to log messages.This option is -# ignored if log_config_append is set. (boolean value) -#use_journal = false - -# Syslog facility to receive log lines. This option is ignored if -# log_config_append is set. (string value) -#syslog_log_facility = LOG_USER - -# Use JSON formatting for logging. This option is ignored if log_config_append -# is set. (boolean value) -#use_json = false - -# Log output to standard error. This option is ignored if log_config_append is -# set. (boolean value) -#use_stderr = false - -# Format string to use for log messages with context. 
(string value) -#logging_context_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [%(request_id)s %(user_identity)s] %(instance)s%(message)s - -# Format string to use for log messages when context is undefined. (string -# value) -#logging_default_format_string = %(asctime)s.%(msecs)03d %(process)d %(levelname)s %(name)s [-] %(instance)s%(message)s - -# Additional data to append to log message when logging level for the message -# is DEBUG. (string value) -#logging_debug_format_suffix = %(funcName)s %(pathname)s:%(lineno)d - -# Prefix each line of exception output with this format. (string value) -#logging_exception_prefix = %(asctime)s.%(msecs)03d %(process)d ERROR %(name)s %(instance)s - -# Defines the format string for %(user_identity)s that is used in -# logging_context_format_string. (string value) -#logging_user_identity_format = %(user)s %(tenant)s %(domain)s %(user_domain)s %(project_domain)s - -# List of package logging levels in logger=LEVEL pairs. This option is ignored -# if log_config_append is set. (list value) -#default_log_levels = amqp=WARN,amqplib=WARN,boto=WARN,qpid=WARN,sqlalchemy=WARN,suds=INFO,oslo.messaging=INFO,oslo_messaging=INFO,iso8601=WARN,requests.packages.urllib3.connectionpool=WARN,urllib3.connectionpool=WARN,websocket=WARN,requests.packages.urllib3.util.retry=WARN,urllib3.util.retry=WARN,keystonemiddleware=WARN,routes.middleware=WARN,stevedore=WARN,taskflow=WARN,keystoneauth=WARN,oslo.cache=INFO,dogpile.core.dogpile=INFO - -# Enables or disables publication of error events. (boolean value) -#publish_errors = false - -# The format for an instance that is passed with the log message. (string -# value) -#instance_format = "[instance: %(uuid)s] " - -# The format for an instance UUID that is passed with the log message. (string -# value) -#instance_uuid_format = "[instance: %(uuid)s] " - -# Interval, number of seconds, of log rate limiting. 
(integer value) -#rate_limit_interval = 0 - -# Maximum number of logged messages per rate_limit_interval. (integer value) -#rate_limit_burst = 0 - -# Log level name used by rate limiting: CRITICAL, ERROR, INFO, WARNING, DEBUG -# or empty string. Logs with level greater or equal to rate_limit_except_level -# are not filtered. An empty string means that all levels are filtered. (string -# value) -#rate_limit_except_level = CRITICAL - -# Enables or disables fatal status of deprecations. (boolean value) -#fatal_deprecations = false - -[auth] -appkey = "" - -[aaf_api] - -# -# From conductor -# - -# is_aaf_enabled. (boolean value) -is_aaf_enabled = {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - -# aaf_cache_expiry_hrs. (integer value) -aaf_cache_expiry_hrs = 3 - -# aaf_url. (string value) -aaf_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.aaf.serviceName}}:{{.Values.config.aaf.port}}/authz/perms/user/ - -# aaf_cert_file. (string value) -#aaf_cert_file = - -# aaf_cert_key_file. (string value) -#aaf_cert_key_file = - -# aaf_ca_bundle_file. (string value) -#aaf_ca_bundle_file = -aaf_ca_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} - -# aaf_retries. (integer value) -#aaf_retries = 3 - -# aaf_timeout. (integer value) -#aaf_timeout = 100 - -# aaf_user_roles. (list value) -#aaf_permissions = {"type": "org.onap.oof.access","instance": "*","action": "*"} - - -[aaf_sms] - -# -# From conductor -# - -# is_enabled. (boolean value) -is_enabled = {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - -# Base URL for SMS, up to and not including the version, and without a trailing -# slash. (string value) -aaf_sms_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.sms.serviceName}}.{{ include "common.namespace" . 
}}:{{.Values.config.sms.port}} - - -# Timeout for SMS API Call (integer value) -#aaf_sms_timeout = 30 - -# Path to the cacert that will be used to verify If this is None, verify will -# be False and the server certis not verified by the client. (string value) -#aaf_ca_certs = AAF_RootCA.cer -aaf_ca_certs = /usr/local/bin/AAF_RootCA.cer - -# Domain UUID - A unique UUID generated when the domainfor HAS is created by -# administrator during deployment (string value) -#secret_domain = has - - -[aai] - -# -# From conductor -# - -# Interval with which to refresh the local cache, in minutes. (integer value) -#cache_refresh_interval = 1440 -cache_refresh_interval = 1 - -# Interval with which to refresh the local complex cache, in minutes. (integer -# value) -#complex_cache_refresh_interval = 1440 -complex_cache_refresh_interval = 60 - -# Data Store table prefix. (string value) -#table_prefix = aai - -# Base URL for A&AI, up to and not including the version, and without a -# trailing slash. (string value) -#server_url = https://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.aai.port}}/aai -server_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aai.port .Values.config.aai.plainPort }}/aai - -# Timeout for A&AI Rest Call (string value) -#aai_rest_timeout = 30 - -# Number of retry for A&AI Rest Call (string value) -#aai_retries = 3 - -# The version of A&AI in v# format. (string value) -server_url_version = v21 - -# SSL/TLS certificate file in pem format. This certificate must be registered -# with the A&AI endpoint. (string value) -certificate_file = - -# Private Certificate Key file in pem format. (string value) -certificate_key_file = - -# Certificate Authority Bundle file in pem format. Must contain the appropriate -# trust chain for the Certificate file. 
(string value) -#certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} - -# Username for AAI. (string value) -username = OOF - -# Password for AAI. (string value) -password = OOF - - -[api] - -# -# From conductor -# - -# Toggle Pecan Debug Middleware. (boolean value) -#pecan_debug = false - -# Default maximum number of items returned by API request. (integer value) -# Minimum value: 1 -#default_api_return_limit = 100 - -[conductor_api] - -# -# From conductor -# - -# Base URL for plans. (string value) -#server_url = - -# username for plans. (string value) -#username = -username = admin1 - -# password for plans. (string value) -#password = -password = plan.15 - -# auth toggling. (boolean value) -basic_auth_secure = true - - -[controller] - -# -# From conductor -# - -# Timeout for planning requests. Default value is 10. (integer value) -# Minimum value: 1 -#timeout = 10 -timeout = 200 - -# Maximum number of result sets to return. Default value is 1. (integer value) -# Minimum value: 1 -#limit = 1 - -# Number of workers for controller service. Default value is 1. (integer value) -# Minimum value: 1 -#workers = 1 - -# Set to True when controller will run in active-active mode. When set to -# False, controller will flush any abandoned messages at startup. The -# controller always restarts abandoned template translations at startup. -# (boolean value) -#concurrent = false -concurrent = true - -# Time between checking for new plans. Default value is 1. (integer value) -# Minimum value: 1 -#polling_interval = 1 - -# (integer value) -# Minimum value: 1 -#max_translation_counter = 1 - -# (string value) -opt_schema_file = /opt/has/conductor/etc/conductor/opt_schema.json - -[data] - -# -# From conductor -# - -# Number of workers for data service. Default value is 1. 
(integer value) -# Minimum value: 1 -#workers = 1 - -# Set to True when data will run in active-active mode. When set to False, data -# will flush any abandoned messages at startup. (boolean value) -#concurrent = false -concurrent = true - -# Default value is -8000, which is the diameter of the earth. The distance -# cannot larger than this value (floating point value) -#existing_placement_cost = -8000.0 - -# (floating point value) -#cloud_candidate_cost = 2.0 - -# (floating point value) -#service_candidate_cost = 1.0 - - -[inventory_provider] - -# -# From conductor -# - -# Extensions list to use (list value) -extensions = aai,generator - - -[messaging_server] - -# -# From conductor -# - -# Music keyspace for messages (string value) -#keyspace = conductor_rpc - -# Wait interval while checking for a message response. Default value is 1 -# second. (integer value) -# Minimum value: 1 -#check_interval = 1 - -# Overall message response timeout. Default value is 120 seconds. (integer -# value) -# Minimum value: 1 -#response_timeout = 120 - -# Timeout for detecting a VM is down, and other VMs can pick the plan up. -# Default value is 5 minutes. (integer value) (integer value) -# Minimum value: 1 -timeout = 300 - -# Number of workers for messaging service. Default value is 1. (integer value) -# Minimum value: 1 -#workers = 1 - -# Time between checking for new messages. Default value is 1. (integer value) -# Minimum value: 1 -#polling_interval = 1 - -# Log debug messages. Default value is False. (boolean value) -#debug = false - - -[multicloud] - -# -# From conductor -# - -# Base URL for Multicloud without a trailing slash. (string value) -#server_url = http://msb.onap.org/api/multicloud -server_url = http://{{.Values.config.msb.serviceName}}.{{ include "common.namespace" . 
}}:{{.Values.config.msb.port}}/api/multicloud - -# Timeout for Multicloud Rest Call (string value) -#multicloud_rest_timeout = 30 - -# Number of retry for Multicloud Rest Call (string value) -#multicloud_retries = 3 - -# The version of Multicloud API. (string value) -#server_url_version = v0 - - -[db_options] - -# db_backend to use -db_backend = {{.Values.config.dbBackend}} - -# Use music mock api -music_mock = False - - -[etcd_api] - -# host/ip address of etcd server -host = {{.Values.config.etcd.serviceName}}.{{ include "common.namespace" . }} - -# port of etcd server -port = {{.Values.config.etcd.port}} - -# username for etcd authentication -username = - -# password for etcd authentication -password = - - -[music_api] - -# -# From conductor -# - -# Base URL for Music REST API without a trailing slash. (string value) -#server_url = http://oof-has-music:8080/MUSIC/rest/v2 -server_url = https://{{.Values.config.music.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.music.port}}/MUSIC/rest/v2 -version = v2 - -# DEPRECATED: List of hostnames (round-robin access) (list value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use server_url instead -#hostnames = - -# DEPRECATED: Port (integer value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. -# Reason: Use server_url instead -#port = - -# DEPRECATED: Path (string value) -# This option is deprecated for removal. -# Its value may be silently ignored in the future. 
-# Reason: Use server_url instead -#path = - -# Socket connection timeout (floating point value) -#connect_timeout = 3.05 - -# Socket read timeout (floating point value) -#read_timeout = 12.05 - -# Lock timeout (integer value) -#lock_timeout = 10 - -# Replication factor (integer value) -#replication_factor = 1 -replication_factor = 1 - -# Use mock API (boolean value) -#mock = false - -# (string value) -#music_topology = SimpleStrategy - -# Name of the first data center (string value) -#first_datacenter_name = - -# Number of replicas in first data center (integer value) -#first_datacenter_replicas = - -# Name of the second data center (string value) -#second_datacenter_name = - -# Number of replicas in second data center (integer value) -#second_datacenter_replicas = - -# Name of the third data center (string value) -#third_datacenter_name = - -# Number of replicas in third data center (integer value) -#third_datacenter_replicas = - -# new or old version (boolean value) -#music_new_version = -music_new_version = True - -# for version (string value) -#music_version = -music_version = "3.2.40" - -# username value that used for creating basic authorization header (string -# value) -#aafuser = -aafuser = conductor - -# password value that used for creating basic authorization header (string -# value) -#aafpass = -aafpass = c0nduct0r - -# AAF namespace field used in MUSIC request header (string value) -#aafns = -aafns = conductor - -# Enabling HTTPs mode (boolean value) -enable_https_mode = True - -# Certificate Authority Bundle file in pem format. Must contain the appropriate -# trust chain for the Certificate file. (string value) -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer - - -[prometheus] - -# -# From conductor -# - -# Prometheus Metrics Endpoint (list value) -#metrics_port = 8000,8001,8002,8003,8004 - - -[reservation] - -# -# From conductor -# - -# Number of workers for reservation service. Default value is 1. 
(integer -# value) -# Minimum value: 1 -#workers = 1 - -# Number of times reservation/release should be attempted. (integer value) -#reserve_retries = 1 - -# Timeout for detecting a VM is down, and other VMs can pick the plan up and -# resereve. Default value is 600 seconds. (integer value) (integer value) -# Minimum value: 1 -#timeout = 600 - -# Set to True when reservation will run in active-active mode. When set to -# False, reservation will restart any orphaned reserving requests at startup. -# (boolean value) -#concurrent = false -concurrent = true - -# (integer value) -# Minimum value: 1 -#max_reservation_counter = 1 - - -[sdnc] - -# -# From conductor -# - -# Interval with which to refresh the local cache, in minutes. (integer value) -#cache_refresh_interval = 1440 - -# Data Store table prefix. (string value) -#table_prefix = sdnc - -# Base URL for SDN-C, up to and including the version. (string value) -server_url = https://controller:8443/restconf/ - -# Basic Authentication Username (string value) -#username = -username = admin - -# Basic Authentication Password (string value) -#password = -password = Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - -# Timeout for SDNC Rest Call (string value) -#sdnc_rest_timeout = 30 - -# Retry Numbers for SDNC Rest Call (string value) -#sdnc_retries = 3 - -[service_controller] - -# -# From conductor -# - -# Extensions list to use (list value) -#extensions = sdnc - - -[solver] - -# -# From conductor -# - -# Number of workers for solver service. Default value is 1. (integer value) -# Minimum value: 1 -#workers = 1 - -# The timeout value for solver service. Default value is 480 seconds. (integer -# value) -# Minimum value: 1 -#solver_timeout = 480 - -# Set to True when solver will run in active-active mode. When set to False, -# solver will restart any orphaned solving requests at startup. (boolean value) -#concurrent = false -concurrent = true - -# Timeout for detecting a VM is down, and other VMs can pick the plan up. 
This -# value should be larger than solver_timeoutDefault value is 10 minutes. -# (integer value) (integer value) -# Minimum value: 1 -#timeout = 600 - -# (integer value) -# Minimum value: 1 -#max_solver_counter = 1 - - -[vim_controller] - -# -# From conductor -# - -# Extensions list to use (list value) -#extensions = multicloud - - -[sdc] - -# -# From conductor -# - -# Data Store table prefix. (string value) -#table_prefix = sdc - -# Base URL for SDC, up to and not including the version, and without a -# trailing slash. (string value) -#server_url = https://controller:8443/sdc -#server_url = https://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sdc.port}}/sdc -server_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdc.port .Values.config.sdc.plainPort }}/sdc - -# Timeout for SDC Rest Call (string value) -#sdc_rest_timeout = 30 - -# Number of retry for SDC Rest Call (string value) -#sdc_retries = 3 - -# The version of A&AI in v# format. (string value) -server_url_version = v1 - -# SSL/TLS certificate file in pem format. This certificate must be registered -# with the SDC endpoint. (string value) -#certificate_file = certificate.pem -certificate_file = - -# Private Certificate Key file in pem format. (string value) -#certificate_key_file = certificate_key.pem -certificate_key_file = - -# Certificate Authority Bundle file in pem format. Must contain the appropriate -# trust chain for the Certificate file. (string value) -#certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} - -# Username for SDC. (string value) -#username = - -# Password for SDC. 
(string value) -#password = - -temp_path = "/tmp/nsttemplates" - - -[cps] - -# -# From conductor -# - -# Data Store table prefix. (string value) -#table_prefix = cps - -# Base URL for CPS, up to and not including the version, and without a -# trailing slash. (string value) -#yet to be finalized -#server_url = https://cps.api.simpledemo.onap.org:8443/cps -server_url=http://{{.Values.config.cps.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.cps.port}}/ - -# Timeout for CPS Rest Call (string value) -#cps_rest_timeout = 30 - -# Number of retry for CPS Rest Call (string value) -#cps_retries = 3 - - -# SSL/TLS certificate file in pem format. This certificate must be registered -# with the CPS endpoint. (string value) -#certificate_file = certificate.pem -certificate_file = - -# Private Certificate Key file in pem format. (string value) -#certificate_key_file = certificate_key.pem -certificate_key_file = - -# Certificate Authority Bundle file in pem format. Must contain the appropriate -# trust chain for the Certificate file. (string value) -#certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} - -# Username for CPS. (string value) -#username = - -# Password for CPS. (string value) -#password = - -get_ta_list_url = "/api/v1/execute/ran-coverage-area/get_ta_list" - -[dcae] - -# -# From conductor -# -# -# Data Store table prefix. (string value) -#table_prefix = dcae - -# Base URL for DCAE, up to and not including the version, and without a -# trailing slash. (string value) -server_url = http://{{.Values.config.dcae.service}}.{{ include "common.namespace" . }}:{{.Values.config.dcae.port}} - -# Timeout for DCAE Rest Call (string value) -#dcae_rest_timeout = 30 - -# Number of retry for DCAE Rest Call (string value) -#dcae_retries = 3 - -# The version of A&AI in v# format. 
(string value) -server_url_version = v1 - -# SSL/TLS certificate file in pem format. This certificate must be registered -# with the SDC endpoint. (string value) -#certificate_file = certificate.pem -certificate_file = - -# Private Certificate Key file in pem format. (string value) -#certificate_key_file = certificate_key.pem -certificate_key_file = - -# Certificate Authority Bundle file in pem format. Must contain the appropriate -# trust chain for the Certificate file. (string value) -#certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} - -# Username for DCAE. (string value) -#username = - -# Password for DCAE. (string value) -#password = - -get_slice_config_url = "/api/v1/slices-config" diff --git a/kubernetes/oof/components/oof-has/resources/config/nginx.conf b/kubernetes/oof/components/oof-has/resources/config/nginx.conf deleted file mode 100644 index 9272e8581c..0000000000 --- a/kubernetes/oof/components/oof-has/resources/config/nginx.conf +++ /dev/null @@ -1,36 +0,0 @@ -events { - worker_connections 768; - # multi_accept on; -} - -http { - # ... - upstream conductor_uwsgi { - server 127.0.0.1:8080; - } - - server { - -{{ if (include "common.needTLS" .) }} - listen 8091 ssl; - server_name oof; - ssl_certificate /opt/bitnami/nginx/org.onap.oof.crt; - ssl_certificate_key /opt/bitnami/nginx/ssl/local/org.onap.oof.key; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; -{{ else }} - listen 8091; - server_name oof; -{{ end }} - - location / { - include /opt/bitnami/nginx/conf/uwsgi_params; - uwsgi_pass conductor_uwsgi; - - uwsgi_param Host $host; - uwsgi_param X-Real-IP $remote_addr; - uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for; - uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto; - } - } -} 
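Review bot: The TLS branch of the removed nginx.conf server block accepted legacy protocol versions (ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3), and the deletion leaves the 8091 listener and its uwsgi_pass to conductor_uwsgi with no stated replacement. Please record in the change description whether that listener is retired outright or served from somewhere else. If any override or downstream copy of this file survives, restrict ssl_protocols to TLSv1.2 and TLSv1.3 there.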
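Review bot: Deleting the conductor configuration above does not retire the credentials it carried in clear text. The aafuser/aafpass pair and the [sdnc] username/password pair are literal values in the removed lines, and they stay readable in the repository history. Treat both as disclosed and rotate them wherever they are still accepted. Any successor configuration should use generated or externally referenced secrets, as the removed oof-has values.yaml already did for the etcd passwords.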
diff --git a/kubernetes/oof/components/oof-has/values.yaml b/kubernetes/oof/components/oof-has/values.yaml deleted file mode 100755 index 0c5397c5a8..0000000000 --- a/kubernetes/oof/components/oof-has/values.yaml +++ /dev/null 
@@ -1,165 +0,0 @@ -# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware -# Modifications Copyright © 2018 Intel Corporation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - commonConfigPrefix: onap-oof-has - image: - optf_has: onap/optf-has:2.3.1 - persistence: - enabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: oof-onap-certs - name: &oof-certs '{{ include "common.release" . }}-oof-onap-certs' - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: '{{ .Values.secretsFilePaths }}' - - uid: oof-has-etcd-root-password - name: &root-password '{{ include "common.release" . }}-has-etcd-root-password' - type: password - password: '{{ .Values.config.etcd.rootPassword }}' - policy: generate - - uid: oof-has-etcd-secret - name: &user-creds '{{ include "common.release" . }}-oof-has-etcd-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.etcd.userCredentialsExternalSecret) . 
}}' - login: '{{ .Values.config.etcd.appUser }}' - password: '{{ .Values.config.etcd.appPassword }}' - passwordPolicy: generate - -pullPolicy: Always -nodePortPrefix: 302 -dataRootDir: /dockerdata-nfs -config: - dbBackend: etcd - aaf: - serviceName: aaf-service - port: 8100 - aai: - serviceName: aai - port: 8443 - plainPort: 80 - msb: - serviceName: msb-iag - port: 80 - music: - serviceName: music - port: 8443 - sms: - serviceName: aaf-sms - port: 10443 - sdc: - serviceName: sdc-be - port: 8443 - plainPort: 8080 - cps: - service: cps-tbdmt - port: 8080 - dcae: - service: dcae-slice-analysis-ms - port: 8080 - etcd: - serviceName: &etcd-service oof-has-etcd - port: 2379 - appUser: conductor -# rootPassword: -# appPassword: -# userCredentialsExternalSecret: -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - memory: 2Gi - cpu: 1000m - requests: - memory: 1Gi - cpu: 500m - large: - limits: - memory: 4Gi - cpu: 2000m - requests: - memory: 2Gi - cpu: 1000m - unlimited: {} - -#component overrides -oof-has-api: &has-config - enabled: true - certSecret: *oof-certs - config: - etcd: - userCredentialsExternalSecret: *user-creds - configJobNameOverride: &job-name oof-has-etcd-config -oof-has-controller: *has-config -oof-has-data: *has-config -oof-has-reservation: *has-config -oof-has-solver: *has-config -music: - enabled: false - -#etcd subchart configurations -etcd: - enabled: true - replicaCount: 3 - nameOverride: &etcd-container oof-has-etcd - service: - name: *etcd-service - persistence: - mountSubPath: oof/etcd/data - enabled: true - flavor: &etcd-flavor large - resources: &etcd-resources - small: - limits: - cpu: 100m - memory: 300Mi - requests: - cpu: 10m - memory: 75Mi - large: - limits: - cpu: 200m - memory: 1Gi - requests: - cpu: 50m - memory: 300Mi - unlimited: {} - -etcd-init: - enabled: true - nameOverride: *job-name - etcd: - serviceName: *etcd-service - port : 
2379 - containerName: *etcd-container - config: - userRootSecret: *root-password - userCredentialsExternalSecret: *user-creds - appRole: conductor - keyPrefix: conductor - flavor: *etcd-flavor - resources: *etcd-resources - -# Python doesn't support well dollar sign in password -passwordStrengthOverride: basic diff --git a/kubernetes/oof/components/oof-templates/Chart.yaml b/kubernetes/oof/components/oof-templates/Chart.yaml deleted file mode 100755 index 92fea369db..0000000000 --- a/kubernetes/oof/components/oof-templates/Chart.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP OOF helm templates -name: oof-templates -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - diff --git a/kubernetes/oof/components/oof-templates/templates/_certificate.tpl b/kubernetes/oof/components/oof-templates/templates/_certificate.tpl deleted file mode 100644 index 4da128bcbb..0000000000 --- a/kubernetes/oof/components/oof-templates/templates/_certificate.tpl +++ /dev/null 
@@ -1,11 +0,0 @@ -{{- define "oof.certificate.volume" -}} -- name: {{ include "common.fullname" . }}-onap-certs - secret: - secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "oof-onap-certs") }} - items: - - key: aaf_root_ca.cer - path: aaf_root_ca.cer - - key: intermediate_root_ca.pem - path: intermediate_root_ca.pem -{{- end -}} - diff --git a/kubernetes/oof/resources/config/certs/aaf_root_ca.cer b/kubernetes/oof/resources/config/certs/aaf_root_ca.cer deleted file mode 100755 index e9a50d7ea0..0000000000 --- a/kubernetes/oof/resources/config/certs/aaf_root_ca.cer +++ /dev/null 
@@ -1,31 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV -BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx -NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK -DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC -ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 -XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn -H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM -pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 -NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg -2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY -wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd -ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM -P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 -aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY -PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G -A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ -UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN -BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz -L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 -7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx -c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf -jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 -RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h -PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF -CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ -Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A -cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR -ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX -dYY= ------END CERTIFICATE----- 
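Review bot: Check for leftover references to aaf_root_ca.cer before this deletion lands, because other removed lines in this patch consume it by name. The oof.certificate.volume helper maps the secret key aaf_root_ca.cer, the oof deployment mounts it at /opt/app/ssl_cert/aaf_root_ca.cer, and the oof values.yaml lists resources/config/certs/aaf_root_ca.cer under the oof-onap-certs secret. Search the remaining charts for those names and for include calls to oof.certificate.volume, so no surviving template renders a volume item for a key that no longer exists.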
diff --git a/kubernetes/oof/resources/config/certs/intermediate_root_ca.pem b/kubernetes/oof/resources/config/certs/intermediate_root_ca.pem deleted file mode 100644 index b67866d160..0000000000 --- a/kubernetes/oof/resources/config/certs/intermediate_root_ca.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB -RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN -MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG -A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL -neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d -o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3 -nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV -v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO -15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw -gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV -M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/ -BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B -AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q -ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl -u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+ -+pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/ -QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht -8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX -kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3 -aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky -uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w -tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep -BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k= ------END CERTIFICATE----- - 
diff --git a/kubernetes/oof/resources/config/conf/common_config.yaml b/kubernetes/oof/resources/config/conf/common_config.yaml deleted file mode 100644 index d34967617b..0000000000 --- a/kubernetes/oof/resources/config/conf/common_config.yaml +++ /dev/null 
@@ -1,166 +0,0 @@ -osdf_system: - libpath: /opt/app/osdf/libs - osdf_ports: - internal: 8699 # inside the Docker container, the app listens to this port - external: 8698 # clients use this port on DockerHost - osdf_ip_default: 0.0.0.0 -# # Important Note: At deployment time, we need to ensure the port mapping is done - ssl_context: {{ if (include "common.needTLS" .) }}['/opt/osdf/org.onap.oof.crt', '/opt/osdf/osaaf/local/org.onap.oof.key']{{ end }} - -osdf_temp: # special configuration required for "workarounds" or testing - local_policies: - global_disabled: True - local_placement_policies_enabled: True - local_slice_selection_policies_enabled: True - local_nst_selection_policies_enabled: True - placement_policy_dir_vcpe: "./test/policy-local-files/" - placement_policy_files_vcpe: # workaroud for policy platform glitches (or "work-arounds" for other components) - - Affinity_vCPE_1.json - - Attribute_vNS_1.json - #- Capacity_vGMuxInfra.json - #- Capacity_vG_1.json - - Distance_vG_1.json - - Distance_vGMuxInfra_1.json - - hpa_policy_vG_1.json - - hpa_policy_vGMuxInfra_1.json - - Placement_Optimization_1.json - - QueryPolicy_vCPE.json - - vnfPolicy_vG.json - - vnfPolicy_vGMuxInfra.json - placement_policy_dir_vfw: "./test/policy-local-files/" - placement_policy_files_vfw: # workaroud for policy platform glitches (or "work-arounds" for other components) - #- Capacity_vFW_1.json - - Distance_vFW_1.json - - hpa_policy_vFW_1.json - - Placement_Optimization_1.json - - QueryPolicy_vFW.json - - vnfPolicy_vFW.json - placement_policy_dir_vfw_td: "./test/policy-local-files/" - placement_policy_files_vfw_td: - - vnfPolicy_vFW_TD.json - - vnfPolicy_vPGN_TD.json - - affinity_vFW_TD.json - - QueryPolicy_vFW_TD.json - slice_selection_policy_dir_embb-nst: "./test/policy-local-files/slice-selection-files/" - slice_selection_policy_files_embb-nst: - - query_policy_nsi.json - - threshold_policy_nsi.json - - vnf_policy_nsi_shared_case.json - nst_selection_policy_dir_nst: 
"./test/policy-local-files/nst-selection-files/" - nst_selection_policy_files_nst: - - query_policy_nst.json - - attribute_policy_nst.json - - vnf_policy_nst.json - - optimization_policy_nst.json - -service_info: - vCPE: - vcpeHostName: requestParameters.vcpeHostName - e2eVpnKey: requestParameters.e2eVpnKey - vFW: - vcpeHostName: requestParameters.vcpeHostName - e2eVpnKey: requestParameters.e2eVpnKey - -references: - service_name: - source: request - value: serviceInfo.serviceName - resource: - source: request - value: placementInfo.placementDemands.resourceModuleName - subscriber_role: - source: onap.policies.optimization.SubscriberPolicy - value: properties.properties.subscriberRole - resource_sharing_level: - source: request - value: serviceProfile.resourceSharingLevel - slice_scope: - source: request - value: slice_scope - reuse_preference: - source: request - value: preferReuse - -policy_info: - prioritization_attributes: - policy_type: - - type - resources: - - properties.resources - - properties.objectiveParameter.parameterAttributes.resources - service_name: - - properties.services - - slice_selection: - policy_fetch: by_scope - policy_scope: - - - scope: - - get_param: slice_scope - services: - - get_param: service_name - resources: - - get_param: service_name - - nst_selection: - policy_fetch: by_scope - policy_scope: - - - scope: - - OSDF_GUILIN - services: - - nst - resources: - - nst - - subnet_selection: - policy_fetch: by_scope - policy_scope: - - scope: - - OSDF_GUILIN - services: - - get_param: service_name - resources: - - get_param: service_name - - placement: - policy_fetch: by_scope - policy_scope: - - - scope: - - OSDF_FRANKFURT - geography: - - US - services: - - get_param: service_name - resources: - - get_param: resource - # - - # - get_param: service_name - # - get_param: subscriber_role - default: # if no explicit service related information is needed - policy_fetch: by_name - policy_scope: none - -PCI: - ML: - average_ho_threshold: 10000 
- latest_ho_threshold: 500 - DES: - service_id: ho_metric - filter: - interval: 10 - ml_enabled: false - -nxi_termination: - query_templates: - nsi: "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}') > service-instance*('service-role','e2eserviceprofile-service')" - nsi_with_profile: "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}') > service-instance*('service-role','e2eserviceprofile-service')('service-instance-id','{{ printf "{{profile_id}}" }}')" - nssi: - - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'CN') > service-instance*('service-role','nsi')" - - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'TN_BH') > service-instance*('service-role','nsi')" - - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'AN') > service-instance*('service-role','nsi')" - - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'AN_NF') > service-instance*('workload-context','AN')" - - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'TN_MH') > service-instance*('workload-context','AN')" - - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'TN_FH') > service-instance*('workload-context','AN')" - - "service-instance*('service-instance-id','{{ printf "{{instance_id}}" }}')('workload-context', 'AN_NF') > service-instance*('workload-context','AN')" diff --git a/kubernetes/oof/resources/config/conf/osdf_config.yaml b/kubernetes/oof/resources/config/conf/osdf_config.yaml deleted file mode 100755 index ff62bb6b0a..0000000000 --- a/kubernetes/oof/resources/config/conf/osdf_config.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -placementVersioningEnabled: {{ .Values.config.placementVersioningEnabled }} - -# Placement API latest version numbers to be set in HTTP header -placementMajorVersion: {{ .Values.config.placementMajorVersion }} -placementMinorVersion: {{ .Values.config.placementMinorVersion }} -placementPatchVersion: {{ .Values.config.placementPatchVersion }} - -# Placement API default version numbers to be set in HTTP header -placementDefaultMajorVersion: {{ .Values.config.placementDefaultMajorVersion }} -placementDefaultMinorVersion: {{ .Values.config.placementDefaultMinorVersion }} -placementDefaultPatchVersion: {{ .Values.config.placementDefaultPatchVersion }} - -# Credentials for Conductor -conductorUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.conductorUrl.https .Values.config.conductorUrl.http }} -conductorPingWaitTime: {{ .Values.config.conductorPingWaitTime }} -conductorMaxRetries: {{ .Values.config.conductorMaxRetries }} -# versions to be set in HTTP header -conductorMinorVersion: {{ .Values.config.conductorMinorVersion }} - -# Policy Platform -- requires ClientAuth, Authorization, and Environment -policyPlatformUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.policyPlatformUrl.https .Values.config.policyPlatformUrl.http }} -policyPlatformEnv: {{ .Values.config.policyPlatformEnv }} - -# Credentials for DMaaP -messageReaderHosts: {{ .Values.config.messageReaderHosts }} -messageReaderTopic: {{ .Values.config.messageReaderTopic }} - -# Credentials for SDC -sdcUrl: {{ .Values.config.sdcUrl }} -sdcONAPInstanceID: {{ .Values.config.sdcONAPInstanceID }} - -is_aaf_enabled: {{ .Values.config.is_aaf_enabled }} -aaf_cache_expiry_mins: {{ .Values.config.aaf_cache_expiry_mins }} -aaf_url: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aaf_url.https .Values.config.aaf_url.http }} -aaf_user_roles: - {{- range .Values.config.aaf_user_roles }} - - {{ . 
}} - {{- end }} - -# Secret Management Service from AAF -aaf_sms_url: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aaf_sms_url.https .Values.config.aaf_sms_url.http }}.{{ include "common.namespace" . }}:{{ .Values.config.aaf_sms_port }} -aaf_sms_timeout: {{ .Values.config.aaf_sms_timeout }} -secret_domain: {{ .Values.config.secret_domain }} -aaf_ca_certs: {{ .Values.config.aaf_ca_certs }} - -configClientType: {{ .Values.config.configClientType }} - -# config db api -configDbUrl: {{ .Values.config.configDbUrl }} -configDbGetCellListUrl: {{ .Values.config.configDbGetCellListUrl }} -configDbGetNbrListUrl: {{ .Values.config.configDbGetNbrListUrl }} - -# cps api -cpsUrl: {{ .Values.config.cps.Url }} -cpsCellListUrl: {{ .Values.config.cps.cellListUrl }} -cpsNbrListUrl: {{ .Values.config.cps.nbrListUrl }} - -# AAI api -aaiUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aaiUrl.https .Values.config.aaiUrl.http }} -aaiGetLinksUrl: {{ .Values.config.aaiGetLinksUrl }} -aaiServiceInstanceUrl : {{ .Values.config.aaiServiceInstanceUrl }} -aaiGetControllersUrl: {{ .Values.config.aaiGetControllersUrl }} -controllerQueryUrl: {{ .Values.config.controllerQueryUrl }} -aaiGetInterDomainLinksUrl: {{ .Values.config.aaiGetInterDomainLinksUrl }} -dslQueryPath: /aai/v23/dsl?format= - -#DES api -desUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.desUrl.https .Values.config.desUrl.http }} -desApiPath: {{ .Values.config.desApiPath }} -desHeaders: - Accept: application/json - Content-Type: application/json -desUsername: {{ .Values.config.desUsername }} -desPassword: {{ .Values.config.desPassword }} - -#key -appkey: '' - -activateConsulConfig: False diff --git a/kubernetes/oof/templates/deployment.yaml b/kubernetes/oof/templates/deployment.yaml deleted file mode 100644 index 31884c06bb..0000000000 --- a/kubernetes/oof/templates/deployment.yaml +++ /dev/null 
@@ -1,162 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# Modifications Copyright (C) 2020 Wipro Limited. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - policy-xacml-pdp - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - {{- if (include "common.needTLS" .) }} - - command: - - sh - - -c - - resp="FAILURE"; - until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} http{{ if (include "common.needTLS" .) }}s{{ end }}://aaf-sms.{{ include "common.namespace" . 
}}:10443/v1/sms/domain/osdf/secret); - echo $resp; - sleep 2; - done - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.curl" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-osdf-sms-readiness - {{- end }} -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /bin/sh - args: - - "-c" - - | - {{- if (include "common.needTLS" .) }} - grep -v '^$' /opt/osdf/osaaf/local/org.onap.oof.crt > /tmp/oof.crt - cat /tmp/oof.crt /opt/app/ssl_cert/intermediate_root_ca.pem /opt/app/ssl_cert/aaf_root_ca.cer >> /opt/osdf/org.onap.oof.crt - {{ end }} - python osdfapp.py - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/osdf/config/osdf_config.yaml - name: {{ include "common.fullname" . }}-config - subPath: osdf_config.yaml - {{- if (include "common.needTLS" .) }} - - mountPath: /opt/app/ssl_cert/aaf_root_ca.cer - name: {{ include "common.fullname" . 
}}-onap-certs - subPath: aaf_root_ca.cer - - mountPath: /opt/app/ssl_cert/intermediate_root_ca.pem - name: {{ include "common.fullname" . }}-onap-certs - subPath: intermediate_root_ca.pem - {{- end }} - - mountPath: /opt/osdf/config/common_config.yaml - name: {{ include "common.fullname" . }}-config - subPath: common_config.yaml - - mountPath: /opt/osdf/config/log.yml - name: {{ include "common.fullname" . }}-config - subPath: log.yml - - mountPath: /opt/osdf/config/slicing_config.yaml - name: {{ include "common.fullname" . }}-config - subPath: slicing_config.yaml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-configmap - items: - - key: osdf_config.yaml - path: osdf_config.yaml - - key: common_config.yaml - path: common_config.yaml - - key: log.yml - path: log.yml - - key: slicing_config.yaml - path: slicing_config.yaml -{{ include "oof.certificate.volume" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/templates/ingress.yaml b/kubernetes/oof/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/oof/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/oof/templates/service.yaml b/kubernetes/oof/templates/service.yaml deleted file mode 100644 index b2da17a23f..0000000000 --- a/kubernetes/oof/templates/service.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T,VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/oof/values.yaml b/kubernetes/oof/values.yaml deleted file mode 100644 index f6867bd8bf..0000000000 --- a/kubernetes/oof/values.yaml +++ /dev/null 
@@ -1,197 +0,0 @@ -# Copyright © 2017 Amdocs, AT&T, Bell Canada, VMware -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - persistence: {} - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: oof-onap-certs - name: &oof-certs '{{ include "common.release" . }}-oof-onap-certs' - externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' - type: generic - filePaths: - - resources/config/certs/intermediate_root_ca.pem - - resources/config/certs/aaf_root_ca.cer - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -image: onap/optf-osdf:3.0.7 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - msbgateway: msb-iag - msbPort: 80 - placementVersioningEnabled: True - # Placement API latest version numbers to be set in HTTP header - placementMajorVersion: "1" - placementMinorVersion: "0" - placementPatchVersion: "0" - # Placement API default version numbers to be set in HTTP header - placementDefaultMajorVersion: "1" - placementDefaultMinorVersion: "0" - placementDefaultPatchVersion: "0" - - # Url and credentials for Conductor. - conductorUrl: - https: https://oof-has-api:8091/v1/plans/ - http: http://oof-has-api:8091/v1/plans/ - conductorPingWaitTime: 10 - conductorMaxRetries: 30 - # versions to be set in HTTP header - conductorMinorVersion: 0 - # Url and credentials for the Policy Platform - policyPlatformUrl: - https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision # Policy Dev platform URL - http: http://policy-xacml-pdp:8080/policy/pdpx/v1/decision - policyPlatformEnv: TEST # Environment for policy platform - # Credentials for the message reader - A placeholder. - messageReaderHosts: NA - messageReaderTopic: NA - # Credentials for the SDC interface - A placeholder. 
- sdcUrl: NA - sdcONAPInstanceID: NA - #AAF Authentication - is_aaf_enabled: False - aaf_cache_expiry_mins: 5 - aaf_url: - https: https://aaf-service:8100 - http: http://aaf-service:8080 - aaf_user_roles: - - '/placement:org.onap.oof.access|*|read ALL' - - '/pci:org.onap.oof.access|*|read ALL' - # Secret Management Service from AAF - aaf_sms_url: - https: https://aaf-sms - http: http://aaf-sms - aaf_sms_port: 10443 - aaf_sms_timeout: 30 - secret_domain: osdf - aaf_ca_certs: /opt/app/ssl_cert/aaf_root_ca.cer - configClientType: cps - # config db api - configDbUrl: http://configdb:8080 - configDbGetCellListUrl: 'api/sdnc-config-db/v3/getCellList' - configDbGetNbrListUrl: 'api/sdnc-config-db/v3/getNbrList' - # cps api - cps: - url: cps-tbdmt:8080/execute - cellListUrl: 'ran-network/getCellList' - nbrListUrl: 'ran-network/getNbrList' - - #aai api - aaiUrl: - https: https://aai:8443 - http: http://aai:8080 - aaiGetLinksUrl: /aai/v16/network/logical-links - aaiServiceInstanceUrl : /aai/v20/nodes/service-instances/service-instance/ - aaiGetControllersUrl: /aai/v19/external-system/esr-thirdparty-sdnc-list - controllerQueryUrl: /aai/v19/query?format=resource - aaiGetInterDomainLinksUrl: /aai/v19/network/logical-links?link-type=inter-domain&operational-status=up - #des api - desUrl: - https: https://des.url:9000 - http: http://des.url:8080 - desApiPath: /datalake/v1/exposure/ - desUsername: '' - desPassword: '' -# default number of instances -replicaCount: 1 -nodeSelector: {} -affinity: {} -# Resource Limit flavor -By Default using small -flavor: small - -#sub-charts configuration -certInitializer: - nameOverride: oof-osdf-cert-initializer - fqdn: "oof.onap" - app_ns: "org.osaaf.aaf" - fqi: "oof@oof.onap.org" - fqi_namespace: org.onap.oof - public_fqdn: "oof.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! 
- cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - appMountPath: /opt/osdf/osaaf - aaf_add_config: > - chmod 444 {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key; - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - memory: 2Gi - cpu: 1000m - requests: - memory: 1Gi - cpu: 500m - large: - limits: - memory: 4Gi - cpu: 2000m - requests: - memory: 2Gi - cpu: 1000m - unlimited: {} -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 -service: - type: NodePort - name: oof-osdf - externalPort: 8698 - internalPort: 8699 - nodePort: 48 -ingress: - enabled: false - service: - - baseaddr: "oof-osdf-api" - name: "oof-osdf" - port: 8698 - config: - ssl: "redirect" - -#component overrides - -oof-has: - enabled: true - certSecret: *oof-certs - -#Pods Service Account -serviceAccount: - nameOverride: oof - roles: - - read diff --git a/kubernetes/platform/Chart.yaml b/kubernetes/platform/Chart.yaml index 8ba1101d99..c3f776803e 100644 --- a/kubernetes/platform/Chart.yaml +++ b/kubernetes/platform/Chart.yaml @@ -3,6 +3,7 @@ # Modifications Copyright © 2020 Nokia # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,15 +20,18 @@ apiVersion: v2 description: ONAP platform components name: platform -version: 12.0.0 +version: 13.0.1 dependencies: - name: oom-cert-service - version: ~12.x-0 - repository: 'file://components/oom-cert-service' + version: ~13.x-0 + repository: '@local' + condition: oom-cert-service.enabled - name: cmpv2-cert-provider - version: ~12.x-0 - repository: 'file://components/cmpv2-cert-provider' + version: ~13.x-0 + repository: '@local' + condition: cmpv2-cert-provider.enabled - name: chartmuseum - version: ~12.x-0 - repository: 'file://components/chartmuseum' + version: ~13.x-0 + repository: '@local' + condition: chartmuseum.enabled diff --git a/kubernetes/platform/components/chartmuseum/Chart.yaml b/kubernetes/platform/components/chartmuseum/Chart.yaml index ccf50f78fc..14a2d0b9e1 100644 --- a/kubernetes/platform/components/chartmuseum/Chart.yaml +++ b/kubernetes/platform/components/chartmuseum/Chart.yaml @@ -20,18 +20,15 @@ apiVersion: v2 description: ONAP Chart Museum name: chartmuseum -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/platform/components/chartmuseum/templates/deployment.yaml b/kubernetes/platform/components/chartmuseum/templates/deployment.yaml index cc07f27bb1..fea1a1a614 100644 --- a/kubernetes/platform/components/chartmuseum/templates/deployment.yaml +++ b/kubernetes/platform/components/chartmuseum/templates/deployment.yaml 
@@ -27,21 +27,6 @@ spec: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 7 | trim}} - initContainers: - - name: volume-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - chown -R {{ .Values.securityContext.user_id }}:{{ .Values.securityContext.group_id }} //chartmuseum-persist - securityContext: - runAsUser: 0 - volumeMounts: - - name: chart-persistent - mountPath: "/chartmuseum-persist" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.githubContainerRegistry" . }}/{{ .Values.image }} @@ -79,5 +64,4 @@ spec: emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/platform/components/chartmuseum/values.yaml b/kubernetes/platform/components/chartmuseum/values.yaml index 05a8b1537b..7068990c7d 100644 --- a/kubernetes/platform/components/chartmuseum/values.yaml +++ b/kubernetes/platform/components/chartmuseum/values.yaml @@ -82,16 +82,16 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.5 - memory: 512Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} \ No newline at end of file diff --git a/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml index c48d31d7a4..a77fb20fd6 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml 
@@ -17,12 +17,12 @@ apiVersion: v2 description: ONAP CMPv2 certificate external provider for cert-manager name: cmpv2-cert-provider -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml index ce5e410abe..3513c21d1a 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml @@ -43,8 +43,7 @@ spec: {{- end }} {{- end }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index e387cc8e55..70bd872107 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -15,7 +15,7 @@ # Global global: nodePortPrefix: 302 - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.1.2 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 busyboxRepository: registry.hub.docker.com @@ -35,14 +35,15 @@ deployment: logLevel: debug resources: limits: - cpu: 250m - memory: 128Mi + cpu: "250m" + memory: "100Mi" requests: - cpu: 100m - memory: 64Mi + cpu: "100m" + memory: "60Mi" readinessCheck: wait_for: - - oom-cert-service + services: + - oom-cert-service # CMPv2Issuer cmpv2issuer: @@ -57,7 +58,3 @@ cmpv2issuer: certRef: tls.crt keyRef: tls.key cacertRef: ca.crt - - - - 
diff --git a/kubernetes/platform/components/oom-cert-service/Chart.yaml b/kubernetes/platform/components/oom-cert-service/Chart.yaml index 072de8c788..c71653b778 100644 --- a/kubernetes/platform/components/oom-cert-service/Chart.yaml +++ b/kubernetes/platform/components/oom-cert-service/Chart.yaml @@ -17,18 +17,18 @@ apiVersion: v2 description: ONAP Cert Service name: oom-cert-service -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: cmpv2Config - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml index 5f80a7dc75..4c97359714 100644 --- a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml @@ -33,8 +33,7 @@ spec: {{- end }} {{- end }} spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} volumes: {{- if .Values.global.addTestingComponents }} - name: cmp-servers-template-volume @@ -57,7 +56,7 @@ spec: command: - /app/ready.py args: - - --container-name + - --service-name - ejbca-ejbca env: - name: NAMESPACE @@ -67,6 +66,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" - name: subsitute-envs image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} 
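Review bot: the `resources:` block added to the readiness init container in oom-cert-service/templates/deployment.yaml (hunk @@ -67,6 +66,13 @@) is hard-coded in the template, so operators cannot adjust it through values.yaml the way they can the `resources.small` / `resources.large` flavors this chart uses for the main container. Consider reading the numbers from a values key and keeping the current ones as defaults. The memory limit (`500Mi`) is also 25 times the request (`20Mi`); if that headroom is intentional for `/app/ready.py`, a one-line comment saying so would help the next reader.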
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index d9c215cd9e..52e7649d6f 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -61,18 +61,18 @@ flavor: small resources: small: limits: - cpu: 0.5 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.2 - memory: 512Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 1 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 0.4 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} diff --git a/kubernetes/platform/values.yaml b/kubernetes/platform/values.yaml index a30dabbcc2..95c98f6eb4 100644 --- a/kubernetes/platform/values.yaml +++ b/kubernetes/platform/values.yaml @@ -32,6 +32,14 @@ global: # Application configuration defaults. ################################################################# +# Control deployment of Platform services at ONAP installation time +chartmuseum: + enabled: false +cmpv2-cert-provider: + enabled: true +oom-cert-service: + enabled: true + flavor: small # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/Chart.yaml b/kubernetes/policy/Chart.yaml old mode 100755 new mode 100644 index 8f2723e72e..d406b442c0 --- a/kubernetes/policy/Chart.yaml +++ b/kubernetes/policy/Chart.yaml @@ -1,7 +1,8 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021, 2022 Nordix Foundation +# Modifications Copyright © 2021-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,73 +19,75 @@ apiVersion: v2 description: ONAP Policy name: policy -version: 12.0.0 +version: 16.0.10 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: mariadb-galera - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: policy-nexus - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/policy-nexus' condition: policy-nexus.enabled - name: policy-api - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/policy-api' condition: policy-api.enabled - name: policy-pap - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/policy-pap' condition: policy-pap.enabled - name: policy-xacml-pdp - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/policy-xacml-pdp' condition: policy-xacml-pdp.enabled - name: policy-apex-pdp - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/policy-apex-pdp' condition: policy-apex-pdp.enabled - name: policy-drools-pdp - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/policy-drools-pdp' condition: policy-drools-pdp.enabled + - name: policy-opa-pdp + version: ~16.x-0 + repository: 'file://components/policy-opa-pdp' + condition: policy-opa-pdp.enabled - name: policy-distribution - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/policy-distribution' condition: policy-distribution.enabled - name: policy-clamp-ac-k8s-ppnt - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-k8s-ppnt' condition: policy-clamp-ac-k8s-ppnt.enabled - name: policy-clamp-ac-http-ppnt - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-http-ppnt' condition: policy-clamp-ac-http-ppnt.enabled + - name: policy-clamp-ac-a1pms-ppnt + version: ~16.x-0 + repository: 'file://components/policy-clamp-ac-a1pms-ppnt' + condition: policy-clamp-ac-a1pms-ppnt.enabled + - name: policy-clamp-ac-kserve-ppnt + version: ~16.x-0 + repository: 
'file://components/policy-clamp-ac-kserve-ppnt' + condition: policy-clamp-ac-kserve-ppnt.enabled - name: policy-clamp-ac-pf-ppnt - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-ac-pf-ppnt' condition: policy-clamp-ac-pf-ppnt.enabled - name: policy-clamp-runtime-acm - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/policy-clamp-runtime-acm' condition: policy-clamp-runtime-acm.enabled - - name: policy-gui - version: ~12.x-0 - repository: 'file://components/policy-gui' - condition: policy-gui.enabled - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 - repository: '@local' - - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: global.postgres.localCluster diff --git a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml old mode 100755 new mode 100644 index c91569f1ed..9288c8994a --- a/kubernetes/policy/components/policy-apex-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/Chart.yaml @@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 OpenInfra Europe. All rights reserved. +# Modification (C) 2023-2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -21,18 +22,15 @@ apiVersion: v2 description: ONAP Policy APEX PDP name: policy-apex-pdp -version: 12.0.0 +version: 16.0.2 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json index 7614a8c5b1..441955f1ed 100755 --- a/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json +++ b/kubernetes/policy/components/policy-apex-pdp/resources/config/OnapPfConfig.json @@ -5,10 +5,10 @@ "port": 6969, "userName": "${RESTSERVER_USER}", "password": "${RESTSERVER_PASSWORD}", - "https": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "https": "false", "prometheus": true }, - "pdpStatusParameters":{ + "pdpStatusParameters": { "pdpGroup": "defaultGroup", "timeIntervalMs": 120000, "pdpType":"apex", 
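Review bot: in OnapPfConfig.json (hunk @@ -5,10 +5,10 @@) the new `"https": "false"` is a JSON string, whereas the removed template line rendered a bare `true`/`false` and the neighbouring `"prometheus": true` is a boolean. Unless the consumer is known to coerce strings, this should be `"https": false`. The line also fixes the REST server, which is configured with `userName` and `password` just above, to plain HTTP with no way to turn TLS back on from values; if transport protection is expected to come from somewhere else, the commit message or a comment in the chart should say so.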
@@ -25,18 +25,29 @@ ] }, "topicParameterGroup": { - "topicSources" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, - "fetchTimeout": 15000, - "topicCommInfrastructure" : "dmaap" - }], - "topicSinks" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, - "topicCommInfrastructure" : "dmaap" - }] + "topicSources": [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "fetchTimeout": 15000, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id" : "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + }}], + "topicSinks" : [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id" : "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } + }] } } diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/configmap.yaml index 5e2caa989f..c67a3284f1 100755 --- a/kubernetes/policy/components/policy-apex-pdp/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/configmap.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 Nordix Foundation. # Modifications Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright (C) 2025 Deutsche Telekom. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,11 +26,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} 
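Review bot: in policy-apex-pdp/resources/config/OnapPfConfig.json (hunk @@ -25,18 +25,29 @@, topicParameterGroup) `"security.protocol": "SASL_PLAINTEXT"` is hard-coded for both topicSources and topicSinks while `sasl.mechanism` next to it is parameterised through `${SASL}`. SASL_PLAINTEXT authenticates the client but leaves the Kafka connection unencrypted, so a deployment that needs SASL_SSL has to patch the file. Suggest passing the protocol through an environment variable the same way as the mechanism, with the current value as the default. Minor: `group.id` is a consumer setting and is probably not needed in the topicSinks `additionalProps`.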
diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml new file mode 100755 index 0000000000..3b25dc55a3 --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/deployment.yaml 
@@ -0,0 +1,120 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2018 Ericsson. All rights reserved. +# Modifications Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright © 2022 Nordix Foundation +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - command: ["/bin/sh", "-cx"] + args: + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; + cd /config-input && for PFILE in `ls -1`; + do envsubst <${PFILE} >/config/${PFILE}; done + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "restserver-creds" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} + volumeMounts: + - mountPath: /config-input + name: apexconfig-input + - mountPath: /config + name: apexconfig + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + containers: + - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: [ "/bin/sh", "-cx" ] + args: + - id apexuser; + cat /home/apexuser/config/OnapPfConfig.json; + /opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json + ports: {{ include "common.containerPorts" . 
| nindent 12 }} + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{- end }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: REPLICAS + value: "{{ .Values.replicaCount }}" + volumeMounts: + - mountPath: /var/log/onap + name: policy-logs + - mountPath: /home/apexuser/config + name: apexconfig + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: policy-logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + - name: apexconfig-input + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: apexconfig + emptyDir: + medium: Memory + sizeLimit: 64Mi + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-apex-pdp/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml index 6a4d28bc4b..f96e81074e 100755 --- a/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
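Review bot: in the new policy-apex-pdp/templates/deployment.yaml (hunk @@ -0,0 +1,120 @@) both containers run `/bin/sh -cx`, and the init container's first command is `JAASLOGIN=`echo $JAASLOGIN | tr -d '"'``. With xtrace on, the shell prints the expanded assignment, so the `sasl.jaas.config` value read from the secret is written to the init container log. The main container then runs `cat /home/apexuser/config/OnapPfConfig.json`, which prints the rendered file with `${RESTSERVER_PASSWORD}` and `${JAASLOGIN}` already substituted. Suggest dropping the `x` flag and the `cat` (and the `id apexuser` debug call) before merge, or gating them behind a debug value that defaults to off.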
@@ -18,29 +19,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - sessionAffinity: None +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml deleted file mode 100755 index 71320dc3eb..0000000000 --- a/kubernetes/policy/components/policy-apex-pdp/templates/statefulset.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2018 Ericsson. All rights reserved. -# Modifications Copyright (C) 2020 AT&T Intellectual Property. -# Modifications Copyright © 2022 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - serviceName: {{ include "common.servicename" . }} - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "truststore-pass" "key" "password") | indent 10 }} - - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-pass" "key" "password") | indent 10 }} - - name: RESTSERVER_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} - - name: RESTSERVER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} - volumeMounts: - - mountPath: /config-input - name: apexconfig-input - - mountPath: /config - name: apexconfig - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["sh","-c"] - args: ["if [ -f {{ .Values.certInitializer.credsPath }}/.ci ]; then \ - . 
{{ .Values.certInitializer.credsPath }}/.ci; fi;\ - /opt/app/policy/apex-pdp/bin/apexOnapPf.sh -c /home/apexuser/config/OnapPfConfig.json"] - ports: - - containerPort: {{ .Values.service.externalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.externalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{- end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.externalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: REPLICAS - value: "{{ .Values.replicaCount }}" -{{- if not .Values.global.aafEnabled }} - - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-pass" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-pass" "key" "password") | indent 12 }} -{{- end }} - volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /var/log/onap - name: policy-logs - - mountPath: /home/apexuser/config - name: apexconfig - resources: -{{ include "common.resources" . }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: policy-logs - emptyDir: {} - - name: apexconfig-input - configMap: - name: {{ include "common.fullname" . 
}}-configmap - defaultMode: 0755 - - name: apexconfig - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml old mode 100755 new mode 100644 index e366c4415e..5a9d211302 --- a/kubernetes/policy/components/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml @@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022, 2025 OpenInfra Europe. All rights reserved. +# Modification (C) 2023-2024 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,7 +24,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true persistence: {} ################################################################# 
@@ -35,16 +35,6 @@ secrets: externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' - - uid: truststore-pass - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: keystore-pass - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - uid: policy-kafka-user externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' type: genericKV @@ -57,7 +47,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-apex-pdp:2.8.1 +image: onap/policy-apex-pdp:4.2.0 pullPolicy: Always # flag to enable debugging - application support required @@ -68,29 +58,6 @@ debugEnabled: false restServer: user: healthcheck password: zb!XztG34 -truststore: - password: Pol1cy_0nap -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-apex-pdp-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 101 - gid: 102 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWORD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); # default number of instances replicaCount: 1 
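Review bot: The `restServer` block left as context in the `@@ -68,29 +58,6 @@` hunk of policy-apex-pdp/values.yaml still ships a fixed default, `password: zb!XztG34`, while the keystore, truststore and `aafDeployPass` literals directly below it are being deleted. The secret entry earlier on this line already accepts `.Values.restServer.credsExternalSecret`, so the literal could go in the same change, leaving the chart to require an external secret or a generated password instead of a value that is identical in every installation.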
@@ -114,50 +81,68 @@ readiness: service: type: ClusterIP name: policy-apex-pdp - portName: http - externalPort: 6969 internalPort: 6969 - nodePort: 37 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 10m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 20m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + #Pods Service Account serviceAccount: nameOverride: policy-apex-pdp roles: - read +dirSizes: + logDir: + sizeLimit: 500Mi + metrics: serviceMonitor: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true port: policy-apex-pdp interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-apex-pdp-restserver-creds 
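Review bot: In the `metrics.serviceMonitor` part of this hunk `isHttps` changes to `false` while `basicAuth.enabled: true` is kept, so the scrape carries the restserver credentials over plain HTTP unless something outside this chart encrypts that hop. The same hunk adds `serviceMesh.authorizationPolicy` with `strimzi-kafka-read` as the only authorized principal; please confirm the Prometheus scraper is still admitted, and add a comment next to `isHttps: false` stating that transport protection is expected from the mesh.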
@@ -172,22 +157,24 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap kafka: consumer: - groupId: policy-group + groupId: policy-apex app: listener: policyPdpPapTopic: policy-pdp-pap -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# -# Any new property can be added in the env by setting in overrides in the format mentioned below -# All the added properties must be in "key: value" format instead of yaml. + +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-apex + type: group + operations: [Create, Describe, Read, Write] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-heartbeat + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] diff --git a/kubernetes/policy/components/policy-api/Chart.yaml b/kubernetes/policy/components/policy-api/Chart.yaml old mode 100755 new mode 100644 index 49c067b639..89654873e1 --- a/kubernetes/policy/components/policy-api/Chart.yaml +++ b/kubernetes/policy/components/policy-api/Chart.yaml 
@@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 OpenInfra Europe. All rights reserved. +# Modification (C) 2023-2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +22,18 @@ apiVersion: v2 description: ONAP Policy Design API name: policy-api -version: 12.0.0 +version: 16.0.4 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml index bcee4d35d1..866cd319de 100644 --- a/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml +++ b/kubernetes/policy/components/policy-api/resources/config/apiParameters.yaml 
@@ -1,6 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. # Modifications Copyright (C) 2022 AT&T Intellectual Property. +# Modification (C) 2023,2025 Deutsche Telekom. All rights reserved. +# Modifications Copyright © 2024-2025 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,7 +22,9 @@ server: port: {{ .Values.service.internalPort }} ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false + servlet: + context-path: /policy/api/v1 spring: security.user: @@ -28,16 +32,16 @@ spring: password: "${RESTSERVER_PASSWORD}" mvc.converters.preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}/policyadmin - driverClassName: org.mariadb.jdbc.Driver + url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/policyadmin + driverClassName: org.postgresql.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" hikari: - maximumPoolSize: 20 + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 jpa: - properties: - hibernate: - dialect: org.hibernate.dialect.MariaDB103Dialect hibernate: ddl-auto: none naming: @@ -48,15 +52,6 @@ policy-api: name: ApiGroup aaf: false -database: - name: PolicyProviderParameterGroup - implementation: org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl - driver: org.mariadb.jdbc.Driver - url: jdbc:mariadb://{{ .Values.db.service.name }}/policyadmin - user: "${SQL_USER}" - password: "${SQL_PASSWORD}" - persistenceUnit: PolicyDb - policy-preload: policyTypes: - policytypes/onap.policies.monitoring.tcagen2.yaml 
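Review bot: In the `@@ -20,7 +22,9 @@ server:` hunk of apiParameters.yaml, `ssl.enabled` becomes the constant `false` instead of the result of `common.needTLS`, so no chart value can turn TLS back on for policy-api while the `spring.security.user` basic-auth block below it stays in use. If transport security is meant to come from the service mesh, say so in a comment beside `enabled: false`, or keep a values toggle for deployments that run without a mesh.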
@@ -87,12 +82,15 @@ policy-preload: - policytypes/onap.policies.Match.yaml - policytypes/onap.policies.native.Drools.yaml - policytypes/onap.policies.native.Xacml.yaml + - policytypes/onap.policies.native.ToscaXacml.yaml - policytypes/onap.policies.native.Apex.yaml - policytypes/onap.policies.controlloop.operational.Common.yaml - policytypes/onap.policies.controlloop.operational.common.Apex.yaml - policytypes/onap.policies.controlloop.operational.common.Drools.yaml + - policytypes/onap.policies.native.opa.yaml policies: - policies/sdnc.policy.naming.input.tosca.yaml + - policies/opa.policy.slice.capacity.check.tosca.yaml management: endpoints: diff --git a/kubernetes/policy/components/policy-api/resources/config/db-pg.sh b/kubernetes/policy/components/policy-api/resources/config/db-pg.sh new file mode 100644 index 0000000000..a7fc088d55 --- /dev/null +++ b/kubernetes/policy/components/policy-api/resources/config/db-pg.sh 
@@ -0,0 +1,34 @@ +#!/bin/sh +# +# ============LICENSE_START======================================================= +# Copyright (C) 2021-2024 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +# + +#psql() { /usr/bin/psql -h ${PG_HOST} -p ${PG_PORT} "$@"; }; + +export PGPASSWORD=${PG_ADMIN_PASSWORD}; + +echo "Create user ${PG_USER} is created in Host ${PG_HOST}" +psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER \"${PG_USER}\" WITH PASSWORD '${PG_USER_PASSWORD}'" + +for db in migration pooling policyadmin policyclamp operationshistory clampacm +do + echo "Create DB ${db}" + psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE DATABASE ${db};" + echo "Grant privileges to DB ${db} for user ${PG_USER}" + psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO \"${PG_USER}\";" + echo "Grant privileges to SCHEMA public for user ${PG_USER}" + psql -h ${PG_HOST} -p ${PG_PORT} -d ${db} -U postgres --command "GRANT ALL ON SCHEMA public TO \"${PG_USER}\";" +done diff --git a/kubernetes/policy/components/policy-api/resources/config/db_migrator_pg_policy_init.sh b/kubernetes/policy/components/policy-api/resources/config/db_migrator_pg_policy_init.sh new file mode 100644 index 0000000000..15a6e3224f 
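Review bot: In db-pg.sh, `CREATE USER \"${PG_USER}\" WITH PASSWORD '${PG_USER_PASSWORD}'` splices the secret into the SQL text inside the `psql --command` argument, so a password containing a single quote breaks or changes the statement, and the value is readable in the process arguments while psql runs. Send the statement on stdin and let psql quote the value through a variable reference (`:'name'`) instead of shell interpolation, and double-quote the `${PG_HOST}` and `${PG_PORT}` expansions. The script also has no error handling: `CREATE USER` and `CREATE DATABASE` fail whenever the objects already exist, and the exit status reflects only the final `GRANT`, so a failure on any earlier database passes unnoticed. Separately, `GRANT ALL PRIVILEGES` on six databases plus `GRANT ALL ON SCHEMA public` is broader than an application account normally needs and deserves a comment explaining why. The first `echo` ("Create user ... is created in Host") reads as two messages merged.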
--- /dev/null +++ b/kubernetes/policy/components/policy-api/resources/config/db_migrator_pg_policy_init.sh @@ -0,0 +1,32 @@ +#!/bin/sh +{{/* +# Copyright (C) 2022, 2024 Nordix Foundation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +for schema in ${SQL_DB}; do + echo "Initializing $schema..." + /opt/app/policy/bin/prepare_upgrade.sh ${schema} + + /opt/app/policy/bin/db-migrator-pg -s ${schema} -o report + + /opt/app/policy/bin/db-migrator-pg -s ${schema} -o upgrade + rc=$? + + /opt/app/policy/bin/db-migrator-pg -s ${schema} -o report + + if [ "$rc" != 0 ]; then + break + fi +done diff --git a/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-api/templates/authorizationpolicy.yaml 
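Review bot: In db_migrator_pg_policy_init.sh, `rc` is captured after the `-o upgrade` call but is only used to `break` out of the loop, so the script finishes with status 0 even when the upgrade failed and the init container reports success. Initialise `rc=0` before the loop and add `exit "$rc"` after `done`; the result of `prepare_upgrade.sh` is not checked at all and should be handled the same way. The word splitting of `${SQL_DB}` in the `for` list looks intentional, but `${schema}` inside the loop should be quoted.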
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-api/templates/configmap.yaml b/kubernetes/policy/components/policy-api/templates/configmap.yaml index 9ab25fe2ac..a4962b46ed 100755 --- a/kubernetes/policy/components/policy-api/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-api/templates/configmap.yaml @@ -3,6 +3,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 Nordix Foundation. # Modified Copyright (C) 2020 AT&T Intellectual Property. All rights reserved. +# Modification (C) 2025 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,11 +26,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} 
@@ -37,4 +34,13 @@ binaryData: {{- end }} {{- end }} data: -{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }} \ No newline at end of file +{{ tpl (.Files.Glob "resources/config/*.{yaml,xml}").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-db-configmap + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{ tpl (.Files.Glob "resources/config/*.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-api/templates/deployment.yaml b/kubernetes/policy/components/policy-api/templates/deployment.yaml index c4946a8263..20c02befae 100755 --- a/kubernetes/policy/components/policy-api/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-api/templates/deployment.yaml 
@@ -1,39 +1,106 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021-2025 Nordix Foundation. +# Modification (C) 2025 Deutsche Telekom. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} initContainers: - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . 
}}-policy-galera-config + {{ include "common.readinessCheck.waitFor" . | indent 8 | trim }} + - name: {{ include "common.name" . }}-pg-config + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.postgresImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + command: + - /bin/sh + - -cx + - | + /docker-entrypoint-initdb.d/db-pg.sh env: - - name: NAMESPACE + - name: PG_ADMIN_PASSWORD valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} + secretKeyRef: + {{- if eq .Values.global.postgres.localCluster true }} + name: '{{ include "common.release" . }}-policy-db-root-password' + {{- else }} + name: '{{ .Values.global.postgres.userRootSecret }}' + {{- end }} + key: password + - name: PG_HOST + value: "{{ .Values.global.postgres.service.name2 }}" + - name: PG_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: PG_USER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: PG_PORT + value: "{{ .Values.global.postgres.service.port }}" + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 300m + memory: 128Mi + volumeMounts: + - mountPath: /docker-entrypoint-initdb.d/db-pg.sh + name: {{ include "common.fullname" . }}-config + subPath: db-pg.sh + - name: {{ include "common.name" . }}-pg-db-migrator + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh + name: {{ include "common.fullname" . 
}}-config + subPath: db_migrator_pg_policy_init.sh + - mountPath: /opt/app/policy/etc/db/ + name: {{ include "common.fullname" . }}-migration-writable + command: + - /bin/sh + - -cx + - | + /dbcmd-config/db_migrator_pg_policy_init.sh + env: + - name: SQL_HOST + value: "{{ .Values.global.postgres.service.name2 }}" + - name: SQL_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} + - name: SQL_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + - name: SQL_DB + value: {{ .Values.dbmigrator.schemas }} + - name: POLICY_HOME + value: {{ .Values.dbmigrator.policy_home }} + - name: SCRIPT_DIRECTORY + value: "postgres" + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} + resources: {{ include "common.resources" . | nindent 12 }} - command: - sh args: @@ -41,9 +108,9 @@ spec: - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }} - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "password") | indent 12 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 12 }} - name: RESTSERVER_PASSWORD 
@@ -53,29 +120,25 @@ spec: name: apiconfig - mountPath: /config name: apiconfig-processed + name: {{ include "common.name" . }}-update-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 8 }} + resources: + requests: + cpu: 10m + memory: 64Mi + limits: + cpu: 100m + memory: 128Mi + {{ include "common.containerSecurityContext" . | indent 10 | trim }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/api/bin/policy-api.sh /opt/app/policy/api/etc/mounted/apiParameters.yaml"] -{{- else }} command: ["/opt/app/policy/api/bin/policy-api.sh"] args: ["/opt/app/policy/api/etc/mounted/apiParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} 
@@ -84,7 +147,7 @@ spec: port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} + {{- end }} readinessProbe: httpGet: path: {{ .Values.readiness.api }} @@ -92,21 +155,24 @@ spec: httpHeaders: - name: Authorization value: Basic {{ printf "%s:%s" .Values.restServer.user .Values.restServer.password | b64enc }} - scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} + scheme: HTTP successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/api/etc/logback.xml + subPath: logback.xml + name: apiconfig-processed - mountPath: /opt/app/policy/api/etc/mounted name: apiconfig-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -117,10 +183,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: apiconfig configMap: name: {{ include "common.fullname" . }}-configmap 
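Review bot: The `readinessProbe` in the `@@ -92,21 +155,24 @@` hunk now uses `scheme: HTTP` but still builds its header with `printf "%s:%s" .Values.restServer.user .Values.restServer.password | b64enc`, which writes the base64 credentials into the rendered pod spec rather than taking them from the `restserver-creds` secret used by the update-config init container. Anyone who can read the Deployment can decode the password, and if the credentials are supplied through a secret that differs from the values file the probe sends the wrong header. Consider pointing the probe at an endpoint that needs no authentication, or at least note the limitation beside the `httpHeaders` block.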
@@ -128,5 +190,22 @@ spec: - name: apiconfig-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" \ No newline at end of file + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + - name: {{ include "common.fullname" . }}-migration-writable + emptyDir: + sizeLimit: {{ .Values.dirSizes.migration.sizeLimit }} + - name: {{ include "common.fullname" . }}-config + configMap: + name: {{ include "common.fullname" . }}-db-configmap + defaultMode: 0755 + items: + - key: db-pg.sh + path: db-pg.sh + - key: db_migrator_pg_policy_init.sh + path: db_migrator_pg_policy_init.sh diff --git a/kubernetes/policy/components/policy-api/templates/service.yaml b/kubernetes/policy/components/policy-api/templates/service.yaml index b5dee39e60..abb9a44bbe 100755 --- a/kubernetes/policy/components/policy-api/templates/service.yaml +++ b/kubernetes/policy/components/policy-api/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. +# Modification (C) 2023 Deutsche Telekom. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,28 +19,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml old mode 100755 new mode 100644 index ec80ba82f0..562a0878e7 --- a/kubernetes/policy/components/policy-api/values.yaml +++ b/kubernetes/policy/components/policy-api/values.yaml 
@@ -1,6 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. +# Modification (C) 2023-2025 Deutsche Telekom. All rights reserved. +# Modifications Copyright © 2024-2025 OpenInfra Europe. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -23,13 +25,18 @@ global: nodePortPrefix: 304 persistence: {} - aafEnabled: true + postgres: + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 ################################################################# # Secrets metaconfig ################################################################# secrets: - - uid: db-creds + - uid: db-secret type: basicAuth externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}' login: '{{ .Values.db.user }}' 
@@ -41,45 +48,23 @@ secrets: login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-api-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); +################################################################# +# DB configuration defaults. +################################################################# + +dbmigrator: + image: onap/policy-db-migrator:4.2.0 + schemas: "policyadmin clampacm pooling operationshistory" + policy_home: "/opt/app/policy" +postgresImage: library/postgres:17.2 ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-api:2.7.1 +image: onap/policy-api:4.2.0 pullPolicy: Always # flag to enable debugging - application support required 
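Review bot: The three images this hunk introduces or bumps (`onap/policy-db-migrator:4.2.0`, `library/postgres:17.2`, `onap/policy-api:4.2.0`) are referenced by tag only, and with `pullPolicy: Always` a re-pushed tag is picked up on the next pod restart without any chart change. Pinning by digest (`image@sha256:...`) would make the deployed content reviewable; at minimum add a comment saying which container uses `postgresImage`. Dropping the hard-coded `Pol1cy_0nap` store passwords and the `demo123456!` deployer password together with `certInitializer` is a welcome cleanup; please confirm that no other template in the chart still reads `.Values.certStores` or the `keystore-password` / `truststore-password` secret uids.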
@@ -87,11 +72,13 @@ debugEnabled: false # application configuration db: - user: policy_user + user: policy-user password: policy_user - service: - name: policy-mariadb - internalPort: 3306 + +readinessCheck: + wait_for: + services: + - '{{ .Values.global.postgres.service.name2 }}' restServer: user: policyadmin @@ -106,7 +93,7 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 + initialDelaySeconds: 120 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container @@ -118,37 +105,57 @@ readiness: api: /policy/api/v1/healthcheck successThreshold: 1 failureThreshold: 3 - timeout: 60 + timeout: 120 service: type: ClusterIP name: policy-api - portName: http - externalPort: 6969 internalPort: 6969 - nodePort: 40 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: policy-pap-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + migration: + sizeLimit: 1Gi + +dbReadiness: + retryCount: 3 + #Pods Service Account serviceAccount: nameOverride: policy-api 
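Review bot: `serviceMesh.authorizationPolicy.authorizedPrincipals` in the `@@ -118,37 +105,57 @@` hunk lists only `policy-pap-read`, while the `metrics` block further down this file stays `enabled: true` and scrapes `/policy/api/v1/metrics` on the same `http` port. If the generated policy works as an allow-list, the scraper's service account and any other legitimate caller of the API need an entry here, or a comment should state that they reach the pod by another path. Separately, the `small` flavor's memory limit drops from `4Gi` to `1Gi` in the same hunk while the liveness delay doubles to 120 seconds; please confirm the 4.2.0 image starts and runs within that limit.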
@@ -160,18 +167,25 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true - port: policy-api + port: http + path: /policy/api/v1/metrics interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-api-user-creds externalSecretUserKey: login externalSecretPasswordKey: password + selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml new file mode 100644 index 0000000000..bc980b60dd --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/Chart.yaml 
@@ -0,0 +1,34 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy Clamp A1PMS Participant +name: policy-clamp-ac-a1pms-ppnt +version: 16.0.3 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml new file mode 100755 index 0000000000..0404a8a68c --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/A1pmsParticipantParameters.yaml 
@@ -0,0 +1,98 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022,2024 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +spring: + autoconfigure: + exclude: + - org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration + - org.springframework.boot.autoconfigure.data.web.SpringDataWebAutoConfiguration + security: + user: + name: ${RESTSERVER_USER} + password: ${RESTSERVER_PASSWORD} + +security: + enable-csrf: false + +participant: + intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + reportingTimeIntervalMs: 120000 + description: Participant Description + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c00 + clampAutomationCompositionTopics: + topicSources: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + topicSinks: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.A1PMSAutomationCompositionElement + typeVersion: 1.0.1 + + +management: + endpoints: + web: + base-path: / + exposure: + include: health, metrics, prometheus +server: + port: 8086 + servlet: + context-path: /onap/policy/clamp/acm/a1pmsparticipant + ssl: + enabled: false diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/logback.xml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/logback.xml new file mode 100755 index 0000000000..b0d310e3de --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/resources/config/logback.xml 
@@ -0,0 +1,103 @@ + + + + + + /var/log/onap/policy/a1pms-participant/error.log + + /var/log/onap/policy/a1pms-participant/error.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + WARN + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/a1pms-participant/debug.log + + /var/log/onap/policy/a1pms-participant/debug.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/a1pms-participant/network.log + + /var/log/onap/policy/a1pms-participant/network.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n + + + + + + + + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} 
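Review bot: In the new `logback.xml`, each of the three file appenders under `/var/log/onap/policy/a1pms-participant/` (error, debug, network) carries the rolling values `50MB`, `30` and `10GB`, but the chart mounts `/var/log/onap` from the `logs` emptyDir, whose `dirSizes.logDir.sizeLimit` defaults to `500Mi`. The kubelet evicts a pod whose emptyDir grows past its limit, so the combined cap of the three appenders has to sit below 500Mi, or the volume limit has to be raised to match what logback is allowed to keep. As written, a noisy debug log restarts the participant long before logback's own cap applies.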
diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml new file mode 100755 index 0000000000..7ef735bf59 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/configmap.yaml @@ -0,0 +1,32 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{- if .Values.a1pmsconfig }} +{{ tpl (.Files.Glob "resources/config/A1pmsParticipantParameters.yaml").AsConfig . | indent 2 }} +{{ toYaml .Values.a1pmsconfig | indent 4 }} +{{- end }} +{{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml new file mode 100755 index 0000000000..b9eb83b3c5 --- /dev/null 
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/deployment.yaml 
@@ -0,0 +1,115 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . 
}}-ku + key: sasl.jaas.config + volumeMounts: + - mountPath: /config-input + name: ac-a1pms-ppnt-config + - mountPath: /config + name: ac-a1pms-ppnt-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + name: {{ include "common.name" . }}-update-config + containers: + - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/opt/app/policy/clamp/bin/a1pms-participant.sh"] + args: ["/opt/app/policy/clamp/etc/mounted/A1pmsParticipantParameters.yaml"] + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - mountPath: /opt/app/policy/clamp/etc/mounted + name: ac-a1pms-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-a1pms-ppnt-config-processed + resources: {{ include "common.resources" . 
| nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} + volumes: + - name: ac-a1pms-ppnt-config + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: ac-a1pms-ppnt-config-processed + emptyDir: + medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/secrets.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/secrets.yaml new file mode 100755 index 0000000000..3401d7f01f --- /dev/null 
+++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml new file mode 100644 index 0000000000..66aadf12c7 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/templates/service.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2022 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml new file mode 100644 index 0000000000..edee611844 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-a1pms-ppnt/values.yaml 
@@ -0,0 +1,157 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2022-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + kafkaTopics: + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: restserver-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/policy-clamp-ac-a1pms-ppnt:8.2.0 +pullPolicy: Always + +componentName: &componentName policy-clamp-ac-a1pms-ppnt + +# application configuration +restServer: + user: participantUser + password: zb!XztG34 + +a1pmsconfig: + a1pms: + baseUrl: http://a1policymanagement.onap:8081 + headers: + content-type: application/json + endpoints: + health: /a1-policy/v2/rics + services: /a1-policy/v2/services + service: /a1-policy/v2/services/{service_id} + +# flag to enable debugging - application support required +debugEnabled: false + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} +ingress: + enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + +# probe configuration parameters +liveness: + initialDelaySeconds: 60 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: http-a1pms-api + +readiness: + initialDelaySeconds: 60 + periodSeconds: 10 + port: http-a1pms-api + +service: + type: ClusterIP + name: *componentName + ports: + - name: http-a1pms-api + port: 8086 + +flavor: small +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + +#Pods Service Account +serviceAccount: + nameOverride: *componentName + roles: + - create + +config: +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. 
+# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml index 1e820fe107..621d42166e 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/Chart.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2022, 2024-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,18 +20,15 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Http Participant name: policy-clamp-ac-http-ppnt -version: 12.0.0 +version: 16.0.2 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 - repository: '@local' \ No newline at end of file + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml index 51d4b47a15..8b877ffc0d 100644 
--- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/resources/config/HttpParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
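Review bot: The new `policy-clamp-ac-a1pms-ppnt/values.yaml` added earlier in this change ships a working default credential (`restServer.user: participantUser` with a literal `restServer.password`), which every installation that does not override it will share. The `secrets` entry already supports `restServer.credsExternalSecret` and declares `passwordPolicy: required`; leaving the default password empty would give that policy something to enforce and push operators towards the external secret. The same applies to the unchanged `db.password: policy_user` default in policy-api `values.yaml`, whose neighbouring `user` line this change edits.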
@@ -26,69 +26,63 @@ spring: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} -{{- if .Values.config.useStrimziKafka }} - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} security: enable-csrf: false participant: intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description - participantId: - name: HttpParticipant0 - version: 1.0.0 - participantType: - name: org.onap.policy.clamp.acm.HttpParticipant - version: 2.3.4 + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c01 clampAutomationCompositionTopics: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false fetchTimeout: 15000 - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} -# If Strimzi Kafka to be used for communication, replace clampAutomationCompositionTopics configuration with below -# clampAutomationCompositionTopics: -# topicSources: -# - topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# fetchTimeout: 15000 -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} -# topicSinks: -# - topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.HttpAutomationCompositionElement + typeVersion: 1.0.0 + management: endpoints: 
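Review bot: All three new topic entries (both `topicSources` items and the `topicSinks` item) set `security.protocol: SASL_PLAINTEXT` and a literal `useHttps: false`, so the operation and sync topic traffic is authenticated but not encrypted at the Kafka layer, and the `common.needTLS` switch that used to drive `useHttps` is gone. If transport encryption is expected to come from the service mesh, state that in a comment beside `additionalProps`; otherwise expose the protocol as a value so a deployment without a mesh can select `SASL_SSL`. The hunk also swaps the name/version `participantId` for a UUID literal written into the template, where it cannot be overridden from `values.yaml`.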
@@ -100,5 +94,4 @@ server: servlet: context-path: /onap/httpparticipant ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - + enabled: false diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/configmap.yaml index 09cc8cd48f..ff1bc31c3a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/configmap.yaml 
@@ -23,10 +23,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml index 044be0ff70..dd7db7acee 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh 
@@ -38,10 +40,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-http-ppnt-config 
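Review bot: The `secretKeyRef` for `SASL_JAAS_CONFIG` assembles the secret name by hand as `{{ include "common.name" . }}-ku`, with the `-ku` suffix written as a literal and nothing in this hunk showing where a secret of that name is created. If the naming used by the template that creates the Kafka user secret ever changes, this reference breaks only at pod start, not at render time. Resolve the name through a shared helper, or add a short comment naming the template that produces the secret and its `sasl.jaas.config` key.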
@@ -49,25 +52,15 @@ spec: name: ac-http-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/http-participant.sh /opt/app/policy/clamp/etc/mounted/HttpParticipantParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/http-participant.sh"] args: ["/opt/app/policy/clamp/etc/mounted/HttpParticipantParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container 
@@ -84,14 +77,17 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-http-ppnt-config-processed - resources: -{{ include "common.resources" . }} + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-http-ppnt-config-processed + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -102,10 +98,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-http-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -113,5 +105,11 @@ spec: - name: ac-http-ppnt-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml index e676ff13d7..be2449f890 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/templates/service.yaml 
@@ -1,21 +1,21 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} 
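Review bot: Every line of this file, from `{{/*` through `{{ include "common.service" . }}`, is removed and re-added with the same visible text, which points to a line-ending or trailing-whitespace normalisation rather than a content change. Say so in the commit message or move it to a separate commit, so this file is not read as a functional edit during review or later blame.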
diff --git a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml index 668d911f7e..ad195564b2 100644 --- a/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-http-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023, 2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +22,12 @@ ################################################################# global: persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig 
@@ -33,54 +39,16 @@ secrets: login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-ac-http-ppnt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-http-ppnt:6.3.1 +image: onap/policy-clamp-ac-http-ppnt:8.2.0 pullPolicy: Always +componentName: &componentName policy-clamp-ac-http-ppnt + # application configuration restServer: user: participantUser 
@@ -98,9 +66,14 @@ affinity: {} ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container 
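Review bot: The new `serviceMesh.authorizationPolicy.authorizedPrincipals` list names only `serviceAccount: strimzi-kafka-read`, yet the participant configured in this change is a Kafka client that opens the connection to the brokers, and nothing visible here has Kafka calling the participant. Add a comment stating which inbound traffic this principal is meant to cover, and if the REST endpoint is called by another workload, list that workload's service account instead so the policy grants only what is used.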
@@ -108,65 +81,68 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-ac-http-ppnt - useNodePortExt: true + name: *componentName ports: - name: http-api port: 8084 - nodePort: 42 - flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: - nameOverride: policy-clamp-ac-http-ppnt + nameOverride: *componentName roles: - read config: -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic + type: topic + operations: [Read, Write] 
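Review bot: The `kafkaUser.acls` entries at the end of this hunk take their names from the YAML aliases `*acRuntimeOperationTopic` and `*acRuntimeSyncTopic`, which are fixed when this values file is parsed, while the participant configuration reads the topic names from `.Values.global.kafkaTopics` at render time. An override of `global.kafkaTopics` from a parent chart or `--set` therefore changes the topics the client uses but not the ACLs it is granted, and the two can drift apart. Render the ACL names from the same `.Values.global.kafkaTopics` path, or document next to `kafkaUser` that both must be overridden together; the same holds for `*componentName` in the group ACL.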
diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml index 13507f9e37..19d9fd25c1 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/Chart.yaml @@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# Copyright (C) 2021, 2025 OpenInfra Europe. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2021-2022, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +22,15 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop K8s Participant name: policy-clamp-ac-k8s-ppnt -version: 12.0.0 +version: 16.0.2 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml index bbe905b282..4616d6643a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/resources/config/KubernetesParticipantParameters.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. All rights reserved. +# Copyright (C) 2021-2022,2024 Nordix Foundation. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,18 +26,6 @@ spring: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} -{{- if .Values.config.useStrimziKafka }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} security: enable-csrf: false 
@@ -46,56 +34,56 @@ participant: localChartDirectory: /home/policy/local-charts infoFileName: CHART_INFO.json intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description - participantId: - name: K8sParticipant0 - version: 1.0.0 - participantType: - name: org.onap.policy.clamp.acm.KubernetesParticipant - version: 2.3.4 + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c02 clampAutomationCompositionTopics: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false fetchTimeout: 15000 - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} - -# If Strimzi Kafka to be used for communication, replace clampAutomationCompositionTopics configuration with below -# clampAutomationCompositionTopics: -# topicSources: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# fetchTimeout: 15000 -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} -# topicSinks: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.K8SMicroserviceAutomationCompositionElement + typeVersion: 1.0.0 management: endpoints: 
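Review bot: `group.id` in the first `topicSources` entry and `client.id` in the `topicSinks` entry are both read from `(first .Values.kafkaUser.acls).name`, so they are right only while the group ACL stays the first element of that list. Reordering or prepending an ACL in values would silently put a different name into the consumer group id. Select the entry by its `type: group` field or introduce a dedicated value for the group id. The second `topicSources` entry (sync topic) sets no `group.id` at all; a comment saying whether that is intended would help.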
@@ -110,7 +98,7 @@ server: servlet: context-path: /onap/policy/clamp/acm/k8sparticipant ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false logging: diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml index 54c595cc8f..b17f167286 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/configmap.yaml 
@@ -23,15 +23,10 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: -{{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} {{- if .Values.repoList }} {{ tpl (.Files.Glob "resources/config/KubernetesParticipantParameters.yaml").AsConfig . | indent 2 }} {{ toYaml .Values.repoList | indent 4 }} +{{- end }} {{ tpl (.Files.Glob "resources/config/*.{json,xml,sh}").AsConfig . | indent 2 }} -{{- end }} \ No newline at end of file diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml index e8650fe350..a97ab22577 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh 
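Review bot: In the `data:` hunk of `templates/configmap.yaml` above, deleting the unconditional `*.{xml,yaml}` glob while moving `{{- end }}` up leaves `KubernetesParticipantParameters.yaml` rendered only inside `{{- if .Values.repoList }}`. With an empty `repoList` the ConfigMap carries no participant parameters file, although the deployment still starts the container with `/opt/app/policy/clamp/etc/mounted/KubernetesParticipantParameters.yaml` as its argument. Render the parameters file unconditionally and keep only the `{{ toYaml .Values.repoList | indent 4 }}` line under the `if`.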
@@ -38,10 +40,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-k8s-ppnt-config 
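Review bot: Dropping the `{{- if .Values.config.useStrimziKafka }}` guard makes the `SASL_JAAS_CONFIG` secret reference unconditional, and the old lookup through `common.secret.envFromSecretFast` with uid `policy-kafka-user` is replaced by a single hard-wired secret name. A deployment that supplies Kafka credentials from its own secret has no value left to point this at, and a missing secret now blocks the init container from starting. Either document that the chart-managed Kafka user is the only supported mode, or take the secret name from a value that defaults to `{{ include "common.name" . }}-ku`.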
@@ -49,25 +52,15 @@ spec: name: ac-k8s-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/kubernetes-participant.sh /opt/app/policy/clamp/etc/mounted/KubernetesParticipantParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/kubernetes-participant.sh"] args: ["/opt/app/policy/clamp/etc/mounted/KubernetesParticipantParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container 
@@ -84,14 +77,17 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-k8s-ppnt-config-processed - resources: -{{ include "common.resources" . }} + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-k8s-ppnt-config-processed + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -102,10 +98,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-k8s-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -113,5 +105,11 @@ spec: - name: ac-k8s-ppnt-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml index 2439223192..b32deab311 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/templates/service.yaml @@ -23,11 +23,7 @@ kind: ClusterRoleBinding metadata: name: {{ include "common.namespace" . }}-policy-clamp-ac-k8s-ppnt-binding namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -36,4 +32,3 @@ subjects: - kind: ServiceAccount name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} namespace: {{ include "common.namespace" . }} - diff --git a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml index 3d2eeeec9d..5a05954e30 100644 --- a/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml 
+++ b/kubernetes/policy/components/policy-clamp-ac-k8s-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +23,12 @@ global: nodePortPrefixExt: 304 persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig 
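Review bot: the `&acRuntimeOperationTopic` and `&acRuntimeSyncTopic` anchors added under `global.kafkaTopics` in this values.yaml are resolved when the file is parsed, so the `kafkaUser.acls` entries that alias them further down keep the default topic names when an umbrella chart or `--set` overrides `global.kafkaTopics.*.name`. A template that reads the topic from `.Values.global.kafkaTopics` (as the kserve and pf participant configs in this change do) would then point the client at a topic its KafkaUser has no ACL for. Consider deriving the ACL names from `.Values.global.kafkaTopics` in the template instead of aliasing, or add a comment here that both must be overridden together.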
@@ -34,54 +40,16 @@ secrets: login: '{{ .Values.restServer.user }}' password: '{{ .Values.restServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-ac-k8s-ppnt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-k8s-ppnt:6.3.1 +image: onap/policy-clamp-ac-k8s-ppnt:8.2.0 pullPolicy: Always +componentName: &componentName policy-clamp-ac-k8s-ppnt + # flag to enable debugging - application support required debugEnabled: false 
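Review bot: with `keystore-password`, `truststore-password` and `policy-kafka-user` dropped from `secrets:` in this hunk, please confirm that no template in this chart still looks those uids up, since such a lookup would no longer resolve. The removed `certStores` and `certInitializer` defaults (`Pol1cy_0nap`, `demo123456!`) stay readable in the repository history, so they should be treated as known values wherever they were reused. Separately, `image: onap/policy-clamp-ac-k8s-ppnt:8.2.0` with `pullPolicy: Always` follows a mutable tag; pinning by digest would make the deployed artifact reproducible.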
@@ -98,7 +66,7 @@ nodeSelector: {} affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container @@ -106,43 +74,56 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-ac-k8s-ppnt - useNodePortExt: true + name: *componentName ports: - name: http-api port: 8083 - nodePort: 42 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: - nameOverride: policy-clamp-ac-k8s-ppnt + nameOverride: *componentName roles: - create # Update the config here for permitting repositories and protocols 
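Review bot: in the `serviceMesh.authorizationPolicy` block added in the second hunk of this values.yaml, `authorizedPrincipals` lists only `strimzi-kafka-read`, while the service still exposes the REST port `http-api` (8083). Please state which workloads are expected to call `http-api` and list their service accounts, or explain why a Kafka-side account is the only principal; as written the allow-list does not obviously match the service's callers.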
@@ -161,26 +142,22 @@ repoList: - https config: -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml new file mode 100644 index 0000000000..741d685405 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/Chart.yaml 
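Review bot: the `kafkaUser.acls` entry for `*acRuntimeSyncTopic` in the k8s-ppnt values.yaml grants `operations: [Read, Write]`, but in the kserve and pf participant configurations in this change the sync topic appears only under `topicSources`, never under `topicSinks`. If this participant also only consumes that topic, `[Read]` is sufficient and keeps a compromised participant from publishing sync messages to its peers.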
@@ -0,0 +1,34 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2023-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy Clamp Kserve Participant +name: policy-clamp-ac-kserve-ppnt +version: 16.0.2 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml new file mode 100755 index 0000000000..55aa8eb641 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/KserveParticipantParameters.yaml 
@@ -0,0 +1,113 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +spring: + cloud: + kubernetes: + enabled: false + discovery: + enabled: false + security: + user: + name: ${RESTSERVER_USER} + password: ${RESTSERVER_PASSWORD} + autoconfigure: + exclude: + - org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration + - org.springframework.boot.autoconfigure.jdbc.DataSourceTransactionManagerAutoConfiguration + - org.springframework.boot.autoconfigure.data.web.SpringDataWebAutoConfiguration + - io.kubernetes.client.spring.extended.manifests.config.KubernetesManifestsAutoConfiguration + - io.kubernetes.client.spring.extended.network.config.KubernetesLoadBalancerAutoConfiguration + +security: + enable-csrf: false + +participant: + intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + reportingTimeIntervalMs: 120000 + description: Participant Description + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c04 
+ clampAutomationCompositionTopics: + topicSources: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + topicSinks: + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.KserveAutomationCompositionElement + typeVersion: 1.0.1 + - + typeName: org.onap.policy.clamp.acm.AutomationCompositionElement + typeVersion: 1.0.0 + +customresourcedefinition: + group: serving.kserve.io + version: v1beta1 + plural: inferenceservices + grace-period: 10 + +management: + endpoints: + web: + base-path: / + exposure: + include: health, metrics, prometheus +server: + port: 8087 + servlet: + context-path: /onap/policy/clamp/acm/kserveparticipant + ssl: + enabled: false 
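Review bot: `security.protocol: SASL_PLAINTEXT` is hard-coded in all three topic entries of KserveParticipantParameters.yaml, so SCRAM authenticates the client but the Kafka traffic itself is unencrypted unless something outside this chart protects it. Please make the protocol a value (defaulting to the current one if needed) or document what provides transport protection. Two smaller points in the same file: `participantId` is a fixed UUID while `replicaCount` is configurable, so scaled replicas would register under one id, and `server.ssl.enabled: false` combined with basic auth (`${RESTSERVER_USER}` / `${RESTSERVER_PASSWORD}`) leaves those credentials unprotected by the application on port 8087.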
diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/logback.xml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/logback.xml new file mode 100755 index 0000000000..897d62a487 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/resources/config/logback.xml @@ -0,0 +1,103 @@ + + + + + + /var/log/onap/policy/kserve-participant/error.log + + /var/log/onap/policy/kserve-participant/error.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + WARN + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/kserve-participant/debug.log + + /var/log/onap/policy/kserve-participant/debug.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + /var/log/onap/policy/kserve-participant/network.log + + /var/log/onap/policy/kserve-participant/network.%d{yyyy-MM-dd}.%i.log.zip + + 50MB + 30 + 10GB + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%t]%m%n + + + + + + + + + + [%d{yyyy-MM-dd'T'HH:mm:ss.SSS+00:00, UTC}|%level|%logger{0}|%thread] %msg%n + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/authorizationpolicy.yaml 
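Review bot: the rolling values in the kserve logback.xml (`50MB`, `30`, `10GB` for each of the three file appenders under `/var/log/onap/policy/kserve-participant/`) allow far more data than the `logs` emptyDir that backs `/var/log/onap`, whose `sizeLimit` comes from `dirSizes.logDir.sizeLimit: 500Mi` in this chart's values.yaml. Once the volume passes its limit the kubelet evicts the pod, so a noisy debug log takes the participant down long before logback prunes anything. Size the caps so the three appenders together stay under the volume limit, or derive both from the same value.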
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml new file mode 100755 index 0000000000..ae4d6ec973 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/configmap.yaml 
@@ -0,0 +1,28 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml new file mode 100755 index 0000000000..3d1f4f8ca3 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/deployment.yaml 
@@ -0,0 +1,115 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . 
}}-ku + key: sasl.jaas.config + volumeMounts: + - mountPath: /config-input + name: ac-kserve-ppnt-config + - mountPath: /config + name: ac-kserve-ppnt-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + name: {{ include "common.name" . }}-update-config + containers: + - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/opt/app/policy/clamp/bin/kserve-participant.sh"] + args: ["/opt/app/policy/clamp/etc/mounted/KserveParticipantParameters.yaml"] + ports: {{ include "common.containerPorts" . | nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - mountPath: /opt/app/policy/clamp/etc/mounted + name: ac-kserve-ppnt-config-processed + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-kserve-ppnt-config-processed + resources: {{ include "common.resources" . 
| nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} + volumes: + - name: ac-kserve-ppnt-config + configMap: + name: {{ include "common.fullname" . }}-configmap + defaultMode: 0755 + - name: ac-kserve-ppnt-config-processed + emptyDir: + medium: Memory + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml new file mode 100755 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/secrets.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/secrets.yaml new file mode 100755 index 0000000000..339fe339c5 --- /dev/null 
+++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml new file mode 100644 index 0000000000..4092d0ad5c --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/templates/service.yaml 
@@ -0,0 +1,34 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "common.namespace" . }}-policy-clamp-ac-kserve-ppnt-binding + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: {{ include "common.fullname" (dict "suffix" "create" "dot" . )}} + namespace: {{ include "common.namespace" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml new file mode 100644 index 0000000000..62f833a7ab --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-kserve-ppnt/values.yaml 
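Review bot: the `roleRef` of the new ClusterRoleBinding in the kserve participant's templates/service.yaml is `cluster-admin`, which gives the participant's service account full control of every resource in the cluster. The participant config added in this change names a single custom resource (`group: serving.kserve.io`, `plural: inferenceservices`), so a dedicated ClusterRole, or namespaced Roles, limited to that API group and the verbs the participant actually uses would be the least-privilege fit. Also, `metadata.namespace` has no effect on a cluster-scoped ClusterRoleBinding, and keeping an RBAC grant in a file named service.yaml hides it from anyone auditing by file name.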
@@ -0,0 +1,147 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2023, 2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} + #Strimzi Kafka properties + kafkaTopics: + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: restserver-secret + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/policy-clamp-ac-kserve-ppnt:8.2.0 +pullPolicy: Always + +componentName: &componentName policy-clamp-ac-kserve-ppnt + +# application configuration +restServer: + user: participantUser + password: zb!XztG34 + +# flag to enable debugging - application support required +debugEnabled: false + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} +ingress: + enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + +# probe configuration parameters +liveness: + initialDelaySeconds: 60 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + port: kserve-api + +readiness: + initialDelaySeconds: 60 + periodSeconds: 10 + port: kserve-api + +service: + type: ClusterIP + name: *componentName + ports: + - name: kserve-api + port: 8087 + +flavor: small +resources: + small: + limits: + cpu: "1" + memory: "700Mi" + requests: + cpu: "0.5" + memory: "700Mi" + large: + limits: + cpu: "2" + memory: "1.4Gi" + requests: + cpu: "1" + memory: "1.4Gi" + unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + +#Pods Service Account +serviceAccount: + nameOverride: *componentName + roles: + - create + +config: +# Any new property can be added in the env by setting in overrides in the format mentioned below +# All the added properties must be in "key: value" format instead of yaml. 
+# additional: +# spring.config.max-size: 200 +# spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic + type: topic + operations: [Read, Write] diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml index 59e1ab78f5..e52d03f67a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/Chart.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2022, 2024-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,18 +20,15 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Policy Participant name: policy-clamp-ac-pf-ppnt -version: 12.0.0 +version: 16.0.2 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 - repository: '@local' \ No newline at end of file + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml index f24e0ff8c6..1e7edea091 100644 
--- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/resources/config/PolicyParticipantParameters.yaml @@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2024 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -26,18 +26,6 @@ spring: user: name: ${RESTSERVER_USER} password: ${RESTSERVER_PASSWORD} - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} -{{- if .Values.config.useStrimziKafka }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} security: enable-csrf: false @@ -51,7 +39,7 @@ participant: port: 6969 userName: ${API_USER} password: ${API_PASSWORD} - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + useHttps: "false" allowSelfSignedCerts: true policyPapParameters: clientName: pap 
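Review bot: in the last hunk above, `useHttps` changes from the `common.needTLS` lookup to a literal `"false"` while the same block still sends `userName: ${API_USER}` and `password: ${API_PASSWORD}` to port 6969, so this client now always presents those credentials over plain HTTP. If transport security is delegated to another layer, say so in a comment next to the setting. `allowSelfSignedCerts: true` on the following line no longer does anything with HTTPS off and would accept self-signed certificates again if HTTPS is re-enabled later; consider removing it or defaulting it to false.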
@@ -59,59 +47,59 @@ participant: port: 6969 userName: ${PAP_USER} password: ${PAP_PASSWORD} - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + useHttps: "false" allowSelfSignedCerts: true intermediaryParameters: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} reportingTimeIntervalMs: 120000 description: Participant Description - participantId: - name: org.onap.PM_Policy - version: 1.0.0 - participantType: - name: org.onap.policy.clamp.acm.PolicyParticipant - version: 2.3.1 + participantId: 101c62b3-8918-41b9-a747-d21eb79c6c03 clampAutomationCompositionTopics: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false fetchTimeout: 15000 - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} - -# If Strimzi Kafka to be used for communication, replace clampAutomationCompositionTopics configuration with below -# clampAutomationCompositionTopics: -# topicSources: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# fetchTimeout: 15000 -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} -# topicSinks: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + participantSupportedElementTypes: + - + typeName: org.onap.policy.clamp.acm.PolicyAutomationCompositionElement + typeVersion: 1.0.0 management: endpoints: 
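Review bot: every source and sink added in this hunk sets `security.protocol: SASL_PLAINTEXT` as a literal, so SCRAM protects the credential exchange but the topic payloads travel unencrypted, and there is no value a deployer can override to select SASL_SSL. Consider reading the protocol from values, the way `sasl.mechanism` is read from `.Values.kafkaUser.authenticationType`. Also, the second topicSources entry (the sync topic) has no `group.id` while the first one does, and the topicSinks entry carries `fetchTimeout`, which reads like a consumer setting; if both are intentional, a one-line comment in the template would save the next reader the question.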
@@ -124,5 +112,4 @@ server: servlet: context-path: /onap/policyparticipant ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - + enabled: false diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/configmap.yaml index 09cc8cd48f..ff1bc31c3a 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/configmap.yaml 
@@ -23,10 +23,6 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} data: {{ tpl (.Files.Glob "resources/config/*.{xml,yaml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml index a127885cce..c29dca9c7d 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2023 Nordix Foundation. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,6 +28,7 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh 
@@ -46,10 +48,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} -{{- end }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - mountPath: /config-input name: ac-pf-ppnt-config 
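Review bot: the `SASL_JAAS_CONFIG` entry is no longer wrapped in a condition, and its `secretKeyRef` points at `{{ include "common.name" . }}-ku`, a name assembled here by string convention rather than taken from whatever `common.kafkauser` creates. If that Secret is missing or named differently (the ConfigMap in this chart, for comparison, is named from `common.fullname`), the init container cannot start. Please derive the name from the same helper that names the KafkaUser, or document the `-ku` convention next to this reference.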
@@ -57,25 +60,15 @@ spec: name: ac-pf-ppnt-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/policy-participant.sh /opt/app/policy/clamp/etc/mounted/PolicyParticipantParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/policy-participant.sh"] args: ["/opt/app/policy/clamp/etc/mounted/PolicyParticipantParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container 
@@ -92,14 +85,17 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/app/policy/clamp/etc/mounted name: ac-pf-ppnt-config-processed - resources: -{{ include "common.resources" . }} + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-pf-ppnt-config-processed + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -110,10 +106,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: ac-pf-ppnt-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -121,5 +113,11 @@ spec: - name: ac-pf-ppnt-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml index e676ff13d7..be2449f890 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/templates/service.yaml 
@@ -1,21 +1,21 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. All rights reserved. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -{{ include "common.service" . }} +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} 
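Review bot: this hunk deletes and re-adds all 21 lines of service.yaml with no visible textual difference, which points to a line-ending or whitespace-only rewrite. Please say so in the commit message, or split it into its own change, so that reviewers do not have to compare the license header by eye to confirm nothing else moved.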
diff --git a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml index cf20bd1d56..3690eda31b 100644 --- a/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml +++ b/kubernetes/policy/components/policy-clamp-ac-pf-ppnt/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +22,12 @@ ################################################################# global: persistence: {} - aafEnabled: true + #Strimzi Kafka properties + kafkaTopics: + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig 
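Review bot: in the @@ -21,7 +22,12 @@ hunk the topic names are defined under `global.kafkaTopics` with YAML anchors (`&acRuntimeOperationTopic`, `&acRuntimeSyncTopic`) that the `kafkaUser.acls` block later in this file dereferences. Aliases are resolved when this file is parsed, so overriding `global.kafkaTopics.acRuntimeOperationTopic.name` from a parent chart or with `--set` changes the topic in the rendered config but leaves the ACL on `policy-acruntime-participant`. Please note that next to the anchors, or have the ACL names come from the same `.Values.global.kafkaTopics` path if `common.kafkauser` allows it.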
@@ -45,54 +51,16 @@ secrets: login: '{{ .Values.restServer.pap.user }}' password: '{{ .Values.restServer.pap.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-ac-pf-ppnt-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-clamp-ac-pf-ppnt:6.3.1 +image: onap/policy-clamp-ac-pf-ppnt:8.2.0 pullPolicy: Always +componentName: &componentName policy-clamp-ac-pf-ppnt + # flag to enable debugging - application support required debugEnabled: false 
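Review bot: the blocks removed here carried literal credentials as chart defaults (`keyStorePassword: Pol1cy_0nap`, `trustStorePassword: Pol1cy_0nap`, `aafDeployPass: demo123456!`). Deleting them is right, but they remain in the repository history and in any release that was installed with the defaults, so the change description should tell operators to treat those values as known and rotate anything that still uses them. Separately, the image moves from 6.3.1 to 8.2.0 in the same hunk; a sentence on whether an in-place upgrade across that jump is supported would help.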
@@ -114,12 +82,18 @@ restServer: nodeSelector: {} affinity: {} + ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container 
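Review bot: `serviceMesh.authorizationPolicy.authorizedPrincipals` lists only `strimzi-kafka-read`. The participant is a Kafka client and serves `http-api` on 8085, so it is not obvious why a Kafka-side service account needs to call it, nor which principal is meant to reach the REST endpoint. Please add a comment explaining the entry, and list the actual callers if there are any.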
@@ -127,63 +101,69 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-ac-pf-ppnt - useNodePortExt: true + name: *componentName + internalPort: 8085 ports: - name: http-api port: 8085 - nodePort: 42 flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} + +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: - nameOverride: policy-clamp-ac-pf-ppnt + nameOverride: *componentName roles: - read config: -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic + type: topic + operations: [Read, Write] 
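Review bot: the templates in this change read `(first .Values.kafkaUser.acls).name` for `group.id` and `client.id`, so the `type: group` entry must stay first in `kafkaUser.acls`, and nothing in this hunk says so. Reordering the list, or prepending a topic ACL in an override, would make the consumer use a topic name as its group while the group ACL still names `*componentName`. Add a comment above `acls`, or expose the group name as its own value. The ACLs also grant Write on `*acRuntimeSyncTopic`, although PolicyParticipantParameters.yaml lists that topic only under topicSources; Read looks sufficient there.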
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml index 12578aba5c..8d0b9e403a 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/Chart.yaml @@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. All rights reserved. +# Copyright (C) 2021, 2025 OpenInfra Europe. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021-2022 Nordix Foundation +# Modifications Copyright © 2021-2024 Nordix Foundation +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +22,18 @@ apiVersion: v2 description: ONAP Policy Clamp Controlloop Runtime name: policy-clamp-runtime-acm -version: 12.0.0 +version: 16.0.3 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml index 3d192f4b6a..b9dfe4c6d3 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/resources/config/acRuntimeParameters.yaml 
@@ -1,5 +1,5 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2025 OpenInfra Foundation Europe. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,12 +21,12 @@ spring: user: name: ${RUNTIME_USER} password: ${RUNTIME_PASSWORD} - http: + mvc: converters: preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/clampacm - driverClassName: org.mariadb.jdbc.Driver + url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/clampacm + driverClassName: org.postgresql.Driver username: ${SQL_USER} password: ${SQL_PASSWORD} hikari: @@ -42,20 +42,12 @@ spring: implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy properties: hibernate: - dialect: org.hibernate.dialect.MariaDB103Dialect + dialect: org.hibernate.dialect.PostgreSQLDialect format_sql: true - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} -{{- if .Values.config.useStrimziKafka }} - bootstrap-servers: {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} + +metrics: + security: + disabled: false security: enable-csrf: false 
@@ -67,59 +59,63 @@ server: error: path: /error ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - + enabled: false runtime: + topics: + operationTopic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + syncTopic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} participantParameters: heartBeatMs: 120000 maxMessageAgeMs: 600000 - maxStatusWaitMs: 100000 + maxStatusWaitMs: {{ .Values.customTimeout.maxStatusWaitMs }} + maxOperationWaitMs: {{ .Values.customTimeout.maxOperationWaitMs }} updateParameters: maxRetryCount: 3 maxWaitMs: 100000 topicParameterGroup: topicSources: - - topic: POLICY-ACRUNTIME-PARTICIPANT - servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + useHttps: false fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + group.id: {{ (first .Values.kafkaUser.acls).name }} + allow.auto.create.topics: false + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} topicSinks: - - topic: POLICY-ACRUNTIME-PARTICIPANT + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeOperationTopic.name }} + topicCommInfrastructure: kafka servers: - - ${topicServer:message-router} - topicCommInfrastructure: dmaap - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} - -# If Strimzi Kafka to be used for communication, replace clampAutomationCompositionTopics configuration with below -# topicParameterGroup: -# topicSources: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . 
}}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# useHttps: true -# fetchTimeout: 15000 -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} -# topicSinks: -# - -# topic: policy-acruntime-participant -# servers: -# - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 -# topicCommInfrastructure: kafka -# useHttps: true -# additionalProps: -# security.protocol: SASL_PLAINTEXT -# sasl.mechanism: SCRAM-SHA-512 -# sasl.jaas.config: ${JAASLOGIN} + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + - + useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.global.kafkaTopics.acRuntimeSyncTopic.name }} + topicCommInfrastructure: kafka + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + additionalProps: + client.id: {{ (first .Values.kafkaUser.acls).name }}-client-id + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${SASL_JAAS_CONFIG} + acmParameters: + toscaElementName: {{ .Values.customNaming.toscaElementName }} + toscaCompositionName: {{ .Values.customNaming.toscaCompositionName }} management: endpoints: diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml index 66c096d439..397ae817dd 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/configmap.yaml @@ -23,11 +23,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml index 361045af94..79120a3f33 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/deployment.yaml 
@@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,21 +28,9 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-policy-galera-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: 
@@ -53,12 +42,15 @@ spec: - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - name: RUNTIME_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "login") | indent 10 }} - name: RUNTIME_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "runtime-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} - - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} +{{- if .Values.global.useStrimziKafka }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config {{- end }} volumeMounts: - mountPath: /config-input 
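Review bot: here `SASL_JAAS_CONFIG` is injected only when `.Values.global.useStrimziKafka` is set, but acRuntimeParameters.yaml references `${SASL_JAAS_CONFIG}` in every source and sink unconditionally, kafkauser.yaml in this chart is rendered unconditionally, and the policy-clamp-ac-pf-ppnt deployment injects the same variable with no guard. With the flag off, the envsubst step has no value for the variable. Either drop the guard to match the participant chart, or guard the Kafka blocks in the config template as well.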
@@ -67,25 +59,15 @@ spec: name: ac-runtime-config-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/clamp/bin/acm-runtime.sh /opt/app/policy/clamp/etc/mounted/acRuntimeParameters.yaml"] -{{- else }} command: ["/opt/app/policy/clamp/bin/acm-runtime.sh"] args: ["/opt/app/policy/clamp/etc/mounted/acRuntimeParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container 
@@ -102,28 +84,39 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/policy/clamp/etc/mounted - name: ac-runtime-config-processed - resources: -{{ include "common.resources" . }} + - mountPath: /etc/localtime + name: localtime + readOnly: true + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/clamp/etc/logback.xml + subPath: logback.xml + name: ac-runtime-config-processed + - mountPath: /opt/app/policy/clamp/etc/mounted + name: ac-runtime-config-processed + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - name: localtime hostPath: - path: /etc/localtime + path: /etc/localtime + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: ac-runtime-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -131,5 +124,5 @@ spec: - name: ac-runtime-config-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + sizeLimit: 64Mi + {{- include "common.imagePullSecrets" . | nindent 6 }} 
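Review bot: in the @@ -102,28 +84,39 @@ hunk the `localtime` volume is kept as a `hostPath` to /etc/localtime (only re-indented), whereas the same change removes that volume and its mount from the policy-clamp-ac-pf-ppnt deployment. This pod now gets `common.podSecurityContext` and size-limited emptyDirs, which leaves the hostPath mount as the one remaining host dependency, and clusters that restrict hostPath volumes will reject the pod. Remove the volume and its mount here as well unless runtime-acm needs it. The `nodeSelector` and `affinity` indentation also changes from 10 to 8 in this hunk, which is worth a rendered-template check with both values set.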
diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkatopic.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkatopic.yaml new file mode 100644 index 0000000000..5601154ddd --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkatopic.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if .Values.global.useStrimziKafka }} +{{ include "common.kafkatopic" . }} +{{ end }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml index 7c7d07979b..95b186f640 100644 --- a/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml +++ b/kubernetes/policy/components/policy-clamp-runtime-acm/values.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. +# Copyright (C) 2021-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,7 +23,18 @@ global: nodePortPrefixExt: 304 persistence: {} - aafEnabled: true + postgres: + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 + #Strimzi Kafka properties + kafkaTopics: + acRuntimeOperationTopic: + name: &acRuntimeOperationTopic policy-acruntime-participant + acRuntimeSyncTopic: + name: &acRuntimeSyncTopic acm-ppnt-sync ################################################################# # Secrets metaconfig 
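Review bot: under global.postgres.service, the keys 'name', 'name2' and 'name3' have no comment saying which endpoint each one selects. The values (policy-postgres, policy-pg-primary, policy-pg-replica) hint at it, but a template that reads name2 is not self-explanatory. Please add a one-line comment per key, or use descriptive key names.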
@@ -34,60 +46,22 @@ secrets: login: '{{ .Values.db.user }}' password: '{{ .Values.db.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - uid: runtime-secret type: basicAuth externalSecret: '{{ tpl (default "" .Values.config.appUserExternalSecret) . }}' login: '{{ .Values.config.policyAppUserName }}' password: '{{ .Values.config.policyAppUserPassword }}' passwordPolicy: required - - uid: policy-kafka-user - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-clamp-runtime-acm-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. 
################################################################# # application image -image: onap/policy-clamp-runtime-acm:6.3.1 +image: onap/policy-clamp-runtime-acm:8.2.0 pullPolicy: Always +componentName: &componentName policy-clamp-runtime-acm + # flag to enable debugging - application support required debugEnabled: false @@ -95,37 +69,33 @@ debugEnabled: false config: policyAppUserName: runtimeUser policyAppUserPassword: none - -# Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap - kafka: - consumer: - groupId: policy-group - app: - listener: - acRuntimeTopic: policy.policy-acruntime-participant -# If targeting a custom kafka cluster, ie useStrimziKakfa: false -# uncomment below config and target your kafka bootstrap servers, -# along with any other security config. -# -# eventConsumption: -# spring.kafka.bootstrap-servers: :9092 -# spring.kafka.security.protocol: PLAINTEXT -# spring.kafka.consumer.group-id: policy-group -# # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. # additional: # spring.config.max-size: 200 # spring.config.min-size: 10 +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: *componentName + type: group + operations: [Read] + - name: *acRuntimeOperationTopic + type: topic + operations: [Read, Write] + - name: *acRuntimeSyncTopic + type: topic + operations: [Read, Write] + +kafkaTopic: + - name: *acRuntimeOperationTopic + - name: *acRuntimeSyncTopic + db: - user: policy_user + user: policy-user password: policy_user - service: - name: policy-mariadb - internalPort: 3306 # default number of instances replicaCount: 1 
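Review bot: kafkaUser.acls and kafkaTopic take their names from YAML aliases (*componentName, *acRuntimeOperationTopic, *acRuntimeSyncTopic), and aliases are resolved when this values.yaml is parsed. An override of global.kafkaTopics.acRuntimeOperationTopic.name from a parent chart or from --set will therefore not reach the ACLs or the topic list, and the user would end up authorized for the default topic name only. Either document that next to the anchors or look the names up from .Values in the template.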
@@ -136,7 +106,7 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 20 + initialDelaySeconds: 120 periodSeconds: 10 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container @@ -144,42 +114,68 @@ liveness: port: http-api readiness: - initialDelaySeconds: 20 + initialDelaySeconds: 60 periodSeconds: 10 port: http-api service: type: ClusterIP - name: policy-clamp-runtime-acm - useNodePortExt: true + name: *componentName ports: - name: http-api port: 6969 - nodePort: 42 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: - nameOverride: policy-clamp-runtime-acm + nameOverride: *componentName roles: - read + +readinessCheck: + wait_for: + services: + - policy-api + +customNaming: + toscaElementName: org.onap.policy.clamp.acm.AutomationCompositionElement + toscaCompositionName: org.onap.policy.clamp.acm.AutomationComposition + +customTimeout: + maxStatusWaitMs: 100000 + maxOperationWaitMs: 100000 diff --git a/kubernetes/policy/components/policy-distribution/Chart.yaml b/kubernetes/policy/components/policy-distribution/Chart.yaml old mode 100755 new mode 100644 index 778bfb60c8..a4bd7800c3 --- a/kubernetes/policy/components/policy-distribution/Chart.yaml +++ b/kubernetes/policy/components/policy-distribution/Chart.yaml 
@@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +22,15 @@ apiVersion: v2 description: ONAP Policy Distribution name: policy-distribution -version: 12.0.0 +version: 16.0.2 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-distribution/resources/config/config.json b/kubernetes/policy/components/policy-distribution/resources/config/config.json index 1aa9044eab..8def9aebd8 100755 --- a/kubernetes/policy/components/policy-distribution/resources/config/config.json +++ b/kubernetes/policy/components/policy-distribution/resources/config/config.json @@ -3,6 +3,7 @@ # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2021 Bell Canada. All rights reserved. +# Modifications Copyright (C) 2023 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -26,7 +27,7 @@ "port":6969, "userName":"${RESTSERVER_USER}", "password":"${RESTSERVER_PASSWORD}", - "https": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "https": "false", "prometheus": true }, "receptionHandlerParameters":{ @@ -56,27 +57,25 @@ "sdcConfiguration":{ "parameterClassName":"org.onap.policy.distribution.reception.handling.sdc.SdcReceptionHandlerConfigurationParameterGroup", "parameters":{ - "asdcAddress": "sdc-be.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }}", - "messageBusAddress": [ - "message-router.{{ include "common.namespace" . }}" - ], + "environmentName": "AUTO", + "isUseHttpsWithSdc": false, + "keyStorePath": "null", + "keyStorePassword": "null", + "activeserverTlsAuth": false, + "sdcAddress": "sdc-be.{{ include "common.namespace" . }}:8080", "user": "${SDCBE_USER}", "password": "${SDCBE_PASSWORD}", + {{ with (first .Values.kafkaUser.acls) }} + "consumerId": "{{ .name }}-id", + "consumerGroup": "{{ .name }}", + {{ end }} "pollingInterval":20, "pollingTimeout":30, - "consumerId": "policy-id", "artifactTypes": [ "TOSCA_CSAR", "HEAT" ], - "consumerGroup": "policy-group", - "environmentName": "AUTO", - "keyStorePath": "null", - "keyStorePassword": "null", - "activeserverTlsAuth": false, - "isFilterinEmptyResources": true, - "isUseHttpsWithDmaap": {{ (eq "true" (include "common.needTLS" .)) | ternary true false }}, - "isUseHttpsWithSDC": {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + "isFilterinEmptyResources": true } } }, @@ -99,7 +98,7 @@ "port": 6969, "userName": "${API_USER}", "password": "${API_PASSWORD}", - "useHttps": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + "useHttps": "false" }, "papParameters": { "clientName": "policy-pap", 
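Review bot: in apiParameters, '"useHttps": "false"' is now a quoted JSON string, whereas the removed ternary expression rendered a bare true or false, and the sdcConfiguration block in this same file uses the bare boolean ('"isUseHttpsWithSdc": false'). Unless the consumer is known to accept a string here, write it as a bare false. Hard-coding the value also means ${API_USER} and ${API_PASSWORD} always travel over plain HTTP at the application layer, so the chart documentation should state what provides transport encryption now.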
@@ -107,7 +106,7 @@ "port": 6969, "userName": "${PAP_USER}", "password": "${PAP_PASSWORD}", - "useHttps": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} + "useHttps": "false" }, "deployPolicies": true } diff --git a/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-distribution/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-distribution/templates/configmap.yaml b/kubernetes/policy/components/policy-distribution/templates/configmap.yaml index 5e2caa989f..050697925a 100755 --- a/kubernetes/policy/components/policy-distribution/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/configmap.yaml 
@@ -25,11 +25,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} diff --git a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml index 4745aac23b..fe08271288 100755 --- a/kubernetes/policy/components/policy-distribution/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -20,25 +21,14 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: - sh 
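Review bot: at spec.selector, the explicit 'matchLabels: app: ...' is replaced by the common.selectors helper, and a Deployment's selector is immutable. If the helper renders anything other than the single app label, an in-place helm upgrade from the previous chart version will be rejected by the API server. Please confirm the rendered selector is unchanged, or state in the release notes that the Deployment has to be deleted and recreated.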
@@ -69,27 +59,22 @@ spec: name: distributionconfig image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/distribution/bin/policy-dist.sh /opt/app/policy/distribution/etc/mounted/config.json"] -{{- else }} + env: + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config command: ["/opt/app/policy/distribution/bin/policy-dist.sh"] args: ["/opt/app/policy/distribution/etc/mounted/config.json"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} 
@@ -105,14 +90,17 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/distribution/etc/logback.xml + subPath: logback.xml + name: distributionconfig - mountPath: /opt/app/policy/distribution/etc/mounted name: distributionconfig - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 10 }} @@ -123,10 +111,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - name: distributionconfig-input configMap: name: {{ include "common.fullname" . }}-configmap @@ -134,5 +118,11 @@ spec: - name: distributionconfig emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + sizeLimit: 64Mi + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-distribution/templates/kafkauser.yaml b/kubernetes/policy/components/policy-distribution/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-distribution/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-distribution/templates/service.yaml b/kubernetes/policy/components/policy-distribution/templates/service.yaml index f8fa5415ba..ef4f2613cf 100755 --- a/kubernetes/policy/components/policy-distribution/templates/service.yaml +++ b/kubernetes/policy/components/policy-distribution/templates/service.yaml @@ -19,21 +19,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml old mode 100755 new mode 100644 index 22c8fc4ba9..d2848bb995 
--- a/kubernetes/policy/components/policy-distribution/values.yaml +++ b/kubernetes/policy/components/policy-distribution/values.yaml @@ -1,6 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. +# Modifications Copyright (C) 2023, 2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -45,16 +47,6 @@ secrets: login: '{{ .Values.sdcBe.user }}' password: '{{ .Values.sdcBe.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required ################################################################# # Global configuration defaults. @@ -67,13 +59,22 @@ global: # Application configuration defaults. ################################################################# # application image -image: onap/policy-distribution:2.8.1 +image: onap/policy-distribution:4.2.0 pullPolicy: Always # flag to enable debugging - application support required debugEnabled: false -# application configuration +#Strimzi Kafka User def +kafkaUser: + acls: + - name: policy-distribution + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] restServer: user: healthcheck 
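Review bot: in kafkaUser.acls, the SDC-DISTR entry combines 'patternType: prefix' with 'operations: [Read, Write]', so this user may write to every topic whose name starts with SDC-DISTR. If the component only needs to publish to one of them, a literal ACL for that topic and Read on the rest would be tighter. authenticationType is also left unset here, while the policy-clamp-runtime-acm values in this patch set scram-sha-512 explicitly; setting it in both places avoids depending on the helper's default.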
@@ -87,27 +88,6 @@ papParameters: sdcBe: user: policy password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-distribution-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); # default number of instances replicaCount: 1 @@ -131,31 +111,47 @@ readiness: service: type: ClusterIP name: policy-distribution - portName: http - externalPort: 6969 internalPort: 6969 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: policy-pap-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "1Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-distribution 
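Review bot: under service, 'internalPort: 6969' is kept next to the new ports list, although this patch removes its uses in deployment.yaml (containerPort) and service.yaml (targetPort). If nothing else still reads it, drop it so the port is defined once. Separately, the small flavor's memory limit drops from 4Gi to 500Mi in the same hunk; a note on how the new figure was measured would help reviewers judge the risk of OOM kills.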
@@ -167,18 +163,24 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true port: policy-distribution interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-distribution-restserver-creds externalSecretUserKey: login externalSecretPasswordKey: password + selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' diff --git a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml old mode 100755 new mode 100644 index 465d16bdf0..870718de27 --- a/kubernetes/policy/components/policy-drools-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/Chart.yaml @@ -1,7 +1,8 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018, 2020 AT&T Intellectual Property # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,18 +19,18 @@ apiVersion: v2 description: ONAP Drools Policy Engine (PDP-D) name: policy-drools-pdp -version: 12.0.0 +version: 16.0.4 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf old mode 100755 new mode 100644 index 22168e8753..decd359239 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/base.conf @@ -2,6 +2,8 @@ # Copyright © 2017-2018 Amdocs, Bell Canada. # Modifications Copyright (C) 2018-2020, 2022 AT&T Intellectual Property. # Modifications Copyright (C) 2021 Bell Canada. All rights reserved. +# Modifications Copyright (C) 2024-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright (C) 2025 Deutsche Telekom. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +20,7 @@ # JVM options -JVM_OPTIONS={{.Values.server.jvmOpts}} +JVM_OPTIONS={{ .Values.server.jvmOpts | quote }} # SYSTEM software configuration 
@@ -40,37 +42,31 @@ REPOSITORY_OFFLINE={{.Values.nexus.offline}} # Relational (SQL) DB access -SQL_HOST={{ .Values.db.name }} -SQL_PORT=3306 -JDBC_URL=jdbc:mariadb://{{ .Values.db.name }}:3306/ +SQL_HOST={{ .Values.global.postgres.service.name2 }} +SQL_PORT={{ .Values.global.postgres.service.port }} +JDBC_URL=jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/ JDBC_OPTS= -MYSQL_CMD= +JDBC_DRIVER=org.postgresql.Driver # Liveness LIVENESS_CONTROLLERS=* -# AAF - -AAF={{.Values.aaf.enabled}} -AAF_NAMESPACE=org.onap.policy -AAF_HOST=aaf-locate.{{.Release.Namespace}} - # HTTP Servers -HTTP_SERVER_HTTPS={{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} +HTTP_SERVER_HTTPS="false" PROMETHEUS=true # PDP-D DMaaP configuration channel -PDPD_CONFIGURATION_TOPIC=PDPD-CONFIGURATION -PDPD_CONFIGURATION_SERVERS=message-router +PDPD_CONFIGURATION_TOPIC=pdpd_configuration +PDPD_CONFIGURATION_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} PDPD_CONFIGURATION_CONSUMER_GROUP= PDPD_CONFIGURATION_CONSUMER_INSTANCE= PDPD_CONFIGURATION_PARTITION_KEY= # PAP-PDP configuration channel -POLICY_PDP_PAP_TOPIC=POLICY-PDP-PAP +POLICY_PDP_PAP_TOPIC=policy-pdp-pap POLICY_PDP_PAP_GROUP=defaultGroup POLICY_PDP_PAP_POLICYTYPES=onap.policies.controlloop.operational.common.Drools 
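Review bot: the section comment '# PDP-D DMaaP configuration channel' is left as is, although PDPD_CONFIGURATION_SERVERS now points at the Kafka bootstrap service instead of message-router. Please update the heading so the file does not describe a transport that is no longer used. SQL_HOST and JDBC_URL also read .Values.global.postgres.service.name2, an opaque key name that deserves a short comment here saying which endpoint it is.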
@@ -91,19 +87,27 @@ GUARD_DISABLED=false # DCAE DMaaP -DCAE_TOPIC=unauthenticated.DCAE_CL_OUTPUT -DCAE_SERVERS=message-router +DCAE_TOPIC=unauthenticated.dcae_cl_output +DCAE_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} DCAE_CONSUMER_GROUP=dcae.policy.shared # Open DMaaP -DMAAP_SERVERS=message-router -DMAAP_HTTPS={{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }} +KAFKA_SERVERS={{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} +KAFKA_ADDITIONAL_PROPS="{ + \"group.id\": \"${GROUP_ID}\", + \"security.protocol\": \"SASL_PLAINTEXT\", + \"sasl.mechanism\": \"${SASL}\", + \"sasl.jaas.config\": \"${JAASLOGIN}\" + }" + +DMAAP_HTTPS="false" +KAFKA_HTTPS="false" # AAI AAI_HOST=aai.{{.Release.Namespace}} -AAI_PORT={{ (eq "true" (include "common.needTLS" .)) | ternary 8443 8080 }} +AAI_PORT=8080 AAI_CONTEXT_URI= # MSO @@ -113,17 +117,11 @@ SO_PORT=8080 SO_CONTEXT_URI=onap/so/infra/ SO_URL=https://so.{{.Release.Namespace}}:8080/onap/so/infra -# VFC - -VFC_HOST= -VFC_PORT= -VFC_CONTEXT_URI=api/nslcm/v1/ - # SDNC SDNC_HOST=sdnc.{{.Release.Namespace}} SDNC_PORT=8282 -SDNC_CONTEXT_URI=restconf/operations/ +SDNC_CONTEXT_URI=rests/operations/ # CDS diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties new file mode 100644 index 0000000000..d30d93378f --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-distributed-locking.properties 
@@ -0,0 +1,30 @@ +### +# ============LICENSE_START======================================================= +# ONAP +# ================================================================================ +# Copyright (C) 2024-2025 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +### + +#Database properties +jakarta.persistence.jdbc.driver=org.postgresql.Driver +jakarta.persistence.jdbc.url=${envd:JDBC_URL}pooling${envd:JDBC_OPTS} +jakarta.persistence.jdbc.user=${envd:SQL_USER} +jakarta.persistence.jdbc.password=${envd:SQL_PASSWORD} + +# default property values are commented out +#distributed.locking.expire.check.seconds=900 +#distributed.locking.retry.seconds=60 +#distributed.locking.max.retries=2 diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties new file mode 100644 index 0000000000..26e10122da --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-lifecycle.properties 
@@ -0,0 +1,41 @@ +# ============LICENSE_START======================================================= +# ONAP +# ================================================================================ +# Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2024 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +lifecycle.pdp.group=${envd:POLICY_PDP_PAP_GROUP:defaultGroup} +lifecycle.pdp.type=${envd:POLICY_PDP_PAP_TYPE:drools} + +# Mandatory policy types that this PDP-D must support at a minimum +lifecycle.pdp.policytypes=${envd:POLICY_PDP_PAP_POLICYTYPES} + +kafka.source.topics=${envd:POLICY_PDP_PAP_TOPIC} +kafka.sink.topics=${envd:POLICY_PDP_PAP_TOPIC} + +kafka.source.topics.policy-pdp-pap.servers=${envd:KAFKA_SERVERS} +kafka.source.topics.policy-pdp-pap.effectiveTopic=${envd:POLICY_PDP_PAP_TOPIC} +kafka.source.topics.policy-pdp-pap.apiKey=${envd:POLICY_PDP_PAP_API_KEY} +kafka.source.topics.policy-pdp-pap.apiSecret=${envd:POLICY_PDP_PAP_API_SECRET} +kafka.source.topics.policy-pdp-pap.https=${envd:KAFKA_HTTPS:false} +kafka.source.topics.policy-pdp-pap.additionalProps=${envd:KAFKA_ADDITIONAL_PROPS} + +kafka.sink.topics.policy-pdp-pap.servers=${envd:KAFKA_SERVERS} +kafka.sink.topics.policy-pdp-pap.effectiveTopic=${envd:POLICY_PDP_PAP_TOPIC} 
+kafka.sink.topics.policy-pdp-pap.apiKey=${envd:POLICY_PDP_PAP_API_KEY} +kafka.sink.topics.policy-pdp-pap.apiSecret=${envd:POLICY_PDP_PAP_API_SECRET} +kafka.sink.topics.policy-pdp-pap.https=${envd:KAFKA_HTTPS:false} +kafka.sink.topics.policy-pdp-pap.additionalProps=${envd:KAFKA_ADDITIONAL_PROPS} diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf deleted file mode 100755 index 761e8afef8..0000000000 --- a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-dmaap.conf +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright 2018-2019 AT&T Intellectual Property. All rights reserved. -# Modifications Copyright © 2018 Amdocs, Bell Canada. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -POOLING_TOPIC=POOLING diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-messages.conf b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-messages.conf new file mode 100755 index 0000000000..c9277b69d3 --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/resources/configmaps/feature-pooling-messages.conf 
@@ -0,0 +1,19 @@ +{{/* +# Copyright 2018-2019 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2018 Amdocs, Bell Canada. +# Modifications Copyright © 2024 Nordix Foundation. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +POOLING_TOPIC=policy-pdp-pooling diff --git a/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf b/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf index a2a34056f1..e03fe447a3 100755 --- a/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf +++ b/kubernetes/policy/components/policy-drools-pdp/resources/secrets/credentials.conf @@ -1,6 +1,7 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2019 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2025 OpenInfra Europe. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,12 +19,6 @@ # ============LICENSE_END========================================================= */}} -{{- if not .Values.global.aafEnabled }} -KEYSTORE_PASSWD={{.Values.keystore.password}} -{{- end }} - -TRUSTSTORE_PASSWD={{.Values.truststore.password}} - TELEMETRY_USER={{.Values.telemetry.user}} TELEMETRY_PASSWORD={{.Values.telemetry.password}} @@ -54,9 +49,6 @@ AAI_PASSWORD={{.Values.aai.password}} SO_USERNAME={{.Values.so.user}} SO_PASSWORD={{.Values.so.password}} -VFC_USERNAME={{.Values.vfc.user}} -VFC_PASSWORD={{.Values.vfc.password}} - SDNC_USERNAME={{.Values.sdnc.user}} SDNC_PASSWORD={{.Values.sdnc.password}} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml index f5661429a1..7e6e2b8fa1 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/configmap.yaml 
@@ -20,11 +20,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/configmaps/*{.zip,store}" }} binaryData: {{- range $path, $bytes := . }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..1d571df8b7 --- /dev/null +++ b/kubernetes/policy/components/policy-drools-pdp/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml index f986994210..e42263cc62 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/secrets.yaml 
@@ -22,11 +22,7 @@ kind: Secret metadata: name: {{ include "common.fullname" . }}-secret namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} type: Opaque data: {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml index 619d0d4441..3f45b2f6e0 100755 --- a/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/templates/service.yaml 
@@ -15,34 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}-{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}-{{ .Values.service.externalPort2 }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}-{{ .Values.service.externalPort }} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}-{{ .Values.service.externalPort2 }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml old mode 100755 new mode 100644 index 7dee453771..d7bcccf121 --- a/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml 
+++ b/kubernetes/policy/components/policy-drools-pdp/templates/statefulset.yaml @@ -1,6 +1,8 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020, 2022 AT&T Intellectual Property +# Modifications Copyright (C) 2024-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,70 +19,87 @@ apiVersion: apps/v1 kind: StatefulSet -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: + selector: {{- include "common.selectors" . | nindent 4 }} serviceName: {{ include "common.servicename" . }} replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} +{{- if not .Values.nexus.offline }} - command: - /app/ready.py args: - - --job-name - - {{ include "common.release" . }}-policy-galera-config + - --service-name + - {{ .Values.nexus.name }} env: - name: NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-db-readiness -{{- if not .Values.nexus.offline }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + name: {{ include "common.name" . 
}}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" +{{- end }} - command: - - /app/ready.py + - sh args: - - --container-name - - {{ .Values.nexus.name }} + - -c + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done env: - - name: NAMESPACE + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.config.kafka.consumer.groupId }} + {{- if .Values.global.useStrimziKafka }} + - name: JAASLOGIN valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + {{- end }} + volumeMounts: + - mountPath: /config-input + name: drools-config + - mountPath: /config + name: drools-config-processed + image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness -{{- end }} -{{ include "common.certInitializer.initContainer" . | indent 6 }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} + name: {{ include "common.name" . }}-update-config containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: ["sh","-c"] - args: ["if [ -f {{ .Values.certInitializer.credsPath }}/.ci ]; then \ - source {{ .Values.certInitializer.credsPath }}/.ci; fi;\ - cp {{ .Values.certInitializer.credsPath }}/org.onap.policy.p12 ${POLICY_HOME}/etc/ssl/policy-keystore;\ - /opt/app/policy/bin/pdpd-cl-entrypoint.sh boot"] - ports: - - containerPort: {{ .Values.service.externalPort }} - - containerPort: {{ .Values.service.externalPort2 }} + args: + - ls /tmp/policy-install; + /opt/app/policy/bin/pdpd-cl-entrypoint.sh boot + ports: {{ include "common.containerPorts" . | nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: httpGet: @@ -92,7 +111,7 @@ spec: {{- end }} readinessProbe: tcpSocket: - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: 
@@ -103,36 +122,58 @@ spec: - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true - {{- range $path, $bytes := .Files.Glob "resources/secrets/*" }} - - mountPath: /tmp/policy-install/config/{{ base $path }} - name: drools-secret - subPath: {{ base $path }} - {{- end }} - {{- range $path, $bytes := .Files.Glob "resources/configmaps/*" }} - - mountPath: /tmp/policy-install/config/{{ base $path }} + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/etc/profile.d/base.conf + subPath: base.conf + name: drools-config-processed + - mountPath: /opt/app/policy/etc/profile.d/credentials.conf + subPath: credentials.conf + name: drools-config-processed + - mountPath: /opt/app/policy/etc/profile.d/feature-pooling-messages.conf + subPath: feature-pooling-messages.conf + name: drools-config-processed + - mountPath: /opt/app/policy/config/feature-lifecycle.properties + subPath: feature-lifecycle.properties + name: drools-config-processed + - mountPath: /opt/app/policy/config/engine-system.properties + subPath: engine-system.properties + name: drools-config-processed + - mountPath: /opt/app/policy/config/feature-distributed-locking.properties + subPath: feature-distributed-locking.properties + name: drools-config-processed + - mountPath: /opt/app/policy/config/logback.xml + subPath: logback.xml name: drools-config - subPath: {{ base $path }} - {{- end }} - resources: -{{ include "common.resources" . }} + - mountPath: /opt/app/policy/config/settings.xml + subPath: settings.xml + name: drools-config-processed + resources: {{ include "common.resources" . 
| nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - name: localtime hostPath: path: /etc/localtime + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: drools-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -142,6 +183,10 @@ spec: path: {{ base $path }} mode: 0755 {{- end }} + - name: drools-config-processed + emptyDir: + medium: Memory + sizeLimit: 64Mi - name: drools-secret secret: secretName: {{ include "common.fullname" . }}-secret @@ -151,5 +196,4 @@ spec: path: {{ base $path }} mode: 0644 {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml old mode 100755 new mode 100644 index 7b55612a9a..1dc1127b8e --- a/kubernetes/policy/components/policy-drools-pdp/values.yaml +++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml @@ -1,6 +1,8 @@ # Copyright © 2017 Amdocs # Copyright © 2017, 2021 Bell Canada # Modifications Copyright © 2018-2022 AT&T Intellectual Property +# Modifications Copyright (C) 2024-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -19,6 +21,12 @@ ################################################################# global: nodePortPrefix: 302 + postgres: + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 ################################################################# # Secrets metaconfig @@ -41,7 +49,9 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/policy-pdpd-cl:1.11.1 +# The newest images have been tested with SASL and Postgres. The images released next will have the relevant fixes +image: onap/policy-pdpd-cl:3.2.0 + pullPolicy: Always # flag to enable debugging - application support required 
@@ -70,49 +80,23 @@ readiness: service: type: ClusterIP name: policy-drools-pdp - portName: http internalPort: 6969 - externalPort: 6969 - nodePort: 17 - internalPort2: 9696 - externalPort2: 9696 - nodePort2: 21 + ports: + - name: http + port: 6969 + - name: http-2 + port: 9696 ingress: enabled: false -# Default installation values to be overridden - -certInitializer: - nameOverride: policy-drools-pdp-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - echo "export CADI_KEYFILE='{{ .Values.credsPath }}/org.onap.policy.keyfile'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read server: - jvmOpts: -server -XshowSettings:vm - -aaf: - enabled: "false" - -keystore: - password: Pol1cy_0nap - -truststore: - password: Pol1cy_0nap + jvmOpts: "-server -XshowSettings:vm" telemetry: user: demo@people.osaaf.org @@ -126,8 +110,6 @@ nexus: offline: true db: - name: policy-mariadb - user: policy_user password: policy_user pap: @@ -154,10 +136,6 @@ so: user: InfraPortalClient password: password1$ -vfc: - user: - password: - sdnc: user: admin password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U 
@@ -183,20 +161,30 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "800Mi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "800Mi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "1.6Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "1.6Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-drools-pdp @@ -208,11 +196,16 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true port: policy-drools-pdp-9696 interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-drools-pdp-telemetry-creds 
@@ -220,6 +213,76 @@ metrics: externalSecretPasswordKey: password selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-drools-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-drools-pdp + type: group + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: a1-p-rsp + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: a1-p + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: appc-cl + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: appc-lcm-read + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: appc-lcm-write + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: dcae_cl_rsp + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: unauthenticated.dcae_cl_output + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: dcae_topic + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: policy-cl-mgt + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: sdnr-cl-rsp + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: sdnr-cl + type: 
topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + +readinessCheck: + wait_for: + services: + - policy-api diff --git a/kubernetes/policy/components/policy-gui/Chart.yaml b/kubernetes/policy/components/policy-gui/Chart.yaml deleted file mode 100644 index b2769c3e7a..0000000000 --- a/kubernetes/policy/components/policy-gui/Chart.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= - -apiVersion: v2 -description: ONAP Policy GUI -name: policy-gui -version: 12.0.0 - -dependencies: - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/policy/components/policy-gui/resources/config/application.yml b/kubernetes/policy/components/policy-gui/resources/config/application.yml deleted file mode 100644 index 9be81d8ddd..0000000000 --- a/kubernetes/policy/components/policy-gui/resources/config/application.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -server: - port: 2443 - ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} -# enabled-protocols: TLSv1.2 -# client-auth: want -# key-store: file:${KEYSTORE} -# key-store-password: ${KEYSTORE_PASSWD} -# trust-store: file:${TRUSTSTORE} -# trust-store-password: ${TRUSTSTORE_PASSWD} - -clamp: - url: - disable-ssl-validation: {{ (eq "true" (include "common.needTLS" .)) | ternary false true }} - disable-ssl-hostname-check: {{ (eq "true" (include "common.needTLS" .)) | ternary false true }} - -apex-editor: - upload-url: - upload-userid: - -management: - endpoints: - web: - exposure: - include: health, metrics, prometheus diff --git a/kubernetes/policy/components/policy-gui/templates/deployment.yaml b/kubernetes/policy/components/policy-gui/templates/deployment.yaml deleted file mode 100644 index 5a43fc71b0..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/deployment.yaml +++ /dev/null 
@@ -1,154 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . 
}} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: KEYSTORE - value: {{ .Values.certStores.keystoreLocation }} - - name: KEYSTORE_PASSWD - value: {{ .Values.certStores.keyStorePassword }} - - name: TRUSTSTORE - value: {{ .Values.certStores.truststoreLocation }} - - name: TRUSTSTORE_PASSWD - value: {{ .Values.certStores.trustStorePassword }} - - name: POLICY_LOGS - value: {{ .Values.log.path }} - volumeMounts: - - mountPath: /config-input - name: policy-gui-config - - mountPath: /config - name: policy-gui-config-processed - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - command: - - /app/ready.py - args: - - --container-name - - policy-clamp-runtime-acm - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness -{{ include "common.certInitializer.initContainer" . | nindent 6 }} - containers: - # side car containers - {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.sidecar" . | nindent 8 }}{{ end }} - # main container - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if not (include "common.onServiceMesh" .) 
}} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;/opt/app/policy/gui/bin/policy-gui.sh"] - env: -{{ else }} - command: ["/opt/app/policy/gui/bin/policy-gui.sh"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{ end }} - - name: CLAMP_URL - value: http://policy-clamp-runtime-acm:6969 - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: logs - mountPath: {{ .Values.log.path }} - - mountPath: /opt/app/policy/gui/etc/application.yml - name: policy-gui-config-processed - subPath: application.yml - - mountPath: /opt/app/policy/gui/etc/logback.xml - name: policy-gui-config-processed - subPath: logback.xml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . 
| nindent 8 }} - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }} - - name: logs - emptyDir: {} - {{ if .Values.global.centralizedLoggingEnabled }}{{ include "common.log.volumes" . | nindent 8 }}{{ end }} - - name: policy-gui-config - configMap: - name: {{ include "common.fullname" . }}-configmap - defaultMode: 0755 - - name: policy-gui-config-processed - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/policy/components/policy-gui/templates/service.yaml b/kubernetes/policy/components/policy-gui/templates/service.yaml deleted file mode 100644 index 827e93a4f2..0000000000 --- a/kubernetes/policy/components/policy-gui/templates/service.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -{{/* -# ============LICENSE_START======================================================= -# Copyright (C) 2021 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- 
diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml deleted file mode 100644 index 330d1fcac8..0000000000 --- a/kubernetes/policy/components/policy-gui/values.yaml +++ /dev/null 
@@ -1,168 +0,0 @@ -# ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= - -################################################################# -# Global configuration defaults. -################################################################# -global: # global defaults - nodePortPrefix: 304 - centralizedLoggingEnabled: true - #AAF service - aafEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . 
}}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - -certStores: - keyStorePassword: Pol1cy_0nap - keystoreLocation: /opt/app/policy/gui/etc/ssl/policy-keystore - truststoreLocation: /opt/app/policy/gui/etc/ssl/policy-truststore - trustStorePassword: Pol1cy_0nap - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: policy-gui-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export TRUSTSTORE='{{ .Values.credsPath }}/org.onap.policy.trust.jks'" >> {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - echo "export TRUSTSTORE_PASSWD='${cadi_truststore_password}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - -subChartsOnly: - enabled: true - -flavor: small - -# application image -image: onap/policy-gui:2.3.1 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# log configuration -log: - path: /var/log/onap/policy/gui - -################################################################# -# Application configuration defaults. 
-################################################################# -config: - log: - logstashServiceName: log-ls - logstashPort: 5044 - dataRootDir: /dockerdata-nfs - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - timeoutSeconds: 3 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 3 - -service: - type: NodePort - name: policy-gui - portName: http - internalPort: 2443 - nodePort: 43 - - # see https://wiki.onap.org/display/DW/OOM+NodePort+List - -ingress: - enabled: false - service: - - baseaddr: "policy-ui" - name: "policygui" - port: 2443 - config: - ssl: "redirect" - -#resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -resources: - small: - limits: - cpu: 1 - memory: 200Mi - requests: - cpu: 1m - memory: 50Mi - large: - limits: - cpu: 1 - memory: 500Mi - requests: - cpu: 10m - memory: 50Mi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: policy-gui - roles: - - read diff --git a/kubernetes/policy/components/policy-nexus/Chart.yaml b/kubernetes/policy/components/policy-nexus/Chart.yaml old mode 100755 new mode 100644 index f2f65dd583..59e01d82ea 
--- a/kubernetes/policy/components/policy-nexus/Chart.yaml +++ b/kubernetes/policy/components/policy-nexus/Chart.yaml @@ -1,7 +1,8 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,18 +19,18 @@ apiVersion: v2 description: ONAP Policy Nexus name: policy-nexus -version: 12.0.0 +version: 15.0.2 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-nexus/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml index 4c945f4605..fe183cfa24 100755 --- a/kubernetes/policy/components/policy-nexus/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,56 +18,43 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - command: ["sh", "-c", "chown -R 200:200 /share"] image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-init volumeMounts: - mountPath: /share name: nexus-data containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.externalPort }} + ports: {{ include "common.containerPorts" . 
| nindent 12 }} {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: httpGet: path: {{ .Values.readiness.path }} - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /sonatype-work name: nexus-data resources: @@ -85,9 +73,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "nothing" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: nexus-data {{- if .Values.persistence.enabled }} persistentVolumeClaim: @@ -95,5 +80,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-nexus/templates/pv.yaml b/kubernetes/policy/components/policy-nexus/templates/pv.yaml index 62e66f1602..1bafeb5d6c 100755 --- a/kubernetes/policy/components/policy-nexus/templates/pv.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/pv.yaml @@ -22,12 +22,7 @@ apiVersion: v1 metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} + labels: {{- include "common.labels" . | nindent 4 }} spec: capacity: storage: {{ .Values.persistence.size }} 
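Review bot: In kubernetes/policy/components/policy-nexus/templates/deployment.yaml the init container still runs `chown -R 200:200 /share`, yet the same hunk puts `common.containerSecurityContext` on that container and values.yaml in this patch sets `securityContext.user_id: 100` and `group_id: 102`. If the helper renders a non-root user from those values, the chown cannot succeed and the pod will not get past init; if it does succeed, the volume ends up owned by 200 while the containers are configured for 100. Align the chown target with the securityContext IDs, or drop the init container if the pod-level context already handles volume ownership, and state in values.yaml which UID Nexus is expected to run as.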
diff --git a/kubernetes/policy/components/policy-nexus/templates/pvc.yaml b/kubernetes/policy/components/policy-nexus/templates/pvc.yaml index 1cadcc51d5..e5a06e2f64 100755 --- a/kubernetes/policy/components/policy-nexus/templates/pvc.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/pvc.yaml @@ -21,11 +21,7 @@ apiVersion: v1 metadata: name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" + labels: {{- include "common.labels" . | nindent 4 }} {{- if .Values.persistence.annotations }} annotations: {{ toYaml .Values.persistence.annotations | indent 4 }} diff --git a/kubernetes/policy/components/policy-nexus/templates/service.yaml b/kubernetes/policy/components/policy-nexus/templates/service.yaml index 6bec5619f6..8d13879023 100755 --- a/kubernetes/policy/components/policy-nexus/templates/service.yaml +++ b/kubernetes/policy/components/policy-nexus/templates/service.yaml 
@@ -15,28 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-nexus/values.yaml b/kubernetes/policy/components/policy-nexus/values.yaml old mode 100755 new mode 100644 index ac0028d1d9..cc75a9fe15 --- a/kubernetes/policy/components/policy-nexus/values.yaml +++ b/kubernetes/policy/components/policy-nexus/values.yaml @@ -1,5 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property +# Modifications Copyright © 2024 Deutsche Telekom +# Modifications Copyright (C) 2024 Nordix Foundation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,6 +21,10 @@ global: nodePortPrefix: 302 persistence: {} + postgres: + useInPolicy: false + mariadbGalera: + useInPolicy: true ################################################################# # Application configuration defaults. 
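Review bot: The `postgres.useInPolicy` and `mariadbGalera.useInPolicy` flags added under `global:` in policy-nexus/values.yaml (hunk `@@ -19,6 +21,10 @@`) are not referenced by any policy-nexus template line visible in this patch. If a shared helper needs them, add a comment naming it; otherwise leave them out so the subchart does not carry database defaults it never uses.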
@@ -56,14 +62,18 @@ readiness: service: type: ClusterIP name: policy-nexus - portName: http - externalPort: 8081 internalPort: 8081 - nodePort: 36 + ports: + - name: http + port: 8081 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + ## Persist data to a persitent volume persistence: enabled: true @@ -79,20 +89,24 @@ resources: flavor: small small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 1m - memory: 0.5Gi + cpu: "1m" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 2m - memory: 1Gi + cpu: "2m" + memory: "1Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + #Pods Service Account serviceAccount: nameOverride: policy-nexus diff --git a/kubernetes/policy/components/policy-opa-pdp/Chart.yaml b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml new file mode 100644 index 0000000000..92df2f43b1 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/Chart.yaml 
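Review bot: `serviceMesh.authorizationPolicy.authorizedPrincipals: []` in policy-nexus/values.yaml (hunk `@@ -56,14 +62,18 @@`) ships as an empty list with no comment on what that means once `common.authorizationPolicy` renders it. Document next to the key whether an empty list means unrestricted or no access, and if the intent is to restrict the service, list the workloads expected to reach policy-nexus on port 8081.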
@@ -0,0 +1,36 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +apiVersion: v2 +description: ONAP Policy OPA PDP (PDP-O) +name: policy-opa-pdp +version: 16.0.5 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json new file mode 100755 index 0000000000..bb18a3bacc --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/resources/config/config.json 
@@ -0,0 +1,27 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} +{ + "logging": { + "level": "debug" + }, + "decision_logs": { + "console": true + } +} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml new file mode 100755 index 0000000000..e2b4537dc8 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/authorizationpolicy.yaml 
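Review bot: kubernetes/policy/components/policy-opa-pdp/resources/config/config.json fixes `"level": "debug"` and `"decision_logs": {"console": true}` as chart defaults. The deployment in this patch already takes `LOG_LEVEL` from `.Values.log.loglevel`, and configmap.yaml renders this file through `tpl`, so the level here can come from the same value instead of being hard-coded. Make the console decision log a value as well, and check whether the decisions written to the pod log stream can contain data that should not reach the cluster log pipeline before leaving it on by default.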
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/autoscaling.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/autoscaling.yaml new file mode 100755 index 0000000000..4b2d6d4fa0 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/autoscaling.yaml 
@@ -0,0 +1,61 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . 
}} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + behavior: + scaleDown: + stabilizationWindowSeconds: {{ .Values.autoscaling.stabilizationWindowSeconds}} + policies: + - type: Pods + value: {{ .Values.autoscaling.podScaleDownCount }} + periodSeconds: {{ .Values.autoscaling.periodSecondsPods }} + - type: Percent + value: {{ .Values.autoscaling.podScaleDownPercent }} + periodSeconds: {{ .Values.autoscaling.periodSecondsPercent }} + selectPolicy: {{ .Values.autoscaling.selectPolicy }} +{{- end }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml new file mode 100755 index 0000000000..1942a59f6f --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/configmap.yaml 
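Review bot: In policy-opa-pdp/templates/autoscaling.yaml both entries under `metrics:` are guarded by their own `if`, so with `autoscaling.enabled` true and neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` set the HPA renders `metrics:` with no entries and falls back to whatever the API server defaults to. Fail the render in that case or document that at least one target is required. The licence header here is also plain `#` lines, unlike the `{{/* ... */}}` wrapper used by the sibling templates in this patch, so it is emitted into the rendered manifest.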
@@ -0,0 +1,28 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap-config + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{ tpl (.Files.Glob "resources/config/*.{sql,json,properties,xml}").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml new file mode 100755 index 0000000000..ba74f1dd43 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/deployment.yaml 
@@ -0,0 +1,132 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{ end }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} + containers: + - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . 
| nindent 12 }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + env: + - name: UseSASLForKAFKA + value: "{{ .Values.kafka.useSASL }}" + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + - name: GROUPID + value: "{{ .Values.groupIdPrefix }}-$(POD_UID)" + - name: PATCH_GROUPID + value: "{{ .Values.patchGroupIdPrefix }}-$(POD_UID)" + - name: LOG_LEVEL + value: "{{ .Values.log.loglevel }}" + - name: PAP_TOPIC + value: "{{ .Values.kafka.topic }}" + - name: PATCH_TOPIC + value: "{{ .Values.kafka.patchtopic }}" + - name: USE_KAFKA_FOR_PATCH + value: "{{ .Values.useKafkaForPatch }}" + - name: API_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "login") | indent 10 }} + - name: API_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "api-creds" "key" "password") | indent 10 }} + - name: RESTSERVER_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} + - name: RESTSERVER_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . 
}}-ku + key: sasl.jaas.config + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - name: opa-config + mountPath: /app/config + - name: opa-bundles + mountPath: /app/bundles + - name: logs + mountPath: /var/logs + - mountPath: /opt/policies/ + name: opt-policies + - mountPath: /opt/data/ + name: opt-data + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: opa-config + configMap: + name: {{ include "common.fullname" . }}-configmap-config + defaultMode: 0755 + - name: opa-bundles + emptyDir: + sizeLimit: {{ .Values.dirSizes.bundleDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} + - name: opt-policies + emptyDir: + sizeLimit: {{ .Values.dirSizes.optPolicies.sizeLimit }} + - name: opt-data + emptyDir: + sizeLimit: {{ .Values.dirSizes.optData.sizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml new file mode 100755 index 0000000000..faf315356c --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/kafkauser.yaml 
@@ -0,0 +1,20 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml new file mode 100755 index 0000000000..0c47a8bd77 --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/secrets.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml new file mode 100755 index 0000000000..1d45a0baef --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/service.yaml 
@@ -0,0 +1,21 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml b/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml new file mode 100755 index 0000000000..96774208de --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/templates/serviceMonitor.yaml 
@@ -0,0 +1,23 @@ +{{/* +# ============LICENSE_START======================================================= +# Copyright (c) 2024 Deutsche Telekom +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at + +# http://www.apache.org/licenses/LICENSE-2.0 + +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +{{- if .Values.global.prometheusEnabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} diff --git a/kubernetes/policy/components/policy-opa-pdp/values.yaml b/kubernetes/policy/components/policy-opa-pdp/values.yaml new file mode 100644 index 0000000000..d4d77fe94f --- /dev/null +++ b/kubernetes/policy/components/policy-opa-pdp/values.yaml 
@@ -0,0 +1,251 @@ +# ============LICENSE_START======================================================= +# Copyright (C) 2025 Deutsche Telekom Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: {} +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: api-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.apiServer.credsExternalSecret) . }}' + login: '{{ .Values.apiServer.user }}' + password: '{{ .Values.apiServer.password }}' + passwordPolicy: required + - uid: restserver-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.restServer.credsExternalSecret) . }}' + login: '{{ .Values.restServer.user }}' + password: '{{ .Values.restServer.password }}' + passwordPolicy: required + +################################################################# +# Application configuration defaults. 
+################################################################# +# application image +image: onap/policy-opa-pdp:1.0.7 + +pullPolicy: Always + +componentName: &componentName policy-opa-pdp + +# flag to enable debugging - application support required +debugEnabled: false + +log: + loglevel: "debug" + +# application configuration + +permissions: + uid: 100 + gid: 102 + +restServer: + user: healthcheck + password: zb!XztG34 + +apiServer: + user: policyadmin + password: zb!XztG34 + +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 + +securityContext: + user_id: 1000 + group_id : 1000 + +kafka: + groupid: "policy-opa-pdp" + topic: "policy-pdp-pap" + patchtopic: "opa-pdp-data" + useSASL: "true" + brokers: "onap-strimzi-kafka-bootstrap.onap:9092" + +useKafkaForPatch: false + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 20 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 20 + periodSeconds: 10 + +readinessCheck: + wait_for: + services: + - 'policy-pap' + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 70 + stabilizationWindowSeconds: 60 + podScaleDownCount: 1 + periodSecondsPods: 60 + podScaleDownPercent: 10 + periodSecondsPercent: 60 + selectPolicy: "Min" + +service: + type: ClusterIP + name: *componentName + internalPort: 8282 + ports: + - name: http + port: 8282 + +ingress: + enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-datafile-collector-read + - serviceAccount: dcae-datalake-admin-ui-read + - serviceAccount: 
dcae-datalake-des-read + - serviceAccount: dcae-datalake-feeder-read + - serviceAccount: dcae-heartbeat-read + - serviceAccount: dcae-hv-ves-collector-read + - serviceAccount: dcae-kpi-ms-read + - serviceAccount: dcae-pm-mapper-read + - serviceAccount: dcae-pmsh-read + - serviceAccount: dcae-prh-read + - serviceAccount: dcae-restconf-collector-read + - serviceAccount: dcae-slice-analysis-ms-read + - serviceAccount: dcae-snmptrap-collector-read + - serviceAccount: dcae-son-handler-read + - serviceAccount: dcae-tcagen2-read + - serviceAccount: dcae-ves-collector-read + - serviceAccount: dcae-ves-mapper-read + - serviceAccount: dcae-ves-openapi-manager-read + - serviceAccount: strimzi-kafka-read + - serviceAccount: oof-read + - serviceAccount: sdnc-read + +flavor: small +resources: + small: + limits: + cpu: "1" + memory: "1Gi" + requests: + cpu: "0.5" + memory: "1Gi" + large: + limits: + cpu: "2" + memory: "2Gi" + requests: + cpu: "1" + memory: "2Gi" + unlimited: {} + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + policyDir: + sizeLimit: 100Mi + bundleDir: + sizeLimit: 5Gi + optPolicies: + sizeLimit: 500Mi + optData: + sizeLimit: 500Mi + +groupIdPrefix: opa-pdp +patchGroupIdPrefix: opa-pdp-data + +#Pods Service Account +serviceAccount: + nameOverride: *componentName + roles: + - read + +metrics: + serviceMonitor: + # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. + # The default operator for prometheus enforces the below label. + labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . 
}}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' + release: prometheus + enabled: true + port: http + interval: 60s + path: /metrics + isHttps: false + basicAuth: + enabled: true + externalSecretNameSuffix: policy-opa-pdp-api-creds + externalSecretUserKey: login + externalSecretPasswordKey: password + selector: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + +config: + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: opa-pdp + type: group + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: opa-pdp-data + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] diff --git a/kubernetes/policy/components/policy-pap/Chart.yaml b/kubernetes/policy/components/policy-pap/Chart.yaml old mode 100755 new mode 100644 index 41ec369108..7bfcffabe2 --- a/kubernetes/policy/components/policy-pap/Chart.yaml +++ b/kubernetes/policy/components/policy-pap/Chart.yaml 
@@ -1,8 +1,9 @@ # ============LICENSE_START======================================================= -# Copyright (C) 2019 Nordix Foundation. +# Copyright (C) 2019 OpenInfra Europe. All rights reserved. # Modified Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,18 +23,18 @@ apiVersion: v2 description: ONAP Policy Administration (PAP) name: policy-pap -version: 12.0.0 +version: 16.0.4 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml index b68e8d6a71..ef1334a288 100644 --- a/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml +++ b/kubernetes/policy/components/policy-pap/resources/config/papParameters.yaml 
@@ -1,6 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2022 Bell Canada. All rights reserved. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2025 Nordix Foundation # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -26,78 +26,91 @@ spring: converters: preferred-json-mapper: gson datasource: - url: jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort}}/policyadmin - driverClassName: org.mariadb.jdbc.Driver + url: jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/policyadmin + driverClassName: org.postgresql.Driver username: "${SQL_USER}" password: "${SQL_PASSWORD}" hikari: - maximumPoolSize: 20 + connectionTimeout: 30000 + idleTimeout: 600000 + maxLifetime: 1800000 + maximumPoolSize: 10 jpa: - properties: - hibernate: - dialect: org.hibernate.dialect.MariaDB103Dialect hibernate: ddl-auto: none naming: physical-strategy: org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl implicit-strategy: org.onap.policy.common.spring.utils.CustomImplicitNamingStrategy - kafka: - consumer: - group-id: {{ .Values.config.kafka.consumer.groupId }} -{{- if .Values.config.useStrimziKafka }} - bootstrap-servers: {{ include "common.release" . 
}}-{{ .Values.config.kafkaBootstrap }}:9092 - security.protocol: SASL_PLAINTEXT - properties.sasl: - mechanism: SCRAM-SHA-512 - jaas.config: ${JAASLOGIN} -{{ else }} -{{ toYaml .Values.config.eventConsumption | nindent 2 }} -{{- end }} server: port: 6969 ssl: - enabled: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + enabled: false + servlet: + context-path: /policy/pap/v1 pap: name: PapGroup - aaf: false + topic: + pdp-pap.name: {{ .Values.config.kafka.topics.policyPdpPap }} + notification.name: {{ .Values.config.kafka.topics.policyNotification }} + heartbeat.name: {{ .Values.config.kafka.topics.policyHeartbeat }} pdpParameters: heartBeatMs: 120000 updateParameters: maxRetryCount: 1 - maxWaitMs: 30000 + maxWaitMs: 36000 stateChangeParameters: maxRetryCount: 1 - maxWaitMs: 30000 - savePdpStatisticsInDb: false + maxWaitMs: 36000 + savePdpStatisticsInDb: true topicParameterGroup: topicSources: - - topic: POLICY-PDP-PAP - servers: - - message-router - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - fetchTimeout: 15000 - topicCommInfrastructure: dmaap - - topic: POLICY-HEARTBEAT - effectiveTopic: POLICY-PDP-PAP - consumerGroup: policy-pap - servers: - - message-router - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - fetchTimeout: 15000 - topicCommInfrastructure: dmaap + - useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + - useHttps: false + fetchTimeout: 15000 + topic: {{ .Values.config.kafka.topics.policyHeartbeat }} + effectiveTopic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} topicSinks: - - topic: POLICY-PDP-PAP - servers: - - message-router - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - topicCommInfrastructure: dmaap - - topic: POLICY-NOTIFICATION - servers: - - message-router - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - topicCommInfrastructure: dmaap + - useHttps: false + topic: {{ .Values.config.kafka.topics.policyPdpPap }} + servers: + - {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + - useHttps: false + topic: {{ .Values.config.kafka.topics.policyNotification }} + servers: + - {{ include "common.release" . 
}}-{{ .Values.global.kafkaBootstrap }} + topicCommInfrastructure: kafka + additionalProps: + group.id : {{ .Values.config.kafka.consumer.groupId }} + security.protocol: SASL_PLAINTEXT + sasl.mechanism: {{ .Values.kafkaUser.authenticationType | upper }} + sasl.jaas.config: ${JAASLOGIN} + # If Strimzi Kafka to be used for communication, replace following configuration for topicSources and topicSinks # servers: # - {{ include "common.release" . }}-{{ .Values.config.kafkaBootstrap }}:9092 @@ -113,20 +126,8 @@ pap: port: 6969 userName: "${API_USER}" password: "${API_PASSWORD}" - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + useHttps: false basePath: policy/api/v1/healthcheck - - clientName: distribution - hostname: policy-distribution - port: 6969 - userName: "${DISTRIBUTION_USER}" - password: "${DISTRIBUTION_PASSWORD}" - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - basePath: healthcheck - - clientName: dmaap - hostname: message-router - port: {{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} - useHttps: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} - basePath: topics management: endpoints: diff --git a/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-pap/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-pap/templates/configmap.yaml b/kubernetes/policy/components/policy-pap/templates/configmap.yaml index ee03f70b00..c84fcf0533 100755 --- a/kubernetes/policy/components/policy-pap/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-pap/templates/configmap.yaml @@ -24,11 +24,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} diff --git a/kubernetes/policy/components/policy-pap/templates/deployment.yaml b/kubernetes/policy/components/policy-pap/templates/deployment.yaml old mode 100755 new mode 100644 index e05204249e..5722563b47 --- a/kubernetes/policy/components/policy-pap/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-pap/templates/deployment.yaml 
@@ -2,6 +2,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. # Modifications Copyright (C) 2022 Bell Canada. All rights reserved. +# Modifications Copyright (C) 2024-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,21 +30,9 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-policy-galera-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: @@ -65,9 +55,12 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "login") | indent 10 }} - name: DISTRIBUTION_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "distribution-secret" "key" "password") | indent 10 }} -{{- if .Values.config.useStrimziKafka }} +{{- if .Values.global.useStrimziKafka }} - name: JAASLOGIN - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "policy-kafka-user" "key" "sasl.jaas.config") | indent 10 }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config {{- end }} volumeMounts: - mountPath: /config-input 
@@ -76,25 +69,18 @@ spec: name: papconfig-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/pap/bin/policy-pap.sh /opt/app/policy/pap/etc/mounted/papParameters.yaml"] -{{- else }} - command: ["/opt/app/policy/pap/bin/policy-pap.sh"] - args: ["/opt/app/policy/pap/etc/mounted/papParameters.yaml"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} + + command: [ "/bin/sh", "-cx" ] + args: + - cat /opt/app/policy/pap/etc/mounted/papParameters.yaml; + /opt/app/policy/pap/bin/policy-pap.sh /opt/app/policy/pap/etc/mounted/papParameters.yaml ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container 
@@ -112,35 +98,46 @@ spec: httpHeaders: - name: Authorization value: Basic {{ printf "%s:%s" .Values.restServer.user .Values.restServer.password | b64enc }} - scheme: {{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }} + scheme: "HTTP" successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeout }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /opt/app/policy/pap/etc/mounted - name: papconfig-processed - resources: -{{ include "common.resources" . }} + - mountPath: /etc/localtime + name: localtime + readOnly: true + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/pap/etc/logback.xml + subPath: logback.xml + name: papconfig-processed + - name: papconfig-processed + mountPath: /opt/app/policy/pap/etc/mounted + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . 
| indent 8 }} - name: localtime - hostPath: - path: /etc/localtime + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: papconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -148,5 +145,5 @@ spec: - name: papconfig-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + sizeLimit: 64Mi + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/policy/components/policy-pap/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml index 1d1561cd7c..8370f63e2a 100755 --- a/kubernetes/policy/components/policy-pap/values.yaml +++ b/kubernetes/policy/components/policy-pap/values.yaml 
@@ -2,7 +2,8 @@ # Copyright (C) 2019 Nordix Foundation. # Modifications Copyright (C) 2019-2021 AT&T Intellectual Property. # Modifications Copyright (C) 2020-2022 Bell Canada. All rights reserved. -# Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2022-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,7 +26,12 @@ global: nodePortPrefixExt: 304 persistence: {} - aafEnabled: true + postgres: + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 ################################################################# # Secrets metaconfig @@ -55,16 +61,6 @@ secrets: login: '{{ .Values.healthCheckRestClient.distribution.user }}' password: '{{ .Values.healthCheckRestClient.distribution.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - uid: policy-kafka-user externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' type: genericKV 
@@ -73,34 +69,11 @@ secrets: value: '{{ .Values.config.someConfig }}' policy: generate -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-pap-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-pap:2.7.1 +image: onap/policy-pap:4.2.0 pullPolicy: Always # flag to enable debugging - application support required @@ -109,11 +82,8 @@ debugEnabled: false # application configuration db: - user: policy_user + user: policy-user password: policy_user - service: - name: policy-mariadb - internalPort: 3306 restServer: user: policyadmin 
@@ -155,33 +125,50 @@ readiness: service: type: ClusterIP name: policy-pap - useNodePortExt: true ports: - name: http-api port: 6969 - nodePort: 42 + - name: debug-port + port: 5005 + protocol: tcp ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: strimzi-kafka-read + - serviceAccount: portal-app-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "3" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "1" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "4" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "2" + memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + #Pods Service Account serviceAccount: nameOverride: policy-pap @@ -193,11 +180,17 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true port: http-api + path: /policy/pap/v1/metrics interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-pap-user-creds 
@@ -207,14 +200,17 @@ metrics: # application configuration config: # Event consumption (kafka) properties - useStrimziKafka: true - kafkaBootstrap: strimzi-kafka-bootstrap kafka: + topics: + policyHeartbeat: policy-heartbeat + policyNotification: policy-notification + policyPdpPap: policy-pdp-pap consumer: - groupId: policy-group + groupId: policy-pap app: listener: policyPdpPapTopic: policy-pdp-pap + # If targeting a custom kafka cluster, ie useStrimziKakfa: false # uncomment below config and target your kafka bootstrap servers, # along with any other security config. @@ -226,3 +222,26 @@ config: # # Any new property can be added in the env by setting in overrides in the format mentioned below # All the added properties must be in "key: value" format instead of yaml. +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-pap + type: group + operations: [Create, Describe, Read, Write] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-heartbeat + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + - name: policy-notification + type: topic + patternType: prefix + operations: [Create, Describe, Read, Write] + +readinessCheck: + wait_for: + services: + - policy-api diff --git a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml old mode 100755 new mode 100644 index 4a5e8d15fa..2494382592 --- a/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/Chart.yaml 
@@ -1,7 +1,8 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2020 AT&T Intellectual Property. All rights reserved. # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2021, 2024-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,18 +22,18 @@ apiVersion: v2 description: ONAP Policy XACML PDP (PDP-X) name: policy-xacml-pdp -version: 12.0.0 +version: 16.0.4 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json index 0f1744a9e4..7bf6707136 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/config.json @@ -26,7 +26,7 @@ "port": 6969, "userName": "${RESTSERVER_USER}", "password": "${RESTSERVER_PASSWORD}", - "https": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "https": "false", "aaf": false, "prometheus": true }, 
@@ -35,25 +35,37 @@ "port": 6969, "userName": "${API_USER}", "password": "${API_PASSWORD}", - "useHttps": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "useHttps": "false", "aaf": false }, "applicationParameters": { "applicationPath": "/opt/app/policy/pdpx/apps" }, "topicParameterGroup": { - "topicSources" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, - "fetchTimeout" : 15000, - "topicCommInfrastructure" : "dmaap" + "topicSources": [{ + "topic": "${PAP_TOPIC}", + "useHttps": false, + "fetchTimeout": 15000, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id": "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } }], "topicSinks" : [{ - "topic" : "POLICY-PDP-PAP", - "servers" : [ "message-router" ], - "useHttps" : {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, - "topicCommInfrastructure" : "dmaap" - }] + "topic": "${PAP_TOPIC}", + "useHttps": false, + "servers": [ "${KAFKA_URL}" ], + "topicCommInfrastructure": "kafka", + "additionalProps": { + "group.id": "${GROUP_ID}", + "security.protocol": "SASL_PLAINTEXT", + "sasl.mechanism": "${SASL}", + "sasl.jaas.config": "${JAASLOGIN}" + } + }] } } diff --git a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties old mode 100755 new mode 100644 index d2e9c62edf..8641165d3c --- a/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties +++ b/kubernetes/policy/components/policy-xacml-pdp/resources/config/xacml.properties 
@@ -1,4 +1,23 @@ {{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2024-2025 Nordix Foundation. All rights reserved. +# Modifications (C) 2025 Deutsche Telekom. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + # # Properties that the embedded PDP engine uses to configure and load # @@ -49,8 +68,8 @@ xacml.pip.engines=count-recent-operations,get-operation-outcome # # JPA Properties # -eclipselink.target-database=MySQL -javax.persistence.jdbc.driver=org.mariadb.jdbc.Driver -javax.persistence.jdbc.url=jdbc:mariadb://{{ .Values.db.service.name }}:{{ .Values.db.service.internalPort }}/operationshistory -javax.persistence.jdbc.user=${SQL_USER} -javax.persistence.jdbc.password=${SQL_PASSWORD} +eclipselink.target-database=PostgreSQL +jakarta.persistence.jdbc.driver=org.postgresql.Driver +jakarta.persistence.jdbc.url=jdbc:postgresql://{{ .Values.global.postgres.service.name2 }}:{{ .Values.global.postgres.service.port }}/operationshistory +jakarta.persistence.jdbc.user=${SQL_USER} +jakarta.persistence.jdbc.password=${SQL_PASSWORD} 
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..5a9baa822f --- /dev/null +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/autoscaling.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/autoscaling.yaml 
@@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml index 3b1a12399e..f93d6a8d46 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/configmap.yaml @@ -24,11 +24,7 @@ kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + labels: {{- include "common.labels" . | nindent 4 }} {{- with .Files.Glob "resources/config/*store" }} binaryData: {{- range $path, $bytes := . }} 
diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml old mode 100755 new mode 100644 index 2da0035fa0..cd23866263 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/deployment.yaml @@ -1,6 +1,8 @@ {{/* # ============LICENSE_START======================================================= # Copyright (C) 2020 AT&T Intellectual Property. +# Modifications Copyright (C) 2024-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -20,45 +22,28 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{ end }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-policy-galera-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness + {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + - JAASLOGIN=`echo $JAASLOGIN | tr -d '"'`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done env: - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} 
@@ -72,6 +57,23 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - name: SQL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} + - name: JAASLOGIN + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + - name: KAFKA_URL + value: {{ include "common.release" . }}-{{ .Values.global.kafkaBootstrap }} + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + - name: SASL + value: {{ .Values.kafkaUser.authenticationType | upper }} + - name: GROUP_ID + value: {{ .Values.groupIdPrefix }}-$(POD_UID) + - name: PAP_TOPIC + value: {{ .Values.config.app.listener.policyPdpPapTopic }} volumeMounts: - mountPath: /config-input name: pdpxconfig 
@@ -79,27 +81,16 @@ spec: name: pdpxconfig-processed image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 8 | trim }} name: {{ include "common.name" . }}-update-config -{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{- if .Values.global.aafEnabled }} - command: ["sh","-c"] - args: ["source {{ .Values.certInitializer.credsPath }}/.ci;\ - /opt/app/policy/pdpx/bin/policy-pdpx.sh /opt/app/policy/pdpx/etc/mounted/config.json"] -{{- else }} command: ["/opt/app/policy/pdpx/bin/policy-pdpx.sh"] args: ["/opt/app/policy/pdpx/etc/mounted/config.json"] - env: - - name: KEYSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 12 }} - - name: TRUSTSTORE_PASSWD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 12 }} -{{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} 
@@ -115,28 +106,87 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} + - name: policy-guard + mountPath: /opt/app/policy/pdpx/apps/guard + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/guard/xacml.properties + subPath: xacml.properties + - name: policy-match + mountPath: /opt/app/policy/pdpx/apps/match + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/match/xacml.properties + subPath: xacml.properties + - name: policy-monitoring + mountPath: /opt/app/policy/pdpx/apps/monitoring + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/monitoring/xacml.properties + subPath: xacml.properties + - name: policy-naming + mountPath: /opt/app/policy/pdpx/apps/naming + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/naming/xacml.properties + subPath: xacml.properties + - name: policy-native + mountPath: /opt/app/policy/pdpx/apps/native + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/native/xacml.properties + subPath: xacml.properties + - name: policy-optimization + mountPath: /opt/app/policy/pdpx/apps/optimization + - name: pdpxconfig-processed + mountPath: /opt/app/policy/pdpx/apps/optimization/xacml.properties + subPath: xacml.properties + - name: logs + mountPath: /var/log/onap + - name: empty-dir + mountPath: /tmp + subPath: tmp-dir + - mountPath: /opt/app/policy/pdpx/etc/logback.xml + subPath: logback.xml + name: pdpxconfig-processed + - mountPath: /opt/app/policy/pdpx/etc/mounted + name: pdpxconfig-processed - mountPath: /etc/localtime name: localtime readOnly: true - - mountPath: /opt/app/policy/pdpx/etc/mounted - name: pdpxconfig-processed - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . 
| nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} + - name: policy-guard + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-match + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-monitoring + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-naming + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-native + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: policy-optimization + emptyDir: + sizeLimit: {{ .Values.dirSizes.policyDir.sizeLimit }} + - name: empty-dir + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} + - name: logs + emptyDir: + sizeLimit: {{ .Values.dirSizes.logDir.sizeLimit }} - name: localtime - hostPath: - path: /etc/localtime + emptyDir: + sizeLimit: {{ .Values.dirSizes.emptyDir.sizeLimit }} - name: pdpxconfig configMap: name: {{ include "common.fullname" . }}-configmap @@ -144,5 +194,5 @@ spec: - name: pdpxconfig-processed emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + sizeLimit: 64Mi + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml new file mode 100644 index 0000000000..1d571df8b7 --- /dev/null +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/kafkauser.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml index 42995c8985..6dabd951b9 100755 --- a/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/templates/service.yaml @@ -18,22 +18,4 @@ # ============LICENSE_END========================================================= */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml old mode 100755 new mode 100644 index 691e9ce855..061ceed3cd 
--- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml +++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml @@ -1,5 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019-2021 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2024-2025 OpenInfra Europe. All rights reserved. +# Modifications Copyright © 2024-2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,7 +23,12 @@ ################################################################# global: persistence: {} - aafEnabled: true + postgres: + service: + name: policy-postgres + name2: policy-pg-primary + name3: policy-pg-replica + port: 5432 ################################################################# # Secrets metaconfig 
@@ -45,58 +52,24 @@ secrets: login: '{{ .Values.apiServer.user }}' password: '{{ .Values.apiServer.password }}' passwordPolicy: required - - uid: keystore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.keyStorePassword }}' - passwordPolicy: required - - uid: truststore-password - type: password - externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' - password: '{{ .Values.certStores.trustStorePassword }}' - passwordPolicy: required - -certStores: - keyStorePassword: Pol1cy_0nap - trustStorePassword: Pol1cy_0nap - -certInitializer: - nameOverride: policy-xacml-pdp-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: policy - fqi: policy@policy.onap.org - public_fqdn: policy.onap.org - cadi_latitude: "0.0" - cadi_longitude: "0.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - uid: 100 - gid: 101 - aaf_add_config: > - echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci; - echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci; - chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }}); - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/policy-xacml-pdp:2.7.1 +image: onap/policy-xacml-pdp:4.2.0 pullPolicy: Always +componentName: &componentName policy-xacml-pdp + # flag to enable debugging - application support required debugEnabled: false # application configuration db: - user: policy_user + user: policy-user password: policy_user - service: - name: policy-mariadb - internalPort: 3306 restServer: user: healthcheck 
@@ -108,6 +81,12 @@ apiServer: # default number of instances replicaCount: 1 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 nodeSelector: {} 
@@ -125,37 +104,83 @@ readiness: initialDelaySeconds: 20 periodSeconds: 10 +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 80 + service: type: ClusterIP - name: policy-xacml-pdp - portName: http - externalPort: 6969 + name: *componentName internalPort: 6969 + ports: + - name: http + port: 6969 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: dcae-datafile-collector-read + - serviceAccount: dcae-datalake-admin-ui-read + - serviceAccount: dcae-datalake-des-read + - serviceAccount: dcae-datalake-feeder-read + - serviceAccount: dcae-heartbeat-read + - serviceAccount: dcae-hv-ves-collector-read + - serviceAccount: dcae-kpi-ms-read + - serviceAccount: dcae-pm-mapper-read + - serviceAccount: dcae-pmsh-read + - serviceAccount: dcae-prh-read + - serviceAccount: dcae-restconf-collector-read + - serviceAccount: dcae-slice-analysis-ms-read + - serviceAccount: dcae-snmptrap-collector-read + - serviceAccount: dcae-son-handler-read + - serviceAccount: dcae-tcagen2-read + - serviceAccount: dcae-ves-collector-read + - serviceAccount: dcae-ves-mapper-read + - serviceAccount: dcae-ves-openapi-manager-read + - serviceAccount: strimzi-kafka-read + - serviceAccount: oof-read + - serviceAccount: sdnc-read + flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} +securityContext: + user_id: 100 + group_id: 102 + +groupIdPrefix: policy-xacml-pdp + +dirSizes: + emptyDir: + sizeLimit: 1Gi + logDir: + sizeLimit: 500Mi + policyDir: + sizeLimit: 100Mi + #Pods Service Account serviceAccount: - nameOverride: policy-xacml-pdp + nameOverride: *componentName roles: - read 
@@ -164,11 +189,17 @@ metrics: # Override the labels based on the Prometheus config parameter: serviceMonitorSelector. # The default operator for prometheus enforces the below label. labels: + app: '{{ include "common.name" . }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + version: '{{ .Chart.Version | replace "+" "_" }}' release: prometheus enabled: true - port: policy-xacml-pdp + port: http + path: /metrics interval: 60s - isHttps: true + isHttps: false basicAuth: enabled: true externalSecretNameSuffix: policy-xacml-pdp-restserver-creds @@ -176,6 +207,33 @@ metrics: externalSecretPasswordKey: password selector: app: '{{ include "common.name" . }}' - chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' - release: '{{ include "common.release" . }}' - heritage: '{{ .Release.Service }}' + helm.sh/chart: '{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}' + app.kubernetes.io/instance: '{{ include "common.release" . }}' + app.kubernetes.io/managed-by: '{{ .Release.Service }}' + +config: + # Event consumption (kafka) properties + kafka: + consumer: + groupId: policy-xacml-pdp + app: + listener: + policyPdpPapTopic: policy-pdp-pap + +# Strimzi Kafka config +kafkaUser: + authenticationType: scram-sha-512 + acls: + - name: policy-xacml-pdp + type: group + patternType: prefix + operations: [ Create, Describe, Read, Write ] + - name: policy-pdp-pap + type: topic + patternType: prefix + operations: [ Create, Describe, Read, Write ] + +readinessCheck: + wait_for: + services: + - policy-api diff --git a/kubernetes/policy/resources/config/db-pg.sh b/kubernetes/policy/resources/config/db-pg.sh deleted file mode 100644 index f26a80fad7..0000000000 --- a/kubernetes/policy/resources/config/db-pg.sh +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/bin/sh -# -# ============LICENSE_START======================================================= -# Copyright (C) 2021-2022 Nordix Foundation. -# ================================================================================ -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# SPDX-License-Identifier: Apache-2.0 -# ============LICENSE_END========================================================= -# - -#psql() { /usr/bin/psql -h ${PG_HOST} -p ${PG_PORT} "$@"; }; - -export PGPASSWORD=${PG_ADMIN_PASSWORD}; - -psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE USER ${PG_USER} WITH PASSWORD '${PG_USER_PASSWORD}'" - -for db in migration pooling policyadmin policyclamp operationshistory clampacm -do - psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "CREATE DATABASE ${db};" - psql -h ${PG_HOST} -p ${PG_PORT} -U postgres --command "GRANT ALL PRIVILEGES ON DATABASE ${db} TO ${PG_USER};" -done diff --git a/kubernetes/policy/resources/config/db.sh b/kubernetes/policy/resources/config/db.sh deleted file mode 100755 index 866d422c14..0000000000 --- a/kubernetes/policy/resources/config/db.sh +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/bin/sh -{{/* -# Copyright © 2017 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2018, 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021 Nordix Foundation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -mysql() { /usr/bin/mysql -h ${MYSQL_HOST} -P ${MYSQL_USER} "$@"; }; - -for db in migration pooling policyadmin policyclamp operationshistory clampacm -do - mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" - mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" -done - -mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;" diff --git a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh b/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh deleted file mode 100644 index 53921ab751..0000000000 --- a/kubernetes/policy/resources/config/db_migrator_pg_policy_init.sh +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/sh -{{/* -# Copyright (C) 2022 Nordix Foundation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB} -/opt/app/policy/bin/db-migrator-pg -s ${SQL_DB} -o upgrade -rc=$? -/opt/app/policy/bin/db-migrator-pg -s ${SQL_DB} -o report -exit $rc diff --git a/kubernetes/policy/resources/config/db_migrator_policy_init.sh b/kubernetes/policy/resources/config/db_migrator_policy_init.sh deleted file mode 100644 index d1cc108fec..0000000000 --- a/kubernetes/policy/resources/config/db_migrator_policy_init.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh -{{/* -# Copyright (C) 2021 Nordix Foundation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -/opt/app/policy/bin/prepare_upgrade.sh ${SQL_DB} -/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o upgrade -rc=$? -/opt/app/policy/bin/db-migrator -s ${SQL_DB} -o report -exit $rc 
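Review bot: In the xacml-pdp `metrics` hunk `@@ -164,11 +189,17 @@` earlier in this patch, `isHttps: true` becomes `isHttps: false` while `basicAuth.enabled: true` stays, so the scrape credentials referenced by `externalSecretNameSuffix: policy-xacml-pdp-restserver-creds` would travel over plain HTTP to `port: http`, `path: /metrics`. If TLS is now provided by a service-mesh sidecar, say so in a comment next to `isHttps`; otherwise keep HTTPS on this endpoint or stop sending the REST server credentials on the scrape. In the following hunk `@@ -176,6 +207,33 @@`, both `kafkaUser.acls` entries use `patternType: prefix`, which also matches any group or topic whose name merely starts with `policy-xacml-pdp` or `policy-pdp-pap`; `literal` is the tighter choice if only those exact names are used.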
diff --git a/kubernetes/policy/templates/configmap.yaml b/kubernetes/policy/templates/configmap.yaml deleted file mode 100755 index c8b01ccb81..0000000000 --- a/kubernetes/policy/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021-2022 Nordix Foundation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-db-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/*.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/policy/templates/job.yaml b/kubernetes/policy/templates/job.yaml deleted file mode 100755 index 0df26568e5..0000000000 --- a/kubernetes/policy/templates/job.yaml +++ /dev/null 
@@ -1,369 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# Modifications Copyright © 2020 AT&T Intellectual Property -# Modifications Copyright (C) 2022 Nordix Foundation. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-galera-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-galera-init - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-galera-init - release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-galera-init - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-mariadb-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - - --container-name - - {{ index .Values "mariadb-galera" "service" "name" }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-galera-config - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.mariadb.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /dbcmd-config/db.sh - name: {{ include "common.fullname" . }}-config - subPath: db.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.onServiceMesh" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db.sh - env: - - name: MYSQL_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 10 }} - - name: MYSQL_HOST - value: "{{ index .Values "mariadb-galera" "service" "name" }}" - - name: MYSQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - - name: MYSQL_PORT - value: "{{ index .Values "mariadb-galera" "service" "internalPort" }}" - resources: -{{ include "common.resources" . }} - {{- if (include "common.onServiceMesh" .) }} - - name: policy-service-mesh-wait-for-job-container - image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0 - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-config -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- end }} - restartPolicy: Never - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-db-configmap - defaultMode: 0755 - items: - - key: db.sh - path: db.sh - -{{ if .Values.global.postgres.localCluster }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-pg-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . 
}}-pg-init - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-pg-init - release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-pg-init - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: {{ if .Values.global.postgres.localCluster }}{{ include "common.readinessCheck.waitFor" . | nindent 6 }}{{ end }} - containers: - - name: {{ include "common.name" . }}-pg-config - image: {{ .Values.repository }}/{{ .Values.postgresImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /docker-entrypoint-initdb.d/db-pg.sh - name: {{ include "common.fullname" . }}-config - subPath: db-pg.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.onServiceMesh" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /docker-entrypoint-initdb.d/db-pg.sh - env: - - name: PG_ADMIN_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-root-pass" "key" "password") | indent 12 }} - - name: PG_HOST - value: "{{ .Values.postgres.service.name2 }}" - - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 12 }} - - name: PG_USER_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }} - - name: PG_PORT - value: "{{ .Values.postgres.service.internalPort }}" - resources: -{{ include "common.resources" . }} - {{- if (include "common.onServiceMesh" .) }} - - name: policy-service-mesh-wait-for-job-container - image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0 - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . 
}}-pg-config -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- end }} - restartPolicy: Never - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-db-configmap - defaultMode: 0755 - items: - - key: db-pg.sh - path: db-pg.sh -{{ end }} - ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-galera-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-galera-config - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-galera-config - release: {{ include "common.release" . }} - name: {{ include "common.name" . }}-galera-config - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-galera-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-galera-db-migrator - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /dbcmd-config/db_migrator_policy_init.sh - name: {{ include "common.fullname" . }}-config - subPath: db_migrator_policy_init.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.onServiceMesh" . 
}} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db_migrator_policy_init.sh - env: - - name: SQL_HOST - value: "{{ index .Values "mariadb-galera" "service" "name" }}" - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - - name: SQL_DB - value: {{ .Values.dbmigrator.schema }} - - name: POLICY_HOME - value: {{ .Values.dbmigrator.policy_home }} - - name: SCRIPT_DIRECTORY - value: "sql" - resources: -{{ include "common.resources" . }} - {{- if (include "common.onServiceMesh" .) }} - - name: policy-service-mesh-wait-for-job-container - image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0 - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-galera-db-migrator -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- end }} - restartPolicy: Never - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-db-configmap - defaultMode: 0755 - items: - - key: db_migrator_policy_init.sh - path: db_migrator_policy_init.sh - -{{ if .Values.global.postgres.localCluster }} ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-pg-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-pg-config - release: {{ include "common.release" . }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-pg-config - release: {{ include "common.release" . }} - name: {{ include "common.name" . 
}}-pg-config - spec: - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-pg-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-pg-db-migrator - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dbmigrator.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - mountPath: /dbcmd-config/db_migrator_pg_policy_init.sh - name: {{ include "common.fullname" . }}-config - subPath: db_migrator_pg_policy_init.sh - command: - - /bin/sh - - -cx - - | - {{- if include "common.onServiceMesh" . }} - echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - /dbcmd-config/db_migrator_pg_policy_init.sh - env: - - name: SQL_HOST - value: "{{ .Values.postgres.service.name2 }}" - - name: SQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - - name: SQL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - - name: SQL_DB - value: {{ .Values.dbmigrator.schema }} - - name: POLICY_HOME - value: {{ .Values.dbmigrator.policy_home }} - - name: SCRIPT_DIRECTORY - value: "postgres" - - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - resources: -{{ include "common.resources" . }} - {{- if (include "common.onServiceMesh" .) 
}} - - name: policy-service-mesh-wait-for-job-container - image: nexus3.onap.org:10001/onap/oom/readiness:4.1.0 - imagePullPolicy: Always - command: - - /bin/sh - - "-c" - args: - - echo "waiting 10s for istio side cars to be up"; sleep 10s; - /app/ready.py --service-mesh-check {{ include "common.name" . }}-pg-db-migrator -t 45; - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - {{- end }} - restartPolicy: Never - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: {{ include "common.fullname" . }}-config - configMap: - name: {{ include "common.fullname" . }}-db-configmap - defaultMode: 0755 - items: - - key: db_migrator_pg_policy_init.sh - path: db_migrator_pg_policy_init.sh -{{ end }} diff --git a/kubernetes/policy/templates/policy-kafka-topics.yaml b/kubernetes/policy/templates/policy-kafka-topics.yaml index 1894d62a42..0f71ae1a2b 100644 --- a/kubernetes/policy/templates/policy-kafka-topics.yaml +++ b/kubernetes/policy/templates/policy-kafka-topics.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2022 Nordix Foundation +# Modifications Copyright ©2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -13,24 +14,12 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.config.useStrimziKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: {{ .Values.config.acRuntimeTopic.name }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - partitions: {{ .Values.config.acRuntimeTopic.partitions }} - config: - retention.ms: {{ .Values.config.acRuntimeTopic.retentionMs }} - segment.bytes: {{ .Values.config.acRuntimeTopic.segmentBytes }} ---- + apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaTopic metadata: name: {{ .Values.config.policyPdpPapTopic.name }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: partitions: {{ .Values.config.policyPdpPapTopic.partitions }} @@ -42,7 +31,7 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaTopic metadata: name: {{ .Values.config.policyHeartbeatTopic.name }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: partitions: {{ .Values.config.policyHeartbeatTopic.partitions }} 
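Review bot: The `{{- if .Values.config.useStrimziKafka }}` guard is removed at the top of policy-kafka-topics.yaml in hunk `@@ -13,24 +14,12 @@` (its `{{- end }}` goes in the last hunk of the file), so every `KafkaTopic` is now rendered unconditionally; policy-kafka-user.yaml drops the same guard. values.yaml in this change adds `global.useStrimziKafka: true`, but neither template reads it. Either wrap both files in `{{- if .Values.global.useStrimziKafka }}` or drop the flag, otherwise an install on a cluster without the `kafka.strimzi.io/v1beta2` CRDs fails on these resources with no way to switch them off.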
@@ -54,11 +43,22 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaTopic metadata: name: {{ .Values.config.policyNotificationTopic.name }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: partitions: {{ .Values.config.policyNotificationTopic.partitions }} config: retention.ms: {{ .Values.config.policyNotificationTopic.retentionMs }} segment.bytes: {{ .Values.config.policyNotificationTopic.segmentBytes }} -{{- end }} +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaTopic +metadata: + name: {{ .Values.config.opaPdpDataTopic.name }} + labels: {{- include "common.labels" . | nindent 4 }} + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: + partitions: {{ .Values.config.opaPdpDataTopic.partitions }} + config: + retention.ms: {{ .Values.config.opaPdpDataTopic.retentionMs }} + segment.bytes: {{ .Values.config.opaPdpDataTopic.segmentBytes }} diff --git a/kubernetes/policy/templates/policy-kafka-user.yaml b/kubernetes/policy/templates/policy-kafka-user.yaml index 43edb64c83..86ee725c42 100644 --- a/kubernetes/policy/templates/policy-kafka-user.yaml +++ b/kubernetes/policy/templates/policy-kafka-user.yaml @@ -1,6 +1,6 @@ {{/* -# Copyright © 2022 Nordix Foundation -# Modifications Copyright © 2022 Nordix Foundation +# Copyright © 2022-2023 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,12 +14,12 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- if .Values.config.useStrimziKafka }} + apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: @@ -29,22 +29,21 @@ spec: acls: - resource: type: group - name: {{ .Values.config.acRuntimeTopic.consumer.groupId }} - operation: All - - resource: - type: topic - name: {{ .Values.config.acRuntimeTopic.name }} - operation: All + name: {{ .Values.config.policyPdpPapTopic.consumer.groupId }} + operations: + - All - resource: type: topic name: {{ .Values.config.policyPdpPapTopic.name }} - operation: All + operations: + - All - resource: type: topic name: {{ .Values.config.policyHeartbeatTopic.name }} - operation: All + operations: + - All - resource: type: topic name: {{ .Values.config.policyNotificationTopic.name }} - operation: All -{{- end }} + operations: + - All diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml old mode 100755 new mode 100644 index b3297278a9..2f7f141fe3 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018-2020 AT&T Intellectual Property -# Modifications Copyright (C) 2021-2022 Nordix Foundation. +# Modifications Copyright (C) 2021-2025 Nordix Foundation. +# Modifications Copyright © 2024-2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,27 +19,27 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true - mariadb: - # '&mariadbConfig' means we "store" the values for later use in the file - # with '*mariadbConfig' pointer. - config: &mariadbConfig - mysqlDatabase: policyadmin - service: &mariadbService - name: &policy-mariadb policy-mariadb - internalPort: 3306 - prometheusEnabled: false + prometheusEnabled: true postgres: - localCluster: false + localCluster: true + # flag to enable the DB creation via pgo-operator + useOperator: false service: - name: pgset - name2: tcp-pgset-primary - name3: tcp-pgset-replica - container: - name: postgres - kafkaBootstrap: strimzi-kafka-bootstrap + name: &postgresName policy-postgres + name2: &postgresName2 policy-pg-primary + name3: &postgresName3 policy-pg-replica + port: &postgresPort 5432 + nameOverride: *postgresName + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: + kafkaBootstrap: strimzi-kafka-bootstrap:9092 policyKafkaUser: policy-kafka-user - + useStrimziKafka: true + kafkaTopics: + acRuntimeOperationTopic: + name: policy-acruntime-participant + acRuntimeSyncTopic: + name: acm-ppnt-sync ################################################################# # Secrets metaconfig ################################################################# 
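Review bot: `kafkaBootstrap` under `global` changes from `strimzi-kafka-bootstrap` to `strimzi-kafka-bootstrap:9092`, so any template or subchart that still appends its own port to `global.kafkaBootstrap` ends up with a doubled port; every consumer of the value needs checking in the same change. The hunk also flips two defaults (`prometheusEnabled: false` to `true`, `postgres.localCluster: false` to `true`) and removes `global.mariadb` altogether, so existing overrides of `global.mariadb.*` are silently ignored after upgrade. These behaviour changes deserve a release-note entry and a short comment beside `localCluster`.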
@@ -46,15 +47,29 @@ secrets: - uid: db-root-password name: &dbRootPassSecretName '{{ include "common.release" . }}-policy-db-root-password' type: password - externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) (hasSuffix "policy-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret"))}}' - password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' + externalSecret: '{{ .Values.global.postgres.localCluster | ternary + ( hasSuffix "policy-db-root-password" (index .Values "postgres" "config" "pgRootPasswordExternalSecret") | ternary + "" + (tpl (default "" (index .Values "postgres" "config" "pgRootPasswordExternalSecret")) .) + ) + ( not (empty (default "" .Values.global.postgres.userRootSecret)) | ternary + .Values.global.postgres.userRootSecret + (include "common.postgres.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.postgres.nameOverride) + ) + ) + }}' + password: '{{ (index .Values "postgres" "config" "pgRootPassword") }}' policy: generate - uid: db-secret name: &dbSecretName '{{ include "common.release" . }}-policy-db-secret' type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "db" "externalSecret")) .) (hasSuffix "policy-db-secret" (index .Values "mariadb-galera" "db" "externalSecret"))}}' - login: '{{ index .Values "mariadb-galera" "db" "user" }}' - password: '{{ index .Values "mariadb-galera" "db" "password" }}' + externalSecret: '{{ hasSuffix "policy-db-secret" (index .Values "postgres" "config" "pgUserExternalSecret") | ternary + "" + (tpl (default "" (index .Values "postgres" "config" "pgUserExternalSecret")) .) + }}' + login: '{{ (index .Values "postgres" "config" "pgUserName") }}' + password: '{{ (index .Values "postgres" "config" "pgUserPassword") }}' passwordPolicy: generate - uid: policy-app-user-creds name: &policyAppCredsSecret '{{ include "common.release" . }}-policy-app-user-creds' 
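Review bot: The `db-root-password` entry now reads `postgres.config.pgRootPassword`, while the `pg-root-pass` entry removed in the next hunk read `postgres.config.pgRootpassword` (lower-case `p`); an override that still uses the old spelling is ignored and a password is generated instead, so the rename should be documented. In both new `externalSecret` expressions `hasSuffix` is applied directly to the `index .Values "postgres" "config" ...` lookup and `default ""` only wraps the `tpl` branch; apply `default ""` before `hasSuffix` too so the template does not fail when the key is unset. This entry also keeps `policy: generate` while `db-secret` uses `passwordPolicy: generate`; please confirm which key the common secret template reads and make the two consistent.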
@@ -77,19 +92,6 @@ secrets: login: '{{ .Values.restServer.policyApiUserName }}' password: '{{ .Values.restServer.policyApiUserPassword }}' passwordPolicy: required - - uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-policy-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "policy-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootpassword }}' - policy: generate - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-policy-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "policy-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate db: &dbSecretsHook credsExternalSecret: *dbSecretName 
@@ -124,56 +126,36 @@ policy-drools-pdp: db: *dbSecretsHook config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' -policy-distribution: +policy-opa-pdp: enabled: true - db: *dbSecretsHook config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' +policy-distribution: + enabled: true + db: *dbSecretsHook policy-clamp-ac-k8s-ppnt: enabled: true - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-clamp-ac-pf-ppnt: enabled: true restServer: apiUserExternalSecret: *policyApiCredsSecret papUserExternalSecret: *policyPapCredsSecret - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' policy-clamp-ac-http-ppnt: enabled: true - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' -policy-nexus: - enabled: false - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' +policy-clamp-ac-a1pms-ppnt: + enabled: true +policy-clamp-ac-kserve-ppnt: + enabled: true policy-clamp-runtime-acm: enabled: true db: *dbSecretsHook config: appUserExternalSecret: *policyAppCredsSecret - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' -policy-gui: +policy-nexus: enabled: false config: jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.policyKafkaUser }}' -################################################################# -# DB configuration defaults. -################################################################# - -repository: nexus3.onap.org:10001 -pullPolicy: Always - -mariadb: - image: mariadb:10.5.8 - -dbmigrator: - image: onap/policy-db-migrator:2.5.1 - schema: policyadmin - policy_home: "/opt/app/policy" - subChartsOnly: enabled: true 
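Review bot: `policy-opa-pdp` is wired to the shared `policyKafkaUser` secret through `jaasConfExternalSecret`, but the KafkaUser ACL list in policy-kafka-user.yaml covers only `policyPdpPapTopic` (group and topic), `policyHeartbeatTopic` and `policyNotificationTopic`, not the `opaPdpDataTopic` that policy-kafka-topics.yaml adds in this patch. If opa-pdp reads or writes that topic with this user, add a topic ACL for `{{ .Values.config.opaPdpDataTopic.name }}`; if it has its own KafkaUser, a comment here would make that clear. In the same hunk `policy-distribution` and the `policy-clamp-*` entries lose `config.jaasConfExternalSecret` while staying `enabled: true`; confirm each of them now gets Kafka credentials from its own chart.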
@@ -183,9 +165,9 @@ debugEnabled: false # default number of instances replicaCount: 1 -nodeSelector: {} +nodeSelector: { } -affinity: {} +affinity: { } # probe configuration parameters liveness: @@ -199,17 +181,8 @@ readiness: initialDelaySeconds: 10 periodSeconds: 10 - config: policyAppUserName: runtimeUser - useStrimziKafka: true - acRuntimeTopic: - name: policy-acruntime-participant - partitions: 10 - retentionMs: 7200000 - segmentBytes: 1073741824 - consumer: - groupId: policy-group policyPdpPapTopic: name: policy-pdp-pap partitions: 10 
@@ -231,51 +204,34 @@ config: segmentBytes: 1073741824 consumer: groupId: policy-group + opaPdpDataTopic: + name: opa-pdp-data + partitions: 10 + retentionMs: 7200000 + segmentBytes: 1073741824 someConfig: blah -mariadb-galera: - # mariadb-galera.config and global.mariadb.config must be equals - db: - user: policy_user - # password: - externalSecret: *dbSecretName - name: &mysqlDbName policyadmin - rootUser: - externalSecret: *dbRootPassSecretName - nameOverride: *policy-mariadb - # mariadb-galera.service and global.mariadb.service must be equals - service: *mariadbService - replicaCount: 1 - persistence: - enabled: true - mountSubPath: policy/maria/data - serviceAccount: - nameOverride: *policy-mariadb - -postgresImage: library/postgres:latest # application configuration override for postgres postgres: nameOverride: &postgresName policy-postgres service: name: *postgresName - name2: policy-pg-primary - name3: policy-pg-replica + name2: *postgresName2 + name3: *postgresName3 + internalPort: *postgresPort container: name: - primary: policy-pg-primary - replica: policy-pg-replica + primary: *postgresName2 + replica: *postgresName3 persistence: mountSubPath: policy/postgres/data mountInitPath: policy + size: 3Gi config: - pgUserName: policy_user + pgUserName: policy-user pgDatabase: policyadmin - pgUserExternalSecret: *pgUserCredsSecretName - pgRootPasswordExternalSecret: *pgRootPassSecretName - -readinessCheck: - wait_for: - - '{{ ternary .Values.postgres.service.name "postgres" .Values.global.postgres.localCluster }}' + pgUserExternalSecret: *dbSecretName + pgRootPasswordExternalSecret: *dbRootPassSecretName restServer: policyPapUserName: policyadmin 
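Review bot: `pgUserName` changes from `policy_user` to `policy-user` in the `postgres.config` block; a hyphenated role name must be double-quoted in PostgreSQL, so any init or migration SQL that interpolates the name unquoted will fail, and databases created by earlier releases still own their objects under `policy_user`. Keep the underscore unless the rename is intentional and an upgrade path exists. Separately, the unchanged line `nameOverride: &postgresName policy-postgres` redefines the `&postgresName` anchor that this patch already introduces under `global.postgres.service.name`; replace it with `*postgresName` so the value has a single definition.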
@@ -289,19 +245,23 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 4Gi + cpu: "1" + memory: "4Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "100m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 200m - memory: 2Gi - unlimited: {} + cpu: "200m" + memory: "2Gi" + unlimited: { } + +securityContext: + user_id: 100 + group_id: 65533 #Pods Service Account serviceAccount: diff --git a/kubernetes/portal-ng/.helmignore b/kubernetes/portal-ng/.helmignore new file mode 100644 index 0000000000..5483707e0d --- /dev/null +++ b/kubernetes/portal-ng/.helmignore @@ -0,0 +1,33 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Project/CI/CD related items +.gitlab +.gitlab-ci.yml +.dockerignore +# Helm build files +.helmignore +.cache/ +.config/ +.local/ +# OOM specific dirs +components/ + diff --git a/kubernetes/portal-ng/Chart.yaml b/kubernetes/portal-ng/Chart.yaml new file mode 100644 index 0000000000..649b1cd790 --- /dev/null +++ b/kubernetes/portal-ng/Chart.yaml 
@@ -0,0 +1,35 @@ +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP Next Generation Portal +name: portal-ng +version: 14.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: portal-ng-bff + version: ~13.x-0 + repository: '@local' + - name: portal-ng-preferences + version: ~14.x-0 + repository: '@local' + - name: portal-ng-history + version: ~14.x-0 + repository: '@local' + - name: portal-ng-ui + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/vfc/Makefile b/kubernetes/portal-ng/Makefile similarity index 100% rename from kubernetes/vfc/Makefile rename to kubernetes/portal-ng/Makefile diff --git a/kubernetes/portal-ng/README.md b/kubernetes/portal-ng/README.md new file mode 100644 index 0000000000..82813a6705 --- /dev/null +++ b/kubernetes/portal-ng/README.md @@ -0,0 +1,19 @@ + +# Helm Chart for the Portal Application \ No newline at end of file diff --git a/kubernetes/portal-ng/components/Makefile b/kubernetes/portal-ng/components/Makefile new file mode 100644 index 0000000000..08ed7cb9da --- /dev/null +++ b/kubernetes/portal-ng/components/Makefile 
@@ -0,0 +1,58 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) +OUTPUT_DIR := $(ROOT_DIR)/../dist +PACKAGE_DIR := $(OUTPUT_DIR)/packages +SECRET_DIR := $(OUTPUT_DIR)/secrets + +EXCLUDES := dist resources templates charts docker +HELM_BIN := helm +ifneq ($(SKIP_LINT),TRUE) + HELM_LINT_CMD := $(HELM_BIN) lint +else + HELM_LINT_CMD := echo "Skipping linting of" +endif + +HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) + +.PHONY: $(EXCLUDES) $(HELM_CHARTS) + +all: $(HELM_CHARTS) + +$(HELM_CHARTS): + @echo "\n[$@]" + @make package-$@ + +make-%: + @if [ -f $*/Makefile ]; then make -C $*; fi + +dep-%: make-% + @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi + +lint-%: dep-% + @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi + +package-%: lint-% + @mkdir -p $(PACKAGE_DIR) + @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi + @sleep 3 + #@$(HELM_BIN) repo index $(PACKAGE_DIR) + +clean: + @rm -f */Chart.lock + @rm -f *tgz */charts/*tgz + @rm -rf $(PACKAGE_DIR) +%: + @: diff --git a/kubernetes/portal-ng/components/portal-ng-bff/.helmignore b/kubernetes/portal-ng/components/portal-ng-bff/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null 
+++ b/kubernetes/portal-ng/components/portal-ng-bff/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml new file mode 100644 index 0000000000..457e5fbeae --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/Chart.yaml 
@@ -0,0 +1,45 @@ +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: portal-ng-bff +description: Helm chart of the backend for ONAP portal. This micro service follows the backend for frontend approach. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 13.0.1 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: 0.1.2 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' 
diff --git a/kubernetes/portal-ng/components/portal-ng-bff/README.md b/kubernetes/portal-ng/components/portal-ng-bff/README.md new file mode 100644 index 0000000000..4baa4f2d08 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/README.md @@ -0,0 +1,8 @@ +# Portal-bff helm chart +This repository contains the chart for the portal-bff. + +# Redis chart +The app has a dependency to Redis. The chart for this was obtained from [artifacthub](https://artifacthub.io/packages/helm/bitnami/redis). For updates to that chart, go there click on `Install` and copy the direct link. Then do a +``` bash +wget -P charts/ https://charts.bitnami.com/bitnami/redis-16.8.7.tgz +``` diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml new file mode 100644 index 0000000000..f41d630f02 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} + {{- range $key, $val := .Values.global.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml new file mode 100644 index 0000000000..7d521cf1cb --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/deployment.yaml 
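Review bot: The portal-ng-bff README tells maintainers to `wget` `redis-16.8.7.tgz` into `charts/`, but the chart's Chart.yaml declares only `common` and `repositoryGenerator`, and the repository .gitignore excludes `**/charts/*.tgz`, so the Redis chart is neither declared nor tracked. If Redis is really required, list it under `dependencies` with a pinned version and repository so it is resolved by `helm dep up` and shows up in review; if it is not, drop the section from the README.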
@@ -0,0 +1,42 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "common.templateMetadata" . | indent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + - secretRef: + name: {{ include "common.fullname" . }}-secret + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + resources: {{ include "common.resources" . | nindent 12 }} diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/hpa.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/hpa.yaml new file mode 100644 index 0000000000..b686ac998b --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/hpa.yaml 
@@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/secret.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/secret.yaml new file mode 100644 index 0000000000..a47b707284 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/secret.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-secret + namespace: {{ include "common.namespace" . }} +type: Opaque +data: + {{- range $key, $val := .Values.secretEnv }} + {{ $key }}: {{ $val | b64enc | quote }} + {{- end -}} \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/service.yaml new file mode 100644 index 0000000000..301d358c3b --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/service.yaml 
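Review bot: templates/hpa.yaml is written against `apiVersion: autoscaling/v2beta1` with `targetAverageUtilization`, an API version that was removed in Kubernetes 1.25, so setting `autoscaling.enabled: true` on a current cluster makes the release fail to apply. Move to `autoscaling/v2`, where each resource metric takes a `target` block with `type: Utilization` and `averageUtilization`. The same template is added unchanged for portal-ng-history.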
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-bff/templates/tests/test-connection.yaml b/kubernetes/portal-ng/components/portal-ng-bff/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..327df40ef6 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/templates/tests/test-connection.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "common.fullname" . }}-test-connection + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "common.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/kubernetes/portal-ng/components/portal-ng-bff/values.yaml b/kubernetes/portal-ng/components/portal-ng-bff/values.yaml new file mode 100644 index 0000000000..90ac470abe --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-bff/values.yaml 
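Review bot: The `wget` container in templates/tests/test-connection.yaml uses `image: busybox` with no tag or digest and without the `repositoryGenerator.repository` prefix that deployment.yaml uses, so the test hook pulls whatever the default tag resolves to from the default registry. Pin a version and route the image through the same registry helper. The pod also omits the `common.podSecurityContext` and `common.containerSecurityContext` includes and sets no `resources`, so it does not pick up the `securityContext` user and group configured in values.yaml for the main container.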
@@ -0,0 +1,105 @@ +global: + env: + KEYCLOAK_URL: http://keycloak-http.keycloak + KEYCLOAK_REALM: onap + COLLECTOR_HOST: jaeger-collector.istio-config + COLLECTOR_PORT: 9411 + +## Default values for portal-ng-bff. +## This is a YAML-formatted file. +## Declare variables to be passed into your templates. + +## +## Specifies the details of the Docker image to be used for deployment. +## +image: + ## The name of the Docker image. + imageName: onap/portal-ng/bff + ## The policy that indicates when the image should be pulled. + ## "Always" means the image will be pulled on every deployment. + pullPolicy: Always + ## Overrides the image tag. The default is the chart appVersion. + ## An empty value means the default tag will be used. + # tag: 0.1.0 + +## Number of Pods to deploy +replicaCount: 2 + +## Specifies how many old replicas will be retained in a deployment +revisionHistoryLimit: 2 + +## Custom selector label (for bigger namespaces with other components) +partOf: portal + +## +## Service +## +service: + ## Use ClusterIP as the service type to expose the service on an internal IP + type: ClusterIP + port: 9080 + ## The port on which the service is exposed + ports: + - name: http + port: 9080 + +## +## Autoscaling +## +autoscaling: + ## Autoscaling is disabled. When set to true, the Horizontal Pod Autoscaler is enabled. + enabled: false + ## Minimum number of replicas to maintain. + minReplicas: 1 + ## Maximum number of replicas to maintain. + maxReplicas: 2 + ## Target CPU utilization percentage at which the Horizontal Pod Autoscaler adds or removes replicas. + targetCPUUtilizationPercentage: 80 + +resources: + small: + limits: + cpu: "4" + memory: "1Gi" + requests: + cpu: "50m" + memory: "256Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "100m" + memory: "256Mi" + unlimited: {} + +## +## Readiness and liveness probes +## +probes: + # Configuration of the readiness probe to check if the container is ready. 
+ readiness: + ## Wait before performing the first probe + initialDelaySeconds: 20 + ## Number of consecutive failures allowed before marking probe as failed. + failureThreshold: 4 + # Configuration of the liveness probe to check if the container is alive. + liveness: + ## Wait before performing the first probe + initialDelaySeconds: 20 + ## Number of consecutive failures allowed before marking probe as failed. + failureThreshold: 4 + +env: + HISTORY_URL: http://portal-ng-history:9002 + PREFERENCES_URL: http://portal-ng-preferences:9001 + TRACING_ENABLED: true + RBAC_EXCLUDED_ENDPOINTS: '' + +secretEnv: + KEYCLOAK_CLIENT_ID: portal-bff + KEYCLOAK_CLIENT_SECRET: pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr + +securityContext: + user_id: 65534 + group_id: 65534 diff --git a/kubernetes/portal-ng/components/portal-ng-history/.helmignore b/kubernetes/portal-ng/components/portal-ng-history/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml new file mode 100644 index 0000000000..bd9a531333 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/Chart.yaml 
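Review bot: `secretEnv.KEYCLOAK_CLIENT_SECRET` in portal-ng-bff/values.yaml is committed as a literal value, and templates/secret.yaml base64-encodes whatever is in `secretEnv` straight into the Secret, so every default install shares one publicly known client secret. Leave the default empty and source the value from an external or generated secret, as portal-ng-history does with its `secrets:` list and `common.secretFast`, and rotate this value in any realm where it is already in use. Separately, under `resources` the `small` flavor has a CPU limit of "4" while `large` has "2", which looks inverted.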
@@ -0,0 +1,55 @@ +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: portal-ng-history +description: Helm chart of the history. This micro service provides the latest user actions of the ONAP portal. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 14.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. 
+appVersion: 0.2.1 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + condition: global.postgres.localCluster + - name: postgres-init + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/portal-ng/components/portal-ng-history/README.md b/kubernetes/portal-ng/components/portal-ng-history/README.md new file mode 100644 index 0000000000..0c0e7b34bb --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/README.md @@ -0,0 +1,2 @@ +# History helm chart +This repository contains the chart for the history service. \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml new file mode 100644 index 0000000000..b81e796c75 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/configmap.yaml 
@@ -0,0 +1,27 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} + {{- range $key, $val := .Values.global.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml new file mode 100644 index 0000000000..9f41df54e4 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/deployment.yaml 
@@ -0,0 +1,63 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "common.templateMetadata" . | indent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + env: + - name: HISTORY_DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 14 }} + - name: HISTORY_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "password") | indent 14 }} + - name: HISTORY_DB_HOST + value: {{ ternary .Values.postgres.service.name2 .Values.global.postgres.service.name2 .Values.global.postgres.localCluster }} + - name: HISTORY_DB_PORT + value: {{ ternary .Values.postgres.service.externalPort2 .Values.global.postgres.service.externalPort2 .Values.global.postgres.localCluster | quote}} + - name: HISTORY_DB + value: {{ .Values.postgres.config.pgDatabase }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + ports: {{ include "common.containerPorts" . | nindent 12 }} + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + resources: {{ include "common.resources" . | nindent 12 }} diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/hpa.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/hpa.yaml new file mode 100644 index 0000000000..9ac9406eda --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/hpa.yaml 
@@ -0,0 +1,47 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- end }} diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/secret.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/secret.yaml new file mode 100644 index 0000000000..ba5ef58dc3 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/secret.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/service.yaml new file mode 100644 index 0000000000..301d358c3b --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-history/templates/tests/test-connection.yaml b/kubernetes/portal-ng/components/portal-ng-history/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..327df40ef6 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/templates/tests/test-connection.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "common.fullname" . }}-test-connection + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "common.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/kubernetes/portal-ng/components/portal-ng-history/values.yaml b/kubernetes/portal-ng/components/portal-ng-history/values.yaml new file mode 100644 index 0000000000..af99e188c9 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-history/values.yaml 
@@ -0,0 +1,142 @@ +global: + env: + KEYCLOAK_URL: http://keycloak-http.keycloak + KEYCLOAK_REALM: onap + COLLECTOR_HOST: jaeger-collector.istio-config + COLLECTOR_PORT: 9411 + #Service Names of the postgres db to connect to. + postgres: + localCluster: false + service: + name: pgset + externalPort: 5432 + name2: tcp-pgset-primary + externalPort2: 5432 + name3: tcp-pgset-replica + externalPort3: 5432 + container: + name: postgres + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-portal-ng-history-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "portal-ng-history-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-portal-ng-history-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "portal-ng-history-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +image: + imageName: onap/portal-ng/history + pullPolicy: Always + # Overrides the image tag whose default value is the chart appVersion. 
+ # tag: 0.1.0 + +replicaCount: 1 + +# Specifies how many old replicas will be retained in a deployment +revisionHistoryLimit: 2 + +imagePullSecrets: + - name: onap-docker-registry-key +nameOverride: "" +fullnameOverride: "" + +# Custom selector label (for bigger namespaces with other components) +partOf: portal + +service: + type: ClusterIP + port: 9002 + ports: + - name: http + port: 9002 + +resources: + small: + limits: + cpu: "1" + memory: "512Mi" + requests: + cpu: "200m" + memory: "256Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "200m" + memory: "256Mi" + unlimited: {} + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +probes: + readiness: + initialDelaySeconds: 30 + failureThreshold: 5 + liveness: + initialDelaySeconds: 30 + failureThreshold: 5 + +env: + TRACING_ENABLED: true + +################################################################# +# Postgres overriding defaults in the postgres +################################################################# +postgres: + nameOverride: &postgresName portal-ng-history-postgres + service: + name: *postgresName + externalPort: 5432 + name2: portal-ng-history-pg-primary + externalPort2: 5432 + name3: portal-ng-history-pg-replica + externalPort3: 5432 + container: + name: + primary: portal-ng-history-pg-primary + replica: portal-ng-history-pg-replica + persistence: + mountSubPath: portal-ng-history/data + mountInitPath: portal-ng-history + config: + pgUserName: portalnghistory + pgDatabase: history + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName + +postgres-init: + nameOverride: portal-ng-history-postgres-init + config: + pgUserName: portalnghistory + pgDatabase: history + pgDataPath: data + pgUserExternalSecret: *pgUserCredsSecretName + serviceAccount: + nameOverride: portal-ng-history-postgres-init + + # pgPrimaryPassword: password + # pgUserPassword: password + # pgRootPassword: 
password + +#Pods Service Account +serviceAccount: + nameOverride: portal-ng-history + roles: + - read + +securityContext: + user_id: 65534 + group_id: 65534 diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/.helmignore b/kubernetes/portal-ng/components/portal-ng-preferences/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml new file mode 100644 index 0000000000..9afd8591d4 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/Chart.yaml 
@@ -0,0 +1,55 @@ +# Copyright (C) 2024 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: portal-ng-preferences +description: Helm chart of the preferences. This micro service provides the user preferences for the ONAP portal. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 14.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. 
+appVersion: 0.2.1 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + condition: global.postgres.localCluster + - name: postgres-init + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/README.md b/kubernetes/portal-ng/components/portal-ng-preferences/README.md new file mode 100644 index 0000000000..4ae034609d --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/README.md @@ -0,0 +1,2 @@ +# Preferences helm chart +This repository contains the chart for the preferences service. \ No newline at end of file diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml new file mode 100644 index 0000000000..b81e796c75 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/configmap.yaml 
@@ -0,0 +1,27 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} + {{- range $key, $val := .Values.global.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml new file mode 100644 index 0000000000..3ce98fee41 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/deployment.yaml 
@@ -0,0 +1,63 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "common.templateMetadata" . | indent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + env: + - name: PREFERENCES_DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 14 }} + - name: PREFERENCES_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "password") | indent 14 }} + - name: PREFERENCES_DB_HOST + value: {{ ternary .Values.postgres.service.name2 .Values.global.postgres.service.name2 .Values.global.postgres.localCluster }} + - name: PREFERENCES_DB_PORT + value: {{ ternary .Values.postgres.service.externalPort2 .Values.global.postgres.service.externalPort2 .Values.global.postgres.localCluster | quote }} + - name: PREFERENCES_DB + value: {{ .Values.postgres.config.pgDatabase }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + ports: {{ include "common.containerPorts" . | nindent 12 }} + livenessProbe: + httpGet: + path: /actuator/health/liveness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: /actuator/health/readiness + port: {{ .Values.service.port }} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + resources: {{ include "common.resources" . | nindent 12 }} diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/hpa.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/hpa.yaml new file mode 100644 index 0000000000..9ac9406eda --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/hpa.yaml 
@@ -0,0 +1,47 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- end }} diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/secret.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/secret.yaml new file mode 100644 index 0000000000..ba5ef58dc3 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/secret.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/service.yaml new file mode 100644 index 0000000000..3639dace48 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2024 Deutsche Telekom. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/templates/tests/test-connection.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/templates/tests/test-connection.yaml new file mode 100644 index 0000000000..327df40ef6 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/templates/tests/test-connection.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "common.fullname" . }}-test-connection + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "common.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never diff --git a/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml b/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml new file mode 100644 index 0000000000..a008091412 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-preferences/values.yaml 
@@ -0,0 +1,143 @@ +global: + env: + KEYCLOAK_URL: http://keycloak-http.keycloak + KEYCLOAK_REALM: onap + COLLECTOR_HOST: jaeger-collector.istio-config + COLLECTOR_PORT: 9411 + #Service Names of the postgres db to connect to. + postgres: + localCluster: false + service: + name: pgset + externalPort: 5432 + name2: tcp-pgset-primary + externalPort2: 5432 + name3: tcp-pgset-replica + externalPort3: 5432 + container: + name: postgres + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-portal-ng-preferences-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "portal-ng-preferences-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-portal-ng-preferences-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "portal-ng-preferences-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +# Default values for preferences. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: + imageName: onap/portal-ng/preferences + pullPolicy: Always + # Overrides the image tag whose default value is the chart appVersion. 
+ # tag: 0.1.0 + +replicaCount: 1 + +# Specifies how many old replicas will be retained in a deployment +revisionHistoryLimit: 2 + +nameOverride: "" +fullnameOverride: "" + +# Custom selector label (for bigger namespaces with other components) +partOf: portal + +service: + type: ClusterIP + port: 9001 + ports: + - name: http + port: 9001 + +resources: + small: + limits: + cpu: "1" + memory: "512Mi" + requests: + cpu: "100m" + memory: "256Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "200m" + memory: "256Mi" + unlimited: {} + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPUUtilizationPercentage: 80 + +probes: + readiness: + initialDelaySeconds: 30 + failureThreshold: 5 + liveness: + initialDelaySeconds: 30 + failureThreshold: 5 + +env: + TRACING_ENABLED: true + +################################################################# +# Postgres overriding defaults in the postgres +################################################################# +postgres: + nameOverride: &postgresName portal-ng-preferences-postgres + service: + name: *postgresName + externalPort: 5432 + name2: portal-ng-preferences-pg-primary + externalPort2: 5432 + name3: portal-ng-preferences-pg-replica + externalPort3: 5432 + container: + name: + primary: portal-ng-preferences-pg-primary + replica: portal-ng-preferences-pg-replica + persistence: + mountSubPath: portal-ng-preferences/data + mountInitPath: portal-ng-preferences + config: + pgUserName: portalngpreferences + pgDatabase: preferences + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName + +postgres-init: + nameOverride: portal-ng-preferences-postgres-init + config: + pgUserName: portalngpreferences + pgDatabase: preferences + pgDataPath: data + pgUserExternalSecret: *pgUserCredsSecretName + serviceAccount: + nameOverride: portal-ng-preferences-postgres-init + + # pgPrimaryPassword: password + # pgUserPassword: password + # pgRootPassword: 
password + +#Pods Service Account +serviceAccount: + nameOverride: portal-ng-preferences + roles: + - read + +securityContext: + user_id: 65534 + group_id: 65534 diff --git a/kubernetes/portal-ng/components/portal-ng-ui/.helmignore b/kubernetes/portal-ng/components/portal-ng-ui/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml b/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml new file mode 100644 index 0000000000..b323a92cf5 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/Chart.yaml 
@@ -0,0 +1,48 @@ +# Copyright (C) 2022 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: portal-ng-ui +description: Helm chart of the UI part of the ONAP portal. + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 13.0.1 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: 0.1.3 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' 
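Review bot: templates/hpa.yaml in portal-ng-preferences declares apiVersion: autoscaling/v2beta1 and sets the target with targetAverageUtilization. Kubernetes removed that API version in 1.25, so setting autoscaling.enabled to true will fail on current clusters. Move to autoscaling/v2, where the CPU and memory targets become target: with type: Utilization and averageUtilization: set from the same values.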
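Review bot: templates/tests/test-connection.yaml in portal-ng-preferences uses image: busybox with no tag and no registry prefix, so the helm test pod bypasses the repositoryGenerator.repository include that deployment.yaml goes through and runs whatever the default tag resolves to at test time. Build the image reference the same way as the deployment and pin a tag. The pod also sets no securityContext, unlike the deployment, which includes common.podSecurityContext and common.containerSecurityContext; add the same includes here.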
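Review bot: in the secrets block of portal-ng-preferences/values.yaml (and the matching block in the portal-ng-history values.yaml), the pg-root-pass entry reads .Values.postgres.config.pgRootpassword with a lowercase "p", while the commented defaults further down spell the key pgRootPassword. If the spelling in the comment is the one operators set, the template never sees it and the entry falls through to policy: generate without any error. The two entries are also inconsistent with each other: pg-root-pass uses policy: generate and pg-user-creds uses passwordPolicy: generate. Align the key names, and document which of the two policy keys is intended.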
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/acl.json b/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/acl.json new file mode 100644 index 0000000000..a8a505b291 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/acl.json @@ -0,0 +1,5 @@ +{ + "portal_admin": {{ .Values.acl.portal_admin | toPrettyJson }}, + "portal_operator": {{ .Values.acl.portal_operator | toPrettyJson }}, + "portal_designer": {{ .Values.acl.portal_designer | toPrettyJson }} +} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/env.js b/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/env.js new file mode 100644 index 0000000000..81a71c39d7 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/env.js @@ -0,0 +1,11 @@ +(function(window) { + window["env"] = window["env"] || {}; + window["env"]["keycloak"] = window["env"]["keycloak"] || {}; + + // Environment variables + window["env"]["customStyleEnabled"] = "{{ .Values.env.CUSTOM_STYLE_ENABLED }}"; + window["env"]["keycloak"]["hostname"] = "{{ .Values.env.KEYCLOAK_EXTERNAL_URL }}"; + window["env"]["keycloak"]["realm"] = "{{ .Values.env.KEYCLOAK_REALM | default .Values.global.env.KEYCLOAK_REALM }}"; + window['env']['keycloak']['clientId'] = '{{ .Values.env.KEYCLOAK_CLIENT_ID }}'; + window["env"]["loggingEnabled"]= '{{ .Values.env.LOGGING_ENABLED }}'; +})(this); diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/version.json b/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/version.json new file mode 100644 index 0000000000..4f56a1f070 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/assets/version.json @@ -0,0 +1,3 @@ +{ + "number": "{{ .Values.image.tag | default .Chart.AppVersion }}" +} 
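Review bot: env.js and version.json place chart values inside hand-written string literals with no escaping, for example "{{ .Values.env.KEYCLOAK_EXTERNAL_URL }}" in env.js and "{{ .Values.image.tag | default .Chart.AppVersion }}" in version.json. A value containing a quote or backslash breaks the file, and in env.js it becomes script that runs in the portal page. acl.json in this same change already pipes through toPrettyJson; do the equivalent here by dropping the surrounding quotes and emitting each value with | toJson. The env.js lines also mix single and double quotes for the same kind of assignment, which goes away with that change.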
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/default.conf b/kubernetes/portal-ng/components/portal-ng-ui/resources/default.conf new file mode 100644 index 0000000000..0c64588840 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/default.conf @@ -0,0 +1,49 @@ +resolver {{ .Values.env.NAME_SERVER }}; +server { + listen {{ .Values.env.NGINX_PORT }}; + listen [::]:{{.Values.env.NGINX_PORT}}; # listen on ipv6 + location / { + root /usr/share/nginx/html; + index index.html; + try_files $uri $uri/ /index.html =404; + } + location /api/ { + set $upstream {{ .Values.env.BFF_URL }}; + rewrite /api/(.*) /$1 break; + add_header Access-Control-Allow-Origin *; + proxy_pass $upstream/$1$is_args$args; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + } + location /auth/ { + set $upstream {{ .Values.env.KEYCLOAK_URL | default .Values.global.env.KEYCLOAK_URL }}.svc.cluster.local; + rewrite /auth/(.*) /$1 break; + add_header Access-Control-Allow-Origin *; + proxy_pass $upstream/$1$is_args$args; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Proto $scheme; + } +} +## +# Gzip Settings +## +gzip on; +gzip_vary on; +gzip_proxied any; +gzip_min_length 1100; +gzip_comp_level 6; +gzip_buffers 16 8k; +gzip_http_version 1.1; +gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; 
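Review bot: both proxied locations in default.conf, /api/ and /auth/, set add_header Access-Control-Allow-Origin *; which lets a page on any origin read the responses that the BFF and Keycloak return to simple cross-origin requests. The UI is served by this same server block and reaches both backends through these same-origin paths, so the header is not needed for the portal itself. Remove it from both locations, or drive it from a values key that names the allowed origin explicitly. Separately, the /auth/ location appends .svc.cluster.local to KEYCLOAK_URL inside the template, so an override that is already a fully qualified host produces an invalid upstream; document that constraint next to the value or move the suffix into the default.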
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/cds.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/cds.svg new file mode 100644 index 0000000000..a203d519ed --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/cds.svg @@ -0,0 +1,220 @@ + + + + + + image/svg+xml + + + + + + + logo + Created with Sketch. + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/onap.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/onap.svg new file mode 100644 index 0000000000..2015be22f6 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/onap.svg @@ -0,0 +1,157 @@ + + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdc.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdc.svg new file mode 100644 index 0000000000..84f9eeda35 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdc.svg @@ -0,0 +1,96 @@ + + + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-dg.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-dg.svg new file mode 100644 index 0000000000..6b93a58db5 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-dg.svg @@ -0,0 +1,534 @@ + + + + + + + + + + diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-odl.svg b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-odl.svg new file mode 100644 index 0000000000..6b93a58db5 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/icons/sdnc-odl.svg @@ -0,0 +1,534 @@ + + + + + + + + + + 
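Review bot: sdnc-dg.svg and sdnc-odl.svg are added with the same blob id (index 0000000000..6b93a58db5, 534 lines each), so the chart ships two byte-identical icons. Keep one file and point both tiles at it through imageUrl in tiles.json, or add the distinct artwork if two different icons were intended.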
diff --git a/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/tiles.json b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/tiles.json new file mode 100644 index 0000000000..a69855d639 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/resources/tiles/tiles.json 
@@ -0,0 +1,128 @@ +{ + "items": [ + { + "id": 1, + "title": "Service Design and Creation (SDC)", + "description": "Open the SDC in a new tab", + "tooltipDE": "SDC ist das visuelle Modellierungs- und Designtool von ONAP. Es erstellt interne Metadaten, die Assets beschreiben, die von allen ONAP-Komponenten verwendet werden, sowohl zur Entwurfszeit als auch zur Laufzeit.", + "tooltipEN": "SDC is the ONAP visual modeling and design tool. It creates internal metadata that describes assets used by all ONAP components, both at design time and run time.", + "imageUrl": "sdc.svg", + "imageAltText": "SDC image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SDC_URL) }}/sdc1/", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 3, + "title": "Policy Framework", + "description": "Open Policy GUI in a new tab", + "tooltipDE": "Das ONAP Policy Framework legt die Architektur des Frameworks dar und zeigt die APIs, die anderen Komponenten bereitgestellt werden, die mit dem Framework zusammenarbeiten.", + "tooltipEN": "ONAP Policy Framework lays out the architecture of the framework and shows the APIs provided to other components that interwork with the framework.", + "imageUrl": "onap.svg", + "imageAltText": "Policy image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" .Values.tiles.POLICY_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN" + ] + }, + { + "id": 4, + "title": "Service Orchestration (SO) Monitoring", + "description": "Open SO-Monitoring in a new tab", + "tooltipDE": "Der ONAP Service Orchestrator bietet die höchste Ebene der Service-Orchestrierung in der ONAP-Architektur.", + "tooltipEN": "The ONAP Service Orchestrator provides the highest level of service orchestration in the ONAP architecture.", + "imageUrl": "onap.svg", + "imageAltText": "SO-Monitoring image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SO_URL) }}", + "groups": [], + "roles": [ + "PORTAL_OPERATOR" + ] + }, + { + "id": 7, + "title": "Controller Design Studio (CDS)", + "description": "Open CDS in a new tab", + "tooltipDE": "Die CDS Designer Benutzeroberfläche ist ein Framework zur Automatisierung der Auflösung von Ressourcen für die Instanziierung und aller Konfigurationsbereitstellung, wie z. B. die Konfiguration von Day0, Day1 oder Day2.", + "tooltipEN": "CDS Designer UI is a framework to automate the resolution of resources for instantiation and any config provisioning operation, such as day0, day1, or day2 configuration.", + "imageUrl": "cds.svg", + "imageAltText": "CDS image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" .Values.tiles.CDS_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 9, + "title": "Holmes Rules", + "description": "Open Holmes in a new tab", + "tooltipDE": "Das Holmes-Projekt bietet Alarmkorrelation und -analyse für Telekommunikations-Cloudinfrastruktur und -Dienste, einschließlich Hosts, Vims, VNFs und NSs.", + "tooltipEN": "Holmes project provides alarm correlation and analysis for Telecom cloud infrastructure and services, including hosts, vims, VNFs and NSs.", + "imageUrl": "onap.svg", + "imageAltText": "Holmes image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.HOLMES_URL) }}/iui/holmes/default.html", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 10, + "title": "A&AI Browser", + "description": "Open the A&AI Browser in a new tab", + "tooltipDE": "AAI ist eine Komponente der ONAP-Laufzeit (Echtzeitansichten von Ressourcen, Services, Produkten, Kundenabonnements und deren Beziehungen).", + "tooltipEN": "AAI is a component of ONAP runtime (Real-time views of Resources, Services, Products, Customer Subscriptions and their relationships).", + "imageUrl": "onap.svg", + "imageAltText": "A&AI Browser image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . 
"baseaddr" .Values.tiles.AAI_URL) }}/services/aai/webapp/index.html#/browse", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 11, + "title": "SDN-C Directed Graph Builder (SDC-C DGB)", + "description": "Open the SDN-C Directed Graph Builder in a new tab", + "tooltipDE": "SDNC DG soll eine Ausführungsumgebung für schnell geschriebene und hochgradig angepasste Serviceabläufe bereitstellen.", + "tooltipEN": "SDNC DG is to provide an execution environment for quickly written and highly customized service flows.", + "imageUrl": "sdnc-dg.svg", + "imageAltText": "SDN-C DG image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SDNCDG_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + }, + { + "id": 12, + "title": "SDN-C Open Daylight UI (SDN-C ODL)", + "description": "Open the SDN-C Open Daylight UI (SDN-C ODL) in a new tab", + "tooltipDE": "Das OpenDaylight Project ist ein kollaboratives Open-Source-Projekt, das von der Linux Foundation gehostet wird. Das Projekt dient als Plattform für Software-Defined Networking (SDN) zur offenen, zentralisierten Überwachung von Netzwerkgeräten.", + "tooltipEN": "The OpenDaylight Project is a collaborative open-source project hosted by The Linux Foundation. The project serves as a platform for software-defined networking (SDN) for open, centralized, network device monitoring.", + "imageUrl": "sdnc-odl.svg", + "imageAltText": "SDN-C ODL image", + "redirectUrl": "https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" .Values.tiles.SDNCODL_URL) }}", + "groups": [], + "roles": [ + "PORTAL_ADMIN", + "PORTAL_OPERATOR", + "PORTAL_DESIGNER" + ] + } + ] +} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-assets.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-assets.yaml new file mode 100644 index 0000000000..0db7d5637c 
--- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-assets.yaml @@ -0,0 +1,27 @@ +{{/* +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-assets + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: + env_js: {{ tpl (.Files.Get "resources/assets/env.js") . | quote }} + acl_json: {{ tpl (.Files.Get "resources/assets/acl.json") . | quote }} + version_json: {{ tpl (.Files.Get "resources/assets/version.json") . | quote }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-nginx-config.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-nginx-config.yaml new file mode 100644 index 0000000000..81a5407209 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-nginx-config.yaml 
@@ -0,0 +1,27 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-nginx-config + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/default.conf").AsConfig . | indent 2 }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles-icons.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles-icons.yaml new file mode 100644 index 0000000000..33d9cf3a51 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles-icons.yaml 
@@ -0,0 +1,28 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-tiles-icons + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/tiles/icons/*").AsConfig . | indent 2 }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles.yaml new file mode 100644 index 0000000000..ef4ee2ea2c --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-tiles.yaml 
@@ -0,0 +1,28 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-tiles-json + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/tiles/tiles.json").AsConfig . | indent 2 }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-version-json.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-version-json.yaml new file mode 100644 index 0000000000..79182a4e51 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap-version-json.yaml 
@@ -0,0 +1,26 @@ +{{/* +# Copyright © 2024 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-version-json + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/assets/version.json").AsConfig . | nindent 2 }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml new file mode 100644 index 0000000000..337cbc455e --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/configmap.yaml 
@@ -0,0 +1,32 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: + {{- range $key, $val := .Values.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} + {{- range $key, $val := .Values.global.env }} + {{ $key }}: {{ $val | quote }} + {{- end -}} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml new file mode 100644 index 0000000000..e9562bc302 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/deployment.yaml 
@@ -0,0 +1,122 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- include "common.templateMetadata" . | indent 6 }} + spec: + {{- include "common.imagePullSecrets" . | nindent 6 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.imageName }}:{{ .Values.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + ports: {{ include "common.containerPorts" . 
| nindent 12 }} + livenessProbe: + httpGet: + path: / + port: {{ .Values.service.internalPort}} + initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: / + port: {{ .Values.service.internalPort}} + initialDelaySeconds: {{ .Values.probes.readiness.initialDelaySeconds }} + failureThreshold: {{ .Values.probes.readiness.failureThreshold }} + volumeMounts: + - name: tiles-icons + mountPath: {{ .Values.nginx.tilesIconsPath }} + readOnly: true + - name: tiles-json + mountPath: {{ .Values.nginx.tilesPath }} + subPath: tiles.json + readOnly: true + - name: nginx-config + mountPath: /etc/nginx/conf.d/default.conf + subPath: default.conf + readOnly: true + - name: assets + mountPath: /usr/share/nginx/html/assets/env.js + subPath: env.js + readOnly: true + - name: assets + mountPath: /usr/share/nginx/html/assets/acl.json + subPath: acl.json + readOnly: true + - name: assets + mountPath: /usr/share/nginx/html/assets/version.json + subPath: version.json + readOnly: true + - name: tmp-volume + mountPath: /tmp + - name: nginx-cache-volume + mountPath: /var/cache/nginx + resources: {{ include "common.resources" . | nindent 12 }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 10 }} + {{- end }} + volumes: + - name: tiles-icons + configMap: + name: {{ include "common.fullname" . }}-tiles-icons + - name: tiles-json + configMap: + name: {{ include "common.fullname" . }}-tiles-json + items: + - key: tiles.json + path: tiles.json + - name: nginx-config + configMap: + name: {{ include "common.fullname" . }}-nginx-config + - name: assets + configMap: + name: {{ include "common.fullname" . 
}}-assets + items: + - key: env_js + path: env.js + - key: acl_json + path: acl.json + - key: version_json + path: version.json + - name: tmp-volume + emptyDir: + sizeLimit: 64Mi + - name: nginx-cache-volume + emptyDir: + sizeLimit: 64Mi diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/ingress.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/ingress.yaml new file mode 100644 index 0000000000..bc2d2bc363 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2022 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/templates/service.yaml b/kubernetes/portal-ng/components/portal-ng-ui/templates/service.yaml new file mode 100644 index 0000000000..301d358c3b --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/templates/service.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/portal-ng/components/portal-ng-ui/values.yaml b/kubernetes/portal-ng/components/portal-ng-ui/values.yaml new file mode 100644 index 0000000000..f806c4c928 --- /dev/null +++ b/kubernetes/portal-ng/components/portal-ng-ui/values.yaml 
@@ -0,0 +1,144 @@ +# Copyright © 2022, Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global: + env: + KEYCLOAK_URL: http://keycloak-http.keycloak + KEYCLOAK_REALM: onap + ingress: + virtualhost: + # Default Ingress base URL + # can be overwritten in component by setting ingress.baseurlOverride + baseurl: "simpledemo.onap.org" + # prefix for baseaddr + # can be overwritten in component by setting ingress.preaddrOverride + preaddr: "" + # postfix for baseaddr + # can be overwritten in component by setting ingress.postaddrOverride + postaddr: "" + +# Default values for ui. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: + imageName: onap/portal-ng/ui + pullPolicy: Always + # Overrides the image tag whose default value is the chart appVersion. + # tag: 0.1.0 + +replicaCount: 1 + +# Specifies how many old replicas will be retained in a deployment +revisionHistoryLimit: 2 + +nameOverride: "" +fullnameOverride: "" +# This is the overall name on which this component is ar part of. 
+partOf: portal + +service: + type: ClusterIP + internalPort: 8080 + ports: + - name: http + port: 8080 + port_protocol: http + +ingress: + enabled: true + service: + - baseaddr: "portal-ng-ui" + name: "portal-ng-ui" + port: 8080 + config: + ssl: "redirect" + +resources: + small: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "50m" + memory: "128Mi" + large: + limits: + cpu: "4" + memory: "2Gi" + requests: + cpu: "100m" + memory: "256Mi" + unlimited: {} + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 + +probes: + readiness: + initialDelaySeconds: 20 + failureThreshold: 4 + liveness: + initialDelaySeconds: 20 + failureThreshold: 4 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +env: + NAME_SERVER: coredns.kube-system + BFF_URL: http://portal-ng-bff.onap.svc.cluster.local:9080 + NGINX_PORT: 8080 + +#Pods Service Account +serviceAccount: + nameOverride: portal-ng-ui + roles: + - read + +nginx: + tilesPath: /usr/share/nginx/html/assets/tiles/tiles.json + tilesIconsPath: /usr/share/nginx/html/assets/images/tiles + +tiles: + SDC_URL: "sdc-fe-ui" + POLICY_URL: "policy-ui" + SO_URL: "so-admin-cockpit-ui" + CDS_URL: "cds-ui" + HOLMES_URL: "holmes-rule-mgmt-ui" + AAI_URL: "aai-sparkybe-api" + SDNCDG_URL: "sdnc-dgbuilder-ui" + SDNCODL_URL: "sdnc-web-ui" + +acl: + portal_admin: + - users.administration.list + - users.administration.detail + - users.administration.create + - users.administration.edit + - users.administration.delete + - dashboard.tile.USER_LAST_ACTION_TILE + portal_operator: + - dashboard.tile.USER_LAST_ACTION_TILE + portal_designer: + - dashboard.tile.USER_LAST_ACTION_TILE + +securityContext: + user_id: 101 + group_id: 101 diff --git a/kubernetes/portal-ng/values.yaml b/kubernetes/portal-ng/values.yaml new file mode 100755 index 0000000000..12862a1930 --- /dev/null +++ b/kubernetes/portal-ng/values.yaml 
@@ -0,0 +1,19 @@ +# Copyright (C) 2021 Bell Canada +# Modifications Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# + diff --git a/kubernetes/portal/.helmignore b/kubernetes/portal/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/portal/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/portal/Chart.yaml b/kubernetes/portal/Chart.yaml deleted file mode 100644 index 5b0816eba5..0000000000 --- a/kubernetes/portal/Chart.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Web Portal -name: portal -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: portal-app - version: ~12.x-0 - repository: 'file://components/portal-app' - - name: portal-cassandra - version: ~12.x-0 - repository: 'file://components/portal-cassandra' - - name: portal-mariadb - version: ~12.x-0 - repository: 'file://components/portal-mariadb' - - name: portal-sdk - version: ~12.x-0 - repository: 'file://components/portal-sdk' - - name: portal-widget - version: ~12.x-0 - repository: 'file://components/portal-widget' diff --git a/kubernetes/portal/Makefile b/kubernetes/portal/Makefile deleted file mode 100644 index eea1b7aefb..0000000000 --- a/kubernetes/portal/Makefile +++ /dev/null 
@@ -1,59 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := dist resources templates charts docker -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/portal/components/Makefile b/kubernetes/portal/components/Makefile deleted file mode 100644 index f09e21e75c..0000000000 
--- a/kubernetes/portal/components/Makefile +++ /dev/null @@ -1,59 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) -HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: 
diff --git a/kubernetes/portal/components/portal-app/.helmignore b/kubernetes/portal/components/portal-app/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/portal/components/portal-app/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/portal/components/portal-app/Chart.yaml b/kubernetes/portal/components/portal-app/Chart.yaml deleted file mode 100644 index 276f44f8fa..0000000000 --- a/kubernetes/portal/components/portal-app/Chart.yaml +++ /dev/null @@ -1,34 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Portal application -name: portal-app -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' 
diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/fusion.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/fusion.properties deleted file mode 100755 index 7020a40bb4..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/fusion.properties +++ /dev/null 
@@ -1,63 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# domain settings -#domain_class_location = - -# validator settings -#default_error_message = Default error message - -login_url_no_ret_val = https://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/login.htm - -user_attribute_name = user - -# User Session settings -roles_attribute_name = roles -role_functions_attribute_name = role_functions - -# menu settings -menu_query_name = menuData -application_menu_set_name = APP -application_menu_attribute_name = applicationMenuData -business_direct_menu_set_name = BD -business_direct_menu_attribute_name = businessDirectMenuData - -# ECOMP settings -ecomp_app_id = 1 -# Role settings -sys_admin_role_id = 1 -account_admin_role_id = 999 -restricted_app_role_id = 900 - -# Home Page index html -home_page = /index.html - -authentication_mechanism =DBAUTH - -login.error.hrid.empty = Login failed, please contact system administrator. -login.error.hrid.not-found = User not found, please contact system administrator. -login.error.user.inactive = Account is disabled, please contact system administrator. - -# -# Number of seconds to poll health (database operational, etc.) -# -health_poll_interval_seconds = 5 -# -# If a component is down a log entry will be written that triggers an alert. 
This parameter specifies how often this alert should be triggered -# if the component remains down. For example a value of 30, would translate to 30 * 60 seconds = 1800 seconds, or every 30 minutes -# -health_fail_alert_every_x_intervals = 30 diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties deleted file mode 100644 index 791853db8f..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/key.properties +++ /dev/null @@ -1,4 +0,0 @@ -{{/* -# Encrypted Properties -*/}} -cipher.enc.key = ${CIPHER_ENC_KEY} diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml deleted file mode 100644 index 325da8e9e3..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/logback.xml +++ /dev/null 
@@ -1,300 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${applicationLoggerPattern} - - - - - - - - - - - - ${logDirectory}/${generalLogName}.log - - - ${logDirectory}/${generalLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${applicationLoggerPattern} - - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - - ${logDirectory}/${auditLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${auditLoggerPattern} - - - - 256 - - - - - ${logDirectory}/${metricsLogName}.log - - - ${logDirectory}/${metricsLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${metricsLoggerPattern} - - - - - - 256 - - - - - ${logDirectory}/${errorLogName}.log - - - ${logDirectory}/${errorLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${errorLoggerPattern} - - - - - 256 - - - - - ${debugLogDirectory}/${debugLogName}.log - - - ${logDirectory}/${debugLogName}.log.%d{yyyy-MM-dd}.zip - - 30 - - - ${defaultLoggerPattern} - - - - - 256 - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties deleted file mode 100644 index 1fc99383cd..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/music.properties +++ /dev/null 
@@ -1,35 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -music.version = v2 -music.keyspace = keyspaces -music.session.keyspace = portal -music.tables = tables -music.session.attr.tables = spring_session_attributes -music.session.meta.tables = spring_session -music.consistency.info = type -music.consistency.info.value = eventual -music.cache = false -music.session.max.inactive.interval.seconds = 1800 -music.serialize.compress = true - -#By default it's eventual -music.atomic.get = false -music.atomic.put = false -cassandra.host={{.Values.cassandra.service.name}} -cassandra.user=${CASSA_USER} -cassandra.password=${CASSA_PASSWORD} diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/openid-connect.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/openid-connect.properties deleted file mode 100755 index 63533621f7..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/openid-connect.properties +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -authentication_server_url = http://{{.Values.global.portalHostName}}:8383/openid-connect-server-webapp/ -ecomp_openid_connect_client = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/openid_connect_login -ecomp_redirect_uri = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/welcome.htm diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/portal.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/portal.properties deleted file mode 100755 index 4da4854188..0000000000 --- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/portal.properties +++ /dev/null 
@@ -1,45 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# Not used by portal -portal.api.impl.class = org.onap.portalsdk.core.onboarding.client.OnBoardingApiServiceImpl.not.used.by.portal -portal.api.prefix = /api -max.idle.time = 5 -user.attribute.name = user_attribute - -# for single sign on -ecomp_redirect_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/login.htm - -# URL of the ECOMP Portal REST API -ecomp_rest_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/auxapi - -ueb_listeners_enable = true - -ueb_app_key = 7GkVcrO6sIDb3ngW -ueb_app_secret = uCYgKjWKK5IxPGNNZzYSSWo9 -ueb_app_mailbox_name = ECOMP-PORTAL-INBOX - -ueb_url_list = message-router -ecomp_portal_inbox_name = ECOMP-PORTAL-INBOX - -# Consumer group name for UEB topic. -# Use the special tag to generate a unique one for each sdk-app server. -ueb_app_consumer_group_name = {UUID} - -role_access_centralized = remote - -ext_req_connection_timeout = 15000 -ext_req_read_timeout = 20000 diff --git a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties b/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties deleted file mode 100755 index 34c7f1dee0..0000000000 
--- a/kubernetes/portal/components/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties +++ /dev/null 
@@ -1,127 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -#mysql -db.driver = org.mariadb.jdbc.Driver -db.connectionURL = jdbc:mariadb:failover://portal-db:3306/portal -db.userName =${PORTAL_DB_USER} -db.password =${PORTAL_DB_PASSWORD} -db.hib.dialect = org.hibernate.dialect.MySQLDialect -db.min_pool_size = 5 -db.max_pool_size = 10 -hb.dialect = org.hibernate.dialect.MySQLDialect -hb.show_sql = false -hb.db_reconnect = true -hb.idle_connection_test_period = 3600 - -app_display_name = Portal -files_path = /tmp -context_root = ONAPPORTAL -# menu settings -menu_query_name = menuData -menu_properties_file_location = /WEB-INF/fusion/menu/ -application_menu_set_name = APP -application_menu_attribute_name = applicationMenuData -application_menu_properties_name = menu.properties -business_direct_menu_set_name = BD -business_direct_menu_properties_name = bd.menu.properties -business_direct_menu_attribute_name = businessDirectMenuData - -application_user_id = 30000 -post_default_role_id = 1 - -#Enable Fusion Mobile capabilities for the application -mobile_enable = false - -cache_config_file_path = /WEB-INF/conf/cache.ccf -cache_switch = 1 -cache_load_on_startup = false - -user_name = fullName -decryption_key = AGLDdG4D04BKm2IxIWEr8o== - - -#Cron Schedules -cron_site_name = one -log_cron = 0 * * * * ? * -sessiontimeout_feed_cron = 0 0/5 * * * ? 
* - -#Front end URL -frontend_url = https://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/applicationsHome - - -# An Unqiue 128-bit value defined to indentify a specific version of -# ECOMP Portal deployed on a specific virtual machine. -# This value must be generated and updated at the time of -# the deployment. -# Online Unique UUID generator - https://www.uuidgenerator.net/ -instance_uuid = 90bc9497-10e6-49fe-916b-dcdfaa972383 - -elastic_search_url = http:// -contact_us_link = http:// -user_guide_link = http:// - -# Contact Us page properties -ush_ticket_url = http:// -feedback_email_address = portal@lists.onap.org -portal_info_url = https:// - -#Online user bar refresh interval, in seconds -online_user_update_rate = 30 - -#Online user bar refresh total duration, in seconds -online_user_update_duration = 300 - -#authenticate user server -authenticate_user_server=http://{{.Values.global.portalHostName}}:8383/openid-connect-server-webapp/allUsers - -#window width threshold to collapse left/right menu when page onload -window_width_threshold_left_menu = 1400 -window_width_threshold_right_menu = 1350 - -# User notification refresh interval and duration, in seconds -notification_update_rate = 90 -notification_update_duration = 900 - -#Microservices Related Properties for Portal -microservices.widget.protocol = http -microservices.widget.hostname = portal-widget -microservices.widget.username = widget_user -microservices.widget.password = M+KcrCMVrR1rAxtiFE49n1uXC3FCkNBqFgeYsubEC/U= -#This property won't be needed after consul is functional on VMs - -microservices.widget.local.port = 8082 -microservices.m-learn.local.port = 8083 -#HALO API enable flag -external_access_enable = false - -#delete auditlog from number of days ago -auditlog_del_day_from = 365 - -#External system notification URL -external_system_notification_url= https://jira.onap.org/browse/ - -#cookie domain -cookie_domain = onap.org - -# External Central Auth system access 
-remote_centralized_system_access = {{.Values.global.aafEnabled}} - -# External Access System Basic Auth Credentials & Rest endpoint -ext_central_access_user_name = aaf_admin@people.osaaf.org -ext_central_access_password = demo123456! -ext_central_access_url = {{.Values.aafURL}} -ext_central_access_user_domain = @people.osaaf.org diff --git a/kubernetes/portal/components/portal-app/resources/server/server.xml b/kubernetes/portal/components/portal-app/resources/server/server.xml deleted file mode 100644 index 38391ae774..0000000000 --- a/kubernetes/portal/components/portal-app/resources/server/server.xml +++ /dev/null @@ -1,157 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {{ if .Values.global.aafEnabled }} - - {{ end }} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-app/resources/server/web.xml b/kubernetes/portal/components/portal-app/resources/server/web.xml deleted file mode 100644 index 7c4f2a7275..0000000000 --- a/kubernetes/portal/components/portal-app/resources/server/web.xml +++ /dev/null @@ -1,155 +0,0 @@ - - - - - fusion - - - - - - - - - - - org.onap.portalapp.portal.listener.UserSessionListener - - - - CorsFilter - org.apache.catalina.filters.CorsFilter - - cors.allowed.origins - http://www.portal.onap.org:9200,http://www.portal.onap.org:9000 - - - cors.allowed.methods - GET,POST,HEAD,OPTIONS,PUT,DELETE - - - cors.allowed.headers - EPService,JSESSIONID,X-ECOMP-RequestID,X-Widgets-Type,Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers - - - cors.exposed.headers - Access-Control-Allow-Origin,Access-Control-Allow-Credentials - - - cors.support.credentials - true - - - cors.preflight.maxage - 10 - - - - - CorsFilter - /* - - - - SecurityXssFilter - org.onap.portalapp.filter.SecurityXssFilter - - - - SecurityXssFilter - /* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
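Review bot: the removed system.properties lines in the hunk above hold literal secret values (decryption_key, microservices.widget.password, ext_central_access_password), and deleting the file does not take them out of the repository history. Treat them as exposed. Any deployment that kept these chart defaults should rotate them, and the commit message is a good place to say so. The sibling portal.properties hunk has the same pattern with ueb_app_key and ueb_app_secret, so the rotation note should cover both files.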
diff --git a/kubernetes/portal/components/portal-app/templates/NOTES.txt b/kubernetes/portal/components/portal-app/templates/NOTES.txt deleted file mode 100644 index 9a67a4c9bb..0000000000 --- a/kubernetes/portal/components/portal-app/templates/NOTES.txt +++ /dev/null @@ -1,19 +0,0 @@ -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ template "common.name" . }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-app/templates/configmap.yaml b/kubernetes/portal/components/portal-app/templates/configmap.yaml deleted file mode 100644 index a6d8234ee6..0000000000 --- a/kubernetes/portal/components/portal-app/templates/configmap.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onapportal - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTAL/*").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }} diff --git a/kubernetes/portal/components/portal-app/templates/deployment.yaml b/kubernetes/portal/components/portal-app/templates/deployment.yaml deleted file mode 100644 index 02926f59d6..0000000000 --- a/kubernetes/portal/components/portal-app/templates/deployment.yaml +++ /dev/null 
@@ -1,192 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-job-completion - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-portal-db-config - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-portal-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - cd /config-input && \ - for PFILE in `ls -1 *.xml` - do - cp ${PFILE} /config - chmod 0755 /config/${PFILE} - done - cd /config-input && \ - for PFILE in `ls -1 *.properties` - do - envsubst <${PFILE} >/config/${PFILE} - chmod 0755 /config/${PFILE} - done - env: - - name: CASSA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }} - - name: CASSA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }} - - name: CIPHER_ENC_KEY - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }} - - name: PORTAL_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} - - name: PORTAL_DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} - volumeMounts: - - mountPath: /config-input - name: properties-onapportal-scrubbed - - mountPath: /config - name: properties-onapportal -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c"] - {{- if .Values.global.aafEnabled }} - args: ["export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0);\ - export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\ - /start-apache-tomcat.sh -i \"\" -n \"\" -b {{ .Values.global.env.tomcatDir }}"] - env: - - name: CATALINA_OPTS - value: > - -Djavax.net.ssl.keyStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }}" - -Djavax.net.ssl.trustStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }}" - {{- else }} - args: ["/start-apache-tomcat.sh -i \"\" -n \"\" -b {{ .Values.global.env.tomcatDir }}"] - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} - - containerPort: {{ .Values.service.internalPort4 }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: -{{ include "common.certInitializer.volumeMount" . 
| indent 8 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/fusion/conf/fusion.properties" - subPath: fusion.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/openid-connect.properties" - subPath: openid-connect.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/conf/system.properties" - subPath: system.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/portal.properties" - subPath: portal.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties" - subPath: key.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/music.properties" - subPath: music.properties - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/logback.xml" - subPath: logback.xml - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml" - subPath: server.xml - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/web.xml" - subPath: web.xml - - name: properties-onapportal - mountPath: "{{ .Values.global.env.tomcatDir }}/temp" - - name: var-log-onap - mountPath: "{{ .Values.log.path }}" - resources: -{{ include "common.resources" . }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - {{ include "common.log.sidecar" . 
| nindent 6 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: -{{ include "common.certInitializer.volumes" . | indent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-onapportal - emptyDir: - medium: Memory - - name: properties-onapportal-scrubbed - configMap: - name: {{ include "common.fullname" . }}-onapportal - defaultMode: 0755 - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - - name: var-log-onap - emptyDir: {} - - name: portal-tomcat-logs - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-app/templates/ingress.yaml b/kubernetes/portal/components/portal-app/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/portal/components/portal-app/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/portal/components/portal-app/templates/secret.yaml b/kubernetes/portal/components/portal-app/templates/secret.yaml deleted file mode 100644 index 78fc709202..0000000000 --- a/kubernetes/portal/components/portal-app/templates/secret.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# Modifications Copyright © 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/components/portal-app/templates/service.yaml b/kubernetes/portal/components/portal-app/templates/service.yaml deleted file mode 100644 index 523b950f8b..0000000000 --- a/kubernetes/portal/components/portal-app/templates/service.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "portal", - "version": "v2", - "url": "/", - "protocol": "REST" - "port": "{{ .Values.service.externalPort }}", - "visualRange":"1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{ if or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer") -}} - - port: {{ .Values.service.externalPort4 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort4 }} - name: {{ .Values.service.portName }}4 - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName }}2 - - port: {{ .Values.service.externalPort3 }} - targetPort: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName }}3 - {{- end }} - selector: - 
app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml deleted file mode 100644 index 483a7f3568..0000000000 --- a/kubernetes/portal/components/portal-app/values.yaml +++ /dev/null 
@@ -1,179 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018,2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - env: - tomcatDir: "/usr/local/tomcat" - nodePortPrefix: 302 - #AAF service - aafEnabled: true - -################################################################ -# Secrets metaconfig -################################################################# - -secrets: - - uid: portal-cass - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}' - login: '{{ .Values.cassandra.config.cassandraUsername }}' - password: '{{ .Values.cassandra.config.cassandraPassword }}' - passwordPolicy: required - - uid: cipher-enc-key - type: password - externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}' - password: '{{ .Values.config.cipherEncKey }}' - passwordPolicy: required - - uid: portal-backend-db - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - -################################################################# -# Application configuration defaults. 
-################################################################# - -# application image -image: onap/portal-app:3.4.2 -pullPolicy: Always - -# application configuration -config: - # cipherEncKeyExternalSecret: some secret - cipherEncKey: AGLDdG4D04BKm2IxIWEr8o==! - -#AAF local config - -aafURL: https://aaf-service:8100/authz/ -certInitializer: - nameOverride: portal-app-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: portal - fqi: portal@portal.onap.org - public_fqdn: portal.onap.org - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - permission_user: 1000 - permission_group: 999 - keystoreFile: "org.onap.portal.p12" - truststoreFile: "org.onap.portal.trust.jks" - aaf_add_config: | - echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: LoadBalancer - name: portal-app - portName: portal-app - externalPort: 8989 - internalPort: 8080 - nodePort: 15 - externalPort2: 8006 - internalPort2: 8005 - nodePort2: 13 - externalPort3: 8010 - internalPort3: 8009 - nodePort3: 14 - externalPort4: 8443 - internalPort4: 8443 - nodePort4: 25 - -mariadb: - service: - name: portal-db - config: - # backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal -widget: - service: - name: portal-widget -cassandra: - service: - name: portal-cassandra - config: - # cassandraExternalSecret: some secret - 
cassandraUsername: root - cassandraPassword: Aa123456 -messageRouter: - service: - name: message-router - -ingress: - enabled: false - service: - - baseaddr: portal-ui - name: "portal-app" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2.2 - memory: 800Mi - requests: - cpu: 30m - memory: 460Mi - large: - limits: - cpu: 4 - memory: 15Gi - requests: - cpu: 2 - memory: 8Gi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -#Pods Service Account -serviceAccount: - nameOverride: portal-app - roles: - - read diff --git a/kubernetes/portal/components/portal-cassandra/.helmignore b/kubernetes/portal/components/portal-cassandra/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/portal/components/portal-cassandra/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/portal/components/portal-cassandra/Chart.yaml b/kubernetes/portal/components/portal-cassandra/Chart.yaml deleted file mode 100644 index 21ec14daef..0000000000 --- a/kubernetes/portal/components/portal-cassandra/Chart.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Portal cassandra -name: portal-cassandra -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal.cql b/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal.cql deleted file mode 100644 index 21715a9e2a..0000000000 --- a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal.cql +++ /dev/null 
@@ -1,72 +0,0 @@ -// Copyright (c) 2018 Amdocs, Bell Canada, AT&T -// Modifications Copyright (c) 2020 Nokia -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -CREATE KEYSPACE IF NOT EXISTS portal - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portal.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - - -CREATE TABLE portal.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND 
caching = {'keys': 'ALL', 'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - -CREATE TABLE portal.health_check (primary_id text PRIMARY KEY, creation_time text); -insert into portal.health_check (primary_id,creation_time) values ('ECOMPPortal-25927','2018-05-25T20:14:39.408Z'); diff --git a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal_single.cql b/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal_single.cql deleted file mode 100644 index a9771bfa5d..0000000000 --- a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portal_single.cql +++ /dev/null 
@@ -1,145 +0,0 @@ -// Copyright © 2018 Amdocs, Bell Canada, AT&T -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - - -CREATE KEYSPACE IF NOT EXISTS admin - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - -CREATE TABLE IF NOT EXISTS admin.keyspace_master ( - uuid uuid, - keyspace_name text, - application_name text, - is_api boolean, - password text, - username text, - is_aaf boolean, - PRIMARY KEY (uuid) -); - - -CREATE KEYSPACE IF NOT EXISTS portal - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portal.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance 
= 0.0 - AND speculative_retry = '99PERCENTILE'; - - -CREATE TABLE portal.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - - - -CREATE KEYSPACE IF NOT EXISTS portalsdk - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portalsdk.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = 
'99PERCENTILE'; - - -CREATE TABLE portalsdk.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; \ No newline at end of file diff --git a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portalsdk.cql b/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portalsdk.cql deleted file mode 100644 index 4f6148e3f1..0000000000 --- a/kubernetes/portal/components/portal-cassandra/resources/config/cassandra/docker-entrypoint-initdb.d/portalsdk.cql +++ /dev/null 
@@ -1,68 +0,0 @@ -// Copyright © 2018 Amdocs, Bell Canada, AT&T -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -CREATE KEYSPACE IF NOT EXISTS portalsdk - WITH REPLICATION = { - 'class' : 'SimpleStrategy', - 'replication_factor': 1 - } - AND DURABLE_WRITES = true; - - -CREATE TABLE portalsdk.spring_session ( - primary_id text PRIMARY KEY, - creation_time text, - expiry_time text, - last_access_time text, - max_inactive_interval text, - principal_name text, - session_id text, - vector_ts text -) WITH bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 'rows_per_partition': '10'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; - - -CREATE TABLE portalsdk.spring_session_attributes ( - primary_id text, - attribute_name text, - attribute_bytes blob, - vector_ts text, - PRIMARY KEY (primary_id, attribute_name) -) WITH CLUSTERING ORDER BY (attribute_name ASC) - AND bloom_filter_fp_chance = 0.01 - AND caching = {'keys': 'ALL', 
'rows_per_partition': '1'} - AND comment = '' - AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} - AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} - AND crc_check_chance = 1.0 - AND dclocal_read_repair_chance = 0.1 - AND default_time_to_live = 0 - AND gc_grace_seconds = 864000 - AND max_index_interval = 2048 - AND memtable_flush_period_in_ms = 0 - AND min_index_interval = 128 - AND read_repair_chance = 0.0 - AND speculative_retry = '99PERCENTILE'; diff --git a/kubernetes/portal/components/portal-cassandra/templates/NOTES.txt b/kubernetes/portal/components/portal-cassandra/templates/NOTES.txt deleted file mode 100644 index ee7a285cc0..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-cassandra/templates/configmap.yaml b/kubernetes/portal/components/portal-cassandra/templates/configmap.yaml deleted file mode 100644 index 5cd33b43a2..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-docker-entry-initd - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/cassandra/docker-entrypoint-initdb.d/*").AsConfig . | indent 2 }} - diff --git a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml b/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml deleted file mode 100644 index 9becdaa707..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/deployment.yaml +++ /dev/null 
@@ -1,158 +0,0 @@ -{{/* -# Copyright (c) 2017 Amdocs, Bell Canada -# Modifications Copyright (c) 2018 AT&T -# Modifications Copyright (c) 2020 Nokia, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.dockerHubRepository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /bin/bash - - -c - - | - /opt/bitnami/scripts/cassandra/entrypoint.sh /opt/bitnami/scripts/cassandra/run.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - - containerPort: {{ .Values.service.internalPort3 }} - - containerPort: {{ .Values.service.internalPort4 }} - - containerPort: {{ .Values.service.internalPort5 }} - {{ if eq .Values.liveness.enabled true }} - livenessProbe: - exec: - command: - - /bin/bash - - -ec - - | - nodetool status - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} - successThreshold: {{ .Values.liveness.successThreshold }} - failureThreshold: {{ .Values.liveness.failureThreshold }} - {{ end }} - readinessProbe: - exec: - command: - - /bin/bash - - -ec - - | - nodetool status | grep -E "^UN\\s+${POD_IP}" - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} - successThreshold: {{ .Values.readiness.successThreshold }} - failureThreshold: {{ .Values.readiness.failureThreshold }} - lifecycle: - preStop: - exec: - command: - - bash - - -ec - - nodetool decommission - env: - - name: CASSANDRA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-creds" "key" "login") | indent 12}} - - name: CASSANDRA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "db-creds" "key" "password") | indent 12}} - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: CASSANDRA_PASSWORD_SEEDER - value: "yes" - - name: BITNAMI_DEBUG - value: "true" - - name: CASSANDRA_CLUSTER_NAME - value: cassandra - - name: CASSANDRA_NUM_TOKENS - value: "256" - - name: CASSANDRA_DATACENTER - value: dc1 - - name: CASSANDRA_ENDPOINT_SNITCH - value: SimpleSnitch - - name: CASSANDRA_RACK - value: rack1 - - name: CASSANDRA_ENABLE_RPC - value: "true" - {{- $flavor := include "common.flavor" . }} - {{- $heap := pluck $flavor .Values.heap | first }} - {{- if (hasKey $heap "max") }} - - name: MAX_HEAP_SIZE - value: {{ $heap.max }} - {{- end }} - {{- if (hasKey $heap "new") }} - - name: HEAP_NEWSIZE - value: {{ $heap.new }} - {{- end }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: cassandra-docker-entrypoint-initdb - mountPath: /docker-entrypoint-initdb.d/aaa_portal.cql - subPath: portal.cql - - name: {{ include "common.fullname" . }}-data - mountPath: /var/lib/cassandra/data - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: cassandra-docker-entrypoint-initdb - configMap: - name: {{ include "common.fullname" . }}-docker-entry-initd - - name: localtime - hostPath: - path: /etc/localtime - {{- if .Values.persistence.enabled }} - - name: {{ include "common.fullname" . }}-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }} - {{- else }} - emptyDir: {} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" 
diff --git a/kubernetes/portal/components/portal-cassandra/templates/pv.yaml b/kubernetes/portal/components/portal-cassandra/templates/pv.yaml deleted file mode 100644 index e10b003570..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/pv.yaml +++ /dev/null @@ -1,41 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} 
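Review bot: Deleting this PersistentVolume template leaves the data it pointed at on the node, and nothing in the change documents the cleanup. The `spec` block is a `hostPath` volume whose `persistentVolumeReclaimPolicy` comes from `.Values.persistence.volumeReclaimPolicy`, and the values.yaml deleted later in this patch sets that to `Retain` with `mountPath: /dockerdata-nfs` and `mountSubPath: portal/cassandra/data`. The removed .cql files created the `spring_session` and `spring_session_attributes` tables there, so the retained directory holds session data. Please add an upgrade note telling operators to delete the released PV and wipe that directory once the component is gone.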
diff --git a/kubernetes/portal/components/portal-cassandra/templates/pvc.yaml b/kubernetes/portal/components/portal-cassandra/templates/pvc.yaml deleted file mode 100644 index 1cadcc51d5..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/pvc.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- end -}} diff --git a/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml b/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/secrets.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/components/portal-cassandra/templates/service.yaml b/kubernetes/portal/components/portal-cassandra/templates/service.yaml deleted file mode 100644 index 8f486c2175..0000000000 --- a/kubernetes/portal/components/portal-cassandra/templates/service.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName }}2 - - port: {{ .Values.service.externalPort3 }} - targetPort: {{ .Values.service.internalPort3 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort3 }} - name: {{ .Values.service.portName }}3 - - port: {{ .Values.service.externalPort4 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefix | default 
.Values.nodePortPrefix }}{{ .Values.service.nodePort4 }} - name: {{ .Values.service.portName }}4 - - port: {{ .Values.service.externalPort5 }} - targetPort: {{ .Values.service.internalPort5 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort5 }} - name: {{ .Values.service.portName }}5 - - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName }}2 - - port: {{ .Values.service.externalPort3 }} - targetPort: {{ .Values.service.internalPort3 }} - name: {{ .Values.service.portName }}3 - - port: {{ .Values.service.externalPort4 }} - targetPort: {{ .Values.service.internalPort4 }} - name: {{ .Values.service.portName }}4 - - port: {{ .Values.service.externalPort5 }} - targetPort: {{ .Values.service.internalPort5 }} - name: {{ .Values.service.portName }}5 - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-cassandra/values.yaml b/kubernetes/portal/components/portal-cassandra/values.yaml deleted file mode 100644 index c3ffb4ffec..0000000000 --- a/kubernetes/portal/components/portal-cassandra/values.yaml +++ /dev/null 
@@ -1,148 +0,0 @@ -# Copyright (c) 2017 Amdocs, Bell Canada -# Modifications Copyright (c) 2018 AT&T -# Modifications Copyright (c) 2020 Nokia, Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: # global defaults - nodePortPrefix: 302 - persistence: {} - - -# application image -image: bitnami/cassandra:3.11.9-debian-10-r30 -pullPolicy: Always - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: 'db-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.cassandraExternalSecret) . 
}}' - login: '{{ .Values.config.cassandraUsername }}' - password: '{{ .Values.config.cassandraPassword }}' - -# application configuration -config: - cassandraUsername: root - cassandraPassword: Aa123456 -# cassandraCredsExternalSecret: some secret - cassandraJvmOpts: -Xmx2536m -Xms2536m - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. 
(gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: portal/cassandra/data - -service: - type: ClusterIP - name: portal-cassandra - portName: portal-cassandra - externalPort: 9160 - internalPort: 9160 - externalPort2: 7000 - internalPort2: 7000 - externalPort3: 7001 - internalPort3: 7001 - externalPort4: 7199 - internalPort4: 7199 - externalPort5: 9042 - internalPort5: 9042 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 500m - memory: 3.75Gi - requests: - cpu: 160m - memory: 3.1Gi - large: - limits: - cpu: 4 - memory: 10Gi - requests: - cpu: 2 - memory: 6Gi - unlimited: {} - -heap: - # Heap size is tightly correlated to RAM limits. - # If limit > 8G, Cassandra should define itself the best value. - # If not, you must set up it in a coherent way with limits set - # Refer to https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/operations/opsTuneJVM.html#Determiningtheheapsize - # for more informations. - small: - max: 3G - new: 100M - large: {} - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: portal-cassandra - roles: - - read diff --git a/kubernetes/portal/components/portal-mariadb/.helmignore b/kubernetes/portal/components/portal-mariadb/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/portal/components/portal-mariadb/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj 
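Review bot: The `config:` block of the deleted portal-cassandra values.yaml above carried a hard-coded default credential (`cassandraUsername: root`, `cassandraPassword: Aa123456`), and the `db-creds` entry under `secrets:` takes its login and password from those two values. Removing the file stops new installs from picking it up, but the value stays in repository history and in any Secret already created from it. The release notes should say that the Secret is to be deleted together with the component and that this password must be treated as public wherever it was reused. The commented-out key `cassandraCredsExternalSecret` also does not match the `cassandraExternalSecret` name the secret definition reads, which is worth checking in any sibling chart copied from this one.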
diff --git a/kubernetes/portal/components/portal-mariadb/Chart.yaml b/kubernetes/portal/components/portal-mariadb/Chart.yaml deleted file mode 100644 index c12659d903..0000000000 --- a/kubernetes/portal/components/portal-mariadb/Chart.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: MariaDB Service -name: portal-mariadb -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh deleted file mode 100644 index 709877943c..0000000000 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh +++ /dev/null 
@@ -1,384 +0,0 @@ -#!/bin/bash - -set -eo pipefail - -# logging functions -mysql_log() { - local type - type="$1"; shift - printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*" -} -mysql_note() { - mysql_log Note "$@" -} -mysql_warn() { - mysql_log Warn "$@" >&2 -} -mysql_error() { - mysql_log ERROR "$@" >&2 - exit 1 -} - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var - var="$1" - local fileVar - fileVar="${var}_FILE" - local def - def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - mysql_error "Both $var and $fileVar are set (but are exclusive)" - fi - local val - val="$def" - # val="${!var}" - # val="$(< "${!fileVar}")" - # eval replacement of the bashism equivalents above presents no security issue here - # since var and fileVar variables contents are derived from the file_env() function arguments. - # This method is only called inside this script with a limited number of possible values. - if [ "${!var:-}" ]; then - eval val=\$$var - elif [ "${!fileVar:-}" ]; then - val="$(< "$(eval echo "\$$fileVar")")" - fi - export "$var"="$val" - unset "$fileVar" -} - - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions -docker_process_init_files() { - # mysql here for backwards compatibility "${mysql[@]}" - mysql=( docker_process_sql ) - - echo - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - mysql_note "$0: running $f" - "$f" - else - mysql_note "$0: sourcing $f" - . 
"$f" - fi - ;; - *.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;; - *.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; - *.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; - *) mysql_warn "$0: ignoring $f" ;; - esac - echo - done -} - -mysql_check_config() { - local toRun - local errors - toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) - if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then - mysql_error "$(printf 'mysqld failed while attempting to check config\n\tcommand was: ')${toRun[*]}$(printf'\n\t')$errors" - fi -} - -# Fetch value from server config -# We use mysqld --verbose --help instead of my_print_defaults because the -# latter only show values present in config files, and not server defaults -mysql_get_config() { - local conf - conf="$1"; shift - "$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \ - | awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' - # match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)" -} - -# Do a temporary startup of the MySQL server, for init purposes -docker_temp_server_start() { - "$@" --skip-networking --socket="${SOCKET}" & - mysql_note "Waiting for server startup" - local i - for i in $(seq 30 -1 0); do - # only use the root password if the database has already been initializaed - # so that it won't try to fill in a password file when it hasn't been set yet - extraArgs="" - if [ "$DATABASE_ALREADY_EXISTS" = "false" ]; then - extraArgs=${extraArgs}" --dont-use-mysql-root-password" - fi - if echo 'SELECT 1' |docker_process_sql ${extraArgs} --database=mysql >/dev/null 2>&1; then - break - fi - sleep 1 - done - if [ "$i" = 0 ]; then - mysql_error "Unable to start server." - fi -} - -# Stop the server. When using a local socket file mysqladmin will block until -# the shutdown is complete. -docker_temp_server_stop() { - if ! 
mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then - mysql_error "Unable to shut down server." - fi -} - -# Verify that the minimally required password settings are set for new databases. -docker_verify_minimum_env() { - if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then - mysql_error "$(printf'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD')" - fi -} - -# creates folders for the database -# also ensures permission for user mysql of run as root -docker_create_db_directories() { - local user - user="$(id -u)" - - # TODO other directories that are used by default? like /var/lib/mysql-files - # see https://github.com/docker-library/mysql/issues/562 - mkdir -p "$DATADIR" - - if [ "$user" = "0" ]; then - # this will cause less disk access than `chown -R` - find "$DATADIR" \! -user mysql -exec chown mysql '{}' + - fi -} - -# initializes the database directory -docker_init_database_dir() { - mysql_note "Initializing database files" - installArgs=" --datadir=$DATADIR --rpm " - if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then - # beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password - # see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3 - # (this flag doesn't exist in 10.0 and below) - installArgs=${installArgs}" --auth-root-authentication-method=normal" - fi - # "Other options are passed to mysqld." 
(so we pass all "mysqld" arguments directly here) - mysql_install_db ${installArgs} "$(echo ${@} | sed 's/^ *[^ ]* *//')" - mysql_note "Database files initialized" -} - -if [ -z "$DATADIR" ]; then - DATADIR='unknown' -fi -if [ -z "$SOCKET" ]; then - SOCKET='unknown' -fi -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - DATABASE_ALREADY_EXISTS='false' -fi - -# Loads various settings that are used elsewhere in the script -# This should be called after mysql_check_config, but before any other functions -docker_setup_env() { - # Get config - DATADIR="$(mysql_get_config 'datadir' "$@")" - SOCKET="$(mysql_get_config 'socket' "$@")" - - # Initialize values that might be stored in a file - file_env 'MYSQL_ROOT_HOST' '%' - file_env 'MYSQL_DATABASE' - file_env 'MYSQL_USER' - file_env 'MYSQL_PASSWORD' - file_env 'MYSQL_ROOT_PASSWORD' - file_env 'PORTAL_DB_TABLES' - - if [ -d "$DATADIR/mysql" ]; then - DATABASE_ALREADY_EXISTS='true' - fi -} - -# Execute sql script, passed via stdin -# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args] -# ie: docker_process_sql --database=mydb <<<'INSERT ...' -# ie: docker_process_sql --dont-use-mysql-root-password --database=mydb /dev/null; then - set -- mysqld "$@" - fi - - # skip setup if they aren't running mysqld or want an option that stops mysqld - if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then - mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started." 
- - mysql_check_config "$@" - # Load various environment variables - docker_setup_env "$@" - docker_create_db_directories - - # If container is started as root user, restart as dedicated mysql user - if [ "$(id -u)" = "0" ]; then - mysql_note "Switching to dedicated user 'mysql'" - exec gosu mysql "$0" "$@" - fi - - # there's no database, so it needs to be initialized - if [ "$DATABASE_ALREADY_EXISTS" = "false" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir "$@" - - mysql_note "Starting temporary server" - docker_temp_server_start "$@" - mysql_note "Temporary server started." - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - for i in $(echo $PORTAL_DB_TABLES | sed "s/,/ /g") - do - echo "Granting portal user ALL PRIVILEGES for table $i" - echo "GRANT ALL ON \`$i\`.* TO '$MYSQL_USER'@'%' ;" | "${mysql[@]}" - done - - mysql_note "Stopping temporary server" - docker_temp_server_stop - mysql_note "Temporary server stopped" - - echo - mysql_note "MySQL init process done. Ready for start up." - echo - fi - fi - exec "$@" -} - -# If we are sourced from elsewhere, don't perform any further actions -# https://stackoverflow.com/questions/2683279/how-to-detect-if-a-script-is-being-sourced/2942183#2942183 -if [ "$(basename $0)" = "docker-entrypoint.sh" ]; then - _main "$@" -fi diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/oom_updates.sql b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/oom_updates.sql deleted file mode 100644 index f9db78ba4d..0000000000 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/oom_updates.sql +++ /dev/null 
@@ -1,95 +0,0 @@ -/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -*/ - -USE portal; -/* -Any updates required by OOM to the portaldb are made here. -1. split up SDC-FE and SDC-BE. Originally both FE and BE point to the same IP -while the OOM K8s version has these service split up. -*/ --- app_url is the FE, app_rest_endpoint is the BE ---portal-sdk => TODO: doesn't open a node port yet -update fn_app set app_url = 'https://{{.Values.config.portalSdkHostName}}:{{.Values.config.portalSdkPort}}/ONAPPORTALSDK/welcome.htm', app_rest_endpoint = 'https://portal-sdk:8443/ONAPPORTALSDK/api/v3' where app_name = 'xDemo App'; ---dmaap-bc => the dmaap-bc doesn't open a node port.. 
-update fn_app set app_url = 'http://{{.Values.config.dmaapBcHostName}}:{{.Values.config.dmaapBcPort}}/ECOMPDBCAPP/dbc#/dmaap', app_rest_endpoint = 'http://dmaap-bc:8989/ECOMPDBCAPP/api/v2' where app_name = 'DMaaP Bus Ctrl'; ---sdc-be => 8443:30204 ---sdc-fe => 8181:30206, 9443:30207 -update fn_app set app_url = 'https://{{.Values.config.sdcFeHostName}}:{{.Values.config.sdcFePort}}/sdc1/portal', app_rest_endpoint = 'https://sdc-be:8443/api/v3' where app_name = 'SDC'; ---pap => 8443:30219 -update fn_app set app_url = 'https://{{.Values.config.papHostName}}:{{.Values.config.papPort}}/onap/policy', app_rest_endpoint = 'https://pap:8443/onap/api/v3' where app_name = 'Policy'; ---vid => 8080:30200 -update fn_app set app_url = 'https://{{.Values.config.vidHostName}}:{{.Values.config.vidPort}}/vid/welcome.htm', app_rest_endpoint = 'https://vid:8443/vid/api/v3' where app_name = 'Virtual Infrastructure Deployment'; ---sparky => TODO: sparky doesn't open a node port yet -update fn_app set app_url = 'https://{{.Values.config.aaiSparkyHostName}}:{{.Values.config.aaiSparkyPort}}/services/aai/webapp/index.html#/viewInspect', app_rest_endpoint = 'https://aai-sparky-be.{{.Release.Namespace}}:8000/api/v2' where app_name = 'A&AI UI'; ---cli => 8080:30260 -update fn_app set app_url = 'https://{{.Values.config.cliHostName}}:{{.Values.config.cliPort}}/', app_type = 1 where app_name = 'CLI'; ---msb-iag => 80:30280 -update fn_app set app_url = 'https://{{.Values.config.msbHostName}}:{{.Values.config.msbPort}}/iui/microservices/default.html' where app_name = 'MSB'; - - -/* -Create SO-Monitoring App -*/ -INSERT IGNORE INTO `fn_app` (`app_id`, `app_name`, `app_image_url`, `app_description`, `app_notes`, `app_url`, `app_alternate_url`, `app_rest_endpoint`, `ml_app_name`, `ml_app_admin_id`, `mots_id`, `app_password`, `open`, `enabled`, `thumbnail`, `app_username`, `ueb_key`, `ueb_secret`, `ueb_topic_name`, `app_type`,`auth_central`,`auth_namespace`) VALUES -(10, 'SO-Monitoring', 
'images/cache/portal-345993588_92550.png', NULL, NULL, 'http://{{.Values.config.soMonitoringHostName}}:{{.Values.config.soMonitoringPort}}', NULL, 'http://so-monitoring:30224', '', '', NULL, 'password', 'Y', 'Y', NULL, 'user', '', '', '', 1,'N','SO-Monitoring'); - -/* -Add SO Monitoring to Default apps -*/ -INSERT IGNORE INTO `fn_pers_user_app_sel` VALUES (10,1,10,'S'); - -/* -Add Contact information for SO Monitoring -*/ -INSERT IGNORE INTO `fn_app_contact_us` (app_id, contact_name, contact_email, url, active_yn, description) VALUES ( 10,"SO Team","so@lists.onap.org","https://wiki.onap.org/display/DW/Approved+Projects",NULL, "Service Orchestration (SO)."); - -/* -Additionally, some more update statments; these should be refactored to another SQL file in future releases -*/ - --- portal -update fn_app set auth_central = 'Y' , auth_namespace = 'org.onap.portal' where app_id = 1; --- portal-sdk -update fn_app set app_username='Default', app_password='2VxipM8Z3SETg32m3Gp0FvKS6zZ2uCbCw46WDyK6T5E=', ueb_key='ueb_key' where app_id = 2; --- SDC -update fn_app set app_username='sdc', app_password='j85yNhyIs7zKYbR1VlwEfNhS6b7Om4l0Gx5O8931sCI=', ueb_key='ueb_key' where app_id = 4; --- policy -update fn_app set app_username='Default', app_password='2VxipM8Z3SETg32m3Gp0FvKS6zZ2uCbCw46WDyK6T5E=', ueb_key='ueb_key_5', auth_central = 'Y' , auth_namespace = 'org.onap.policy' where app_id = 5; --- vid -update fn_app set app_username='Default', app_password='2VxipM8Z3SETg32m3Gp0FvKS6zZ2uCbCw46WDyK6T5E=', ueb_key='2Re7Pvdkgw5aeAUD', auth_central = 'Y' , auth_namespace = 'org.onap.vid' where app_id = 6; --- aai sparky -update fn_app set app_username='aaiui', app_password='4LK69amiIFtuzcl6Gsv97Tt7MLhzo03aoOx7dTvdjKQ=', ueb_key='ueb_key_7' where app_id = 7; - --- Disabled Policy APP -UPDATE fn_app fa SET fa.enabled = 'N' WHERE app_name = 'Policy'; --- Disabled AAIUI APP -UPDATE fn_app fa SET fa.enabled = 'N' WHERE app_name = 'A&AI UI'; -/* -Replace spaces with underscores for role names 
to match AAF role names -*/ -UPDATE fn_role SET role_name= REPLACE(role_name, ' ', '_') WHERE active_yn= 'Y' AND role_id NOT IN (999); - - -/* -Onboard LF Acumos App -*/ -INSERT IGNORE INTO `fn_app` (`app_id`, `app_name`, `app_image_url`, `app_description`, `app_notes`, `app_url`, `app_alternate_url`, `app_rest_endpoint`, `ml_app_name`, `ml_app_admin_id`, `mots_id`, `app_password`, `open`, `enabled`, `thumbnail`, `app_username`, `ueb_key`, `ueb_secret`, `ueb_topic_name`, `app_type`,`auth_central`,`auth_namespace`) VALUES -(11, 'LF Acumos Marketplace', 'images/cache/portal_907838932_26954.png', NULL, NULL, 'https://marketplace.acumos.org/#/home', NULL, NULL, '', '', NULL, '', 'Y', 'Y', NULL, '', '', '', '', 2,'N',NULL); - - --- add Acumos thumbnail -UPDATE`fn_app`SET`thumbnail`=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`app_id`='11' and `app_name` = 'LF Acumos Marketplace'; diff --git a/kubernetes/portal/components/portal-mariadb/templates/NOTES.txt b/kubernetes/portal/components/portal-mariadb/templates/NOTES.txt deleted file mode 100644 index ee7a285cc0..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-mariadb/templates/configmap.yaml b/kubernetes/portal/components/portal-mariadb/templates/configmap.yaml deleted file mode 100644 index eaa0cfb259..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-mariadb - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/mariadb/*").AsConfig . | indent 2 }} - diff --git a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml b/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml deleted file mode 100644 index 1d0d5bc5e5..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/deployment.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: volume-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - command: ['sh', '-c', 'chmod -R 777 /var/lib/mysql'] - volumeMounts: - - mountPath: /var/lib/mysql - name: mariadb-data - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MYSQL_HOST - value: "{{ include "common.servicename" . }}" - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: db-root-password - - name: MYSQL_USER - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: backend-db-user - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "common.fullname" . }} - key: backend-db-password - - name: PORTAL_DB_TABLES - value: {{ .Values.config.backend_portal_tables }} - volumeMounts: - - mountPath: /var/lib/mysql - name: mariadb-data - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: /usr/local/bin/docker-entrypoint.sh - subPath: docker-entrypoint.sh - name: docker-entry - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - {{- if .Values.persistence.enabled }} - - name: mariadb-data - persistentVolumeClaim: - claimName: {{ include "common.fullname" . 
}} - {{- else }} - emptyDir: {} - {{- end }} - - name: localtime - hostPath: - path: /etc/localtime - - name: docker-entry - configMap: - name: {{ include "common.fullname" . }}-mariadb - defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-mariadb/templates/job.yaml b/kubernetes/portal/components/portal-mariadb/templates/job.yaml deleted file mode 100644 index 5a66bb96bd..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/job.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-config - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - template: - metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - {{ include "common.name" . }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - containers: - - name: {{ include "common.name" . }}-job - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadbInitImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DB_HOST - value: "{{ include "common.servicename" . 
}}" - - name: DB_USER - value: {{ .Values.config.mariadbUser }} - - name: DB_PASS - valueFrom: - secretKeyRef: {name: {{ include "common.fullname" . }}, key: db-root-password} - - name: SQL_SRC_DIR - value: {{ .Values.config.sqlSourceDirectory }} - - name: {{ include "common.name" . }}-oom-update-job - image: {{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.mariadbInitImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: DB_HOST - value: "{{ include "common.servicename" . }}" - - name: DB_USER - value: {{ .Values.config.mariadbUser }} - - name: DB_PORT - value: "{{ .Values.service.internalPort }}" - - name: DB_PASS - valueFrom: - secretKeyRef: - name: {{ include "common.fullname" . }} - key: db-root-password - command: - - /bin/sh - - -x - - -c - - "mysql -vv --user=$DB_USER --password=$DB_PASS --host=$DB_HOST --port=$DB_PORT < /tmp/oom_updates.sql" - volumeMounts: - - name: portal-mariadb-sql - mountPath: /tmp/oom_updates.sql - subPath: oom_updates.sql - volumes: - - name: portal-mariadb-sql - configMap: - name: {{ include "common.fullname" . }}-mariadb - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never diff --git a/kubernetes/portal/components/portal-mariadb/templates/pv.yaml b/kubernetes/portal/components/portal-mariadb/templates/pv.yaml deleted file mode 100644 index e10b003570..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/pv.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.persistence.size}} - accessModes: - - {{ .Values.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.persistence.mountSubPath }} -{{- end -}} -{{- end -}} diff --git a/kubernetes/portal/components/portal-mariadb/templates/pvc.yaml b/kubernetes/portal/components/portal-mariadb/templates/pvc.yaml deleted file mode 100644 index 1cadcc51d5..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/pvc.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.persistence.size }} -{{- end -}} diff --git a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml b/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml deleted file mode 100644 index c0800e0275..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/secrets.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: - db-root-password: {{ .Values.config.mariadbRootPassword | b64enc | quote }} -stringData: - backend-db-user: {{ .Values.config.backendDbUser }} - backend-db-password: {{ .Values.config.backendDbPassword }} diff --git a/kubernetes/portal/components/portal-mariadb/templates/service.yaml b/kubernetes/portal/components/portal-mariadb/templates/service.yaml deleted file mode 100644 index 7b9ef91900..0000000000 --- a/kubernetes/portal/components/portal-mariadb/templates/service.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.externalPort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - name: {{ .Values.service.portName }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-mariadb/values.yaml b/kubernetes/portal/components/portal-mariadb/values.yaml deleted file mode 100644 index a7fdb54d78..0000000000 --- a/kubernetes/portal/components/portal-mariadb/values.yaml +++ /dev/null 
@@ -1,153 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for mariadb. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: # global defaults - nodePortPrefix: 302 - persistence: {} - -# application image -image: onap/portal-db:3.4.1 -pullPolicy: Always -mariadbInitImage: oomk8s/mariadb-client-init:3.0.0 - -# application configuration -config: - mariadbUser: root - mariadbRootPassword: Aa123456 - backendDbUser: portal - backendDbPassword: portal - #backend_portal_tables is a comma delimited string listing back-end tables - #that backendDbUser needs access to, such as to portal and ecomp_sdk tables - backend_portal_tables: portal,ecomp_sdk - #The directory where sql files are found in the projects gerrit repo. - sqlSourceDirectory: portal/deliveries - # sdc frontend assignment for port 9443 - sdcFePort: "30207" - # application's front end hostname. Must be resolvable on the client side environment - sdcFeHostName: "sdc.api.fe.simpledemo.onap.org" - # policy pap ui assignment for port 8443 - papPort: "30219" - # application's front end hostname. Must be resolvable on the client side environment - papHostName: "policy.api.simpledemo.onap.org" - # vid ui assignment for port 8443 - vidPort: "30200" - # application's front end hostname. 
Must be resolvable on the client side environment - vidHostName: "vid.api.simpledemo.onap.org" - # aai sparky ui assignment for port 8080 - aaiSparkyPort: "30220" - # application's front end hostname. Must be resolvable on the client side environment - aaiSparkyHostName: "aai.ui.simpledemo.onap.org" - # cli ui assignment for port 8080 - cliPort: "30260" - # application's front end hostname. Must be resolvable on the client side environment - cliHostName: "cli.api.simpledemo.onap.org" - # portal sdk (demo app) ui assignment for port 8990 - portalSdkPort: "30212" - # application's front end hostname. Must be resolvable on the client side environment - portalSdkHostName: "portal-sdk.simpledemo.onap.org" - # dmaap bus controller ui assignment for port ? - dmaapBcPort: "" # TODO: populate with - # application's front end hostname. Must be resolvable on the client side environment - dmaapBcHostName: "dmaap-bc.simpledemo.onap.org" - # msb IAG ui assignment for port 80 - msbPort: "30283" - # application's front end hostname. Must be resolvable on the client side environment - msbHostName: "msb.api.simpledemo.onap.org" - # SO Monitoring assignment for port 30224 - soMonitoringPort: "30224" - # application's front end hostname. 
Must be resolvable on the client side environment - soMonitoringHostName: "so-monitoring" - - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 450 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 450 - periodSeconds: 10 - -## Persist data to a persitent volume -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - volumeReclaimPolicy: Retain - - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" - accessMode: ReadWriteOnce - size: 2Gi - mountPath: /dockerdata-nfs - mountSubPath: portal/mariadb/data - -service: - type: ClusterIP - name: portal-db - portName: portal-db - externalPort: 3306 - internalPort: 3306 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 460m - memory: 175Mi - requests: - cpu: 10m - memory: 100Mi - large: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 800m - memory: 1Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: portal-db - roles: - - read diff --git a/kubernetes/portal/components/portal-sdk/.helmignore b/kubernetes/portal/components/portal-sdk/.helmignore deleted file mode 100644 index daebc7da77..0000000000 
--- a/kubernetes/portal/components/portal-sdk/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/portal/components/portal-sdk/Chart.yaml b/kubernetes/portal/components/portal-sdk/Chart.yaml deleted file mode 100644 index 7f3ff1d8b5..0000000000 --- a/kubernetes/portal/components/portal-sdk/Chart.yaml +++ /dev/null @@ -1,35 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Portal software development kit -name: portal-sdk -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' 
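Review bot: in the removed kubernetes/portal/components/portal-mariadb/values.yaml, `mariadbRootPassword: Aa123456` and `backendDbPassword: portal` were chart defaults, and deleting the file does not retire them: they stay in the repository history and in any release that was installed without overriding them. The same file sets `volumeReclaimPolicy: Retain` under `persistence`, so the database volume can outlive the chart. Please state in the commit message or release notes that existing portal-db deployments should have these passwords changed and the retained volume cleaned up once the chart is gone.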
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/fusion.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/fusion.properties deleted file mode 100644 index 895de10a4f..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/fusion.properties +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -# login settings -login_method_backdoor = backdoor -login_method_attribute_name = login_method - -# These properties will be removed after SingleSignOnController is cleaned -authentication_mechanism = BOTH -login_method_csp = csp -login_method_web_junction = web_junction - -#login message -login.error.hrid.empty = Login failed, please contact system administrator. -login.error.hrid.not-found = User not found, please contact system administrator. -login.error.user.inactive = Account is disabled, please contact system administrator. - -# User Session settings -user_attribute_name = user -roles_attribute_name = roles -role_function_list = role_function_list -role_functions_attribute_name = role_functions - -# Import-user LDAP settings -post_initial_context_factory = com.sun.jndi.ldap.LdapCtxFactory -post_provider_url = ldap://ldap.mycompany.com:389 -post_security_principal = ou=people,o=mycompany,c=us -post_max_result_size = 499 - -# menu settings -menu_query_name = menuData -application_menu_set_name = APP -application_menu_attribute_name = applicationMenuData -business_direct_menu_set_name = BD -business_direct_menu_attribute_name = businessDirectMenuData - -# Role settings -sys_admin_role_id = 1 
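Review bot: the commit message does not mention dropping the portal-sdk chart, which is what the deletion of fusion.properties and the neighbouring property files amounts to; it lists only the cnf-adapter and cnfm-lcm update and the tracing changes. Please add a line for the portal removal or split it into its own change, so that anyone tracing when `login_method_backdoor = backdoor` and `authentication_mechanism = BOTH` stopped being shipped can find the commit from its message.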
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties deleted file mode 100644 index a5160457ec..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/key.properties +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -### -# ============LICENSE_START========================================== -# ONAP Portal SDK -# =================================================================== -# Copyright © 2017 AT&T Intellectual Property. All rights reserved. -# =================================================================== -# -# Unless otherwise specified, all software contained herein is licensed -# under the Apache License, Version 2.0 (the “License”); -# you may not use this software except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# Unless otherwise specified, all documentation contained herein is licensed -# under the Creative Commons License, Attribution 4.0 Intl. (the “License”); -# you may not use this documentation except in compliance with the License. -# You may obtain a copy of the License at -# -# https://creativecommons.org/licenses/by/4.0/ -# -# Unless required by applicable law or agreed to in writing, documentation -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# -# ============LICENSE_END============================================ -# -# -### -*/}} - -# Properties read by the ECOMP Framework library (epsdk-fw) -cipher.enc.key = ${CIPHER_ENC_KEY} 
diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml deleted file mode 100644 index 2c2cd00f1c..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/logback.xml +++ /dev/null @@ -1,225 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${defaultLoggerPattern} - - - - - - - - ${logDirectory}/${generalLogName}.log - - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${applicationLoggerPattern} - - - - - 256 - - true - - - - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${auditLoggerPattern} - - - - 256 - - - - ${logDirectory}/${metricsLogName}.log - - - ${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${metricsLoggerPattern} - - - - 256 - - - - ${logDirectory}/${errorLogName}.log - - - ${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${errorLoggerPattern} - - - - 256 - - - - ${debugLogDirectory}/${debugLogName}.log - - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip - - 30 - 3GB - - - ${defaultLoggerPattern} - - - - 256 - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties deleted file mode 100644 index 3e215647e5..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/music.properties +++ /dev/null 
@@ -1,36 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -music.version = v2 -music.keyspace = keyspaces -music.session.keyspace = portalsdk -music.tables = tables -music.session.attr.tables = spring_session_attributes -music.session.meta.tables = spring_session -music.consistency.info = type -music.consistency.info.value = eventual -music.cache = false -music.session.max.inactive.interval.seconds = 1800 -music.serialize.compress = true - -#By default it's eventual -music.atomic.get = false -music.atomic.put = false - -cassandra.host={{.Values.cassandra.service.name}} -cassandra.user=${CASSA_USER} -cassandra.password=${CASSA_PASSWORD} diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/portal.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/portal.properties deleted file mode 100755 index 4d26240be4..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/portal.properties +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -# Properties read by ECOMP Framework library, ecompFW.jar - -########################################################################## -# The following properties should NOT be changed by partner applications. -########################################################################## - -portal.api.prefix = /api -max.idle.time = 5 -user.attribute.name = user_attribute - -#Use REST API instead of UEB to fetch the functional menu data -use_rest_for_functional_menu=true - -########################################################################## -# The following properties MUST be changed by partner applications. -########################################################################## - -# Name of java class that implements the OnBoardingApiService interface. -# epsdk 1.3 uses org.onap prefix -portal.api.impl.class = org.onap.portalapp.service.OnBoardingApiServiceImpl - -# CSP Global Log On for single sign on -ecomp_redirect_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalFEPort}}/ONAPPORTAL/login.htm - -# URL of the ECOMP Portal REST API - -ecomp_rest_url = http://{{.Values.global.portalHostName}}:{{.Values.global.portalPort}}/ONAPPORTAL/auxapi - -# Applications do not need to run a UEB listener in 1610. 
-ueb_listeners_enable = false - -# UEB Configuration -ueb_url_list = message-router -# ECOMP Portal listens on this UEB topic -ecomp_portal_inbox_name = ECOMP-PORTAL-INBOX -# Replace these 3 default values with the ones for your specific App, -# as shown on the on-boarding page on the ECOMP Portal web application. -ueb_app_key = jQd4a9zVNi4ePyBp -ueb_app_secret = P0HpqEBhKJvxjRYdw2sCTUll -ueb_app_mailbox_name = ECOMP-PORTAL-OUTBOX-APP1 -# Consumer group name for UEB topic. -# Use the special tag '{UUID}' to generate a unique one for each sdk-app server. -ueb_app_consumer_group_name = {UUID} - -decryption_key = AGLDdG4D04BKm2IxIWEr8o== diff --git a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties deleted file mode 100755 index 3873da13a9..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties +++ /dev/null 
@@ -1,95 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - - -# Properties read by ECOMP Core library, ecompSDK-core.jar - -########################################################################## -# The following properties should NOT be changed by partner applications. -########################################################################## - -application_user_id = 30000 -post_default_role_id = 16 -clustered = true - -#Enable Fusion Mobile capabilities for the application -mobile_enable = false - -# Cache config file is needed on the classpath -cache_config_file_path = /WEB-INF/classes/cache.ccf -cache_switch = 199 -cache_load_on_startup = false - -user_name = fullName -decryption_key = AGLDdG4D04BKm2IxIWEr8o== - -########################################################################## -# The following properties MAY require changes by partner applications. 
-########################################################################## - -db.driver = org.mariadb.jdbc.Driver -db.connectionURL = jdbc:mariadb://portal-db:3306/ecomp_sdk -db.userName =${PORTAL_DB_USER} -db.password =${PORTAL_DB_PASSWORD} -db.min_pool_size = 5 -db.max_pool_size = 10 -hb.dialect = org.hibernate.dialect.MySQLDialect -# SQL statements are logged to stdout -hb.show_sql = true -hb.idle_connection_test_period = 3600 - -app_display_name = Demo App -files_path = /tmp - -#element map files -element_map_file_path = /tmp -element_map_icon_path = app/fusionapp/icons/ - -#Cron Schedules -log_cron = 0 0/1 * * * ?; -mylogins_feed_cron = 0 0/60 * * * ?; -#sessiontimeout_feed_cron = 0 * * * * ? * -my_login_feed_output_dir = /tmp/MyLogins - -# Link shown in Help menu -contact_us_link = https://todo_contact_us_link.com - -# An Unique 128-bit value defined to identify a specific version -# of an application deployed on a specific virtual machine. -# This value must be generated and updated by the application -# which is using the ECOMP SDK at the time of its deployment. -# Online Unique UUID generator - https://www.uuidgenerator.net/ -instance_uuid=8da691c9-987d-43ed-a358-00ac2f35685d - -# R Cloud feature - configure this property to enable notebook feature - for more details on RCloud please visit https://rcloud.social/index.html -guard_notebook_url= - -#authenticate user server -#TODO: what is this URL supposed to be pointing to? Nothing in portal opens 8383 -authenticate_user_server=http://{{.Values.global.portalHostName}}:8383/openid-connect-server-webapp/allUsers - -#cookie domain -cookie_domain = onap.org - -# External Central Auth system access -remote_centralized_system_access = {{.Values.global.aafEnabled}} - -# External Access System Basic Auth Credentials & Rest endpoint -# External Access System Basic Auth Credentials & Rest endpoint -ext_central_access_user_name = aaf_admin@people.osaaf.org -ext_central_access_password = demo123456! 
-ext_central_access_url = {{.Values.aafURL}} -ext_central_access_user_domain = @people.osaaf.org diff --git a/kubernetes/portal/components/portal-sdk/resources/server/server.xml b/kubernetes/portal/components/portal-sdk/resources/server/server.xml deleted file mode 100644 index 1cea5ab8f8..0000000000 --- a/kubernetes/portal/components/portal-sdk/resources/server/server.xml +++ /dev/null @@ -1,155 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - {{ if .Values.global.aafEnabled }} - - {{ end }} - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/portal/components/portal-sdk/templates/NOTES.txt b/kubernetes/portal/components/portal-sdk/templates/NOTES.txt deleted file mode 100644 index 496dd8d1a5..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-sdk/templates/configmap.yaml b/kubernetes/portal/components/portal-sdk/templates/configmap.yaml deleted file mode 100644 index 30d2009c3e..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onapportalsdk - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTALSDK/*").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }} diff --git a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml b/kubernetes/portal/components/portal-sdk/templates/deployment.yaml deleted file mode 100644 index 66e80651c3..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/deployment.yaml +++ /dev/null 
@@ -1,183 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018,2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - "portal-db" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-portalsdk-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - cd /config-input && \ - for PFILE in `ls -1 *.xml` - do - cp ${PFILE} /config - chmod 0755 /config/${PFILE} - done - cd /config-input && \ - for PFILE in `ls -1 *.properties` - do - envsubst <${PFILE} >/config/${PFILE} - chmod 0755 /config/${PFILE} - done - env: - - name: CASSA_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "login") | indent 12 }} - - name: CASSA_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-cass" "key" "password") | indent 12 }} - - name: CIPHER_ENC_KEY - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cipher-enc-key" "key" "password") | indent 12 }} - - name: PORTAL_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} - - name: PORTAL_DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} - volumeMounts: - - mountPath: /config-input - name: properties-onapportalsdk-scrubbed - - mountPath: /config - name: properties-onapportalsdk -{{ include "common.certInitializer.initContainer" . | indent 6 }} - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["bash","-c"] - {{- if .Values.global.aafEnabled }} - args: ["export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0);\ - export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ - -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\ - /start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"] - env: - - name: CATALINA_OPTS - value: > - -Djavax.net.ssl.keyStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }}" - -Djavax.net.ssl.trustStore="{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }}" - {{- else }} - args: ["/start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"] - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: -{{ include "common.certInitializer.volumeMount" . 
| indent 8 }} - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml" - subPath: server.xml - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/fusion/conf/fusion.properties" - subPath: fusion.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/conf/system.properties" - subPath: system.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/portal.properties" - subPath: portal.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/classes/key.properties" - subPath: key.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/music.properties" - subPath: music.properties - - name: properties-onapportalsdk - mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTALSDK/WEB-INF/classes/logback.xml" - subPath: logback.xml - - name: portal-tomcat-logs - mountPath: "{{ .Values.global.env.tomcatDir }}/logs" - - name: var-log-onap - mountPath: "{{ .Values.log.path }}" - resources: -{{ include "common.resources" . }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - {{ include "common.log.sidecar" . | nindent 6 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-onapportalsdk - emptyDir: - medium: Memory - - name: properties-onapportalsdk-scrubbed - configMap: - name: {{ include "common.fullname" . 
}}-onapportalsdk - defaultMode: 0755 - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - - name: var-log-onap - emptyDir: {} - - name: portal-tomcat-logs - emptyDir: {} -{{ include "common.certInitializer.volumes" . | indent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-sdk/templates/ingress.yaml b/kubernetes/portal/components/portal-sdk/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/portal/components/portal-sdk/templates/secrets.yaml b/kubernetes/portal/components/portal-sdk/templates/secrets.yaml deleted file mode 100644 index 06a17b4009..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/components/portal-sdk/templates/service.yaml b/kubernetes/portal/components/portal-sdk/templates/service.yaml deleted file mode 100644 index 56a65227a1..0000000000 --- a/kubernetes/portal/components/portal-sdk/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml deleted file mode 100644 index 1bc6b44852..0000000000 --- a/kubernetes/portal/components/portal-sdk/values.yaml +++ /dev/null 
@@ -1,173 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - env: - tomcatDir: "/usr/local/tomcat" - nodePortPrefix: 302 - persistence: {} - #AAF service - aafEnabled: true - -################################################################ -# Secrets metaconfig -################################################################# - -secrets: - - uid: portal-cass - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.cassandra.config.cassandraExternalSecret) . }}' - login: '{{ .Values.cassandra.config.cassandraUsername }}' - password: '{{ .Values.cassandra.config.cassandraPassword }}' - passwordPolicy: required - - uid: portal-backend-db - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - - uid: cipher-enc-key - type: password - externalSecret: '{{ .Values.config.cipherEncKeyExternalSecret}}' - password: '{{ .Values.config.cipherEncKey }}' - passwordPolicy: required - -################################################################# -# Application configuration defaults. 
-################################################################# - -# application image -image: onap/portal-sdk:3.4.2 -pullPolicy: Always - -# application configuration -config: - # cipherEncKeyExternalSecret: some secret - cipherEncKey: AGLDdG4D04BKm2IxIWEr8o== - - -#AAF local config -aafURL: https://aaf-service:8100/authz/ -certInitializer: - nameOverride: portal-sdk-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: portal - fqi: portal@portal.onap.org - public_fqdn: portal.onap.org - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - app_ns: org.osaaf.aaf - permission_user: 1000 - permission_group: 999 - keystoreFile: "org.onap.portal.p12" - truststoreFile: "org.onap.portal.trust.jks" - aaf_add_config: | - echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: portal-sdk - portName: portal-sdk - internalPort: 8443 - externalPort: 8443 - nodePort: 12 - -mariadb: - service: - name: portal-db - config: - # backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal -widget: - service: - name: portal-widget -cassandra: - service: - name: portal-cassandra - config: - # cassandraExternalSecret: some secret - cassandraUsername: root - cassandraPassword: Aa123456 -messageRouter: - service: - name: message-router - -ingress: - 
enabled: false - service: - - baseaddr: portal-sdk-api - name: "portal-sdk" - port: 8443 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 600m - memory: 1.6Gi - requests: - cpu: 10m - memory: 1.3Gi - large: - limits: - cpu: 8 - memory: 20Gi - requests: - cpu: 4 - memory: 10Gi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' -#Pods Service Account -serviceAccount: - nameOverride: portal-sdk - roles: - - read diff --git a/kubernetes/portal/components/portal-widget/.helmignore b/kubernetes/portal/components/portal-widget/.helmignore deleted file mode 100644 index daebc7da77..0000000000 --- a/kubernetes/portal/components/portal-widget/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/portal/components/portal-widget/Chart.yaml b/kubernetes/portal/components/portal-widget/Chart.yaml deleted file mode 100644 index b9adb0ca5c..0000000000 --- a/kubernetes/portal/components/portal-widget/Chart.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: Portal widgets micro service application -name: portal-widget -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties b/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties deleted file mode 100644 index f5a900e8ce..0000000000 --- a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.properties +++ /dev/null 
@@ -1,32 +0,0 @@ -## General App Properties -server.contextPath=/widget -server.port=8082 -spring.http.multipart.max-file-size=128MB -spring.http.multipart.max-request-size=128MB -microservice.widget.location=/tmp - -## App DB Properties -spring.datasource.url=jdbc:mysql://portal-db:3306/portal -spring.datasource.username=${PORTAL_DB_USER} -spring.datasource.password=${PORTAL_DB_PASSWORD} -spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQLDialect -spring.database.driver.classname=org.mariadb.jdbc.Driver -spring.jpa.show-sql=false -spring.jpa.properties.hibernate.format_sql=false - -## Basic Authentication Properties -security.user.name=${WIDGET_USER} -security.user.password=${WIDGET_PASSWORD} - -initialization.default.widgets=true -initialization.widgetData.url=http://portal-app:{{.Values.global.portalPort}}/ONAPPORTAL/commonWidgets - -## Account Basic Authentication Properties -account.user.name=${ACC_USER} -account.user.password=${ACC_PASSWORD} - -## Certificate Properties -#server.ssl.key-store=classpath:widget-keystore.p12 -#server.ssl.key-store-password=ENC(DiIYnAMab4u7rEW2yKhF9zBL00uU55q8) -#server.ssl.keyStoreType=PKCS12 -#server.ssl.keyAlias=widget-microservice diff --git a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml b/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml deleted file mode 100644 index f3da66f882..0000000000 --- a/kubernetes/portal/components/portal-widget/resources/config/deliveries/properties/ONAPWIDGETMS/application.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -jasypt: - encryptor: - password: ${JASYPT_ENC_KEY} diff --git a/kubernetes/portal/components/portal-widget/templates/NOTES.txt b/kubernetes/portal/components/portal-widget/templates/NOTES.txt deleted file mode 100644 index 496dd8d1a5..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ include "common.name" . 
}},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/portal/components/portal-widget/templates/configmap.yaml b/kubernetes/portal/components/portal-widget/templates/configmap.yaml deleted file mode 100644 index 58acd42a69..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/configmap.yaml +++ /dev/null @@ -1,29 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-onapwidgetms - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPWIDGETMS/*").AsConfig . | indent 2 }} diff --git a/kubernetes/portal/components/portal-widget/templates/deployment.yaml b/kubernetes/portal/components/portal-widget/templates/deployment.yaml deleted file mode 100644 index e9ecece41e..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/deployment.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: - - name: {{ include "common.name" . }}-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - "portal-db" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: {{ include "common.name" . }}-portal-widget-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - cd /config-input && \ - for PFILE in `ls -1 *.*` - do - envsubst <${PFILE} >/config/${PFILE} - chmod 0755 /config/${PFILE} - done - env: - - name: PORTAL_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "login") | indent 12 }} - - name: PORTAL_DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-backend-db" "key" "password") | indent 12 }} - - name: WIDGET_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-widget" "key" "login") | indent 12 }} - - name: WIDGET_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-widget" "key" "password") | indent 12 }} - - name: ACC_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-account" "key" "login") | indent 12 }} - - name: ACC_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "portal-account" "key" "password") | indent 12 }} - - name: JASYPT_ENC_KEY - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "jasypt-enc-key" "key" "password") | indent 12 }} - volumeMounts: - - mountPath: /config-input - name: properties-onapwidgetms-scrubbed - - mountPath: /config - name: properties-onapwidgetms - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /start-wms.sh - ports: - - containerPort: {{ .Values.service.internalPort }} - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - name: properties-onapwidgetms - mountPath: "/application.properties" - subPath: application.properties - - name: properties-onapwidgetms - mountPath: "/application.yml" - subPath: application.yml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: properties-onapwidgetms - emptyDir: - medium: Memory - - name: properties-onapwidgetms-scrubbed - configMap: - name: {{ include "common.fullname" . }}-onapwidgetms - defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/portal/components/portal-widget/templates/secret.yaml b/kubernetes/portal/components/portal-widget/templates/secret.yaml deleted file mode 100644 index 9a3f011e80..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/components/portal-widget/templates/service.yaml b/kubernetes/portal/components/portal-widget/templates/service.yaml deleted file mode 100644 index 5197841189..0000000000 --- a/kubernetes/portal/components/portal-widget/templates/service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/portal/components/portal-widget/values.yaml b/kubernetes/portal/components/portal-widget/values.yaml deleted file mode 100644 index dfa51d8c7b..0000000000 --- a/kubernetes/portal/components/portal-widget/values.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################ -# Secrets metaconfig -################################################################# - -secrets: - - uid: portal-backend-db - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . }}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - - uid: portal-widget - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.widgetCredsExternalSecret) . }}' - login: '{{ .Values.config.widgetUsername }}' - password: '{{ .Values.config.widgetPassword }}' - passwordPolicy: required - - uid: portal-account - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.accountCredsExternalSecret) . 
}}' - login: '{{ .Values.config.accountUsername }}' - password: '{{ .Values.config.accountPassword }}' - passwordPolicy: required - - uid: jasypt-enc-key - type: password - externalSecret: '{{ .Values.config.jasyptEncKeyExternalSecret}}' - password: '{{ .Values.config.jasyptEncKey }}' - passwordPolicy: required - -config: - widgetUsername: widget_user - widgetPassword: widget_pass -# widgetCredsExternalSecret: some secret - accountUsername: portal - accountPassword: portal -# accountCredsExternalSecret: some secret - jasyptEncKey: EncryptionKey - # jasyptEncKeyExternalSecret: some secret - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/portal-wms:3.4.2 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -mariadb: - service: - name: portal-db - config: - # backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal - -service: - type: ClusterIP - name: portal-widget - portName: portal-widget - externalPort: 8082 - internalPort: 8082 - -ingress: - enabled: false - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 1 - memory: 430Mi - requests: - cpu: 1m - memory: 360Mi - large: - limits: - cpu: 2 - memory: 8Gi - requests: - cpu: 1 - memory: 4Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: portal-widget - roles: - - read 
\ No newline at end of file diff --git a/kubernetes/portal/docker/init/mariadb-client/Dockerfile b/kubernetes/portal/docker/init/mariadb-client/Dockerfile deleted file mode 100644 index 72f60d35ad..0000000000 --- a/kubernetes/portal/docker/init/mariadb-client/Dockerfile +++ /dev/null 
@@ -1,54 +0,0 @@ -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -FROM boxfuse/flyway:5.0.7-alpine - -ARG branch=3.0.0-ONAP -ENV no_proxy "localhost,127.0.0.1,.cluster.local,$KUBERNETES_SERVICE_HOST" -# Setup Corporate proxy -ENV https_proxy ${HTTP_PROXY} -ENV http_proxy ${HTTPS_PROXY} - -RUN apk add --update \ - mariadb-client=10.1.32-r0 \ - git \ - && rm -rf /var/cache/apk/* - -ENV so_branch=$branch -#ENV policy_branch: $branch -ENV portal_branch=$branch -#ENV sdnc_branch: $branch -#ENV vid_branch: $branch -#ENV clamp_branch: $branch - -#ENV appc_repo: http://gerrit.onap.org/r/appc/deployment.git -ENV so_repo=http://gerrit.onap.org/r/so/docker-config.git -#ENV policy_repo: http://gerrit.onap.org/r/policy/docker.git -ENV portal_repo=http://gerrit.onap.org/r/portal.git -#ENV sdnc_repo: http://gerrit.onap.org/r/sdnc/oam.git -#ENV vid_repo: http://gerrit.onap.org/r/vid.git -#ENV clamp_repo: http://gerrit.onap.org/r/clamp.git - -RUN mkdir -p /onap-sources -WORKDIR /onap-sources - -RUN git clone -b $branch $portal_repo && cd portal && git checkout HEAD -RUN git clone -b $branch $so_repo && cd docker-config && git checkout HEAD - -VOLUME /onap-sources - -COPY db_migrate.sh /root - -RUN chmod a+x /root/db_migrate.sh -ENTRYPOINT /root/db_migrate.sh 
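Review bot: the `git clone -b $branch $portal_repo` and `git clone -b $branch $so_repo` steps in the removed Dockerfile fetched over plain `http://` and pinned only a branch name, not a commit, so any image already built from this file has contents that cannot be verified after the fact. Before merging the deletion, confirm that no chart or CI job still references an image built from it. Separately, the proxy variables were crossed (`ENV https_proxy ${HTTP_PROXY}`, `ENV http_proxy ${HTTPS_PROXY}`), which is worth knowing if an older build behind a proxy has to be reproduced.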
diff --git a/kubernetes/portal/docker/init/mariadb-client/db_migrate.sh b/kubernetes/portal/docker/init/mariadb-client/db_migrate.sh deleted file mode 100644 index 2b90a994c3..0000000000 --- a/kubernetes/portal/docker/init/mariadb-client/db_migrate.sh +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/sh -x - -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -SQL_DEST_DIR=${SQL_DEST_DIR:-/tmp/sql} -DB_PORT=${DB_PORT:-3306} - -[ -z "$SQL_SRC_DIR" ] && { echo "Error: SQL_SRC_DIR must be provided as an environment variable"; exit 1; } -[ -z "$DB_USER" ] && { echo "Error: DB_USER must be provided as an environment variable"; exit 1; } -[ -z "$DB_PASS" ] && { echo "Error: DB_PASS must be provided as an environment variable"; exit 1; } -[ -z "$DB_HOST" ] && { echo "Error: DB_HOST must be provided as an environment variable"; exit 1; } - -mkdir -p $SQL_DEST_DIR - -#Find all sql files and copy them to the destination directory -find "/onap-sources/$SQL_SRC_DIR" -type f -iname "*.sql" | awk -v dest="$SQL_DEST_DIR" '{n=split($1,a,"/"); system(sprintf( "cp %s %s", $1, dest"/"a[n])) }' - - -#Not needed right now? -#--database=$DB_NAME - -#--force to deal with duplicate records in absense of "insert ignore" -##ERROR 1062 (23000) at line 382: Duplicate entry '2' for key 'PRIMARY' - -cd $SQL_DEST_DIR -cat *.sql | mysql -vv --user=$DB_USER --password=$DB_PASS --host=$DB_HOST --port=$DB_PORT --force 
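Review bot: the removed script started with `#!/bin/sh -x` and ended with `mysql ... --password=$DB_PASS ...`, so every run wrote the expanded database password to the container's trace output and exposed it in the process arguments. Deleting the file stops that going forward, but logs retained from earlier runs should be treated as containing the credential, and the password rotated where those logs were kept. The Dockerfile removed in the same change used this script as its `ENTRYPOINT`, so the two deletions need to land together.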
diff --git a/kubernetes/portal/resources/config/log/filebeat/filebeat.yml b/kubernetes/portal/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 56ed10a50c..0000000000 --- a/kubernetes/portal/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada, AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. 
- loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/portal/templates/configmap.yaml b/kubernetes/portal/templates/configmap.yaml deleted file mode 100644 index 681f24eff3..0000000000 --- a/kubernetes/portal/templates/configmap.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.log.configMap" . }} diff --git a/kubernetes/portal/templates/secrets.yaml b/kubernetes/portal/templates/secrets.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/portal/templates/secrets.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/portal/values.yaml b/kubernetes/portal/values.yaml deleted file mode 100644 index 0e6c9d63f5..0000000000 --- a/kubernetes/portal/values.yaml +++ /dev/null 
@@ -1,90 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2018, 2020 AT&T -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - env: - tomcatDir: "/usr/local/tomcat" - # portal frontend port - portalPort: "8989" - portalFEPort: "30225" - # application's front end hostname. Must be resolvable on the client side environment - portalHostName: "portal.api.simpledemo.onap.org" - - centralizedLoggingEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: portal-cass - name: &dbSecretName '{{ include "common.release" . }}-portal-cass-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.casandraCredsExternalSecret) . }}' - login: '{{ .Values.config.cassandraUsername }}' - password: '{{ .Values.config.cassandraPassword }}' - - uid: portal-backend-db - name: &backendDbSecretName '{{ include "common.release" . }}-portal-backend-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.mariadb.config.backendDbExternalSecret) . 
}}' - login: '{{ .Values.mariadb.config.backendUserName }}' - password: '{{ .Values.mariadb.config.backendPassword }}' - passwordPolicy: required - -config: - logstashServiceName: log-ls - logstashPort: 5044 - cassandraUsername: root - cassandraPassword: Aa123456 -# casandraCredsExternalSecret: some secret - -portal-mariadb: - nameOverride: portal-db -mariadb: - service: - name: portal-db - config: -# backendDbExternalSecret: some secret - backendUserName: portal - backendPassword: portal - -widget: - service: - name: portal-widget -cassandra: - service: - name: portal-cassandra - config: - cassandraExternalSecret: *dbSecretName -portal-app: - mariadb: - config: - backendDbExternalSecret: *backendDbSecretName - cassandra: - config: - cassandraExternalSecret: *dbSecretName - logConfigMapNamePrefix: '{{ include "common.release" . }}-portal' -portal-sdk: - mariadb: - config: - backendDbExternalSecret: *backendDbSecretName - cassandra: - config: - cassandraExternalSecret: *dbSecretName - logConfigMapNamePrefix: '{{ include "common.release" . }}-portal' -messageRouter: - service: - name: message-router -ingress: - enabled: false diff --git a/kubernetes/robot/Chart.yaml b/kubernetes/robot/Chart.yaml index 343279ce1d..d1f835342b 100644 --- a/kubernetes/robot/Chart.yaml +++ b/kubernetes/robot/Chart.yaml @@ -17,18 +17,18 @@ apiVersion: v2 description: A helm Chart for kubernetes-ONAP Robot name: robot -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/robot/demo-k8s.sh b/kubernetes/robot/demo-k8s.sh index 3f8ac9deec..0e8f11afcc 100755 --- a/kubernetes/robot/demo-k8s.sh 
+++ b/kubernetes/robot/demo-k8s.sh @@ -55,9 +55,6 @@ usage () echo " demo-k8s.sh preload " echo " - Preload data for VNF for the " echo " " - echo " demo-k8s.sh appc " - echo " - provide APPC with vFW module mount point for closed loop" - echo " " echo " demo-k8s.sh init_robot [ ]" echo " - Initialize robot after all ONAP VMs have started" echo " " @@ -168,16 +165,6 @@ do VARIABLES="$VARIABLES -v MODULE_NAME:$1" shift ;; - appc) - TAG="APPCMountPointDemo" - shift - if [ $# -ne 1 ];then - echo "Usage: demo-k8s.sh appc " - exit - fi - VARIABLES="$VARIABLES -v MODULE_NAME:$1" - shift - ;; instantiateVFW) TAG="instantiateVFW" VARIABLES="$VARIABLES -v GLOBAL_BUILD_NUMBER:$$" diff --git a/kubernetes/robot/ete-k8s.sh b/kubernetes/robot/ete-k8s.sh index 82bf836ade..aa02e17867 100755 --- a/kubernetes/robot/ete-k8s.sh +++ b/kubernetes/robot/ete-k8s.sh @@ -31,7 +31,7 @@ if [ "$1" = "" ] || [ "$2" = "" ]; then echo " InitDistribution, PreloadDemo, deleteVNF, instantiateDemoVFWCL, instantiateVFW, " echo " instantiateVFWCL, instantiateVFWDT, instantiateVFWCLDN" echo "" - echo " health-check.robot: health, core, small, medium, 3rdparty, api, datarouter, externalapi, health-aaf, health-aai, health-appc," + echo " health-check.robot: health, core, small, medium, 3rdparty, api, datarouter, externalapi, health-aaf, health-aai," echo " health-clamp, health-cli, health-dcae, health-dmaap, health-log, health-modeling, health-msb," echo " health-multicloud, health-oof, health-policy, health-pomba, health-portal, health-sdc, health-sdnc," echo " health-so, health-uui, health-vfc, health-vid, health-vnfsdk, healthdist, healthlogin, healthmr," diff --git a/kubernetes/robot/resources/config/eteshare/config/robot_properties.py b/kubernetes/robot/resources/config/eteshare/config/robot_properties.py index 8365c68297..e52e48c548 100644 --- a/kubernetes/robot/resources/config/eteshare/config/robot_properties.py +++ b/kubernetes/robot/resources/config/eteshare/config/robot_properties.py 
@@ -16,8 +16,6 @@ GLOBAL_INJECTED_AAF_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "aaf-service") }}' GLOBAL_INJECTED_AAI_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "aai") }}' -GLOBAL_INJECTED_APPC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "appc") }}' -GLOBAL_INJECTED_APPC_CDT_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "appc-cdt") }}' GLOBAL_INJECTED_ARTIFACTS_VERSION = '{{.Values.demoArtifactsVersion}}' GLOBAL_INJECTED_ARTIFACTS_REPO_URL = "{{ .Values.demoArtifactsRepoUrl }}" GLOBAL_INJECTED_CLAMP_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "policy-gui") }}' 
@@ -27,11 +25,11 @@ GLOBAL_INJECTED_DCAE_COLLECTOR_IP = "{{ .Values.dcaeCollectorIp }}" GLOBAL_INJECTED_DCAE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-healthcheck") }}' GLOBAL_INJECTED_DCAE_MS_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-ms-healthcheck") }}' GLOBAL_INJECTED_DCAE_VES_HOST = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-ves-collector") }}' -GLOBAL_INJECTED_DMAAP_DR_PROV_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-prov") }}' -GLOBAL_INJECTED_DMAAP_DR_NODE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-node") }}' GLOBAL_INJECTED_DNS_IP_ADDR = 'N/A' GLOBAL_INJECTED_DOCKER_VERSION = '1.2-STAGING-latest' GLOBAL_INJECTED_EXTERNAL_DNS = 'N/A' +GLOBAL_INJECTED_HOLMES_ENGINE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "holmes-engine-mgmt") }}' +GLOBAL_INJECTED_HOLMES_RULE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "holmes-rule-mgmt") }}' GLOBAL_INJECTED_LOG_ELASTICSEARCH_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "log-es") }}' GLOBAL_INJECTED_LOG_KIBANA_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "log-kibana") }}' GLOBAL_INJECTED_LOG_LOGSTASH_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "log-ls-http") }}' 
@@ -46,8 +44,6 @@ GLOBAL_INJECTED_POMBA_KIBANA_IP_ADDR = '{{include "robot.ingress.svchost" (dict GLOBAL_INJECTED_POMBA_ELASTIC_SEARCH_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "pomba-es") }}' GLOBAL_INJECTED_POMBA_CONTEX_TAGGREGATOR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "pomba-contextaggregator") }}' GLOBAL_INJECTED_KEYSTONE = '{{ .Values.openStackKeyStoneUrl }}' -GLOBAL_INJECTED_MR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router") }}' -GLOBAL_INJECTED_BC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-bc") }}' GLOBAL_INJECTED_MUSIC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "music") }}' GLOBAL_INJECTED_NBI_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "nbi") }}' GLOBAL_INJECTED_NETWORK = '{{ .Values.openStackPrivateNetId }}' 
@@ -60,6 +56,14 @@ GLOBAL_INJECTED_OOF_HOMING_IP_ADDR = '{{include "robot.ingress.svchost" (dict "r GLOBAL_INJECTED_OOF_SNIRO_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "oof-osdf") }}' GLOBAL_INJECTED_OOF_CMSO_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "oof-cmso") }}' GLOBAL_INJECTED_MSB_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "msb-iag") }}' +GLOBAL_INJECTED_MC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud") }}' +GLOBAL_INJECTED_MC_PIKE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-pike") }}' +GLOBAL_INJECTED_MC_PROMETHEUS_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-prometheus") }}' +GLOBAL_INJECTED_MC_STARLINGX_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-starlingx") }}' +GLOBAL_INJECTED_MC_TC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-titaniumcloud") }}' +GLOBAL_INJECTED_MC_VIO_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-vio") }}' +GLOBAL_INJECTED_MC_K8S_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-k8s") }}' +GLOBAL_INJECTED_MC_FCAPS_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "multicloud-fcaps") }}' GLOBAL_INJECTED_OPENSTACK_API_KEY = '{{ .Values.config.openStackEncryptedPasswordHere}}' GLOBAL_INJECTED_OPENSTACK_TENANT_ID = '{{ .Values.openStackTenantId }}' GLOBAL_INJECTED_OPENSTACK_USERNAME = '{{ .Values.openStackUserName }}' 
@@ -69,6 +73,7 @@ GLOBAL_INJECTED_OPENSTACK_USER_DOMAIN = '{{ .Values.openStackUserDomain }}' GLOBAL_INJECTED_OPENSTACK_KEYSTONE_API_VERSION = '{{ .Values.openStackKeystoneAPIVersion }}' GLOBAL_INJECTED_REGION_THREE = '{{ .Values.openStackRegionRegionThree }}' GLOBAL_INJECTED_KEYSTONE_REGION_THREE = '{{ .Values.openStackKeyStoneUrlRegionThree }}' +GLOBAL_INJECTED_MODEL_PARSER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "modeling-etsicatalog") }}' GLOBAL_INJECTED_OPENSTACK_KEYSTONE_API_VERSION_REGION_THREE = '{{ .Values.openStackKeystoneAPIVersionRegionThree }}' GLOBAL_INJECTED_OPENSTACK_USERNAME_REGION_THREE = '{{ .Values.openStackUserNameRegionThree }}' GLOBAL_INJECTED_OPENSTACK_SO_ENCRYPTED_PASSWORD_REGION_THREE = '{{ .Values.openSackMsoEncryptdPasswordRegionThree }}' 
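Review bot: The added `GLOBAL_INJECTED_MODEL_PARSER_IP_ADDR` line sits in the middle of the region-three settings, between `GLOBAL_INJECTED_KEYSTONE_REGION_THREE` and `GLOBAL_INJECTED_OPENSTACK_KEYSTONE_API_VERSION_REGION_THREE`. Moving it next to the other service address entries (for example beside `GLOBAL_INJECTED_MSB_IP_ADDR`, where the multicloud addresses were added) keeps the `*_REGION_THREE` block contiguous and makes the new variable easier to find.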
@@ -114,6 +119,14 @@ GLOBAL_INJECTED_SO_VNFM_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root GLOBAL_INJECTED_SO_NSSMF_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "so-nssmf-adapter") }}' GLOBAL_INJECTED_UBUNTU_1404_IMAGE = '{{ .Values.ubuntu14Image }}' GLOBAL_INJECTED_UBUNTU_1604_IMAGE = '{{ .Values.ubuntu16Image }}' +GLOBAL_INJECTED_UUI_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "uui-server") }}' +GLOBAL_INJECTED_VFC_GVNFMDRIVER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-generic-vnfm-driver") }}' +GLOBAL_INJECTED_VFC_HUAWEIVNFMDRIVER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-huawei-vnfm-driver") }}' +GLOBAL_INJECTED_VFC_NSLCM_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-nslcm") }}' +GLOBAL_INJECTED_VFC_VNFLCM_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-vnflcm") }}' +GLOBAL_INJECTED_VFC_VNFMGR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-vnfmgr") }}' +GLOBAL_INJECTED_VFC_VNFRES_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-vnfres") }}' +GLOBAL_INJECTED_VFC_ZTEVNFDRIVER_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "vfc-zte-vnfm-driver") }}' GLOBAL_INJECTED_VM_IMAGE_NAME = '{{ .Values.ubuntu14Image }}' GLOBAL_INJECTED_DANOS_IMAGE_NAME = '{{ .Values.danosImage }}' GLOBAL_INJECTED_DANOS_FLAVOR = '{{ .Values.danosFlavor }}' 
@@ -129,37 +142,28 @@ GLOBAL_AAF_PASSWORD = '{{ .Values.aafPassword }}' GLOBAL_AAF_AUTHENTICATION = [GLOBAL_AAF_USERNAME, GLOBAL_AAF_PASSWORD] # aai info - everything is from the private oam network (also called onap private network) GLOBAL_AAI_SERVER_PROTOCOL = '{{ include "common.scheme" . }}' -GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" ( ternary 8443 80 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_AAI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aai" "port" 80 ) }}' GLOBAL_AAI_USERNAME = '{{ .Values.aaiUsername }}' GLOBAL_AAI_PASSWORD = '{{ .Values.aaiPassword}}' GLOBAL_AAI_AUTHENTICATION = [GLOBAL_AAI_USERNAME, GLOBAL_AAI_PASSWORD] -# appc info - everything is from the private oam network (also called onap private network) -GLOBAL_APPC_SERVER_PROTOCOL = "https" -GLOBAL_APPC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "appc" "port" 8443) }}' -GLOBAL_APPC_USERNAME = '{{ .Values.appcUsername }}' -GLOBAL_APPC_PASSWORD = '{{ .Values.appcPassword }}' -GLOBAL_APPC_AUTHENTICATION = [GLOBAL_APPC_USERNAME, GLOBAL_APPC_PASSWORD] -GLOBAL_APPC_CDT_SERVER_PROTOCOL = "https" -GLOBAL_APPC_CDT_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "appc-cdt" "port" 18080) }}' -GLOBAL_APPC_CDT_USERNAME = "demo" # sdc info - everything is from the private oam network (also called onap private network) -GLOBAL_SDC_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_SDC_FE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-fe" "port" ( ternary 9443 8181 (eq "true" (include "common.needTLS" . )))) }}' -GLOBAL_SDC_BE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-be" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' -GLOBAL_SDC_BE_ONBOARD_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "sdc-onboarding-be" "port" ( ternary 8445 8081 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_SDC_SERVER_PROTOCOL = 'http' +GLOBAL_SDC_FE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-fe" "port" 8181) }}' +GLOBAL_SDC_BE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-be" "port" 8080) }}' +GLOBAL_SDC_BE_ONBOARD_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-onboarding-be" "port" 8081) }}' GLOBAL_SDC_DCAE_BE_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdc-dcae-be" "port" 8444) }}' GLOBAL_SDC_USERNAME = '{{ .Values.sdcUsername }}' GLOBAL_SDC_PASSWORD = '{{ .Values.sdcPassword }}' GLOBAL_SDC_AUTHENTICATION = [GLOBAL_SDC_USERNAME, GLOBAL_SDC_PASSWORD] # clamp info - everything is from the private oam network (also called onap private network) -GLOBAL_CLAMP_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' +GLOBAL_CLAMP_SERVER_PROTOCOL = 'http' GLOBAL_CLAMP_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "policy-gui" "port" 2443) }}' # nbi info - everything is from the private oam network (also called onap private network) -GLOBAL_NBI_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_NBI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "nbi" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_NBI_SERVER_PROTOCOL = 'http' +GLOBAL_NBI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "nbi" "port" 8080) }}' # cli info - everything is from the private oam network (also called onap private network) -GLOBAL_CLI_SERVER_PROTOCOL = "https" -GLOBAL_CLI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "cli" "port" 443) }}' +GLOBAL_CLI_SERVER_PROTOCOL = "http" +GLOBAL_CLI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "cli" "port" 8080) }}' # dcae info - everything is from the private oam network (also called onap private network) GLOBAL_DCAE_SERVER_PROTOCOL = "http" GLOBAL_DCAE_HEALTH_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-healthcheck" "port" 80) }}' 
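Review bot: In the aai block the port default is now fixed at 80, but `GLOBAL_AAI_SERVER_PROTOCOL` is still rendered from `common.scheme`, so any values set where that helper returns https would pair https with port 80. Either hard-code the protocol as the sdc, nbi and cli blocks now do, or keep the port tied to the same condition. The clamp block has the reverse mismatch: `GLOBAL_CLAMP_SERVER_PROTOCOL` becomes 'http' while the unchanged `GLOBAL_CLAMP_SERVER_PORT` default stays at 2443. Separately, this hunk removes every `common.needTLS` switch and moves cli from https/443 to http/8080, while `GLOBAL_AAI_AUTHENTICATION` and `GLOBAL_SDC_AUTHENTICATION` in the same block still carry username and password pairs. Please state in the commit message or a comment what protects these connections now, or keep the scheme value-driven so a TLS deployment can still select https.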
@@ -175,27 +179,44 @@ GLOBAL_DCAE_AUTHENTICATION = [GLOBAL_DCAE_USERNAME, GLOBAL_DCAE_PASSWORD] # dcae hv-ves info GLOBAL_DCAE_HVVES_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dcae-hv-ves-collector") }}' GLOBAL_DCAE_HVVES_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-hv-ves-collector" "port" 6061) }}' -# data router info - everything is from the private oam network (also called onap private network) -GLOBAL_DMAAP_DR_PROV_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_DMAAP_DR_PROV_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-dr-prov" "port" 443) }}' -GLOBAL_DMAAP_DR_NODE_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_DMAAP_DR_NODE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmapp-dr-node" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' -# dmaap message router info + +#DMAAP +# message router info - everything is from the private oam network (also called onap private network) +GLOBAL_MR_SERVER_PROTOCOL = "http" +GLOBAL_MR_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "message-router" "port" 3904) }}' +GLOBAL_INJECTED_MR_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router") }}' GLOBAL_DMAAP_MESSAGE_ROUTER_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router") }}' GLOBAL_DMAAP_MESSAGE_ROUTER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "message-router" "port" 3904) }}' -# dmaap kafka info -GLOBAL_DMAAP_KAFKA_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "message-router-kafka") }}' -GLOBAL_DMAAP_KAFKA_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "message-router-kafka" "port" 9092) }}' -GLOBAL_DMAAP_KAFKA_JAAS_USERNAME = '{{ .Values.kafkaJaasUsername }}' -GLOBAL_DMAAP_KAFKA_JAAS_PASSWORD = '{{ .Values.kafkaJaasPassword }}' +# bus controller info +GLOBAL_INJECTED_BC_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-bc") }}' +GLOBAL_BC_SERVER_PROTOCOL = 'http' +GLOBAL_BC_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-bc" "port" 8080) }}' +GLOBAL_BC_USERNAME = '{{ .Values.bcUsername }}' +GLOBAL_BC_PASSWORD = '{{ .Values.bcPassword }}' +# data router info - everything is from the private oam network (also called onap private network) +GLOBAL_DMAAP_DR_PROV_SERVER_PROTOCOL = 'http' +GLOBAL_DMAAP_DR_PROV_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-dr-prov" "port" 8080) }}' +GLOBAL_INJECTED_DMAAP_DR_PROV_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-prov") }}' +GLOBAL_DMAAP_DR_NODE_SERVER_PROTOCOL = 'http' +GLOBAL_DMAAP_DR_NODE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmapp-dr-node" "port" 8080) }}' +GLOBAL_INJECTED_DMAAP_DR_NODE_IP_ADDR = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "dmaap-dr-node") }}' + # strimzi kafka GLOBAL_KAFKA_BOOTSTRAP_SERVICE = '{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092' -GLOBAL_KAFKA_USER = '{{ .Values.strimziKafkaJaasUsername }}' +GLOBAL_KAFKA_USER = '{{ .Values.strimziKafkaUsername }}' + # DROOL server port and credentials GLOBAL_DROOLS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "policy-drools-pdp" "port" 9696) }}' GLOBAL_DROOLS_USERNAME = '{{ .Values.droolsUsername }}' GLOBAL_DROOLS_PASSWORD = '{{ .Values.droolsPassword }}' GLOBAL_DROOLS_AUTHENTICATION = [GLOBAL_DROOLS_USERNAME, GLOBAL_DROOLS_PASSWORD] + +# holmes info +GLOBAL_HOLMES_ENGINE_SERVER_PROTOCOL = 'http' +GLOBAL_HOLMES_ENGINE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "holmes-engine-mgmt" "port" 9102) }}' +GLOBAL_HOLMES_RULE_SERVER_PROTOCOL = 'http' +GLOBAL_HOLMES_RULE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "holmes-rule-mgmt" "port" 9101) }}' + # log server config - NOTE: no log server is run in HEAT; only on OOM GLOBAL_LOG_SERVER_PROTOCOL = "http" GLOBAL_LOG_ELASTICSEARCH_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "log-es" "port" 9200) }}' 
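Review bot: The rewritten `GLOBAL_DMAAP_DR_NODE_SERVER_PORT` line still looks up hostname "dmapp-dr-node", while `GLOBAL_INJECTED_DMAAP_DR_NODE_IP_ADDR` two lines below uses "dmaap-dr-node". The misspelling is carried over from the removed line; since the line is being touched anyway, correct it so the port and the address resolve against the same ingress hostname. Two smaller points in the same hunk: `GLOBAL_BC_HTTPS_SERVER_PORT` now always defaults to 8080 with `GLOBAL_BC_SERVER_PROTOCOL = 'http'`, so the HTTPS in the name no longer describes it and deserves a comment or a rename; and `GLOBAL_KAFKA_USER` now reads `.Values.strimziKafkaUsername` instead of `.Values.strimziKafkaJaasUsername`, which needs the matching key in the robot values.yaml or the template renders an empty user.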
@@ -216,16 +237,27 @@ GLOBAL_POMBA_ELASTICSEARCH_PORT = '{{include "robot.ingress.port" (dict "root" . GLOBAL_POMBA_CONTEXTAGGREGATOR_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "pomba-contextaggregator" "port" 9529) }}' # microservice bus info - everything is from the private oam network (also called onap private network) -GLOBAL_MSB_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_MSB_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "msb-iag" "port" ( ternary 443 80 (eq "true" (include "common.needTLS" . )))) }}' -# message router info - everything is from the private oam network (also called onap private network) -GLOBAL_MR_SERVER_PROTOCOL = "http" -GLOBAL_MR_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "message-router" "port" 3904) }}' -# bus controller info -GLOBAL_BC_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_BC_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dmaap-bc" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' -GLOBAL_BC_USERNAME = '{{ .Values.bcUsername }}' -GLOBAL_BC_PASSWORD = '{{ .Values.bcPassword }}' +GLOBAL_MSB_SERVER_PROTOCOL = 'http' +GLOBAL_MSB_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "msb-iag" "port" 80) }}' + +# multicloud info +GLOBAL_MC_SERVER_PROTOCOL = 'http' +GLOBAL_MC_PIKE_SERVER_PROTOCOL = 'http' +GLOBAL_MC_PROMETHEUS_SERVER_PROTOCOL = 'http' +GLOBAL_MC_STARLINGX_SERVER_PROTOCOL = 'http' +GLOBAL_MC_TC_SERVER_PROTOCOL = 'http' +GLOBAL_MC_VIO_SERVER_PROTOCOL = 'http' +GLOBAL_MC_K8S_SERVER_PROTOCOL = 'http' +GLOBAL_MC_FCAPS_SERVER_PROTOCOL = 'http' +GLOBAL_MC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud" "port" 9001) }}' +GLOBAL_MC_PIKE_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "multicloud-pike" "port" 9007) }}' +GLOBAL_MC_PROMETHEUS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-prometheus" "port" 9090) }}' +GLOBAL_MC_STARLINGX_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-starlingx" "port" 9009) }}' +GLOBAL_MC_TC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-titaniumcloud" "port" 9005) }}' +GLOBAL_MC_VIO_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-vio" "port" 9004) }}' +GLOBAL_MC_K8S_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-k8s" "port" 9015) }}' +GLOBAL_MC_FCAPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "multicloud-fcaps" "port" 9011) }}' + # dcae inventory and deployment handler info GLOBAL_INVENTORY_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "inventory") }}' GLOBAL_INVENTORY_SERVER_PROTOCOL = "https" 
@@ -286,11 +318,14 @@ GLOBAL_SO_VFC_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_VFC_IP_ADDR + ':' + GLOB GLOBAL_SO_VNFM_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_VNFM_IP_ADDR + ':' + GLOBAL_SO_VNFM_SERVER_PORT GLOBAL_SO_NSSMF_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_NSSMF_IP_ADDR + ':' + GLOBAL_SO_NSSMF_SERVER_PORT #GLOBAL_SO_VNFM_ENDPOINT = 'http://' + GLOBAL_INJECTED_SO_VNFM_IP_ADDR + ':' + GLOBAL_SO_VNFM_SERVER_PORT +# modeling info +GLOBAL_MODEL_PARSER_SERVER_PROTOCOL = "http" +GLOBAL_MODEL_PARSER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "modeling-etsicatalog" "port" 8806) }}' # music info - everything is from the private oam network (also called onap private network) GLOBAL_MUSIC_SERVER_PROTOCOL = "https" GLOBAL_MUSIC_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "music" "port" 8443) }}' # oof global info - everything is from the private oam network (also called onap private network) -GLOBAL_OOF_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' +GLOBAL_OOF_SERVER_PROTOCOL = 'http' # oof-homing info - everything is from the private oam network (also called onap private network) GLOBAL_OOF_HOMING_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "oof-has-api" "port" 8091) }}' GLOBAL_OOF_HOMING_USERNAME="{{ .Values.oofHomingUsername }}" @@ -304,7 +339,7 @@ GLOBAL_OOF_OSDF_PASSWORD="{{ .Values.oofPassword }}" GLOBAL_OOF_PCI_USERNAME="{{ .Values.oofOsdfPciOptUsername }}" GLOBAL_OOF_PCI_PASSWORD="{{ .Values.oofOsdfPciOptPassword }}" # oof cmso global info - everything is from the private oam network (also called onap private network) -GLOBAL_OOF_CMSO_PROTOCOL = "https" +GLOBAL_OOF_CMSO_PROTOCOL = "http" GLOBAL_OOF_CMSO_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "oof-cmso" "port" 8080) }}' GLOBAL_OOF_CMSO_USERNAME = "{{ .Values.oofCmsoUsername }}" GLOBAL_OOF_CMSO_PASSWORD = "{{ .Values.oofCmsoPassword }}" 
@@ -315,7 +350,7 @@ GLOBAL_PACKET_GENERATOR_USERNAME = "admin" GLOBAL_PACKET_GENERATOR_PASSWORD = "admin" GLOBAL_PGN_PORT = "2831" # policy info - everything is from the private oam network (also called onap private network) -GLOBAL_POLICY_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' +GLOBAL_POLICY_SERVER_PROTOCOL = 'http' GLOBAL_POLICY_SERVER_PORT = "8081" GLOBAL_POLICY_HEALTHCHECK_PORT = "6969" GLOBAL_POLICY_AUTH = '{{ .Values.policyAuth}}' @@ -332,9 +367,9 @@ GLOBAL_PORTAL_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "host GLOBAL_PORTAL_USERNAME = '{{ .Values.portalUsername }}' GLOBAL_PORTAL_PASSWORD = '{{ .Values.portalPassword }}' # sdnc info - everything is from the private oam network (also called onap private network) -GLOBAL_SDNC_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_SDNC_REST_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc" "port" ( ternary 8443 8282 (eq "true" (include "common.needTLS" . )))) }}' -GLOBAL_SDNC_ADMIN_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc-portal" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_SDNC_SERVER_PROTOCOL = 'http' +GLOBAL_SDNC_REST_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc" "port" 8282) }}' +GLOBAL_SDNC_ADMIN_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "sdnc-portal" "port" 8080) }}' GLOBAL_SDNC_USERNAME = '{{ .Values.sdncUsername }}' GLOBAL_SDNC_PASSWORD = '{{ .Values.sdncPassword }}' GLOBAL_SDNC_AUTHENTICATION = [GLOBAL_SDNC_USERNAME, GLOBAL_SDNC_PASSWORD] 
@@ -342,6 +377,24 @@ GLOBAL_SDNC_AUTHENTICATION = [GLOBAL_SDNC_USERNAME, GLOBAL_SDNC_PASSWORD] GLOBAL_SMS_SERVER_PROTOCOL = "https" GLOBAL_SMS_SERVER_NAME = '{{include "robot.ingress.svchost" (dict "root" . "hostname" "aaf-sms") }}' GLOBAL_SMS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "aaf-sms" "port" 10443) }}' +# uui info +GLOBAL_UUI_SERVER_PROTOCOL = "http" +GLOBAL_UUI_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "uui-server" "port" 8082) }}' +# vfc info +GLOBAL_VFC_GVNFMDRIVER_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_GVNFMDRIVER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-generic-vnfm-driver" "port" 8484) }}' +GLOBAL_VFC_HUAWEIVNFMDRIVER_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_HUAWEIVNFMDRIVER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-huawei-vnfm-driver" "port" 8482) }}' +GLOBAL_VFC_NSLCM_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_NSLCM_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-nslcm" "port" 8403) }}' +GLOBAL_VFC_VNFLCM_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_VNFLCM_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-vnflcm" "port" 8801) }}' +GLOBAL_VFC_VNFMGR_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_VNFMGR_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-vnfmgr" "port" 8803) }}' +GLOBAL_VFC_VNFRES_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_VNFRES_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-vnfres" "port" 8802) }}' +GLOBAL_VFC_ZTEVNFDRIVER_SERVER_PROTOCOL = 'http' +GLOBAL_VFC_ZTEVNFDRIVER_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "vfc-zte-vnfm-driver" "port" 8410) }}' # vid info - everything is from the private oam network (also called onap private network) GLOBAL_VID_SERVER_PROTOCOL = '{{ .Values.vidServerProtocol }}' GLOBAL_VID_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . 
"hostname" "clamp" "port" (.Values.vidServerPort | default 0 | int)) }}' @@ -350,13 +403,13 @@ GLOBAL_VID_PASSWORD = '{{ .Values.vidPassword}}' GLOBAL_VID_HEALTH_USERNAME = '{{ .Values.vidHealthUsername }}' GLOBAL_VID_HEALTH_PASSWORD = '{{ .Values.vidHealthPassword }}' # vnfsdk info - everything is from the private oam network (also called onap private network) -GLOBAL_VNFSDK_SERVER_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' +GLOBAL_VNFSDK_SERVER_PROTOCOL = 'http' GLOBAL_VNFSDK_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "refrepo" "port" 8703) }}' GLOBAL_DCAE_VES_PROTOCOL = "http" GLOBAL_DCAE_VES_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-ves-collector" "port" 8080) }}' GLOBAL_DCAE_VES_HTTPS_PROTOCOL = 'http{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}' -GLOBAL_DCAE_VES_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-ves-collector-https" "port" ( ternary 8443 8080 (eq "true" (include "common.needTLS" . )))) }}' +GLOBAL_DCAE_VES_HTTPS_SERVER_PORT = '{{include "robot.ingress.port" (dict "root" . "hostname" "dcae-ves-collector-https" "port" 8080) }}' GLOBAL_DCAE_VES_USERNAME = 'sample1' GLOBAL_DCAE_VES_PASSWORD = 'sample1' diff --git a/kubernetes/robot/templates/deployment.yaml b/kubernetes/robot/templates/deployment.yaml index 7d588e4de4..cd556e4b32 100644 --- a/kubernetes/robot/templates/deployment.yaml +++ b/kubernetes/robot/templates/deployment.yaml @@ -66,9 +66,6 @@ spec: volumeMounts: - name: dshm mountPath: /dev/shm - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: robot-eteshare mountPath: /share/config - name: robot-lighttpd 
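Review bot: in the robot properties hunk at -350,13 +403,13, GLOBAL_DCAE_VES_HTTPS_SERVER_PORT is now fixed at 8080, but the unchanged line above it still renders GLOBAL_DCAE_VES_HTTPS_PROTOCOL through common.needTLS, so a deployment where that helper returns "true" ends up with https against port 8080. Either hard-code the protocol to 'http' like the other entries touched in this file, or keep the 8443/8080 ternary on the port, so the pair cannot disagree.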
@@ -77,8 +74,13 @@ spec: mountPath: /etc/lighttpd/ssl - name: robot-logs mountPath: /share/logs - resources: -{{ include "common.resources" . }} + resources: {{ include "common.resources" . | nindent 10 }} + env: + - name: KAFKA_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.strimziKafkaUsername }} + key: password {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} @@ -98,9 +100,6 @@ spec: - name: dshm emptyDir: medium: Memory - - name: localtime - hostPath: - path: /etc/localtime - name: robot-eteshare configMap: name: {{ include "common.fullname" . }}-eteshare-configmap @@ -113,5 +112,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-lighttpd-ssl-configmap defaultMode: 0600 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/robot/values.yaml b/kubernetes/robot/values.yaml index bf11e1306e..32dfa2330b 100644 --- a/kubernetes/robot/values.yaml +++ b/kubernetes/robot/values.yaml @@ -22,7 +22,7 @@ global: # global defaults # application image repository: nexus3.onap.org:10001 -image: onap/testsuite:1.11.1 +image: onap/testsuite:1.14.0 pullPolicy: Always ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 @@ -44,14 +44,6 @@ config: enabled: true https: true hostname: aai.api.sparky - appc: - enabled: true - https: true - hostname: appc.api - appc_cdt: - enabled: true - https: true - hostname: appccdt clamp: enabled: true https: true @@ -65,13 +57,20 @@ config: dcae_ves_colector_https: enabled: false https: true + message_router: + enabled: false + https: false + dmaap_bc: + enabled: true + https: false + hostname: dmaapbc dmaap_dr_prov: enabled: true - https: true + https: false hostname: dmaapdrprov dmaap_dr_node: enabled: true - https: true + https: false hostname: dmaapdrnode log_es: enabled: false 
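Review bot: in the deployment.yaml hunk at -77,8 +74,13, the KAFKA_PASSWORD secretKeyRef takes its Secret name from .Values.strimziKafkaUsername, so a value that reads as a username silently doubles as a Secret name, and the container will not start if no Secret of that name with a password key exists in the namespace. Add a comment next to strimziKafkaUsername in values.yaml saying so, or introduce a separately named value for the Secret, and document which component is expected to create it.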
@@ -99,13 +98,6 @@ config: enabled: false pomba_contextaggregator: enabled: false - message_router: - enabled: false - https: true - dmaap_bc: - enabled: true - https: true - hostname: dmaapbc music: enabled: false https: true @@ -138,8 +130,6 @@ config: enabled: false policy_apex_pdp: enabled: false - policy_distribution: - enabled: false portal_app: enabled: false https: true @@ -194,8 +184,6 @@ config: hostname: blueprintsprocessorhttp dcae_hv_ves_collector: enabled: false - message_router_kafka: - enabled: false inventory: enabled: false https: true @@ -319,9 +307,6 @@ aafPassword: "demo123456!" # AAI aaiUsername: "aai@aai.onap.org" aaiPassword: "demo123456!" -# APPC -appcUsername: "appc@appc.onap.org" -appcPassword: "demo123456!" # SDC sdcUsername: "beep" sdcPassword: "boop" @@ -361,16 +346,13 @@ vidUsername: "demo" vidPassword: "Kp8bJ4SXszM0WX" vidHealthUsername: "Default" vidHealthPassword: "AppPassword!1" + # DMAAP BC bcUsername: "dmaap-bc@dmaap-bc.onap.org" bcPassword: "demo123456!" -# DMAAP KAFKA JAAS -kafkaJaasUsername: "admin" -kafkaJaasPassword: "admin_secret" - -# STRIMZI KAFKA JAAS -strimziKafkaJaasUsername: "strimzi-kafka-admin" +# STRIMZI KAFKA +strimziKafkaUsername: "strimzi-kafka-admin" #OOF oofUsername: "oof@oof.onap.org" @@ -400,18 +382,18 @@ flavor: small resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "2000m" + memory: "4Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "4000m" + memory: "8Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1000m" + memory: "2Gi" unlimited: {} # probe configuration parameters diff --git a/kubernetes/sdc/Chart.yaml b/kubernetes/sdc/Chart.yaml index aaa3ac29b7..68ee222c8a 100644 --- a/kubernetes/sdc/Chart.yaml +++ b/kubernetes/sdc/Chart.yaml 
@@ -2,6 +2,7 @@ # Modifications Copyright © 2018 ZTE # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,30 +19,33 @@ apiVersion: v2 description: Service Design and Creation Umbrella Helm charts name: sdc -version: 12.0.0 +version: 13.0.7 dependencies: + - name: common + version: ~13.x-0 + repository: '@local' - name: sdc-be - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-be' - name: sdc-cs - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-cs' - name: sdc-fe - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-fe' - name: sdc-onboarding-be - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-onboarding-be' - name: sdc-wfd-be - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-wfd-be' condition: sdc-wfd.enabled - name: sdc-wfd-fe - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-wfd-fe' condition: sdc-wfd.enabled - name: sdc-helm-validator - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/sdc-helm-validator' condition: sdcHelmValidator.enabled diff --git a/kubernetes/sdc/components/sdc-be/Chart.yaml b/kubernetes/sdc/components/sdc-be/Chart.yaml index e4052afc3d..eec4106067 100644 --- a/kubernetes/sdc/components/sdc-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-be/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018 AT&T, ZTE # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,15 +19,18 @@ apiVersion: v2 description: ONAP Service Design and Creation Backend API name: sdc-be -version: 12.0.0 +version: 13.0.5 dependencies: - - name: certInitializer - version: ~12.x-0 + - name: common + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/configuration.yaml b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/configuration.yaml new file mode 100644 index 0000000000..ae2e2f54fe --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/configuration.yaml 
@@ -0,0 +1,1253 @@ +identificationHeaderFields: + - HTTP_IV_USER + - HTTP_CSP_FIRSTNAME + - HTTP_CSP_LASTNAME + - HTTP_IV_REMOTE_ADDRESS + - HTTP_CSP_WSTYPE + + +# catalog backend hostname +beFqdn: {{ .Values.beFqdn }} + +# catalog backend http port +beHttpPort: {{ .Values.beHttpPort }} + +# catalog backend http context +beContext: /sdc/rest/config/get + +# catalog backend protocol +beProtocol: http + +tlsCert: {{ .Values.tlsCert }} +tlsKey: {{ .Values.tlsKey }} +caCert: {{ .Values.caCert }} + +# catalog backend ssl port +beSslPort: {{ .Values.beSslPort }} +version: 1.1.0 +released: 2012-11-30 +toscaConformanceLevel: 11.0 +minToscaConformanceLevel: 3.0 + +janusGraphCfgFile: {{ .Values.janusgraph.cfgFile }} +janusGraphInMemoryGraph: {{ .Values.janusgraph.graph.inMemory }} +janusGraphLockTimeout: {{ .Values.janusgraph.graph.lockTimeout }} +#startup: connect to JanusGraph DB when it is down during ASDC--More-- (2% of 27930 bytes) +janusGraphReconnectIntervalInSeconds: {{ .Values.janusgraph.reconnectInterval }} + +# The read timeout towards JanusGraph DB when health check is invoked: +janusGraphHealthCheckReadTimeout: {{ .Values.janusgraph.healthCheckReadTimeout }} + + #startup: connect to Elasticsearch when it is down during ASDC--More-- (3% of 27930 bytes) + +uebHealthCheckReconnectIntervalInSeconds: 15 +uebHealthCheckReadTimeout: 4 + +# Protocols +protocols: + - http + - https + +# Default imports +defaultImports: + - nodes: + file: nodes.yml + - datatypes: + file: data.yml + - capabilities: + file: capabilities.yml + - relationships: + file: relationships.yml + - groups: + file: groups.yml + - policies: + file: policies.yml + - annotations: + file: annotations.yml + +# Global CSAR Import Files +globalCsarImports: + - annotations.yml + - artifacts.yml + - capabilities.yml + - data.yml + - groups.yml + - interfaces.yml + - nodes.yml + - policies.yml + - relationships.yml + +# Users +users: + tom: passwd + bob: passwd + +basicAuth: + enabled: {{ 
.Values.basicAuthConfig.enabled }} + userName: {{ .Values.basicAuth.userName }} + userPass: {{ .Values.basicAuth.userPass }} + excludedUrls: "/sdc2/rest/healthCheck" + + +cassandraConfig: + cassandraHosts: [{{ .Values.global.sdc_cassandra.serviceName }}.{{ include "common.namespace" . }}.svc.cluster.local] + cassandraPort: {{ .Values.cassandra.port }} + localDataCenter: {{ .Values.global.sdc_cassandra.dataCenter }} + reconnectTimeout : 30000 + socketReadTimeout: {{ .Values.cassandraConfig.socketReadTimeout }} + socketConnectTimeout: {{ .Values.cassandraConfig.socketConnectTimeout }} + authenticate: true + username: {{ .Values.cassandra.cassandraUsername }} + password: {{ .Values.cassandra.cassandraPassword }} + ssl: {{ .Values.cassandraConfig.ssl }} + keystorePath: {{ .Values.cassandraConfig.keystorePath }} + keystorePassword: {{ .Values.cassandraConfig.keystorePassword }} + truststorePath: {{ .Values.cassandraConfig.truststorePath }} + truststorePassword: {{ .Values.cassandraConfig.truststorePassword }} + keySpaces: + - { name: dox, replicationStrategy: NetworkTopologyStrategy, replicationInfo: ['{{ .Values.global.sdc_cassandra.dataCenter }}','{{ .Values.global.sdc_cassandra.replicaCount }}']} + - { name: sdcaudit, replicationStrategy: NetworkTopologyStrategy, replicationInfo: ['{{ .Values.global.sdc_cassandra.dataCenter }}','{{ .Values.global.sdc_cassandra.replicaCount }}']} + - { name: sdcartifact, replicationStrategy: NetworkTopologyStrategy, replicationInfo: ['{{ .Values.global.sdc_cassandra.dataCenter }}','{{ .Values.global.sdc_cassandra.replicaCount }}']} + - { name: sdccomponent, replicationStrategy: NetworkTopologyStrategy, replicationInfo: ['{{ .Values.global.sdc_cassandra.dataCenter }}','{{ .Values.global.sdc_cassandra.replicaCount }}']} + - { name: sdcrepository, replicationStrategy: NetworkTopologyStrategy, replicationInfo: ['{{ .Values.global.sdc_cassandra.dataCenter }}','{{ .Values.global.sdc_cassandra.replicaCount }}']} +licenseTypes: + - User + - 
Installation + - CPU + +#Deployment artifacts placeHolder +resourceTypes: &allResourceTypes + - VFC + - CP + - VL + - VF + - CR + - VFCMT + - Abstract + - CVFC + - Configuration + - ServiceProxy + - PNF + +componentAllowedInstanceTypes: + Resource: + VF: + - VFC + - VF + - CR + - CP + - PNF + - CVFC + - VL + - Configuration + - ServiceProxy + - Abstract + CVFC: + - VFC + - VF + - CR + - CP + - PNF + - CVFC + - VL + - ServiceProxy + - Abstract + PNF: + - VF + - CR + - CP + - PNF + - CVFC + - VL + - Configuration + - ServiceProxy + - Abstract + CR: + - VF + - CR + - CP + - PNF + - CVFC + - VL + - Configuration + - ServiceProxy + - Abstract + VL: + - VL + Service: + "*": + - VF + - VFC + - CR + - CP + - PNF + - CVFC + - VL + - Configuration + - ServiceProxy + - Abstract + +artifacts: + - type: CONTROLLER_BLUEPRINT_ARCHIVE + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - zip + - type: HELM + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - tgz + - type: YANG_XML + categories: + - DEPLOYMENT + - INFORMATIONAL + componentTypes: + - SERVICE + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: VNF_CATALOG + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + - type: MODEL_INVENTORY_PROFILE + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + - type: MODEL_QUERY_SPEC + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + - type: UCPE_LAYER_2_CONFIGURATION + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + #AAI Artifacts + - type: AAI_SERVICE_MODEL + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + - type: AAI_VF_MODULE_MODEL + categories: + - 
DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + - type: AAI_VF_INSTANCE_MODEL + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: + acceptedTypes: + - xml + #Plan + - type: PLAN + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: + - VF + - VFC + acceptedTypes: + - xml + - type: WORKFLOW + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + - RESOURCE + resourceTypes: + - VFC + - CP + - VL + - VF + - CR + - VFCMT + - Abstract + - CVFC + - PNF + acceptedTypes: + - type: HEAT + categories: + - DEPLOYMENT + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - yaml + - yml + - type: HEAT_VOL + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - yaml + - yml + - type: HEAT_NET + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - yaml + - yml + - type: HEAT_NESTED + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - yaml + - yml + - type: HEAT_ARTIFACT + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: CLOUD_TECHNOLOGY_SPECIFIC_ARTIFACT + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - zip + - tgz + - csar + - type: VNF_CATALOG + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: VF_LICENSE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: VENDOR_LICENSE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: MODEL_INVENTORY_PROFILE + categories: + - 
DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: MODEL_QUERY_SPEC + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - xml + - type: LIFECYCLE_OPERATIONS + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFC + acceptedTypes: + - yaml + - yml + - type: VES_EVENTS + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: + - VFC + - CP + - VL + - VF + - CR + - VFCMT + - Abstract + - CVFC + - PNF + acceptedTypes: + - yaml + - yml + - type: PERFORMANCE_COUNTER + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: *allResourceTypes + acceptedTypes: + - csv + - type: APPC_CONFIG + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + acceptedTypes: + - type: DCAE_TOSCA + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFCMT + acceptedTypes: + - yml + - yaml + - type: DCAE_JSON + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFCMT + acceptedTypes: + - json + - type: DCAE_POLICY + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFCMT + acceptedTypes: + - emf + - type: DCAE_DOC + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFCMT + acceptedTypes: + - type: DCAE_EVENT + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFCMT + acceptedTypes: + - type: AAI_VF_MODEL + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + acceptedTypes: + - xml + - type: AAI_VF_MODULE_MODEL + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + acceptedTypes: + - xml + - type: OTHER + categories: + - DEPLOYMENT + - INFORMATIONAL + componentTypes: + - RESOURCE + 
resourceTypes: + - VFC + - CVFC + - CP + - VL + - VF + - VFCMT + - Abstract + - PNF + acceptedTypes: + - type: SNMP_POLL + categories: + - DEPLOYMENT + - INFORMATIONAL + componentTypes: + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: SNMP_TRAP + categories: + - DEPLOYMENT + - INFORMATIONAL + componentTypes: + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: PM_DICTIONARY + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - yaml + - yml + - type: YANG_MODULE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - yang + - type: ANSIBLE_PLAYBOOK + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - yaml + - yml + - type: ONBOARDED_PACKAGE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - csar + - zip + - type: ETSI_PACKAGE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - csar + - zip + - type: ASD_PACKAGE + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE + resourceTypes: + - VF + - PNF + acceptedTypes: + - csar + - zip + - type: HEAT_ENV + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - env + - type: VF_MODULES_METADATA + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - json + - type: DCAE_INVENTORY_TOSCA + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - yml + - yaml + - type: DCAE_INVENTORY_JSON + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - json + - type: DCAE_INVENTORY_POLICY + categories: + - DEPLOYMENT + componentTypes: + - 
RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - emf + - type: DCAE_INVENTORY_DOC + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - type: DCAE_INVENTORY_BLUEPRINT + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - type: DCAE_INVENTORY_EVENT + categories: + - DEPLOYMENT + componentTypes: + - RESOURCE_INSTANCE + resourceTypes: + acceptedTypes: + - type: CHEF + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: PUPPET + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: SHELL + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: YANG + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: BPEL + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: DG_XML + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: MURANO_PKG + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: PNF_SW_INFORMATION + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: + - PNF + acceptedTypes: + - yaml + - yml + - type: GUIDE + categories: + - INFORMATIONAL + componentTypes: + - RESOURCE + resourceTypes: + - VF + - VFC + - CVFC + - PNF + acceptedTypes: + - yaml + - yml + - type: FLOW + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + resourceTypes: *allResourceTypes + acceptedTypes: + - type: SHELL_SCRIPT + categories: + - DEPLOYMENT + componentTypes: + - SERVICE + - SERVICE_INSTANCE + - RESOURCE + - RESOURCE_INSTANCE + resourceTypes: *allResourceTypes + 
acceptedTypes: + - sh + - type: TOSCA_CSAR + categories: + - TOSCA + componentTypes: + resourceTypes: + acceptedTypes: + - csar + - type: TOSCA_TEMPLATE + categories: + - TOSCA + componentTypes: + resourceTypes: + acceptedTypes: + - yml + - yaml + - type: NETWORK_CALL_FLOW + categories: + componentTypes: + resourceTypes: + acceptedTypes: + - type: ICON + categories: + componentTypes: + resourceTypes: + acceptedTypes: + +deploymentResourceArtifacts: + +deploymentResourceInstanceArtifacts: + heatEnv: + displayName: "HEAT ENV" + type: HEAT_ENV + description: "Auto-generated HEAT Environment deployment artifact" + fileExtension: "env" + VfHeatEnv: + displayName: "VF HEAT ENV" + type: HEAT_ENV + description: "VF Auto-generated HEAT Environment deployment artifact" + fileExtension: "env" + +#tosca artifacts placeholders +toscaArtifacts: + assetToscaTemplate: + artifactName: -template.yml + displayName: Tosca Template + type: TOSCA_TEMPLATE + description: TOSCA representation of the asset + assetToscaCsar: + artifactName: -csar.csar + displayName: Tosca Model + type: TOSCA_CSAR + description: TOSCA definition package of the asset + +#Informational artifacts placeHolder +excludeResourceCategory: + - Generic +excludeResourceType: + - PNF + - CR +informationalResourceArtifacts: + features: + displayName: Features + type: OTHER + capacity: + displayName: Capacity + type: OTHER + vendorTestResult: + displayName: Vendor Test Result + type: OTHER + testScripts: + displayName: Test Scripts + type: OTHER + CloudQuestionnaire: + displayName: Cloud Questionnaire (completed) + type: OTHER + HEATTemplateFromVendor: + displayName: HEAT Template from Vendor + type: HEAT + resourceSecurityTemplate: + displayName: Resource Security Template + type: OTHER + +excludeServiceCategory: + +informationalServiceArtifacts: + serviceArtifactPlan: + displayName: Service Artifact Plan + type: OTHER + summaryOfImpactsToECOMPElements: + displayName: Summary of impacts to ECOMP elements,OSSs, BSSs + 
type: OTHER + automationCompositionFunctions: + displayName: Automation Composition Functions + type: OTHER + dimensioningInfo: + displayName: Dimensioning Info + type: OTHER + affinityRules: + displayName: Affinity Rules + type: OTHER + operationalPolicies: + displayName: Operational Policies + type: OTHER + serviceSpecificPolicies: + displayName: Service-specific Policies + type: OTHER + engineeringRules: + displayName: Engineering Rules (ERD) + type: OTHER + distributionInstructions: + displayName: Distribution Instructions + type: OTHER + certificationTestResults: + displayName: TD Certification Test Results + type: OTHER + deploymentVotingRecord: + displayName: Deployment Voting Record + type: OTHER + serviceQuestionnaire: + displayName: Service Questionnaire + type: OTHER + serviceSecurityTemplate: + displayName: Service Security Template + type: OTHER + +serviceApiArtifacts: + configuration: + displayName: Configuration + type: OTHER + instantiation: + displayName: Instantiation + type: OTHER + monitoring: + displayName: Monitoring + type: OTHER + reporting: + displayName: Reporting + type: OTHER + logging: + displayName: Logging + type: OTHER + testing: + displayName: Testing + type: OTHER + +additionalInformationMaxNumberOfKeys: 50 + +systemMonitoring: + enabled: false + isProxy: false + probeIntervalInSeconds: 15 +heatArtifactDeploymentTimeout: + defaultMinutes: 30 + minMinutes: 1 + maxMinutes: 120 + +unLoggedUrls: + - /sdc2/rest/monitoring + - /sdc2/rest/healthCheck + +cleanComponentsConfiguration: + cleanIntervalInMinutes: 1440 + componentsToClean: + - Resource + - Service + +artifactsIndex: resources + +heatEnvArtifactHeader: "" +heatEnvArtifactFooter: "" + +onboarding: + host: {{ .Values.ONBOARDING_BE.host }} + protocol: {{ if .Values.disableHttp }}https{{ else }}http{{ end }} + port: {{ if .Values.disableHttp }}{{ .Values.ONBOARDING_BE.httpsPort }}{{ else }}{{ .Values.ONBOARDING_BE.httpPort }}{{ end }} + getVspPackageUri: 
"/onboarding-api/v1.0/vendor-software-products/packages/%s?versionId=%s" # /onboarding-api/v1.0/vendor-software-products/packages/:vspId?versionId=:vspVersionId + getLatestVspPackageUri: "/onboarding-api/v1.0/vendor-software-products/packages/%s" # /onboarding-api/v1.0/vendor-software-products/packages/:vspId + getVspUri: "/onboarding-api/v1.0/vendor-software-products/%s/versions/%s" # /onboarding-api/v1.0/vendor-software-products/:vspId/versions/:vspVersionId + getLatestVspUri: "/onboarding-api/v1.0/vendor-software-products/%s" # /onboarding-api/v1.0/vendor-software-products/:vspId + healthCheckUri: "/onboarding-api/v1.0/healthcheck" + +# #GSS IDNS +switchoverDetector: + gBeFqdn: + gFeFqdn: + beVip: 1.2.3.4 + feVip: 1.2.3.4 + beResolveAttempts: 3 + feResolveAttempts: 3 + enabled: false + interval: 60 + changePriorityUser: ecompasdc + changePriorityPassword: ecompasdc123 + publishNetworkUrl: + publishNetworkBody: '{"note":"comment"}' + groups: + beSet: { changePriorityUrl: "", changePriorityBody: '{"name":"","uri":"","no_ad_redirection":false,"v4groups":{"failover_groups":["","","failover_policy":["FAILALL"]},"comment":"","intended_app_proto":"DNS"}'} + feSet: { changePriorityUrl: "", changePriorityBody: '{"name":"","uri":"","no_ad_redirection":false,"v4groups":{"failover_groups":["",""],"failover_policy":["FAILALL"]},"comment":"","intended_app_proto":"DNS"}'} +applicationL1Cache: + datatypes: + enabled: true + firstRunDelay: 10 + pollIntervalInSec: 60 + +applicationL2Cache: + enabled: false + catalogL1Cache: + enabled: false + resourcesSizeInCache: 300 + servicesSizeInCache: 200 + productsSizeInCache: 100 + queue: + syncIntervalInSecondes: 43200 + waitOnShutDownInMinutes: 10 + numberOfCacheWorkers: 4 + +toscaValidators: + stringMaxLength: 2500 + +disableAudit: false + +vfModuleProperties: + min_vf_module_instances: + forBaseModule: 1 + forNonBaseModule: 0 + max_vf_module_instances: + forBaseModule: 1 + forNonBaseModule: + initial_count: + forBaseModule: 1 + 
forNonBaseModule: 0 + vf_module_type: + forBaseModule: Base + forNonBaseModule: Expansion + +genericAssetNodeTypes: + VFC: org.openecomp.resource.abstract.nodes.VFC + CVFC: org.openecomp.resource.abstract.nodes.VFC + VF : org.openecomp.resource.abstract.nodes.VF + CR : org.openecomp.resource.abstract.nodes.CR + PNF: org.openecomp.resource.abstract.nodes.PNF + Service: org.openecomp.resource.abstract.nodes.service + ETSI NFV Network Service: tosca.nodes.nfv.NS + +# Defines the base types for Services +# : +# required: //if the base type is mandatory or not +# baseTypes: //the base types. Required if the base type is required. +# If not provided, the category will have no base type. +serviceBaseNodeTypes: + ETSI NFV Network Service: + required: true + baseTypes: + - tosca.nodes.nfv.NS + AutomationComposition: + required: false + +workloadContext: Production + +environmentContext: + defaultValue: General_Revenue-Bearing + validValues: + - Critical_Revenue-Bearing + - Vital_Revenue-Bearing + - Essential_Revenue-Bearing + - Important_Revenue-Bearing + - Needed_Revenue-Bearing + - Useful_Revenue-Bearing + - General_Revenue-Bearing + - Critical_Non-Revenue + - Vital_Non-Revenue + - Essential_Non-Revenue + - Important_Non-Revenue + - Needed_Non-Revenue + - Useful_Non-Revenue + - General_Non-Revenue + +gabConfig: + - artifactType: 'VES_EVENTS' + pathsAndNamesDefinitions: + - + friendlyName: "Action" + path: "event.action[2]" + searchable: true + - + friendlyName: "Comment" + path: "event.comment" + searchable: true + - + friendlyName: "Alarm Additional Information" + path: "event.structure.faultFields.structure.alarmAdditionalInformation.comment" + searchable: true + - artifactType: 'PM_DICTIONARY' + pathsAndNamesDefinitions: + - + friendlyName: "measType" + path: "pmMetaData.pmFields.measType" + searchable: true + - + friendlyName: "measDescription" + path: "pmMetaData.pmFields.measDescription" + searchable: true + - + friendlyName: "measCondition" + path: 
"pmMetaData.pmFields.measCondition" + searchable: false + - + friendlyName: "measResultUnits" + path: "pmMetaData.pmFields.measResultUnits" + searchable: false + - + friendlyName: "measResultRange" + path: "pmMetaData.pmFields.measResultRange" + searchable: false + - + friendlyName: "measObjClass" + path: "pmMetaData.pmFields.measObjClass" + searchable: true + - + friendlyName: "measCollectionMethod" + path: "pmMetaData.pmFields.measCollectionMethod" + searchable: false + - + friendlyName: "measInfoId" + path: "pmMetaData.pmFields.measInfoId" + searchable: true + - + friendlyName: "iMeasInfoId" + path: "pmMetaData.pmFields.iMeasInfoId" + searchable: false +dmaapConsumerConfiguration: + active: {{ .Values.dmaapConsumerConfiguration.active }} + hosts: localhost:3905 + consumerGroup: sdc + consumerId: mama + timeoutMs: 15000 + limit: 1 + pollingInterval: 2 + topic: topic + latitude: 32.109333 + longitude: 34.855499 + version: 1.0 + serviceName: localhost/events + environment: TEST + partner: BOT_R + routeOffer: MR1 + protocol: https + contenttype: application/json + dme2TraceOn: true + aftEnvironment: AFTUAT + aftDme2ConnectionTimeoutMs: 15000 + aftDme2RoundtripTimeoutMs: 240000 + aftDme2ReadTimeoutMs: 50000 + dme2preferredRouterFilePath: DME2preferredRouter.txt + timeLimitForNotificationHandleMs: 120000 + credential: + username: user + password: + aftDme2SslEnable: true + aftDme2ClientSslCertAlias: certman + +dmaapProducerConfiguration: + active: {{ .Values.dmaapProducerConfiguration.active }} + hosts: {{ .Values.dmaapProducerConfiguration.hosts }} + consumerGroup: sdc-{{ .Values.chefEnvironment }}-1730226683 + consumerId: sdc-{{ .Values.chefEnvironment }}1-1730226683 + timeoutMs: 15000 + limit: 1 + pollingInterval: 2 + topic: {{ .Values.dmaapProducerConfiguration.topic }} + latitude: 32.109333 + longitude: 34.855499 + version: 1.0 + serviceName: {{ .Values.dmaapProducerConfiguration.serviceName }} + environment: {{ .Values.dmaapProducerConfiguration.environment }} + 
partner: BOT_R + routeOffer: MR1 + protocol: {{ .Values.dmaapProducerConfiguration.protocol }} + contenttype: application/json + dme2TraceOn: true + aftEnvironment: {{ .Values.dmaapProducerConfiguration.aftEnvironment }} + aftDme2ConnectionTimeoutMs: 15000 + aftDme2RoundtripTimeoutMs: 240000 + aftDme2ReadTimeoutMs: 50000 + dme2preferredRouterFilePath: {{ .Values.dmaapProducerConfiguration.dme2preferredRouterFilePath }} + timeLimitForNotificationHandleMs: 120000 + credential: + username: {{ .Values.dmaapProducerConfiguration.username }} + password: {{ .Values.dmaapProducerConfiguration.password }} + aftDme2SslEnable: true + aftDme2ClientSslCertAlias: certman + +# ToDo: AF - had to remove due to configuration laod class failure +#dmeConfiguration: +# lookupUriFormat: "http://DME2RESOLVE/service=%s/version=1.0.0/envContext=%s/routeOffer=DEFAULT" +# dme2Search: DME2SEARCH +# dme2Resolve: DME2RESOLVE + +excludedPolicyTypesMapping: +# VF: +# - a.b.c +# - c.d.e +#CR: +# - x.y.z + +excludedGroupTypesMapping: + CR: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - org.openecomp.groups.Group + - tosca.groups.Root + PNF: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - org.openecomp.groups.Group + - tosca.groups.Root + VF: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - org.openecomp.groups.Group + - tosca.groups.Root + Service: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - org.openecomp.groups.Group + - tosca.groups.Root + +healthStatusExclude: + - DE + - DMAAP + - DMAAP_PRODUCER + - ON_BOARDING + - DCAE + - PORTAL + - External API + +#Auto Healing +enableAutoHealing: false +appVersion: {{ .Values.appVersion }} + +artifactGeneratorConfig: Artifact-Generator.properties +resourcesForUpgrade: + 8.0: + - org.openecomp.resource.cp.extCP + - tosca.nodes.network.Network + - tosca.nodes.network.Port + - org.openecomp.resource.cp.nodes.network.SubInterface 
+skipUpgradeFailedVfs: true +skipUpgradeVSPs: true +autoHealingOwner: jh0003 +supportAllottedResourcesAndProxy: true +deleteLockTimeoutInSeconds: 60 +maxDeleteComponents: 10 + +# This configuration entry lists all node type names prefix that shall be allowed on SDC. +definedResourceNamespace: + - org.openecomp.resource. + - org.onap.policy.clamp.acm. + - tosca.nodes. + +# This configuration entry lists all Directives values that shall be allowed on SDC. +directives: + - select + - selectable + - substitute + - substitutable + +externalCsarStore: + storageType: NONE # NONE, MINIO + endpoint: + host: 127.0.0.1 + port: 9000 + secure: false + credentials: + accessKey: "login" + secretKey: "password" + tempPath: "/home/onap/temp/" + uploadPartSize: 200000000 + +#This configuration specifies the delimiter used to differentiate instance name and count +componentInstanceCounterDelimiter: " " + +# Comma separated list of excluded URLs by the DataValidatorFilter +dataValidatorFilterExcludedUrls: "/healthCheck,/followed,/authorize" + +#Space separated list of permitted ancestors +permittedAncestors: {{ .Values.permittedAncestors }} diff --git a/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/distribution-engine-configuration.yaml b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/distribution-engine-configuration.yaml new file mode 100644 index 0000000000..f096b13fcc --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/distribution-engine-configuration.yaml 
@@ -0,0 +1,84 @@ +uebServers: + - no-message-router.onap + - no-message-router.onap + +uebPublicKey: {{ .Values.uebPublicKey }} +uebSecretKey: {{ .Values.uebSecretKey }} + +distributionNotifTopicName: {{ if .Values.distributionNotifTopicName }}{{ .Values.distributionNotifTopicName }}{{- else }}SDC-DISTR-NOTIF-TOPIC{{- end }} + +distributionStatusTopicName: {{ if .Values.distributionStatusTopicName }}{{ .Values.distributionStatusTopicName }}{{- else }}SDC-DISTR-STATUS-TOPIC{{- end }} + +kafkaBootStrapServers: {{ .Values.kafkaBootStrapServers }} + +initRetryIntervalSec: 5 +initMaxIntervalSec: 60 + +distribNotifServiceArtifactTypes: + info: + - MURANO-PKG + +distribNotifResourceArtifactTypes: + lifecycle: + - HEAT + - DG-XML + +environments: + - {{ .Values.chefEnvironment }} + +distributionStatusTopic: + pollingIntervalSec: 60 + fetchTimeSec: 15 + consumerGroup: sdc-{{ .Values.chefEnvironment }} + consumerId: sdc-{{ .Values.chefEnvironment }}1 + + +distributionNotificationTopic: + minThreadPoolSize: 0 + maxThreadPoolSize: 10 + maxWaitingAfterSendingSeconds: 5 + +createTopic: + partitionCount: 1 + replicationCount: 1 + +startDistributionEngine: true + +#This is false by default, since ONAP Dmaap currently doesn't support https +useHttpsWithDmaap: false +opEnvRecoveryIntervalSec: 180 +allowedTimeBeforeStaleSec: 300 + +aaiConfig: + httpRequestConfig: + serverRootUrl: https://localhost:8443 + resourceNamespaces: + operationalEnvironments: /aai/v12/cloud-infrastructure/operational-environments + + httpClientConfig: + timeouts: + readTimeoutMs: 5000 + connectTimeoutMs: 1000 + clientCertificate: + keyStore: /app/jetty/base/be/etc/non-prod.jks + keyStorePassword: hmXYcznAljMSisdy8zgcag== + headers: + X-FromAppId: asdc + numOfRetries: 3 + +msoConfig: + httpRequestConfig: + serverRootUrl: http://127.0.0.1:8080/onap/mso/infra/modelDistributions/v1 + resourceNamespaces: + distributions: /distributions + + httpClientConfig: + timeouts: + readTimeoutMs: 2000 + connectTimeoutMs: 500 
+ basicAuthorization: + userName: asdc + password: OTLEp5lfVhYdyw5EAtTUBQ== + numOfRetries: 3 + +currentArtifactInstallationTimeout: 120 diff --git a/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/janusgraph.properties b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/janusgraph.properties new file mode 100644 index 0000000000..6e4a43f9aa --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/catalog-be/janusgraph.properties 
@@ -0,0 +1,33 @@ +storage.backend={{ .Values.janusgraph.storage.backend }} +storage.hostname={{ .Values.global.sdc_cassandra.serviceName }}.{{ include "common.namespace" . }}.svc.cluster.local +storage.port={{ .Values.cassandra.port }} +storage.username={{ .Values.cassandra.cassandraUsername }} +storage.password={{ .Values.cassandra.cassandraPassword }} +storage.connection-timeout={{ .Values.janusgraph.storage.connectionTimeout }} +storage.cql.keyspace={{ .Values.janusgraph.keyspace }} +storage.cql.ssl.enabled={{ .Values.cassandra.cassandraSslEnabled }} +{{- if .Values.cassandra.cassandraSslEnabled }} +storage.cql.ssl.keystore.location={{ .Values.cassandra.keystoreLocation }} +storage.cql.ssl.keystore.password={{ .Values.cassandra.keystorePassword }} +storage.cql.ssl.truststore.location={{ .Values.cassandra.truststoreLocation }} +storage.cql.ssl.truststore.password={{ .Values.cassandra.truststorePassword }} +{{- end }} + +storage.cql.read-consistency-level={{ .Values.cassandra.readConsistencyLevel }} +storage.cql.write-consistency-level={{ .Values.cassandra.writeConsistencyLevel }} +storage.cql.replication-strategy-class=NetworkTopologyStrategy + +storage.cql.replication-strategy-options={{ .Values.global.sdc_cassandra.dataCenter }},{{ .Values.global.sdc_cassandra.replicaCount }} +storage.cql.local-datacenter={{ .Values.global.sdc_cassandra.dataCenter }} + +cache.db-cache={{ .Values.janusgraph.dbCache.enabled }} +{{- if .Values.janusgraph.dbCache.enabled }} +cache.db-cache-clean-wait={{ .Values.janusgraph.dbCache.cleanWait }} +cache.db-cache-time={{ .Values.janusgraph.dbCache.time }} +cache.db-cache-size={{ .Values.janusgraph.dbCache.size }} +{{- end }} + +cache.tx-cache-size={{ .Values.janusgraph.txCache.size }} + +storage.lock.retries={{ .Values.janusgraph.storage.lockRetries }} +graph.replace-instance-if-exists={{ .Values.janusgraph.graph.replaceInstance }} 
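Review bot: In catalog-be/janusgraph.properties, `storage.password`, `storage.cql.ssl.keystore.password` and `storage.cql.ssl.truststore.password` are rendered from values straight into the file, and the configmap.yaml change in this patch loads `resources/config/catalog-be/*` into the `sdc-catalog-be-configmap` ConfigMap, so the Cassandra credentials are readable by anyone who can read ConfigMaps in the namespace. Suggest rendering this file, or at least the three password properties, into a Secret and mounting that instead, and documenting which values keys have to be supplied.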
diff --git a/kubernetes/sdc/components/sdc-be/resources/config/logging/logback.xml b/kubernetes/sdc/components/sdc-be/resources/config/logging/logback.xml index fcbca71f33..59c34b9812 100644 --- a/kubernetes/sdc/components/sdc-be/resources/config/logging/logback.xml +++ b/kubernetes/sdc/components/sdc-be/resources/config/logging/logback.xml @@ -34,6 +34,9 @@ + + + @@ -205,16 +208,16 @@ ${queueSize} - - + + diff --git a/kubernetes/sdc/components/sdc-be/resources/config/ready-probe.sh b/kubernetes/sdc/components/sdc-be/resources/config/ready-probe.sh new file mode 100644 index 0000000000..4bad479d91 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/ready-probe.sh @@ -0,0 +1,9 @@ +#!/bin/sh +health_check_http_code=$(curl -k --max-time 5 -o /dev/null -w '%{http_code}' {{ if .Values.global.disableHttp }}https://127.0.0.1:{{ .Values.beSslPort }}{{- else -}}http://127.0.0.1:{{ .Values.beHttpPort }}{{- end -}}/sdc2/rest/healthCheck) + +if [ "$health_check_http_code" -eq 200 ]; then + exit 0 +else + echo "Health check http status: $health_check_http_code" + exit 1 +fi diff --git a/kubernetes/sdc/components/sdc-be/resources/config/resource/key.properties b/kubernetes/sdc/components/sdc-be/resources/config/resource/key.properties new file mode 100644 index 0000000000..72fd2f6440 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/resource/key.properties 
@@ -0,0 +1,41 @@ +### +# ============LICENSE_START========================================== +# ONAP Portal SDK +# =================================================================== +# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. +# =================================================================== +# +# Unless otherwise specified, all software contained herein is licensed +# under the Apache License, Version 2.0 (the ?License?); +# you may not use this software except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Unless otherwise specified, all documentation contained herein is licensed +# under the Creative Commons License, Attribution 4.0 Intl. (the ?License?); +# you may not use this documentation except in compliance with the License. +# You may obtain a copy of the License at +# +# https://creativecommons.org/licenses/by/4.0/ +# +# Unless required by applicable law or agreed to in writing, documentation +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# ============LICENSE_END============================================ +# +# +### + +# Properties read by the ECOMP Framework library (epsdk-fw) + +cipher.enc.key = AGLDdG4D04BKm2IxIWEr8o== 
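Review bot: The last line of resource/key.properties, `cipher.enc.key = AGLDdG4D04BKm2IxIWEr8o==`, commits a fixed cipher key to the repository, so every deployment of the chart shares it, and the `resources/config/resource/*` glob in configmap.yaml then ships it in a ConfigMap. Suggest taking the key from a value backed by a Secret, the way the deployment.yaml hunk reads `SASL_JAAS_CONFIG` through `secretKeyRef`. Separately, the license header reads `(the ?License?)` twice, which looks like mis-encoded quotation marks and is worth restoring.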
diff --git a/kubernetes/sdc/components/sdc-be/resources/config/resource/portal.properties b/kubernetes/sdc/components/sdc-be/resources/config/resource/portal.properties new file mode 100644 index 0000000000..c3ba1b1aa0 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/resource/portal.properties 
@@ -0,0 +1,89 @@ +### +# ============LICENSE_START========================================== +# ONAP Portal SDK +# =================================================================== +# Copyright (C) 2017 AT&T Intellectual Property. All rights reserved. +# =================================================================== +# +# Unless otherwise specified, all software contained herein is licensed +# under the Apache License, Version 2.0 (the ?License?); +# you may not use this software except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Unless otherwise specified, all documentation contained herein is licensed +# under the Creative Commons License, Attribution 4.0 Intl. (the ?License?); +# you may not use this documentation except in compliance with the License. +# You may obtain a copy of the License at +# +# https://creativecommons.org/licenses/by/4.0/ +# +# Unless required by applicable law or agreed to in writing, documentation +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# ============LICENSE_END============================================ +# +# +### +# Properties read by ECOMP Framework library, ecompFW.jar + +########################################################################## +# The following properties should NOT be changed by partner applications. 
+########################################################################## + +portal.api.prefix = /api +max.idle.time = 5 +user.attribute.name = user_attribute + +#Use REST API instead of UEB to fetch the functional menu data +use_rest_for_functional_menu=true + + +########################################################################## +# The following properties MUST be changed by partner applications. +########################################################################## + +# Name of java class that implements the OnBoardingApiService interface. +portal.api.impl.class = org.openecomp.sdc.be.ecomp.PortalRestApiCentralServiceImpl +role_access_centralized = remote + +# Cookie set by CSP-SSO +#csp_cookie_name = onapCsp + +# CSP setting, most use PROD; DEV also recognized +csp_gate_keeper_prod_key = PROD + +# URL of the Portal where this app is onboarded +ecomp_redirect_url = https://portal-app.onap:30225/ONAPPORTAL/login.htm + +# URL of the ECOMP Portal REST API +ecomp_rest_url = https://portal-app.onap:8443/ONAPPORTAL/auxapi + +# Connection and Read timeout values +ext_req_connection_timeout = 15000 +ext_req_read_timeout = 20000 + +# Name of java class that implements the OnBoardingApiService interface. +portal.api.impl.class = org.openecomp.sdc.be.ecomp.PortalRestApiCentralServiceImpl + +#Portal user & key +portal_app_name = Ipwxi2oLvDxctMA1royaRw1W0jhucLx+grHzci3ePIA= +portal_pass = j85yNhyIs7zKYbR1VlwEfNhS6b7Om4l0Gx5O8931sCI= +portal_user = Ipwxi2oLvDxctMA1royaRw1W0jhucLx+grHzci3ePIA= + + +# UEB key generated while on-boarding +ueb_app_key = "" + +# Applications do not need to run a UEB listener after 1607. +ueb_listeners_enable = false diff --git a/kubernetes/sdc/components/sdc-be/resources/config/start.d/http.ini b/kubernetes/sdc/components/sdc-be/resources/config/start.d/http.ini new file mode 100644 index 0000000000..e637e2378d --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/start.d/http.ini 
@@ -0,0 +1,29 @@ +# --------------------------------------- +# Module: http +--module=http + +### HTTP Connector Configuration + +## Connector host/address to bind to +# jetty.http.host=0.0.0.0 + +## Connector port to listen on +jetty.http.port= {{ .Values.jetty.httpPort }} + +## Connector idle timeout in milliseconds +jetty.http.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.http.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.http.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.http.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.http.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.http.acceptorPriorityDelta=0 diff --git a/kubernetes/sdc/components/sdc-be/resources/config/start.d/https.ini b/kubernetes/sdc/components/sdc-be/resources/config/start.d/https.ini new file mode 100644 index 0000000000..68c36e8c57 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/start.d/https.ini @@ -0,0 +1,29 @@ +# --------------------------------------- +# Module: https +--module=https + +### HTTPS Connector Configuration + +## Connector host/address to bind to +# jetty.https.host=0.0.0.0 + +## Connector port to listen on +jetty.https.port={{ .Values.jetty.httpsPort }} + +## Connector idle timeout in milliseconds +jetty.https.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.https.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.https.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.https.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.https.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.https.acceptorPriorityDelta=0 
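Review bot: start.d/https.ini sets `jetty.https.port={{ .Values.jetty.httpsPort }}` and start.d/ssl.ini in this same patch sets `jetty.ssl.port` from the same value, with nothing saying which of the two the TLS connector actually reads. Suggest keeping only the property the connector uses, or adding a comment that explains why both are needed. Also, in start.d/http.ini the line `jetty.http.port= {{ .Values.jetty.httpPort }}` has a space after `=` that the other port lines do not; removing it avoids relying on the value being trimmed.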
diff --git a/kubernetes/sdc/components/sdc-be/resources/config/start.d/ssl.ini b/kubernetes/sdc/components/sdc-be/resources/config/start.d/ssl.ini new file mode 100644 index 0000000000..43941594de --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/resources/config/start.d/ssl.ini 
@@ -0,0 +1,100 @@ +# --------------------------------------- +# Module: ssl +--module=ssl + +### TLS(SSL) Connector Configuration + +## Connector host/address to bind to +# jetty.ssl.host=0.0.0.0 + +## Connector port to listen on +jetty.ssl.port={{ .Values.jetty.httpsPort }} + +## Connector idle timeout in milliseconds +# jetty.ssl.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.ssl.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.ssl.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.ssl.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.ssl.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.ssl.acceptorPriorityDelta=0 + +## Whether request host names are checked to match any SNI names +# jetty.ssl.sniHostCheck=true + +## max age in seconds for a Strict-Transport-Security response header (default -1) +# jetty.ssl.stsMaxAgeSeconds=31536000 + +## include subdomain property in any Strict-Transport-Security header (default false) +# jetty.ssl.stsIncludeSubdomains=true + +### SslContextFactory Configuration +## Note that OBF passwords are not secure, just protected from casual observation +## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html + +## Keystore file path (relative to $jetty.base) +{{- if .Values.jetty.keystorePath }} +jetty.sslContext.keyStorePath={{ .Values.jetty.keystorePath }} +{{- end }} + +## Truststore file path (relative to $jetty.base) +{{- if .Values.jetty.truststorePath }} +i +jetty.sslContext.trustStorePath={{ .Values.jetty.truststorePath }} +{{- end }} + +## Keystore password +{{- if .Values.jetty.keystorePassword }} +jetty.sslContext.keyStorePassword={{ .Values.jetty.keystorePassword }} +{{- end }} + +## Keystore type and provider +# jetty.sslContext.keyStoreType=JKS +# jetty.sslContext.keyStoreProvider= + 
+## KeyManager password +{{- if .Values.jetty.keystorePassword }} +jetty.sslContext.keyManagerPassword={{ .Values.jetty.keystorePassword }} +{{- end }} + +## Truststore password +# tp{{ .Values.jetty.truststorePassword }}end +# kp{{ .Values.jetty.keystorePassword }}end +{{- if .Values.jetty.truststorePassword }} +jetty.sslContext.trustStorePassword={{ .Values.jetty.truststorePassword }} +{{- end }} + +## Truststore type and provider +# jetty.sslContext.trustStoreType=JKS +# jetty.sslContext.trustStoreProvider= + +## whether client certificate authentication is required +jetty.sslContext.needClientAuth={{ .Values.jetty.truststorePassword | quote | default "false" | not | toString }} + +## Whether client certificate authentication is desired +# jetty.sslContext.wantClientAuth=false + +## Whether cipher order is significant (since java 8 only) +# jetty.sslContext.useCipherSuitesOrder=true + +## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at +## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites + +## Set the size of the SslSession cache +# jetty.sslContext.sslSessionCacheSize=-1 + +## Set the timeout (in seconds) of the SslSession cache timeout +# jetty.sslContext.sslSessionTimeout=-1 + +## Allow SSL renegotiation +# jetty.sslContext.renegotiationAllowed=true +# jetty.sslContext.renegotiationLimit=5 diff --git a/kubernetes/sdc/components/sdc-be/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-be/templates/autoscaling.yaml b/kubernetes/sdc/components/sdc-be/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/templates/autoscaling.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
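Review bot: In templates/autoscaling.yaml, `metrics:` is emitted unconditionally while both of its entries sit behind `if` guards, so setting `autoscaling.enabled` without `targetCPUUtilizationPercentage` or `targetMemoryUtilizationPercentage` renders an HPA with an empty `metrics:` key and no scaling target defined by the chart. Suggest failing the render when neither value is set (for example with `required`), or supplying a default CPU target, and listing the expected keys in values.yaml.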
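Review bot: In start.d/ssl.ini, the lines `# tp{{ .Values.jetty.truststorePassword }}end` and `# kp{{ .Values.jetty.keystorePassword }}end` under "Truststore password" look like leftover debugging and write both store passwords into the rendered file as comments; please remove them. The truststore-path block also has a stray line containing only `i` before `jetty.sslContext.trustStorePath=`, which is rendered into the ini file whenever `jetty.truststorePath` is set. Finally, the `needClientAuth` expression (`quote | default "false" | not | toString`) is hard to follow and ties client-certificate enforcement to whether a truststore password exists; a dedicated boolean value would be easier to review and to document.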
diff --git a/kubernetes/sdc/components/sdc-be/templates/configmap.yaml b/kubernetes/sdc/components/sdc-be/templates/configmap.yaml index 332cd74661..77b70a2c81 100644 --- a/kubernetes/sdc/components/sdc-be/templates/configmap.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/configmap.yaml 
@@ -27,5 +27,81 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/logging/*").AsConfig . | indent 2 }} - - +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-http-be-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/http.ini").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-https-be-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/https.ini").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-ssl-be-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/ssl.ini").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-catalog-be-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/catalog-be/*").AsConfig . 
| indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-catalog-be-resource-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/resource/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-be-ready-probe-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/ready-probe.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml index 16fc57aa92..ad635a119d 100644 --- a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml 
@@ -20,109 +20,47 @@ kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + minReadySeconds: {{ .Values.minReadySeconds }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - "sdc-onboarding-be" - {{- if not .Values.global.kafka.useKafka }} - - --container-name - - "message-router" - {{- end }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - - name: {{ include "common.name" . }}-job-completion - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-sdc-onboarding-be-cassandra-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /config-output - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /config-output - cd /config-input && \ - for PFILE in `find . -not -type d | grep -v -F ..` - do - envsubst <${PFILE} >/config-output/${PFILE} - chmod 0755 /config-output/${PFILE} - done - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - name: sdc-environments-input - mountPath: /config-input/ - - name: sdc-environments - mountPath: /config-output/ - {{- end }} + initContainers: + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.wait_for_service) | nindent 8 }} + - name: {{ include "common.name" . }}-copy-jetty + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/bin/sh","-c"] + args: ['cp -a /app/jetty/ /app/jetty_rw/; mkdir /app/jetty_rw/jetty/ruby_temp'] + resources: + limits: + cpu: 400m + memory: 400Mi + requests: + cpu: 30m + memory: 200Mi + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - name: {{ include "common.fullname" . }}-jetty + mountPath: /app/jetty_rw containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - sed -i '/trustStorePassword/d' ${JETTY_BASE}/startup.sh - ${JETTY_BASE}/startup.sh - {{- end }} - ports: {{ include "common.containerPorts" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} {{ if eq .Values.liveness.enabled true }} livenessProbe: httpGet: - path: /sdc2/rest/healthCheck + path: {{ .Values.liveness.path }} port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} @@ -132,17 +70,16 @@ spec: {{ end }} readinessProbe: httpGet: - path: /sdc2/rest/healthCheck + path: {{ .Values.readiness.path }} port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} - resources: {{ include "common.resources" . | nindent 12 }} startupProbe: httpGet: - path: /sdc2/rest/healthCheck + path: {{ .Values.startup.path }} port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} 
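Review bot: in the `@@ -20,109 +20,47 @@` hunk, the new `copy-jetty` init container chains its two commands with `;` and uses a plain `mkdir`, so a partly failed `cp -a` is masked whenever the `mkdir` still succeeds, and a re-run of the init container against the same emptyDir fails because `ruby_temp` already exists. Suggest `cp -a /app/jetty/ /app/jetty_rw/ && mkdir -p /app/jetty_rw/jetty/ruby_temp` so the container exits non-zero only when the copy really failed and is safe to run twice. The main container mounts this volume at `/app/jetty` and loses the old `sed`/`startup.sh` wrapper, so an incomplete copy would otherwise only show up later as a Jetty start-up or probe failure.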
@@ -151,65 +88,124 @@ spec: failureThreshold: {{ .Values.startup.failureThreshold }} resources: {{ include "common.resources" . | nindent 12 }} env: - - name: ENVNAME - value: {{ .Values.env.name }} + - name: TMPDIR + value: '/app/jetty/ruby_temp' - name: JAVA_OPTIONS value: {{ .Values.config.javaOptions }} - name: cassandra_ssl_enabled value: {{ .Values.config.cassandraSslEnabled | quote }} + - name: TLS_CERT + value: {{ .Values.be.tlsCert }} + - name: TLS_KEY + value: {{ .Values.be.tlsKey }} + - name: TLS_PASSWORD + value: {{ .Values.be.tlsPassword }} + - name: KEYSTORE_PATH + value: {{ .Values.be.keystorePath }} + - name: KEYSTORE_PASSWORD + value: {{ .Values.be.keystorePassword }} + - name: CA_CERT + value: {{ .Values.be.caCert }} + - name: TRUSTSTORE_PATH + value: {{ .Values.be.truststorePath }} + - name: TRUSTSTORE_PASSWORD + value: {{ .Values.be.truststorePassword }} - name: HOST_IP valueFrom: fieldRef: fieldPath: status.podIP {{- if .Values.global.kafka.useKafka }} - name: SASL_JAAS_CONFIG - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdc-be-kafka-secret" "key" "sasl.jaas.config") | indent 12 }} + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config - name: USE_KAFKA value: {{ .Values.global.kafka.useKafka | quote }} {{- end }} volumeMounts: - - name: sdc-environments - mountPath: /app/jetty/chef-solo/environments/ - {{- if .Values.global.aafEnabled }} - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-be/files/default/org.onap.sdc.p12 - subPath: org.onap.sdc.p12 - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-be/files/default/org.onap.sdc.trust.jks - subPath: org.onap.sdc.trust.jks - {{- end }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - - name: logs + - name: {{ include "common.fullname" . }}-jetty + mountPath: /app/jetty + subPath: jetty + - name: {{ include "common.fullname" . 
}}-logs mountPath: /var/log/onap + - name: {{ include "common.fullname" . }}-tmp + mountPath: /tmp - name: logback mountPath: /tmp/logback.xml subPath: logback.xml + - name: http-config + mountPath: /app/jetty/start.d/http.ini + subPath: http.ini + - name: https-config + mountPath: /app/jetty/start.d/https.ini + subPath: https.ini + - name: ssl-config + mountPath: /app/jetty/start.d/ssl.ini + subPath: ssl.ini + - name: catalog-be-config + mountPath: /app/jetty/config/catalog-be/janusgraph.properties + subPath: janusgraph.properties + - name: catalog-be-config + mountPath: /app/jetty/config/catalog-be/distribution-engine-configuration.yaml + subPath: distribution-engine-configuration.yaml + - name: catalog-be-config + mountPath: /app/jetty/config/catalog-be/configuration.yaml + subPath: configuration.yaml + - name: catalog-be-resource-config + mountPath: /app/jetty/resources/key.properties + subPath: key.properties + - name: catalog-be-resource-config + mountPath: /app/jetty/resources/portal.properties + subPath: portal.properties + - name: ready-probe-config + mountPath: /app/jetty/ready-probe.sh + subPath: ready-probe.sh + lifecycle: postStart: exec: - command: ["/bin/sh", "-c", "export LOG=wait_logback.log; touch $LOG; export SRC=/tmp/logback.xml; export DST=/app/jetty/config/catalog-be/; while [ ! -e $DST ]; do echo 'Waiting for $DST...' >> $LOG; sleep 5; done; sleep 2; /bin/cp -f $SRC $DST; echo 'Done' >> $LOG"] + command: ["/bin/sh", "-c", "export SRC=/tmp/logback.xml; export DST=/app/jetty/config/catalog-be/; while [ ! -e $DST ]; do echo 'Waiting for $DST...'; sleep 5; done; sleep 2; /bin/cp -f $SRC $DST; echo 'Done copying logback.xml' ; echo 'Running BE_3_setup_key_and_trust_store.sh...' ; /app/jetty/BE_3_setup_key_and_trust_store.sh ; echo 'BE_3_setup_key_and_trust_store.sh completed' "] # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . 
)}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime + {{ include "common.podSecurityContext" . | indent 6 | trim }} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logback configMap: name : {{ include "common.fullname" . }}-logging-configmap - - name: sdc-environments - {{- if .Values.global.aafEnabled }} - emptyDir: { medium: "Memory" } - - name: sdc-environments-input - {{- end }} + - name: {{ include "common.fullname" . }}-logs + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: {{ include "common.fullname" . }}-tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + - name: {{ include "common.fullname" . }}-jetty + emptyDir: + sizeLimit: {{ .Values.volumes.jettySizeLimit }} + - name: http-config + configMap: + name: {{ include "common.release" . }}-sdc-http-be-configmap + defaultMode: 0755 + - name: https-config + configMap: + name: {{ include "common.release" . }}-sdc-https-be-configmap + defaultMode: 0755 + - name: ssl-config + configMap: + name: {{ include "common.release" . }}-sdc-ssl-be-configmap + defaultMode: 0755 + - name: catalog-be-config + configMap: + name: {{ include "common.release" . }}-sdc-catalog-be-configmap + defaultMode: 0755 + - name: catalog-be-resource-config + configMap: + name: {{ include "common.release" . }}-sdc-catalog-be-resource-configmap + defaultMode: 0755 + - name: ready-probe-config configMap: - name: {{ include "common.release" . }}-sdc-environments-configmap + name: {{ include "common.release" . }}-sdc-be-ready-probe-configmap defaultMode: 0755 - - name: logs - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
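Review bot: in the `env:` block of the `@@ -151,65 +88,124 @@` hunk, `TLS_PASSWORD`, `KEYSTORE_PASSWORD` and `TRUSTSTORE_PASSWORD` are rendered as literal `value:` entries from `.Values.be.*`, so the passwords end up in plain text in the Deployment manifest and in the Helm release data, readable by anyone who can get the Deployment. `SASL_JAAS_CONFIG` in the same hunk already uses `valueFrom.secretKeyRef`; please do the same for the three password variables (and for `TLS_KEY` if it carries key material rather than a path). The new `value:` lines are also unquoted, unlike `cassandra_ssl_enabled`, so a value containing YAML-significant characters will not render as intended; add `| quote`. Separately, the `postStart` command runs `/app/jetty/BE_3_setup_key_and_trust_store.sh` and then echoes "completed" without looking at the exit status, so a failed keystore setup is logged as success.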
diff --git a/kubernetes/sdc/components/sdc-be/templates/ingress.yaml b/kubernetes/sdc/components/sdc-be/templates/ingress.yaml index 8f87c68f1e..90875ab5cc 100644 --- a/kubernetes/sdc/components/sdc-be/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/ingress.yaml @@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/sdc/components/sdc-be/templates/job.yaml b/kubernetes/sdc/components/sdc-be/templates/job.yaml index 5f70991e6f..c14de0b6e1 100644 --- a/kubernetes/sdc/components/sdc-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/job.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, AT&T, Bell Canada # Modifications Copyright © 2018 ZTE +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,9 +19,14 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "common.fullname" . }}-config-backend + name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} - labels: {{- include "common.labels" . | nindent 4 }} + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: 
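Review bot: the `labels:` block in this hunk replaces `{{- include "common.labels" . | nindent 4 }}` with hand-written `app` and `release` keys, which drops whatever else the common helper emitted for this Job and makes it the odd one out for label selectors and policies that match on the shared labels. Unless there is a reason the helper cannot be used here, keep `common.labels` and add the extra keys next to it. The rename from `...-config-backend` to plain `common.fullname` also changes the Job's identity; anything that waits on or references the old name needs the same change, and that is not visible in this hunk.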
@@ -32,61 +38,78 @@ spec: app.kubernetes.io/managed-by: {{ .Release.Service }} spec: restartPolicy: Never + securityContext: + {{- toYaml .Values.jobPodSecurityContext | nindent 8 }} initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - - sdc-be - - "-t" - - "35" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.job_wait_for) | nindent 8 }} containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.backendInitImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + command: + - /bin/sh + - -c + - | + /home/onap/create_consumer_and_user.sh + /home/onap/check_backend.sh + /home/onap/import_normatives.sh volumeMounts: - name: {{ include "common.fullname" . }}-environments mountPath: /home/onap/chef-solo/environments/ - - name: sdc-logs + - name: {{ include "common.fullname" . }}-logs mountPath: /home/onap/logs + - name: {{ include "common.fullname" . }}-tmp + mountPath: /tmp + - name: {{ include "common.fullname" . 
}}-var-tmp + mountPath: /var/tmp env: + - name: TMPDIR + value: '/home/onap/chef-solo/ruby_temp' - name: ENVNAME value: {{ .Values.env.name }} - name: HOST_IP valueFrom: fieldRef: fieldPath: status.podIP + - name: BE_IP + value: {{ .Values.beInit.beIp }} + - name: DISABLE_HTTP + value: {{ .Values.disableHttp | quote }} + - name: BE_HTTPS_PORT + value: {{ .Values.beSslPort | quote }} + - name: BE_HTTP_PORT + value: {{ .Values.beHttpPort | quote }} + - name: TLS_CERT + value: {{ .Values.beInit.tlsCert }} + - name: TLS_KEY + value: {{ .Values.beInit.tlsKey }} + - name: TLS_KEY_PW + value: {{ .Values.beInit.tlsKeyPw }} + - name: CA_CERT + value: {{ .Values.beInit.caCert }} + - name: BASIC_AUTH_ENABLED + value: {{ .Values.basicAuth.enabled | quote }} + - name: BASIC_AUTH_USER + value: {{ .Values.basicAuth.userName }} + - name: BASIC_AUTH_PASS + value: {{ .Values.basicAuth.userPass }} resources: - limits: - cpu: 800m - memory: 1024Mi - requests: - cpu: 200m - memory: 200Mi + {{- toYaml .Values.resources_initContainer | nindent 12 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: name: {{ include "common.release" . }}-sdc-environments-configmap defaultMode: 0755 - - name: sdc-logs - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never + - name: {{ include "common.fullname" . }}-logs + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: {{ include "common.fullname" . }}-tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + - name: {{ include "common.fullname" . }}-var-tmp + emptyDir: + sizeLimit: {{ .Values.volumes.varTmpSizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} 
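Review bot: the new `command:` in the `@@ -32,61 +38,78 @@` hunk runs `create_consumer_and_user.sh`, `check_backend.sh` and `import_normatives.sh` back to back under `/bin/sh -c` with no `set -e` and no `&&`, so the Job's exit status is that of `import_normatives.sh` alone and a failed consumer/user creation or backend check is silently ignored. Start the script block with `set -e` or chain the three calls with `&&`, so that `backoffLimit: 20` actually retries on those failures. In the same hunk `BASIC_AUTH_PASS` and `TLS_KEY_PW` are passed as literal, unquoted `value:` entries from `.Values.basicAuth.userPass` and `.Values.beInit.tlsKeyPw`; these belong in a Secret referenced via `secretKeyRef`, not in the rendered Job spec.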
diff --git a/kubernetes/sdc/components/sdc-be/templates/kafkauser.yaml b/kubernetes/sdc/components/sdc-be/templates/kafkauser.yaml new file mode 100644 index 0000000000..5033d9d9aa --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/templates/kafkauser.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.global.kafka.useKafka }} +{{ include "common.kafkauser" . }} +{{- end }} diff --git a/kubernetes/sdc/components/sdc-be/templates/sdc-be-kafka-user.yaml b/kubernetes/sdc/components/sdc-be/templates/sdc-be-kafka-user.yaml deleted file mode 100644 index 6cd7f93c5a..0000000000 --- a/kubernetes/sdc/components/sdc-be/templates/sdc-be-kafka-user.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{- if .Values.global.kafka.useKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaUser -metadata: - name: {{ include "common.release" . }}-{{ .Values.global.kafka.sdcBeKafkaUser }} - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - authentication: - type: {{ .Values.config.kafka.saslMech }} - authorization: - type: {{ .Values.config.kafka.authType }} - acls: - - resource: - type: group - name: {{ .Values.config.kafka.topicConsumer.groupId }}-{{ .Values.env.name }} - operation: Read - - resource: - type: topic - patternType: prefix - name: {{ .Values.config.kafka.topicConsumer.pattern }} - operation: All -{{- end }} diff --git a/kubernetes/sdc/components/sdc-be/templates/sdc-distro-topics.yaml b/kubernetes/sdc/components/sdc-be/templates/sdc-distro-topics.yaml deleted file mode 100644 index 9a6f7579e8..0000000000 --- a/kubernetes/sdc/components/sdc-be/templates/sdc-distro-topics.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if .Values.global.kafka.useKafka }} -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: sdc-distro-notif-topic - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ .Values.global.kafka.topics.sdcDistNotifTopic }}-{{ .Values.env.name }} - config: - retention.ms: {{ .Values.config.kafka.topicRetentionMs }} - segment.bytes: {{ .Values.config.kafka.topicSegmentBytes }} ---- -apiVersion: kafka.strimzi.io/v1beta2 -kind: KafkaTopic -metadata: - name: sdc-distro-status-topic - labels: - strimzi.io/cluster: {{ include "common.release" . }}-strimzi -spec: - topicName: {{ .Values.global.kafka.topics.sdcDistStatusTopic }}-{{ .Values.env.name }} - config: - retention.ms: {{ .Values.config.kafka.topicRetentionMs }} - segment.bytes: {{ .Values.config.kafka.topicSegmentBytes }} -{{- end }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-be/templates/secret.yaml b/kubernetes/sdc/components/sdc-be/templates/secret.yaml deleted file mode 100644 index bb5091f01a..0000000000 --- a/kubernetes/sdc/components/sdc-be/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/sdc/components/sdc-be/templates/servicemonitor.yaml b/kubernetes/sdc/components/sdc-be/templates/servicemonitor.yaml new file mode 100644 index 0000000000..c0d9f212b4 --- /dev/null +++ b/kubernetes/sdc/components/sdc-be/templates/servicemonitor.yaml @@ -0,0 +1,3 @@ +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml index faf46e5549..2572b235de 100644 --- a/kubernetes/sdc/components/sdc-be/values.yaml +++ b/kubernetes/sdc/components/sdc-be/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE # Modifications Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,7 +20,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true sdc_cassandra: #This flag allows SDC to instantiate its own cluster, serviceName #should be sdc-cs if this flag is enabled 
@@ -30,21 +30,19 @@ global: #to match with its own cluster replica replicaCount: 3 clusterName: cassandra - dataCenter: Pod - # Strimzi kafka config + #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod") + dataCenter: dc1 + # Global Strimzi kafka config overridden + # from parent values.yaml kafka: useKafka: overridden-from-parent-values-yaml - sdcBeKafkaUser: overridden-from-parent-values-yaml - topics: - sdcDistNotifTopic: overridden-from-parent-values-yaml - sdcDistStatusTopic: overridden-from-parent-values-yaml ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-backend-all-plugins:1.12.0 -backendInitImage: onap/sdc-backend-init:1.12.0 +image: onap/sdc-backend-all-plugins:1.14.1 +backendInitImage: onap/sdc-backend-init:1.14.1 pullPolicy: Always 
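Review bot: the `dataCenter` default in this hunk flips from `Pod` to `dc1` for every consumer of the chart, while the added comment itself says `Pod` is still the right value when k8ssandra-operator is not used. Because this value feeds the `localDataCenter` and keyspace `replicationInfo` settings rendered elsewhere in this patch, an installation that keeps the non-operator Cassandra and does not override it will point at a datacenter name that does not exist. Please either derive the value from the deployment mode or call the change out in the release notes as an override that upgrades must set.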
@@ -53,54 +51,26 @@ debugEnabled: false #environment file env: - name: AUTO - -certInitializer: - nameOverride: sdc-be-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop + name: &env AUTO ################################################################# # SDC Config part ################################################################# - -secrets: - - uid: sdc-be-kafka-secret - externalSecret: '{{ tpl (default "" .Values.config.jaasConfExternalSecret) . }}' - type: genericKV - envs: - - name: sasl.jaas.config - value: '{{ .Values.config.someConfig }}' - policy: generate - config: javaOptions: "-Xmx1536m -Xms1536m" cassandraSslEnabled: "false" - # Strimzi kafka config - kafka: - saslMech: scram-sha-512 - securityProtocol: SASL_PLAINTEXT - authType: simple - topicRetentionMs: 7200000 - topicSegmentBytes: 1073741824 - topicConsumer: - pattern: SDC-DIST - groupId: sdc + +kafkaUser: + acls: + - name: sdc + suffix: *env + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] + # default number of instances replicaCount: 1 @@ -111,6 +81,7 @@ affinity: {} # probe configuration parameters liveness: + path: /sdc2/rest/healthCheck initialDelaySeconds: 1 periodSeconds: 10 timeoutSeconds: 180 @@ -121,6 +92,7 @@ liveness: enabled: true readiness: + path: /sdc2/rest/healthCheck initialDelaySeconds: 1 periodSeconds: 10 timeoutSeconds: 180 
@@ -128,6 +100,7 @@ readiness: failureThreshold: 3 startup: + path: /sdc2/rest/healthCheck initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 180 @@ -137,26 +110,10 @@ startup: service: type: NodePort name: sdc-be - both_tls_and_plain: true internalPort: 8080 - msb: - - port: 8443 - url: "/sdc/v1" - version: "v1" - protocol: "REST" - visualRange: "1" - serviceName: sdc - enable_ssl: true - - port: 8080 - url: "/sdc/v1" - version: "v1" - protocol: "REST" - visualRange: "1" - serviceName: sdc-deprecated ports: - name: tcp-api - port: 8443 - plain_port: 8080 + port: 8080 port_protocol: http nodePort: '04' @@ -165,11 +122,19 @@ ingress: service: - baseaddr: "sdc-be-api" name: "sdc-be" - port: 8443 - plain_port: 8080 + port: 8080 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: nbi-read + - serviceAccount: so-cnfm-lcm-read + - serviceAccount: so-etsi-sol003-adapter-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress # Resource Limit flavor -By Default using small flavor: small @@ -177,26 +142,44 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 2Gi + cpu: "2" + memory: "3Gi" requests: - cpu: 100m - memory: 1Gi + cpu: "1" + memory: "3Gi" large: limits: - cpu: 2 - memory: 4Gi + cpu: "3" + memory: "6Gi" requests: - cpu: 200m - memory: 2Gi + cpu: "1" + memory: "6Gi" unlimited: {} +metrics: + serviceMonitor: + enabled: true + targetPort: 8080 + path: /sdc2/rest/actuator/prometheus + basicAuth: + enabled: false + #Pods Service Account serviceAccount: nameOverride: sdc-be roles: - read +readinessCheck: + wait_for_service: + name: "services" + services: + - sdc-onboarding-be + job_wait_for: + timeout: 25 + services: + - sdc-be + wait_for_job_container: containers: - '{{ include "common.name" . }}-job' 
@@ -205,3 +188,189 @@ wait_for_job_container: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +securityContext: + user_id: 1000 + group_id: 101 + +jobPodSecurityContext: + fsGroup: 101 + runAsGroup: 101 + runAsNonRoot: true + runAsUser: 101 + seccompProfile: + type: RuntimeDefault + +volumes: + logSizeLimit: 300Mi + jettySizeLimit: 400Mi + tmpSizeLimit: 500Mi + varTmpSizeLimit: 100Mi + +resources_initContainer: + limits: + cpu: "2000m" + memory: "2Gi" + requests: + cpu: "1000m" + memory: "600Mi" + +####### +####### +pairEnvName: "" + +cassandra: + hostname: cassandra-dc1-service.onap + port: 9042 + cassandraPassword: Aa1234%^! + cassandraUsername: asdc_user + connectionTimeout: 10000 + cassandraSslEnabled: false + keystoreLocation: "" + keystorePassword: "" + truststoreLocation: "" + truststorePassword: "" + clusterName: SDC-CS- + readConsistencyLevel: ONE + writeConsistencyLevel: ALL + #replication_strategy_options: dc1,3 + +cassandraConfig: + cassandraHosts: [cassandra-dc1-service.onap] + cassandraPort: 9042 + localDataCenter: dc1 + socketReadTimeout: 20000 + socketConnectTimeout: 20000 + username: asdc_user + password: Aa1234%^! 
+ ssl: false + keystorePath: "" + keystorePassword: false + truststorePath: "" + truststorePassword: "" + +janusgraph: + keyspace: sdctitan + cfgFile: /app/jetty/config/catalog-be/janusgraph.properties + dbCache: + enabled: false + cleanWait: 20 + time: 18000 + size: 0.5 + txCache: + size: '1000000' + storage: + lockRetries: 5 + lockWaitTime: 500 + backend: cql + connectionTimeout: 5000 + graph: + replaceInstance: true + inMemory: false + lockTimeout: 1800 + reconnectInterval: 3 + healthCheckReadTimeout: 8 + +dmaapConsumerConfiguration: + active: false +permittedAncestors: "" +tlsCert: "" +tlsKey: "" +caCert: "" +ONBOARDING_BE: + host: sdc-onboarding-be.onap + httpPort: 8081 + httpsPort: 8445 +dmaapProducerConfiguration: + active: false + hosts: olsd004.com:3905 + topic: SDC-FACADE-NOTIF-v1 + serviceName: dmaap.com:3905/events + environment: TEST + protocol: "" + aftEnvironment: "" + dme2preferredRouterFilePath: "" + username: user1@sdc.com + password: password== +appVersion: "" + +# Distrubution +uebPublicKey: iPIxkpAMI8qTcQj8 +uebSecretKey: Ehq3WyT4bkif4zwgEbvshGal +#distributionNotifTopicName: SDC-DISTR-NOTIF-TOPIC +#distributionStatusTopicName: SDC-DISTR-STATUS-TOPIC +kafkaBootStrapServers: onap-strimzi-kafka-bootstrap:9092 +chefEnvironment: AUTO + +logback: + rootLogLevel: INFO + +jetty: + httpPort: 8080 + httpsPort: 8443 + keystorePath: "" + truststorePath: "" + keystorePassword: "" + truststorePassword: "" + +disableHttp: false +beFqdn: sdc-be.onap +beHttpPort: 8080 +beSslPort: 8443 +basicAuth: + enabled: true + userName: testName + userPass: testPass + +basicAuthConfig: + enabled: false +beInit: + beIp: sdc-be.onap + tlsCert: "" + tlsKey: "" + tlsKeyPw: "" + caCert: "" + +be: + tlsCert: "" + tlsKey: "" + tlsPassword: "" + keystorePath: "" + keystorePassword: "" + caCert: "" + truststorePath: "" + truststorePassword: "" + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 75 + +# number of ReplicaSets that 
should be retained for the Deployment +revisionHistoryLimit: 1 + +# the minimum number of seconds that a newly created Pod should be ready +minReadySeconds: 30 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 + +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" +#END diff --git a/kubernetes/sdc/components/sdc-cs/Chart.yaml b/kubernetes/sdc/components/sdc-cs/Chart.yaml index a7e2d1afa8..dded8cd49a 100644 --- a/kubernetes/sdc/components/sdc-cs/Chart.yaml +++ b/kubernetes/sdc/components/sdc-cs/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018 AT&T, ZTE # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
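Review bot: the `@@ -205,3 +188,189 @@` hunk of `kubernetes/sdc/components/sdc-be/values.yaml` adds working credentials as chart defaults: `cassandra.cassandraPassword` and `cassandraConfig.password`, `uebPublicKey`/`uebSecretKey`, `dmaapProducerConfiguration.password`, and `basicAuth` with `enabled: true` plus `userName: testName` / `userPass: testPass`. With these defaults an unmodified install comes up with basic auth switched on and publicly known test credentials, and all of the values land in plain text in the release. Suggest shipping empty defaults, sourcing the values from Secrets (or an external secret name), and failing the render with `required` when they are missing. Also in this hunk, `cassandraConfig.keystorePassword: false` is a boolean where the sibling password fields are `""`, which looks like a typo.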
@@ -18,23 +19,25 @@ apiVersion: v2 description: ONAP Service Design and Creation Cassandra name: sdc-cs -version: 12.0.0 +version: 13.0.5 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: cassandra - version: ~12.x-0 + version: ~16.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' condition: global.sdc_cassandra.localCluster - + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/sdc/components/sdc-cs/resources/config/change_cassandra_pass.sh b/kubernetes/sdc/components/sdc-cs/resources/config/change_cassandra_pass.sh new file mode 100644 index 0000000000..4c4ab6df69 --- /dev/null +++ b/kubernetes/sdc/components/sdc-cs/resources/config/change_cassandra_pass.sh 
@@ -0,0 +1,33 @@ +#!/bin/sh +CASSANDRA_IP={{ .Values.global.sdc_cassandra.serviceName }}.{{ include "common.namespace" . }}.svc.cluster.local +CASSANDRA_PORT={{ .Values.cassandraConfiguration.cassandraPort }} +echo "Changing Cassandra password..." +SDC_USER="$SDC_USER" +SDC_PASSWORD="$SDC_PASSWORD" + +retry_num=1 +is_up=0 +while [ $is_up -eq 0 ] && [ $retry_num -le 100 ]; do + echo "exit" | cqlsh -u {{ .Values.global.sdc_cassandra.username }} -p {{ .Values.global.sdc_cassandra.password }} $CASSANDRA_IP $CASSANDRA_PORT --cqlversion="{{ .Values.cassandraConfiguration.cql_version }}" + res1=$? + echo "exit" | cqlsh -u {{ .Values.global.sdc_cassandra.username }} -p {{ .Values.global.sdc_cassandra.password }} $CASSANDRA_IP $CASSANDRA_PORT --cqlversion="{{ .Values.cassandraConfiguration.cql_version }}" + res2=$? + + if [ $res1 -eq 0 ] || [ $res2 -eq 0 ]; then + echo "$(date) --- cqlsh is able to connect." + is_up=1 + else + echo "$(date) --- cqlsh is NOT able to connect yet. Sleeping for 5 seconds." + sleep 5 + fi + retry_num=$((retry_num + 1)) +done + +if [ $res1 -eq 0 ] && [ $res2 -eq 1 ] && [ $is_up -eq 1 ]; then + echo "Modifying Cassandra password" + echo "ALTER USER $SDC_USER WITH PASSWORD '$SDC_PASSWORD';" | cqlsh -u {{ .Values.global.sdc_cassandra.username }} -p {{ .Values.global.sdc_cassandra.password }} $CASSANDRA_IP $CASSANDRA_PORT --cqlversion="{{ .Values.cassandraConfiguration.cql_version }}" +elif [ $res1 -eq 1 ] && [ $res2 -eq 0 ] && [ $is_up -eq 1 ]; then + echo "Cassandra password already modified" +else + exit 1 +fi diff --git a/kubernetes/sdc/components/sdc-cs/resources/config/change_cassandra_user.sh b/kubernetes/sdc/components/sdc-cs/resources/config/change_cassandra_user.sh new file mode 100644 index 0000000000..32939e8177 --- /dev/null +++ b/kubernetes/sdc/components/sdc-cs/resources/config/change_cassandra_user.sh 
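Review bot: in `change_cassandra_pass.sh`, `res1` and `res2` are the exit codes of the same `cqlsh` command with the same `-u`/`-p` arguments, so on a healthy cluster both are 0, neither the `res1 -eq 0 && res2 -eq 1` branch nor the `res1 -eq 1 && res2 -eq 0` branch can match, and the script falls through to `exit 1` without ever running the `ALTER USER`. Presumably one of the two probes was meant to log in with `$SDC_USER`/`$SDC_PASSWORD` and the other with the default account; as written the password change is unreachable. The branches also compare against exactly `1`, which assumes `cqlsh` never fails with another non-zero code; test for `-ne 0` instead. Finally, the password is passed with `-p` on the command line, where it is visible in the process list, and both the templated values and `$SDC_USER`/`$SDC_PASSWORD` are interpolated unquoted into the shell and the CQL statement, so a password containing a space or a single quote breaks the command.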
@@ -0,0 +1,28 @@ +#!/bin/sh +CASSANDRA_IP={{ .Values.global.sdc_cassandra.serviceName }}.{{ include "common.namespace" . }}.svc.cluster.local +CASSANDRA_PORT={{ .Values.cassandraConfiguration.cassandraPort }} +SDC_USER="$SDC_USER" +SDC_PASSWORD="$SDC_PASSWORD" + +retry_num=1 +is_up=0 +while [ $is_up -eq 0 -a $retry_num -le 100 ]; do + echo "exit" | cqlsh -u {{ .Values.global.sdc_cassandra.username }} -p {{ .Values.global.sdc_cassandra.password }} $CASSANDRA_IP $CASSANDRA_PORT --cqlversion="{{ .Values.cassandraConfiguration.cql_version }}" + res1=$? + if [ $res1 -eq 0 ]; then + echo "`date` --- cqlsh is able to connect." + is_up=1 + else + echo "`date` --- cqlsh is NOT able to connect yet. sleep 5" + sleep 5 + fi + retry_num=$((retry_num+1)) +done + +cassandra_user_exist=$(echo "list users;" | cqlsh -u {{ .Values.global.sdc_cassandra.username }} -p {{ .Values.global.sdc_cassandra.password }} $CASSANDRA_IP $CASSANDRA_PORT --cqlversion="{{ .Values.cassandraConfiguration.cql_version }}" | grep -c $SDC_USER) +if [ $cassandra_user_exist -eq 1 ]; then + echo "Cassandra user $SDC_USER already exists" +else + echo "Going to create $SDC_USER" + echo "create user $SDC_USER with password '$SDC_PASSWORD' nosuperuser;" | cqlsh -u {{ .Values.global.sdc_cassandra.username }} -p {{ .Values.global.sdc_cassandra.password }} $CASSANDRA_IP $CASSANDRA_PORT --cqlversion="{{ .Values.cassandraConfiguration.cql_version }}" +fi diff --git a/kubernetes/sdc/components/sdc-cs/resources/config/configuration.yaml b/kubernetes/sdc/components/sdc-cs/resources/config/configuration.yaml new file mode 100644 index 0000000000..db30a44521 --- /dev/null +++ b/kubernetes/sdc/components/sdc-cs/resources/config/configuration.yaml 
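Review bot: in `change_cassandra_user.sh`, nothing checks `is_up` after the retry loop, so when all 100 attempts fail the script still runs `list users` and then the `create user` statement against an unreachable server instead of exiting non-zero. The existence test `grep -c $SDC_USER` with `-eq 1` is also fragile: the variable is unquoted, the match is a substring match over the whole `cqlsh` output, and any count other than exactly 1 (for example a second role whose name contains `$SDC_USER`) sends the script down the create path. Suggest exiting when `is_up` is still 0, using `grep -qw -- "$SDC_USER"`, or dropping the check in favour of `CREATE USER IF NOT EXISTS`. As in the password script, `$SDC_PASSWORD` is placed inside single quotes in the CQL text without escaping and the admin password is given via `-p` on the command line.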
@@ -0,0 +1,399 @@ +identificationHeaderFields: + - HTTP_IV_USER + - HTTP_CSP_FIRSTNAME + - HTTP_CSP_LASTNAME + - HTTP_IV_REMOTE_ADDRESS + - HTTP_CSP_WSTYPE + +# catalog backend hostname +beFqdn: sdc-be.{{ include "common.namespace" . }}.svc.cluster.local + +# catalog backend http port +beHttpPort: {{ .Values.cassandraConfiguration.catalogPort }} + +# catalog backend http context +beContext: /sdc/rest/config/get + +# catalog backend protocol +{{- if .Values.cassandraConfiguration.disableHttp }} +beProtocol: https +{{- else }} +beProtocol: http +{{- end }} + +# catalog backend ssl port +beSslPort: {{ .Values.cassandraConfiguration.sslPort }} + +version: 1.0 +released: 2012-11-30 +toscaConformanceLevel: 11.0 +minToscaConformanceLevel: 3.0 + +janusGraphCfgFile: {{ .Values.janusgraph.cfgFile }} +janusGraphInMemoryGraph: false +janusGraphLockTimeout: 1800 +# The interval to try and reconnect to JanusGraph DB when it is down during ASDC startup: +janusGraphReconnectIntervalInSeconds: 3 + +# The read timeout towards JanusGraph DB when health check is invoked: +janusGraphHealthCheckReadTimeout: 8 + +# The interval to try and reconnect to Elasticsearch when it is down during ASDC startup: +uebHealthCheckReconnectIntervalInSeconds: 15 +uebHealthCheckReadTimeout: 4 + +# Protocols +protocols: + - http + - https + +# Default imports +defaultImports: + - nodes: + file: nodes.yml + - datatypes: + file: data.yml + - capabilities: + file: capabilities.yml + - relationships: + file: relationships.yml + - groups: + file: groups.yml + - policies: + file: policies.yml + +# Users +users: + tom: passwd + bob: passwd + +cassandraConfig: + cassandraHosts: [{{ .Values.global.sdc_cassandra.serviceName }}.{{ include "common.namespace" . 
}}.svc.cluster.local] + cassandraPort: 9042 + localDataCenter: {{ .Values.global.sdc_cassandra.dataCenter }} + reconnectTimeout: 30000 + socketReadTimeout: {{ .Values.cassandraConfiguration.socketReadTimeout }} + socketConnectTimeout: {{ .Values.cassandraConfiguration.socketConnectTimeout }} + authenticate: true + username: {{ .Values.cassandraConfiguration.cassandra_user }} + password: {{ .Values.cassandraConfiguration.cassandra_password }} + ssl: {{ .Values.cassandraConfiguration.ssl }} + truststorePath: {{ .Values.cassandraConfiguration.truststorePath }} + truststorePassword: {{ .Values.cassandraConfiguration.truststorePassword }} + maxWaitSeconds: 120 + keySpaces: + - { name: dox, replicationStrategy: NetworkTopologyStrategy, replicationInfo: ['{{ .Values.global.sdc_cassandra.dataCenter }}','{{ .Values.global.sdc_cassandra.replicaCount }}']} + - { name: sdcaudit, replicationStrategy: NetworkTopologyStrategy, replicationInfo: ['{{ .Values.global.sdc_cassandra.dataCenter }}','{{ .Values.global.sdc_cassandra.replicaCount }}']} + - { name: sdcartifact, replicationStrategy: NetworkTopologyStrategy, replicationInfo: ['{{ .Values.global.sdc_cassandra.dataCenter }}','{{ .Values.global.sdc_cassandra.replicaCount }}']} + - { name: sdccomponent, replicationStrategy: NetworkTopologyStrategy, replicationInfo: ['{{ .Values.global.sdc_cassandra.dataCenter }}','{{ .Values.global.sdc_cassandra.replicaCount }}']} + - { name: sdcrepository, replicationStrategy: NetworkTopologyStrategy, replicationInfo: ['{{ .Values.global.sdc_cassandra.dataCenter }}','{{ .Values.global.sdc_cassandra.replicaCount }}']} + +licenseTypes: + - User + - Installation + - CPU + +# Deployment artifacts placeholder +resourceTypes: &allResourceTypes + - VFC + - CP + - VL + - VF + - VFCMT + - Abstract + - CVFC + +deploymentResourceArtifacts: + deploymentResourceInstanceArtifacts: + heatEnv: + displayName: "HEAT ENV" + type: HEAT_ENV + description: "Auto-generated HEAT Environment deployment artifact" + 
fileExtension: "env" + VfHeatEnv: + displayName: "VF HEAT ENV" + type: HEAT_ENV + description: "VF Auto-generated HEAT Environment deployment artifact" + fileExtension: "env" + +# Tosca artifacts placeholders +toscaArtifacts: + assetToscaTemplate: + artifactName: -template.yml + displayName: Tosca Template + type: TOSCA_TEMPLATE + description: TOSCA representation of the asset + assetToscaCsar: + artifactName: -csar.csar + displayName: Tosca Model + type: TOSCA_CSAR + description: TOSCA definition package of the asset + +# Informational artifacts placeholder +excludeResourceCategory: + - Generic +excludeResourceType: + - PNF +informationalResourceArtifacts: + features: + displayName: Features + type: OTHER + capacity: + displayName: Capacity + type: OTHER + vendorTestResult: + displayName: Vendor Test Result + type: OTHER + testScripts: + displayName: Test Scripts + type: OTHER + CloudQuestionnaire: + displayName: Cloud Questionnaire (completed) + type: OTHER + HEATTemplateFromVendor: + displayName: HEAT Template from Vendor + type: HEAT + resourceSecurityTemplate: + displayName: Resource Security Template + type: OTHER + +excludeServiceCategory: + +informationalServiceArtifacts: + serviceArtifactPlan: + displayName: Service Artifact Plan + type: OTHER + summaryOfImpactsToECOMPElements: + displayName: Summary of impacts to ECOMP elements,OSSs, BSSs + type: OTHER + automationCompositionFunctions: + displayName: Automation Composition Functions + type: OTHER + dimensioningInfo: + displayName: Dimensioning Info + type: OTHER + affinityRules: + displayName: Affinity Rules + type: OTHER + operationalPolicies: + displayName: Operational Policies + type: OTHER + serviceSpecificPolicies: + displayName: Service-specific Policies + type: OTHER + engineeringRules: + displayName: Engineering Rules (ERD) + type: OTHER + distributionInstructions: + displayName: Distribution Instructions + type: OTHER + certificationTestResults: + displayName: TD Certification Test Results + 
type: OTHER + deploymentVotingRecord: + displayName: Deployment Voting Record + type: OTHER + serviceQuestionnaire: + displayName: Service Questionnaire + type: OTHER + serviceSecurityTemplate: + displayName: Service Security Template + type: OTHER + +serviceApiArtifacts: + configuration: + displayName: Configuration + type: OTHER + instantiation: + displayName: Instantiation + type: OTHER + monitoring: + displayName: Monitoring + type: OTHER + reporting: + displayName: Reporting + type: OTHER + logging: + displayName: Logging + type: OTHER + testing: + displayName: Testing + type: OTHER + +additionalInformationMaxNumberOfKeys: 50 + +systemMonitoring: + enabled: false + isProxy: false + probeIntervalInSeconds: 15 + +heatArtifactDeploymentTimeout: + defaultMinutes: 30 + minMinutes: 1 + maxMinutes: 120 + +unLoggedUrls: + - /sdc2/rest/healthCheck + +cleanComponentsConfiguration: + cleanIntervalInMinutes: 1440 + componentsToClean: + - Resource + - Service + +artifactsIndex: resources + +heatEnvArtifactHeader: "" +heatEnvArtifactFooter: "" + +# GSS IDNS +switchoverDetector: + gBeFqdn: + gFeFqdn: + beVip: 1.2.3.4 + feVip: 1.2.3.4 + beResolveAttempts: 3 + feResolveAttempts: 3 + enabled: false + interval: 60 + changePriorityUser: ecompasdc + changePriorityPassword: ecompasdc123 + publishNetworkUrl: + publishNetworkBody: '{"note":"comment"}' + groups: + beSet: + changePriorityUrl: "" + changePriorityBody: '{"name":"","uri":"","no_ad_redirection":false,"v4groups":{"failover_groups":["","","failover_policy":["FAILALL"]},"comment":"","intended_app_proto":"DNS"}' + feSet: + changePriorityUrl: "" + changePriorityBody: '{"name":"","uri":"","no_ad_redirection":false,"v4groups":{"failover_groups":["",""],"failover_policy":["FAILALL"]},"comment":"","intended_app_proto":"DNS"}' + +applicationL1Cache: + datatypes: + enabled: true + firstRunDelay: 10 + pollIntervalInSec: 60 + +applicationL2Cache: + enabled: false + catalogL1Cache: + enabled: false + resourcesSizeInCache: 300 + 
servicesSizeInCache: 200 + productsSizeInCache: 100 + queue: + syncIntervalInSecondes: 43200 + waitOnShutDownInMinutes: 10 + numberOfCacheWorkers: 4 + +toscaValidators: + stringMaxLength: 2500 + +disableAudit: false +vfModuleProperties: + min_vf_module_instances: + forBaseModule: 1 + forNonBaseModule: 0 + max_vf_module_instances: + forBaseModule: 1 + forNonBaseModule: + initial_count: + forBaseModule: 1 + forNonBaseModule: 0 + vf_module_type: + forBaseModule: Base + forNonBaseModule: Expansion + +genericAssetNodeTypes: + VFC: org.openecomp.resource.abstract.nodes.VFC + CVFC: org.openecomp.resource.abstract.nodes.VFC + VF: org.openecomp.resource.abstract.nodes.VF + PNF: org.openecomp.resource.abstract.nodes.PNF + Service: org.openecomp.resource.abstract.nodes.service + +workloadContext: Production + +environmentContext: + defaultValue: General_Revenue-Bearing + validValues: + - Critical_Revenue-Bearing + - Vital_Revenue-Bearing + - Essential_Revenue-Bearing + - Important_Revenue-Bearing + - Needed_Revenue-Bearing + - Useful_Revenue-Bearing + - General_Revenue-Bearing + - Critical_Non-Revenue + - Vital_Non-Revenue + - Essential_Non-Revenue + - Important_Non-Revenue + - Needed_Non-Revenue + - Useful_Non-Revenue + - General_Non-Revenue + +gabConfig: + - artifactType: 'VES_EVENTS' + pathsAndNamesDefinitions: + - friendlyName: "Action" + path: "event.action[2]" + searchable: "true" + - friendlyName: "Comment" + path: "event.comment" + searchable: "true" + - friendlyName: "Alarm Additional Information" + path: "event.structure.faultFields.structure.alarmAdditionalInformation.comment" + searchable: "true" + +dmaapConsumerConfiguration: + hosts: localhost:3905 + consumerGroup: sdc + consumerId: mama + timeoutMs: 15000 + limit: 1 + pollingInterval: 2 + topic: topic + latitude: 32.109333 + longitude: 34.855499 + version: 1.0 + serviceName: localhost/events + environment: TEST + partner: BOT_R + routeOffer: MR1 + protocol: https + contenttype: application/json + dme2TraceOn: 
true + aftEnvironment: AFTUAT + aftDme2ConnectionTimeoutMs: 15000 + aftDme2RoundtripTimeoutMs: 240000 + aftDme2ReadTimeoutMs: 50000 + dme2preferredRouterFilePath: DME2preferredRouter.txt + timeLimitForNotificationHandleMs: 120000 + credential: + username: user + password: + +excludedPolicyTypesMapping: + # VF: + # - a.b.c + # - c.d.e + # CR: + # - x.y.z + +excludedGroupTypesMapping: + CR: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - tosca.groups.Root + VF: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - tosca.groups.Root + Service: + - org.openecomp.groups.VfModule + - org.openecomp.groups.heat.HeatStack + - tosca.groups.Root + +healthStatusExclude: + - DE + - DMAPP + - DCAE diff --git a/kubernetes/sdc/components/sdc-cs/resources/config/create-alter-dox-db.sh b/kubernetes/sdc/components/sdc-cs/resources/config/create-alter-dox-db.sh new file mode 100644 index 0000000000..8a32bc88b9 --- /dev/null +++ b/kubernetes/sdc/components/sdc-cs/resources/config/create-alter-dox-db.sh @@ -0,0 +1,17 @@ +#!/bin/sh +CASSANDRA_IP={{ .Values.global.sdc_cassandra.serviceName }}.{{ include "common.namespace" . }}.svc.cluster.local +CASSANDRA_PASS="$SDC_PASSWORD" +CASSANDRA_PORT={{ .Values.cassandraConfiguration.cassandraPort }} +CASSANDRA_USER="$SDC_USER" + +CASSANDRA_COMMAND="cqlsh -u $CASSANDRA_USER -p $CASSANDRA_PASS $CASSANDRA_IP $CASSANDRA_PORT --cqlversion={{ .Values.cassandraConfiguration.cql_version }}" + +echo "Running create_dox_db.cql" +chmod 755 /tmp/writable-config/tools/build/scripts/create_dox_db.cql +$CASSANDRA_COMMAND -f /tmp/writable-config/tools/build/scripts/create_dox_db.cql > /dev/null 2>&1 + +sleep 10 + +echo "Running alter_dox_db.cql" +chmod 755 /tmp/writable-config/tools/build/scripts/alter_dox_db.cql +$CASSANDRA_COMMAND -f /tmp/writable-config/tools/build/scripts/alter_dox_db.cql > /dev/null 2>&1 
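Review bot: In create-alter-dox-db.sh both `$CASSANDRA_COMMAND -f ...` calls send stdout and stderr to /dev/null and the first call's exit status is never checked, so a failed create_dox_db.cql is followed by `sleep 10` and alter_dox_db.cql with nothing in the job log to explain it. Keep stderr and exit non-zero on the first failure. `CASSANDRA_COMMAND` also embeds `-p $CASSANDRA_PASS` and is expanded unquoted, so a password containing whitespace or glob characters is split or expanded by the shell, and the password appears in the process list. The `chmod 755` on the .cql files is not needed for `cqlsh -f`.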
diff --git a/kubernetes/sdc/components/sdc-cs/resources/config/create_dox_keyspace.sh b/kubernetes/sdc/components/sdc-cs/resources/config/create_dox_keyspace.sh new file mode 100644 index 0000000000..16fb1ece70 --- /dev/null +++ b/kubernetes/sdc/components/sdc-cs/resources/config/create_dox_keyspace.sh 
@@ -0,0 +1,42 @@ +#!/bin/sh +CASSANDRA_USER="$SDC_USER" +CASSANDRA_IP={{ .Values.global.sdc_cassandra.serviceName }}.{{ include "common.namespace" . }}.svc.cluster.local +CASSANDRA_PASS="$SDC_PASSWORD" +CASSANDRA_PORT={{ .Values.cassandraConfiguration.cassandraPort }} +DC_NAME={{ .Values.global.sdc_cassandra.dataCenter }} +RC={{ .Values.global.sdc_cassandra.replicaCount }} +CASSANDRA_COMMAND="cqlsh -u $CASSANDRA_USER -p $CASSANDRA_PASS $CASSANDRA_IP $CASSANDRA_PORT --cqlversion={{ .Values.cassandraConfiguration.cql_version }}" + +# Define Keyspace Creation Statements +KEYSPACE="CREATE KEYSPACE IF NOT EXISTS dox WITH REPLICATION = { 'class' : 'NetworkTopologyStrategy', '$DC_NAME': '$RC'};" +KEYSPACE1="CREATE KEYSPACE IF NOT EXISTS zusammen_dox WITH REPLICATION = { 'class' : 'NetworkTopologyStrategy', '$DC_NAME': '$RC'};" +KEYSPACE2="CREATE KEYSPACE IF NOT EXISTS {{ .Values.janusgraph.keyspace }} WITH REPLICATION = { 'class' : 'NetworkTopologyStrategy', '$DC_NAME': '$RC'} AND durable_writes = true;" + +# Save Commands to File +echo "run create_dox_keyspace.cql" +echo "$KEYSPACE" > /tmp/config/create_dox_keyspace.cql +echo "$KEYSPACE1" >> /tmp/config/create_dox_keyspace.cql +echo "$KEYSPACE2" >> /tmp/config/create_dox_keyspace.cql + +chmod 555 /tmp/config/create_dox_keyspace.cql + +# Execute Keyspace Creation +$CASSANDRA_COMMAND -f /tmp/config/create_dox_keyspace.cql > /dev/null 2>&1 + +# Verify Keyspace Creation +res=$(echo "select keyspace_name from system_schema.keyspaces;" | cqlsh -u $CASSANDRA_USER -p $CASSANDRA_PASS $CASSANDRA_IP $CASSANDRA_PORT --cqlversion={{ .Values.cassandraConfiguration.cql_version }} | grep -c dox 2>/dev/null) + +if [ $res -gt 0 ]; then + echo "$(date) --- dox keyspace was created" +else + echo "$(date) --- Failed to create dox keyspace" +fi + +# Check sdctitan Keyspace Creation +res_sdctitan=$(echo "select keyspace_name from system_schema.keyspaces;" | cqlsh -u $CASSANDRA_USER -p $CASSANDRA_PASS $CASSANDRA_IP $CASSANDRA_PORT 
--cqlversion={{ .Values.cassandraConfiguration.cql_version }} | grep -c {{ .Values.janusgraph.keyspace }} 2>/dev/null) + +if [ $res_sdctitan -gt 0 ]; then + echo "$(date) --- {{ .Values.janusgraph.keyspace }} keyspace was created" +else + echo "$(date) --- Failed to create {{ .Values.janusgraph.keyspace }} keyspace" +fi diff --git a/kubernetes/sdc/components/sdc-cs/resources/config/execution.sh b/kubernetes/sdc/components/sdc-cs/resources/config/execution.sh new file mode 100644 index 0000000000..897a54c1ca --- /dev/null +++ b/kubernetes/sdc/components/sdc-cs/resources/config/execution.sh 
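Review bot: The two verification blocks at the end of create_dox_keyspace.sh only echo "Failed to create ... keyspace" and the script still ends with status 0, so the `|| exit` that execution.sh places after this script never fires and the job continues into schema creation without the keyspaces. Exit non-zero in both `else` branches. The first check is also looser than it reads: `grep -c dox` is satisfied by `zusammen_dox` alone. The `cqlsh -f` call above discards all output with `> /dev/null 2>&1`, which hides the reason for any failure.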
@@ -0,0 +1,27 @@ +#!/bin/sh + +mkdir -p /tmp/writable-config +mkdir -p /tmp/writable-config/sdctool +mkdir -p /tmp/writable-config/tools +cp -r /home/sdc/sdctool/* /tmp/writable-config/sdctool +cp -r /home/sdc/tools/* /tmp/writable-config/tools +cp /tmp/config/cassandra-db-scripts-common/* /tmp/writable-config/ +chmod +x /tmp/writable-config/*.sh +chmod +x /tmp/writable-config/tools/*/*/* +mkdir -p /home/sdc/asdctool/logs/SDC/SDC-TOOL +chmod -R 770 /home/sdc/asdctool/logs/SDC/SDC-TOOL +cp -r /tmp/writable-config/janusgraph.properties /tmp/writable-config/sdctool/config +cp -r /tmp/writable-config/configuration.yaml /tmp/writable-config/sdctool/config +sh -x /tmp/writable-config/change_cassandra_user.sh || exit +sh -x /tmp/writable-config/create_dox_keyspace.sh || exit +cd /tmp/writable-config/tools/build/scripts +sed -i 's|#!/usr/bin/python|#!/usr/bin/python3|' /tmp/writable-config/tools/build/scripts/parse-json.py +sh -x /tmp/writable-config/tools/build/scripts/onboard-db-schema-creation.sh || exit +chmod -R 770 /tmp/writable-config/sdctool +sed -i 's/java \(.*\) -cp/java \1 -Djava.io.tmpdir=\/tmp\/writable-config\/tmp -cp/' /tmp/writable-config/sdctool/scripts/schemaCreation.sh +sed -i 's/java \(.*\) -cp/java \1 -Djava.io.tmpdir=\/tmp\/writable-config\/tmp -cp/' /tmp/writable-config/sdctool/scripts/janusGraphSchemaCreation.sh +sed -i 's/java \(.*\) -cp/java \1 -Djava.io.tmpdir=\/tmp\/writable-config\/tmp -cp/' /tmp/writable-config/sdctool/scripts/sdcSchemaFileImport.sh +sh -x /tmp/writable-config/create-alter-dox-db.sh +sh -x /tmp/writable-config/sdctool/scripts/schemaCreation.sh /tmp/writable-config/sdctool/config || exit +sh -x /tmp/writable-config/sdctool/scripts/janusGraphSchemaCreation.sh /tmp/writable-config/sdctool/config || exit +sh -x /tmp/writable-config/importconformance.sh || exit \ No newline at end of file 
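Review bot: Every helper in execution.sh is started with `sh -x`, and the helpers put credentials on their command lines (`cqlsh -u ... -p ...`, `create user ... with password '...'`), so xtrace writes the Cassandra superuser and SDC passwords into the job's pod log. Drop `-x`, or restrict it to scripts that do not handle secrets. The `sh -x /tmp/writable-config/create-alter-dox-db.sh` line is the only helper call without `|| exit`, so its failure is ignored; if that is intended, a comment should say why. The file also ends without a trailing newline.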
diff --git a/kubernetes/sdc/components/sdc-cs/resources/config/importconformance.sh b/kubernetes/sdc/components/sdc-cs/resources/config/importconformance.sh new file mode 100644 index 0000000000..eecf033a9d --- /dev/null +++ b/kubernetes/sdc/components/sdc-cs/resources/config/importconformance.sh @@ -0,0 +1,20 @@ +#!/bin/sh + +# Set the working directory +working_directory="/tmp" + +# Extract the cl_release version +version="1.14.0" # Example version string; replace with actual value +cl_release=$(echo $version | cut -d. -f1-3 | cut -d- -f1) +printf "\033[33mcl_release=[$cl_release]\033[0m\n" + +# Execute the import-Conformance command +conf_dir="/tmp/writable-config/sdctool/config" +tosca_dir="/tmp/writable-config/sdctool/tosca" +cl_version=$(grep 'toscaConformanceLevel:' $conf_dir/configuration.yaml | awk '{print $2}') + +cd /tmp/writable-config/sdctool/scripts +chmod +x sdcSchemaFileImport.sh + +echo "execute /tmp/writable-config/sdctool/scripts/sdcSchemaFileImport.sh ${tosca_dir} ${cl_release} ${cl_version} ${conf_dir} onap" +./sdcSchemaFileImport.sh ${tosca_dir} ${cl_release} ${cl_version} ${conf_dir} onap diff --git a/kubernetes/sdc/components/sdc-cs/resources/config/janusgraph.properties b/kubernetes/sdc/components/sdc-cs/resources/config/janusgraph.properties new file mode 100644 index 0000000000..5dc5b9919d --- /dev/null +++ b/kubernetes/sdc/components/sdc-cs/resources/config/janusgraph.properties 
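Review bot: `version="1.14.0" # Example version string; replace with actual value` in importconformance.sh ships a placeholder: `cl_release` is derived from it and passed to sdcSchemaFileImport.sh, while values.yaml in this patch sets the sdc-cassandra images to 1.14.1. Take the version from a chart value instead of a literal. `working_directory` is assigned and never used, the arguments to sdcSchemaFileImport.sh are unquoted, and `printf` receives `$cl_release` inside its format string; `printf 'cl_release=[%s]\n' "$cl_release"` is the safer form.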
@@ -0,0 +1,28 @@ +storage.backend={{ .Values.janusgraph.storage.backend }} +storage.hostname={{ .Values.global.sdc_cassandra.serviceName }}.{{ include "common.namespace" . }}.svc.cluster.local +storage.port={{ .Values.cassandraConfiguration.cassandraPort }} +storage.username={{ .Values.cassandraConfiguration.cassandra_user }} +storage.password={{ .Values.cassandraConfiguration.cassandra_password }} +storage.connection-timeout={{ .Values.janusgraph.storage.connectionTimeout }} +storage.cql.keyspace={{ .Values.janusgraph.keyspace }} +storage.cql.port={{ .Values.cassandraConfiguration.cassandraPort }} +storage.cql.ssl.enabled={{ .Values.cassandraConfiguration.ssl }} +{{- if .Values.cassandraConfiguration.ssl }} +storage.cql.ssl.truststore.location={{ .Values.truststorePath }} +storage.cql.ssl.truststore.password={{ .Values.truststorePassword }} +{{- end }} +storage.cql.read-consistency-level={{ .Values.cassandraConfiguration.readConsistencyLevel }} +storage.cql.write-consistency-level={{ .Values.cassandraConfiguration.writeConsistencyLevel }} +storage.cql.replication-strategy-class=NetworkTopologyStrategy +storage.cql.replication-strategy-options={{ .Values.global.sdc_cassandra.dataCenter }},{{ .Values.global.sdc_cassandra.replicaCount }} +storage.cql.local-datacenter={{ .Values.global.sdc_cassandra.dataCenter }} +storage.cql.grouping.keys-allowed=false +cache.db-cache={{ .Values.janusgraph.dbCache.enabled }} +{{- if .Values.janusgraph.dbCache.enabled }} +cache.db-cache-clean-wait={{ .Values.janusgraph.dbCache.cleanWait }} +cache.db-cache-time={{ .Values.janusgraph.dbCache.time }} +cache.db-cache-size={{ .Values.janusgraph.dbCache.size }} +{{- end }} +cache.tx-cache-size={{ .Values.janusgraph.txCache.size }} + +storage.lock.wait-time={{ .Values.janusgraph.storage.lockWaitTime }} diff --git a/kubernetes/sdc/components/sdc-cs/templates/configmap.yaml b/kubernetes/sdc/components/sdc-cs/templates/configmap.yaml new file mode 100644 index 0000000000..dc101cda4b 
--- /dev/null +++ b/kubernetes/sdc/components/sdc-cs/templates/configmap.yaml @@ -0,0 +1,29 @@ +{{/* +# Copyright © 2017 Amdocs, AT&T, Bell Canada +# Modifications Copyright © 2018 ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-cassandra-db-scripts + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} diff --git a/kubernetes/sdc/components/sdc-cs/templates/job.yaml b/kubernetes/sdc/components/sdc-cs/templates/job.yaml index 0eeeff52da..ed4fbe63a2 100644 --- a/kubernetes/sdc/components/sdc-cs/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-cs/templates/job.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, AT&T, Bell Canada # Modifications Copyright © 2018 ZTE +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,13 +19,14 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "common.fullname" . }}-config-cassandra + name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app: {{ include "common.name" . }} release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: 
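Review bot: The Job's `app` label changes from `{{ include "common.name" . }}-job` to `{{ include "common.name" . }}` and the `chart` and `heritage` labels are dropped, while the new configmap.yaml in this patch still sets `chart` and `heritage`. Anything that selects the Job by `app: ...-job` needs updating, and the label set should be the same across the component's templates; a shared labels helper would keep them aligned.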
@@ -34,43 +36,29 @@ spec: release: {{ include "common.release" . }} spec: restartPolicy: Never + {{ include "common.podSecurityContext" . | indent 6 | trim }} initContainers: - - name: {{ include "common.name" . }}-init-readiness - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - /app/ready.py - args: - - --container-name - {{- if .Values.global.sdc_cassandra.localCluster }} - - sdc-cs - {{- else }} - - cassandra - {{- end }} - - "-t" - - "15" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.cassandraInitImage }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - /bin/sh + - -c + - | + /tmp/config/cassandra-db-scripts-common/execution.sh volumeMounts: - - name: {{ include "common.fullname" . }}-environments - mountPath: /home/sdc/chef-solo/environments/ - - name: {{ include "common.fullname" . }}-chef-cache - mountPath: /home/sdc/chef-solo/cache + - name: {{ include "common.fullname" . }}-cqlshrc + mountPath: /home/sdc/.cassandra + - name: {{ include "common.fullname" . }}-cassandra-db-scripts + mountPath: /tmp/config/cassandra-db-scripts-common + - name: {{ include "common.fullname" . }}-cassandra-config + mountPath: /tmp/config + - name: {{ include "common.fullname" . }}-writable-scripts + mountPath: /tmp/writable-config + - name: {{ include "common.fullname" . }}-importconf-tmp + mountPath: /tmp/writable-config/tmp env: - name: ENVNAME value: {{ .Values.env.name }} 
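Review bot: The `-cassandra-db-scripts` mount at /tmp/config/cassandra-db-scripts-common is backed by the ConfigMap that configmap.yaml renders with `tpl (.Files.Glob "resources/config/*").AsConfig .`, and after templating those files contain `.Values.global.sdc_cassandra.password`, `cassandraConfiguration.cassandra_password` and `cassandraConfiguration.truststorePassword`. That stores the Cassandra superuser and application passwords in a ConfigMap, readable by anyone who can get ConfigMaps in the namespace. Move the credential-bearing values to a Secret and hand them to the container as environment variables or a mounted file; the scripts already read `$SDC_USER` and `$SDC_PASSWORD` from the environment.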
@@ -89,22 +77,45 @@ spec: valueFrom: fieldRef: fieldPath: status.podIP - resources: - limits: - cpu: 800m - memory: 1024Mi - requests: - cpu: 200m - memory: 300Mi + {{ if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.service.jobPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz + port: {{ .Values.service.jobPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + successThreshold: {{ .Values.readiness.successThreshold }} + failureThreshold: {{ .Values.readiness.failureThreshold }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + resources: {{ include "common.resources" . | nindent 12 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: {{ include "common.fullname" . }}-environments + - name: {{ include "common.fullname" . }}-cassandra-db-scripts configMap: - name: {{ include "common.release" . }}-sdc-environments-configmap + name: {{ include "common.fullname" . }}-cassandra-db-scripts defaultMode: 0755 - - name: {{ include "common.fullname" . }}-chef-cache - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never + - name: {{ include "common.fullname" . }}-cassandra-config + emptyDir: + sizeLimit: {{ .Values.volumes.cassandraConfigSizeLimit }} + - name: {{ include "common.fullname" . 
}}-writable-scripts + emptyDir: + sizeLimit: {{ .Values.volumes.writableScriptsSizeLimit }} + - name: {{ include "common.fullname" . }}-importconf-tmp + emptyDir: + sizeLimit: {{ .Values.volumes.importConfTmpSizeLimit }} + - name: {{ include "common.fullname" . }}-cqlshrc + configMap: + name: {{ include "common.release" . }}-sdc-cqlshrc + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml index b3dfbfa0ba..e0a7acfb32 100644 --- a/kubernetes/sdc/components/sdc-cs/values.yaml +++ b/kubernetes/sdc/components/sdc-cs/values.yaml 
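Review bot: The `livenessProbe` and `readinessProbe` added to the job container do an `httpGet` on `/healthz` at `.Values.service.jobPort`, but the container's command is execution.sh, which as shown in this patch runs cqlsh and schema scripts and starts no HTTP listener. If nothing serves that port, the liveness probe fails and the kubelet kills the container while the schema scripts are still running; with `restartPolicy: Never` each kill uses up one of the 20 `backoffLimit` attempts. A readiness probe serves no purpose on a run-to-completion Job unless a Service selects the pod. Remove both probes, or use an `exec` probe if a liveness signal is really wanted. The template also reads `timeoutSeconds`, `successThreshold` and `failureThreshold`, while the `liveness` and `readiness` blocks visible in the values.yaml hunks define only `initialDelaySeconds` and `periodSeconds`.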
@@ -18,20 +18,41 @@ ################################################################# global: nodePortPrefix: 302 - readinessImage: onap/oom/readiness:3.0.1 + readinessImage: onap/oom/readiness:6.2.0 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 sdc_cassandra: #This flag allows SDC to instantiate its own cluster, serviceName #should be sdc-cs if this flag is enabled localCluster: false + #Cassandra login details + username: cassandra + password: cassandra + # in case of a local cassandra cluster + # flag to enable the DB creation via k8ssandra-operator + useOperator: true + # if useOperator set to "true", set "enableServiceAccount to "false" + # as the SA is created by the Operator + enableServiceAccount: false + #The cassandra service name to connect to (default: shared cassandra service) - serviceName: cassandra + #in case of using k8ssandra-operator in the common cassandra installation + #the service name is: + serviceName: cassandra-dc1-service + #in case of local k8ssandra-operator instance it is + #serviceName: sdc-cs-dc1-service + #in case the older cassandra installation is used: + #serviceName: cassandra + #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled #to match with its own cluster replica replicaCount: 3 clusterName: cassandra - dataCenter: Pod + #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod") + dataCenter: dc1 + #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.0.* must be "3.4.5" + #and cassandra 4.1.* must be "3.4.6" + cqlVersion: "3.4.6" ################################################################# # Application configuration defaults. 
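Review bot: `username: cassandra` and `password: cassandra` under `global.sdc_cassandra` make the default Cassandra superuser login the chart default, and the scripts in this patch template that pair straight into `cqlsh -u ... -p ...`. Leave the values empty and fail rendering when they are unset, or reference an existing Secret, so a deployment cannot silently keep the default. `cqlVersion: "3.4.6"` here duplicates `cassandraConfiguration.cql_version`, which is the key the scripts actually read; keep one. The comment `set "enableServiceAccount to "false"` has an unbalanced quote.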
@@ -48,11 +69,52 @@ cassandra: persistence: mountSubPath: sdc/sdc-cs/CS enabled: true + k8ssandraOperator: + config: + clusterName: sdc-cs + +cassandraConfiguration: + cassandraPort: 9042 + cql_version: 3.4.6 + catalogPort: 8080 + disableHttp: true + sslPort: 8443 + ssl: false + socketConnectTimeout: 40000 + socketReadTimeout: 40000 + truststorePath: /tmp/writable-config/sdctool/config/tmp.trust + truststorePassword: Aa123456 + cassandra_user: asdc_user + cassandra_password: Aa1234%^! + readConsistencyLevel: LOCAL_QUORUM + writeConsistencyLevel: LOCAL_QUORUM + +janusgraph: + keyspace: sdctitan + cfgFile: /tmp/writable-config/sdctool/config/janusgraph.properties + dbCache: + enabled: false + cleanWait: 20 + time: 18000 + size: 0.5 + txCache: + size: '1000000' + storage: + lockRetries: 5 + lockWaitTime: 500 + backend: cql + connectionTimeout: 5000 + graph: + replaceInstance: true + inMemory: false + lockTimeout: 1800 + reconnectInterval: 3 + healthCheckReadTimeout: 8 # application image repository: nexus3.onap.org:10001 -image: onap/sdc-cassandra:1.12.0 -cassandraInitImage: onap/sdc-cassandra-init:1.12.0 +image: onap/sdc-cassandra:1.14.1 +cassandraInitImage: onap/sdc-cassandra-init:1.14.1 pullPolicy: Always config: @@ -60,6 +122,21 @@ config: maxHeapSize: "1536M" heapNewSize: "512M" +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" + #environment file env: name: AUTO 
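Review bot: In the `cassandraConfiguration` block of the `@@ -48,11 +69,52 @@` hunk, `truststorePath` and `truststorePassword` are defined under `cassandraConfiguration`, but janusgraph.properties in this patch reads `{{ .Values.truststorePath }}` and `{{ .Values.truststorePassword }}`. Unless top-level keys with those names exist outside these hunks, both render empty as soon as `ssl` is set to true. configuration.yaml uses the `cassandraConfiguration.` paths, so janusgraph.properties should do the same. `cassandra_user` / `cassandra_password` must also match the `SDC_USER` / `SDC_PASSWORD` environment values that change_cassandra_user.sh uses to create the account, and nothing in the chart ties the two together. The literal password defaults in this block belong in a Secret.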
@@ -73,15 +150,15 @@ affinity: {} # probe configuration parameters liveness: - initialDelaySeconds: 60 - periodSeconds: 10 + initialDelaySeconds: 120 + periodSeconds: 120 # necessary to disable liveness probe when setting breakpoints # in debugger so K8s doesn't restart unresponsive container enabled: true readiness: initialDelaySeconds: 120 - periodSeconds: 10 + periodSeconds: 60 service: type: ClusterIP @@ -89,7 +166,7 @@ service: portName: sdc-cs externalPort: 9042 internalPort: 9042 - + jobPort: 8080 ## Persist data to a persitent volume persistence: @@ -126,3 +203,45 @@ serviceAccount: wait_for_job_container: containers: - '{{ include "common.name" . }}-job' + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: 1200m + memory: 2Gi + requests: + cpu: 300m + memory: 500Mi + large: + limits: + cpu: 1600m + memory: "2Gi" + requests: + cpu: 400m + memory: 600Mi + unlimited: {} + +securityContext: + user_id: 1000 + group_id: 1000 + +volumes: + importConfTmpSizeLimit: 100Mi + writableScriptsSizeLimit: 1.2Gi + cassandraConfigSizeLimit: 100Mi + +resources_initContainer: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + +readinessCheck: + wait_for: + services: + - '{{ .Values.global.sdc_cassandra.serviceName }}' diff --git a/kubernetes/sdc/components/sdc-fe/Chart.yaml b/kubernetes/sdc/components/sdc-fe/Chart.yaml index 7b646bdf30..b7bb91e4b9 100644 --- a/kubernetes/sdc/components/sdc-fe/Chart.yaml +++ b/kubernetes/sdc/components/sdc-fe/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018 AT&T, ZTE # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,15 +19,18 @@ apiVersion: v2 description: ONAP Service Design and Creation Front End name: sdc-fe -version: 12.0.0 +version: 13.0.4 dependencies: - - name: certInitializer - version: ~12.x-0 + - name: common + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/configuration.yaml b/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/configuration.yaml new file mode 100644 index 0000000000..95416a9f4e --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/configuration.yaml 
@@ -0,0 +1,126 @@ +# Needed for logging purposes. To be populated by DevOps - currently dummy +feFqdn: sdc-fe.{{ include "common.namespace" . }}.svc.cluster.local + +# catalog backend hostname +beHost: sdc-be.{{ include "common.namespace" . }}.svc.cluster.local + +# catalog backend http port +beHttpPort: {{ .Values.be_http_port }} + +# catalog backend http context +beContext: /sdc2/rest/v1/catalog/upload/resources + +# catalog backend protocol +{{- if .Values.disableHttp }} +beProtocol: https +{{- else }} +beProtocol: http +{{- end }} + +# catalog backend ssl port +beSslPort: {{ .Values.fe_conf.https_port }} + +# threadpool size for handling requests +threadpoolSize: 50 + +# request processing timeout (seconds) +requestTimeout: 1200 + +# catalog ms (the host-port values need to be changed once it is deployed) +catalogFacadeMs: + protocol: http + host: {{ .Values.facade_vip }} + port: {{ .Values.facade_port }} + healthCheckUri: "/healthCheck" + path: "/uicache" + +# Determines the health check read timeout when invoking health check towards the LB (or BE whatever is configured): +healthCheckSocketTimeoutInMs: 5000 + +healthCheckIntervalInSeconds: 5 + +basicAuth: + enabled: {{ .Values.fe_conf.basic_auth }} + userName: {{ .Values.fe_conf.user_name }} + userPass: {{ .Values.fe_conf.user_pass }} + +onboarding: + hostFe: sdc-fe.{{ include "common.namespace" . }}.svc.cluster.local + {{- if .Values.disableHttp }} + protocolFe: https + portFe: {{ .Values.fe_conf.https_port }} + {{- else }} + protocolFe: http + portFe: {{ .Values.fe_conf.http_port }} + {{- end }} + healthCheckUriFe: "/onboarding/v1.0/healthcheck" + hostBe: sdc-onboarding-be.{{ include "common.namespace" . 
}}.svc.cluster.local + {{- if .Values.disableHttp }} + protocolBe: https + portBe: {{ .Values.onboarding_be.https_port }} + {{- else }} + protocolBe: http + portBe: {{ .Values.onboarding_be.http_port }} + {{- end }} + +identificationHeaderFields: + - + - &HTTP_IV_USER HTTP_IV_USER + - &iv-user iv-user + - + - &USER_ID USER_ID + - &user-id user-id + - + - &HTTP_CSP_ATTUID HTTP_CSP_ATTUID + - &csp-attuid csp-attuid + +optionalHeaderFields: + - + - &HTTP_CSP_FIRSTNAME HTTP_CSP_FIRSTNAME + - &csp-firstname csp-firstname + - + - &HTTP_CSP_LASTNAME HTTP_CSP_LASTNAME + - &csp-lastname csp-lastname + - + - &HTTP_IV_REMOTE_ADDRESS HTTP_IV_REMOTE_ADDRESS + - &iv-remote-address iv-remote-address + - + - &HTTP_CSP_EMAIL HTTP_CSP_EMAIL + - &csp-email csp-email + +version: 1.0 +released: 2012-11-30 + +# access restriction +authCookie: + cookieName: "AuthenticationCookie" + path: / + domain: "" + securityKey: {{ .Values.access_restriction_key }} + +# Connection parameters +connection: + url: jdbc:mysql://localhost:3306/db + poolSize: 17 + +# Protocols +protocols: + - http + - https + +systemMonitoring: + enabled: false + isProxy: true + probeIntervalInSeconds: 15 + +healthStatusExclude: + - DE + - DMAAP + - DCAE + - DMAAP_PRODUCER + - PORTAL + - CATALOG_FACADE_MS + - External API + +# Space separated list of permitted ancestors +permittedAncestors: {{ .Values.permittedAncestors }} diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/ecomp-error-configuration.yaml b/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/ecomp-error-configuration.yaml new file mode 100644 index 0000000000..cf0cb86eda --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/ecomp-error-configuration.yaml 
@@ -0,0 +1,42 @@ +########################################### +# Note the conventions of the field values: +# type can be one of: CONFIG_ERROR, SYSTEM_ERROR, DATA_ERROR, CONNECTION_PROBLEM +# severity can be one of: WARN, ERROR, FATAL +# alarmSeverity can be one of: CRITICAL, MAJOR, MINOR, INFORMATIONAL, NONE +# code is a unique integer in range of 3003-9999 (3000-3002 are occupied for internal usage) +# The above enumeration values are out-of-the-box and can be changed in code. +# In case of config and code mismatch, the appropriate error will be printed to log +# +# Range of FE codes - 8000-9999 + +errors: + FeHealthCheckConnectionError: + type: CONNECTION_PROBLEM + code: ASDC_8000 + severity: ERROR + description: "Connection error during FE Health Check" + alarmSeverity: CRITICAL + FeHttpLoggingError: + type: SYSTEM_ERROR + code: ASDC_8001 + severity: ERROR + description: "Error when logging FE HTTP request/response" + alarmSeverity: MINOR + FePortalServletError: + type: SYSTEM_ERROR + code: ASDC_8002 + severity: ERROR + description: "Error when trying to access FE Portal page" + alarmSeverity: MAJOR + FeHealthCheckGeneralError: + type: SYSTEM_ERROR + code: ASDC_8004 + severity: ERROR + description: "General error during FE Health Check" + alarmSeverity: CRITICAL + FeHealthCheckRecovery: + type: RECOVERY + code: ASDC_8005 + severity: INFO + description: "BE Health Check Recovery" + alarmSeverity: INFORMATIONAL diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/logback.xml b/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/logback.xml new file mode 100644 index 0000000000..a047a78c52 --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/logback.xml 
@@ -0,0 +1,226 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + ${pattern} + + + + + + + ERROR + ACCEPT + DENY + + + "%d [%thread] %-5level %logger{1024} - %msg%n" + + + + + + + + ${logDirectory}/${allLogName}.log + + ${logDirectory}/${allLogName}.%d{yyyy-MM-dd}.%i.log + + ${maxFileSize} + + ${maxHistory} + ${totalSizeCap} + + + ${pattern} + + + + + + + + + + ${logDirectory}/${errorLogName}.log + + + + AUDIT_MARKER + + NEUTRAL + DENY + + + + + TRANSACTION_MARKER + + NEUTRAL + DENY + + + + INFO + + + ${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.%i.log + + ${maxFileSize} + + ${maxHistory} + ${totalSizeCap} + + + ${pattern} + + + + + ${logDirectory}/${debugLogName}.log + + + + + TRANSACTION_MARKER + + NEUTRAL + DENY + + + + + e.level.toInt() <= DEBUG.toInt() + + DENY + NEUTRAL + + + ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.%i.log + + ${maxFileSize} + + ${maxHistory} + ${totalSizeCap} + + + ${pattern} + + + + + ${logDirectory}/${auditLogName}.log + + + + AUDIT_MARKER + + DENY + ACCEPT + + + ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.%i.log + + ${maxFileSize} + + ${maxHistory} + ${totalSizeCap} + + + ${pattern} + + + + + ${logDirectory}/${transactionLogName}.log + + + + TRANSACTION_MARKER + + DENY + ACCEPT + + + ${logDirectory}/${transactionLogName}.%d{yyyy-MM-dd}.%i.log + + ${maxFileSize} + + ${maxHistory} + ${totalSizeCap} + + + ${pattern} + + + + + ${queueSize} + + + + ${queueSize} + + + + ${queueSize} + + + + ${queueSize} + + + + + + + + + diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/rest-configuration-info.yaml b/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/rest-configuration-info.yaml new file mode 100644 index 0000000000..ecedafea56 --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/rest-configuration-info.yaml 
@@ -0,0 +1,11 @@ +# rest read timeout - means no timeout +readTimeoutInSec: 0 + +# whether to ignore certificate +ignoreCertificate: false + +# the connection pool size +connectionPoolSize: 10 + +# create connection timeout +connectTimeoutInSec: 10 diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/workspace-configuration.yaml b/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/workspace-configuration.yaml new file mode 100644 index 0000000000..f05b28c58e --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/catalogfe/workspace-configuration.yaml 
@@ -0,0 +1,204 @@ +# following entries defines the workspace menus that are displayed according to type/subtype of the component in the workspace +# in addition, they can also be disabled for specific roles. +workspaceMenuConfiguration: + VFC: + - text: General + action: onMenuItemPressed + state: workspace.general + - text: Deployment Artifact + action: onMenuItemPressed + state: workspace.deployment_artifacts + - text: Information Artifact + action: onMenuItemPressed + state: workspace.information_artifacts + - text: TOSCA Artifacts + action: onMenuItemPressed + state: workspace.tosca_artifacts + - text: Properties + action: onMenuItemPressed + state: workspace.properties + - text: Attributes + action: onMenuItemPressed + state: workspace.attributes + - text: Req. & Capabilities + action: onMenuItemPressed + state: workspace.reqAndCap + - text: Activity Log + action: onMenuItemPressed + state: workspace.activity_log + VL: + - text: General + action: onMenuItemPressed + state: workspace.general + - text: Deployment Artifact + action: onMenuItemPressed + state: workspace.deployment_artifacts + - text: Information Artifact + action: onMenuItemPressed + state: workspace.information_artifacts + - text: TOSCA Artifacts + action: onMenuItemPressed + state: workspace.tosca_artifacts + - text: Properties + action: onMenuItemPressed + state: workspace.properties + - text: Attributes + action: onMenuItemPressed + state: workspace.attributes + - text: Req. 
& Capabilities + action: onMenuItemPressed + state: workspace.reqAndCap + - text: Activity Log + action: onMenuItemPressed + state: workspace.activity_log + CP: + - text: General + action: onMenuItemPressed + state: workspace.general + - text: Deployment Artifact + action: onMenuItemPressed + state: workspace.deployment_artifacts + - text: Information Artifact + action: onMenuItemPressed + state: workspace.information_artifacts + - text: TOSCA Artifacts + action: onMenuItemPressed + state: workspace.tosca_artifacts + - text: Properties + action: onMenuItemPressed + state: workspace.properties + - text: Attributes + action: onMenuItemPressed + state: workspace.attributes + - text: Req. & Capabilities + action: onMenuItemPressed + state: workspace.reqAndCap + - text: Activity Log + action: onMenuItemPressed + state: workspace.activity_log + VF: + - text: General + action: onMenuItemPressed + state: workspace.general + - text: Deployment Artifact + action: onMenuItemPressed + state: workspace.deployment_artifacts + - text: Information Artifact + action: onMenuItemPressed + state: workspace.information_artifacts + - text: TOSCA Artifacts + action: onMenuItemPressed + state: workspace.tosca_artifacts + - text: Composition + action: onMenuItemPressed + state: workspace.composition.details + - text: Operation + action: onMenuItemPressed + state: workspace.interface_operation + - text: Activity Log + action: onMenuItemPressed + state: workspace.activity_log + - text: Deployment + action: onMenuItemPressed + state: workspace.deployment + - text: Properties Assignment + action: onMenuItemPressed + state: workspace.properties_assignment + - text: Attributes & Outputs + action: onMenuItemPressed + state: workspace.attributes_outputs + - text: Req. 
& Capabilities + action: onMenuItemPressed + state: workspace.reqAndCapEditable + PNF: + - text: General + action: onMenuItemPressed + state: workspace.general + - text: Deployment Artifact + action: onMenuItemPressed + state: workspace.deployment_artifacts + - text: Information Artifact + action: onMenuItemPressed + state: workspace.information_artifacts + - text: TOSCA Artifacts + action: onMenuItemPressed + state: workspace.tosca_artifacts + - text: Composition + action: onMenuItemPressed + state: workspace.composition.details + - text: Operation + action: onMenuItemPressed + state: workspace.interface_operation + - text: Activity Log + action: onMenuItemPressed + state: workspace.activity_log + - text: Properties Assignment + action: onMenuItemPressed + state: workspace.properties_assignment + - text: Req. & Capabilities + action: onMenuItemPressed + state: workspace.reqAndCapEditable + CR: + - text: General + action: onMenuItemPressed + state: workspace.general + - text: Deployment Artifact + action: onMenuItemPressed + state: workspace.deployment_artifacts + - text: Information Artifact + action: onMenuItemPressed + state: workspace.information_artifacts + - text: TOSCA Artifacts + action: onMenuItemPressed + state: workspace.tosca_artifacts + - text: Composition + action: onMenuItemPressed + state: workspace.composition.details + - text: Activity Log + action: onMenuItemPressed + state: workspace.activity_log + - text: Properties Assignment + action: onMenuItemPressed + state: workspace.properties_assignment + SERVICE: + - text: General + action: onMenuItemPressed + state: workspace.general + - text: TOSCA Artifacts + action: onMenuItemPressed + state: workspace.tosca_artifacts + - text: Composition + action: onMenuItemPressed + state: workspace.composition.details + - text: Operation + action: onMenuItemPressed + state: workspace.interface_operation + - text: Activity Log + action: onMenuItemPressed + state: workspace.activity_log + - text: Management 
Workflow + action: onMenuItemPressed + state: workspace.management_workflow + - text: 'Network Call Flow ' + action: onMenuItemPressed + state: workspace.network_call_flow + - text: Distribution + action: onMenuItemPressed + state: workspace.distribution + disabledRoles: + - ADMIN + - TESTER + - GOVERNOR + - DESIGNER + - text: Deployment + action: onMenuItemPressed + state: workspace.deployment + - text: Properties Assignment + action: onMenuItemPressed + state: workspace.properties_assignment + - text: Outputs + action: onMenuItemPressed + state: workspace.outputs_assignment + - text: Req. & Capabilities + action: onMenuItemPressed + state: workspace.reqAndCapEditable diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/feEtcConfig/rewrite-root-to-sdc1.xml b/kubernetes/sdc/components/sdc-fe/resources/config/feEtcConfig/rewrite-root-to-sdc1.xml new file mode 100644 index 0000000000..e0862a5bfd --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/feEtcConfig/rewrite-root-to-sdc1.xml @@ -0,0 +1,19 @@ + + + + + + + + /sdc1 + + + + + + + + + false + + diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/logging/logback.xml b/kubernetes/sdc/components/sdc-fe/resources/config/logging/logback.xml deleted file mode 100644 index f3ebf76428..0000000000 --- a/kubernetes/sdc/components/sdc-fe/resources/config/logging/logback.xml +++ /dev/null 
@@ -1,226 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - ${pattern} - - - - - - - ERROR - ACCEPT - DENY - - - "%d [%thread] %-5level %logger{1024} - %msg%n" - - - - - - - - ${logDirectory}/${allLogName}.log - - ${logDirectory}/${allLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${pattern} - - - - - - - - - - ${logDirectory}/${errorLogName}.log - - - - AUDIT_MARKER - - NEUTRAL - DENY - - - - - TRANSACTION_MARKER - - NEUTRAL - DENY - - - - INFO - - - ${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${pattern} - - - - - ${logDirectory}/${debugLogName}.log - - - - - TRANSACTION_MARKER - - NEUTRAL - DENY - - - - - e.level.toInt() <= DEBUG.toInt() - - DENY - NEUTRAL - - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${pattern} - - - - - ${logDirectory}/${auditLogName}.log - - - - AUDIT_MARKER - - DENY - ACCEPT - - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${pattern} - - - - - ${logDirectory}/${transactionLogName}.log - - - - TRANSACTION_MARKER - - DENY - ACCEPT - - - ${logDirectory}/${transactionLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${pattern} - - - - - ${queueSize} - - - - ${queueSize} - - - - ${queueSize} - - - - ${queueSize} - - - - - - - - - - - - - - - - - diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/onboardingfe/onboarding_configuration.yaml b/kubernetes/sdc/components/sdc-fe/resources/config/onboardingfe/onboarding_configuration.yaml new file mode 100644 index 0000000000..e0ed8cd6d8 --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/onboardingfe/onboarding_configuration.yaml 
@@ -0,0 +1,9 @@ +notifications: + pollingIntervalMsec: 2000 + selectionSize: 100 + beHost: sdc-onboarding-be.{{ include "common.namespace" . }}.svc.cluster.local + {{- if .Values.disableHttp }} + beHttpPort: {{ .Values.onboarding_be.https_port }} + {{- else }} + beHttpPort: {{ .Values.onboarding_be.http_port }} + {{- end }} diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml b/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml index cc91960dbf..1648555ffc 100644 --- a/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml +++ b/kubernetes/sdc/components/sdc-fe/resources/config/plugins/plugins-configuration.yaml @@ -1,10 +1,6 @@ pluginsList: - pluginId: WORKFLOW - {{- if (include "common.needTLS" .) }} - pluginDiscoveryUrl: "{{ .Values.config.plugins.workflow_discovery_url.https }}" - {{- else }} pluginDiscoveryUrl: "{{ .Values.config.plugins.workflow_discovery_url.http }}" - {{- end }} pluginSourceUrl: "{{ .Values.config.plugins.workflow_source_url }}" pluginStateUrl: "workflowDesigner" pluginDisplayOptions: diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/readyProbe/combined-liveness.sh b/kubernetes/sdc/components/sdc-fe/resources/config/readyProbe/combined-liveness.sh new file mode 100644 index 0000000000..28ad30aef5 --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/readyProbe/combined-liveness.sh 
@@ -0,0 +1,28 @@ +#!/bin/sh + +# Variables + +INTERNAL_PORT=8181 +HEALTHCHECK_URL="http://localhost:8181/sdc1/rest/healthCheck" + +# 1. TCP Socket Check for Internal Port + +nc -z localhost $INTERNAL_PORT +TCP_STATUS=$? + +if [ $TCP_STATUS -ne 0 ]; then + echo "TCP check failed: Internal port $INTERNAL_PORT is not open." + exit 1 +fi + +# 2. Cassandra Health Check from API Response using jq + +CASSANDRA_STATUS=$(curl -s $HEALTHCHECK_URL | jq -r '.componentsInfo[] | select(.healthCheckComponent == "CASSANDRA") | .healthCheckStatus') + +if [ "$CASSANDRA_STATUS" != "UP" ]; then + echo "Cassandra API check failed: HealthCheck status is $CASSANDRA_STATUS, not UP." + exit 1 +fi + +echo "Liveness check passed: Internal port $INTERNAL_PORT is open, and Cassandra is healthy." +exit 0 diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/readyProbe/ready-probe.sh b/kubernetes/sdc/components/sdc-fe/resources/config/readyProbe/ready-probe.sh new file mode 100644 index 0000000000..6606ed3232 --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/readyProbe/ready-probe.sh @@ -0,0 +1,27 @@ +#!/bin/sh +# Determine the protocol and ports from Helm values +disableHttp={{ .Values.disableHttp | quote }} # Use the value from values.yaml +http_port={{ .Values.fe_conf.http_port | quote }} # Use the HTTP port from values.yaml +https_port={{ .Values.fe_conf.https_port | quote }} # Use the HTTPS port from values.yaml + +# Determine the protocol and port +if [ "$disableHttp" = "true" ]; then + protocol="https" + port="$https_port" +else + protocol="http" + port="$http_port" +fi + +# Perform health check +health_check_http_code=$(curl -k --max-time 5 -o /dev/null -w '%{http_code}' "$protocol://127.0.0.1:$port/sdc1/rest/healthCheck") + +# Output the health check result +echo "Health check http status: $health_check_http_code" + +# Check if the response code is 200 +if [ "$health_check_http_code" -eq 200 ]; then + exit 0 +else + exit 1 +fi 
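Review bot: combined-liveness.sh exits 1 whenever the healthCheck response does not report CASSANDRA as UP, so a Cassandra outage makes the liveness check fail and the sdc-fe container gets restarted even though restarting the front end cannot repair the database. The state of a dependency belongs in the readiness probe, and liveness should stop at the TCP check. In the same script, `curl -s $HEALTHCHECK_URL` has no `--max-time` (ready-probe.sh uses `--max-time 5`) and the URL hard-codes http and port 8181, while ready-probe.sh derives protocol and port from `disableHttp` and `fe_conf`, so the two probes can disagree when `disableHttp` is true.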
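Review bot: ready-probe.sh calls `curl -k`, which switches off certificate verification in the https branch. The target is 127.0.0.1, so the exposure is limited, but the flag tends to get copied into checks that leave the pod. Either pass the CA with `--cacert` or add a comment stating that verification is skipped deliberately because the probe only talks to loopback. Adding `-s` would also keep curl's progress output out of the probe log.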
diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/startdConfig/http.ini b/kubernetes/sdc/components/sdc-fe/resources/config/startdConfig/http.ini new file mode 100644 index 0000000000..019c9b25d0 --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/startdConfig/http.ini @@ -0,0 +1,29 @@ +# --------------------------------------- +# Module: http +#{{ .Values.http_option }} + +### HTTP Connector Configuration + +## Connector host/address to bind to +# jetty.http.host=0.0.0.0 + +## Connector port to listen on +jetty.http.port={{ .Values.fe_conf.http_port }} + +## Connector idle timeout in milliseconds +jetty.http.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.http.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.http.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.http.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.http.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.http.acceptorPriorityDelta=0 diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/startdConfig/https.ini b/kubernetes/sdc/components/sdc-fe/resources/config/startdConfig/https.ini new file mode 100644 index 0000000000..debf27d5eb --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/startdConfig/https.ini 
@@ -0,0 +1,29 @@ +# --------------------------------------- +# Module: https +--module=https + +### HTTPS Connector Configuration + +## Connector host/address to bind to +# jetty.https.host=0.0.0.0 + +## Connector port to listen on +jetty.https.port={{ .Values.fe_conf.https_port }} + +## Connector idle timeout in milliseconds +jetty.https.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.https.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.https.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.https.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.https.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.https.acceptorPriorityDelta=0 diff --git a/kubernetes/sdc/components/sdc-fe/resources/config/startdConfig/ssl.ini b/kubernetes/sdc/components/sdc-fe/resources/config/startdConfig/ssl.ini new file mode 100644 index 0000000000..bca1cd0aab --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/resources/config/startdConfig/ssl.ini 
@@ -0,0 +1,95 @@ +## TLS(SSL) Connector Configuration +# --------------------------------------- +# Module: ssl +--module=ssl + +### TLS(SSL) Connector Configuration + +## Connector host/address to bind to +# jetty.ssl.host=0.0.0.0 + +## Connector port to listen on +jetty.ssl.port={{ .Values.fe_conf.https_port }} + +## Connector idle timeout in milliseconds +# jetty.ssl.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.ssl.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.ssl.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.ssl.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.ssl.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.ssl.acceptorPriorityDelta=0 + +## Whether request host names are checked to match any SNI names +# jetty.ssl.sniHostCheck=true + +## max age in seconds for a Strict-Transport-Security response header (default -1) +# jetty.ssl.stsMaxAgeSeconds=31536000 + +## include subdomain property in any Strict-Transport-Security header (default false) +# jetty.ssl.stsIncludeSubdomains=true + +### SslContextFactory Configuration +## Note that OBF passwords are not secure, just protected from casual observation +## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html + +## Keystore file path (relative to $jetty.base) +{{- if .Values.keystore_path }} +jetty.sslContext.keyStorePath={{ .Values.keystore_path }} +{{- end }} + +## Truststore file path (relative to $jetty.base) +{{- if .Values.truststore_path }} +jetty.sslContext.trustStorePath={{ .Values.truststore_path }} +{{- end }} + +## Keystore password +{{- if .Values.keystore_password }} +jetty.sslContext.keyStorePassword={{ .Values.keystore_password }} +{{- end }} + +## Keystore type and provider +# jetty.sslContext.keyStoreType=JKS +# 
jetty.sslContext.keyStoreProvider= + +## KeyManager password +{{- if .Values.keystore_password }} +jetty.sslContext.keyManagerPassword={{ .Values.keystore_password }} +{{- end }} + +## Truststore password +{{- if .Values.truststore_password }} +jetty.sslContext.trustStorePassword={{ .Values.truststore_password }} +{{- end }} + +## Truststore type and provider +# jetty.sslContext.trustStoreType=JKS +# jetty.sslContext.trustStoreProvider= + +## Whether client certificate authentication is required +jetty.sslContext.needClientAuth={{ if .Values.truststore_password }}true{{ else }}false{{ end }} + +## Whether client certificate authentication is desired +# jetty.sslContext.wantClientAuth=false + +## Whether cipher order is significant (since java 8 only) +# jetty.sslContext.useCipherSuitesOrder=true + +## Set the size of the SslSession cache +# jetty.sslContext.sslSessionCacheSize=-1 + +## Set the timeout (in seconds) of the SslSession cache timeout +# jetty.sslContext.sslSessionTimeout=-1 + +## Allow SSL renegotiation +# jetty.sslContext.renegotiationAllowed=true +# jetty.sslContext.renegotiationLimit=5 diff --git a/kubernetes/sdc/components/sdc-fe/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-fe/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-fe/templates/autoscaling.yaml b/kubernetes/sdc/components/sdc-fe/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/sdc/components/sdc-fe/templates/autoscaling.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
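Review bot: in ssl.ini, `jetty.sslContext.needClientAuth` is derived from whether `truststore_password` is set, so mandatory client-certificate authentication is switched on or off as a side effect of a password value rather than by an explicit setting, and it can become `true` while `truststore_path` is unset because the two are tested separately. Add a dedicated boolean value for client auth and fail the render when it is true without a truststore path. The file also feeds `keystore_password` into both `keyStorePassword` and `keyManagerPassword`; say so in a comment if that is intended.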
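Review bot: in autoscaling.yaml, `metrics:` is emitted unconditionally while both list entries sit inside `if` blocks, so with `autoscaling.enabled` true and neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` set the HorizontalPodAutoscaler is rendered with an empty `metrics` key. Fail the render with a clear message in that case, or give one of the targets a default.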
diff --git a/kubernetes/sdc/components/sdc-fe/templates/configmap.yaml b/kubernetes/sdc/components/sdc-fe/templates/configmap.yaml index 948a3fee99..65c6acd731 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/configmap.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/configmap.yaml @@ -18,7 +18,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-logging-configmap + name: {{ include "common.fullname" . }}-plugins-configmap namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} @@ -26,12 +26,21 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/logging/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/plugins/*").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-plugins-configmap + name: {{ include "common.fullname" . }}-readiness-liveness-probe + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +data: +{{ tpl (.Files.Glob "resources/config/readyProbe/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-catalog-fe-config namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} 
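Review bot: the `-readiness-liveness-probe` ConfigMap added in this configmap.yaml hunk renders `resources/config/readyProbe/*`, and the `-ready-probe-script` ConfigMap added in the next hunk of the same file renders the same glob, so both probe scripts are shipped twice under two names, one prefixed with `common.fullname` and the other with `common.release`. Keep one ConfigMap and point the deployment's volumes at it. The new entry also uses `common.labels` while its neighbours spell the labels out; pick one style for the file.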
@@ -39,4 +48,56 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/plugins/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/catalogfe/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-onboarding-fe-config + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/onboardingfe/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-startd-config + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/startdConfig/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-fe-etc-config + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/feEtcConfig/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-ready-probe-script + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/readyProbe/*").AsConfig . 
| indent 2 }} diff --git a/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml index 599e32e175..7a15fffa17 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023,2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
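Review bot: the ConfigMaps added in the last configmap.yaml hunk render `resources/config/catalogfe/*` and `resources/config/startdConfig/*` through `tpl`, and those files carry secret material: `userPass: {{ .Values.fe_conf.user_pass }}` and `securityKey: {{ .Values.access_restriction_key }}` in configuration.yaml, plus the keystore, key manager and truststore passwords in ssl.ini. ConfigMaps are not meant for confidential data and are usually readable under broader RBAC than Secrets. Move these values into a Secret and inject them from there (environment variables or a mounted file), leaving only non-sensitive settings in the ConfigMap.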
@@ -17,103 +18,59 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + minReadySeconds: {{ .Values.minReadySeconds }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - name: {{ include "common.name" . }}-job-completion - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-sdc-be-config-backend - - "-t" - - "35" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /config-output - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /config-output - cd /config-input && \ - for PFILE in `find . -not -type d | grep -v -F ..` - do - envsubst <${PFILE} >/config-output/${PFILE} - chmod 0755 /config-output/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: sdc-environments-input - mountPath: /config-input/ - - name: sdc-environments - mountPath: /config-output/ - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- end }} + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} + - name: {{ include "common.name" . }}-copy-jetty + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/bin/sh","-c"] + args: ['cp -a /app/jetty/ /app/jetty_rw/; mkdir /app/jetty_rw/jetty/ruby_temp'] + resources: + limits: + cpu: 400m + memory: 400Mi + requests: + cpu: 30m + memory: 200Mi + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - name: {{ include "common.fullname" . }}-jetty + mountPath: /app/jetty_rw containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} command: - - sh - args: - - "-c" + - /bin/sh + - -c - | - sed -i '/trustStorePassword/d' ${JETTY_BASE}/startup.sh - ${JETTY_BASE}/startup.sh - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} + JAVA_OPTIONS="$JAVA_OPTIONS -Dconfig.home=$JETTY_BASE/config -Dlog.home=$JETTY_BASE/logs -Dlogback.configurationFile=$JETTY_BASE/config/catalog-fe/logback.xml -Dconfiguration.yaml=$JETTY_BASE/config/catalog-fe/configuration.yaml -Donboarding_configuration.yaml=$JETTY_BASE/config/onboarding-fe/onboarding_configuration.yaml -Djavax.net.ssl.trustStore=$JETTY_BASE/etc/org.onap.sdc.trust.jks -Djavax.net.ssl.trustStorePassword=z+KEj;t+,KN^iimSiS89e#p0" + cd /app/jetty + sh -x /app/jetty/ready-probe.sh + java $JAVA_OPTIONS -jar "${JETTY_HOME}/start.jar" + ports: {{ include "common.containerPorts" . | nindent 12 }} {{ if eq .Values.liveness.enabled true }} livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort2 }} + exec: + command: + - /bin/sh + - /opt/scripts/combined-liveness.sh initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} @@ -121,8 +78,10 @@ spec: failureThreshold: {{ .Values.liveness.failureThreshold }} {{ end }} readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort2 }} + exec: + command: + - /bin/sh + - /opt/scripts/combined-liveness.sh initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} 
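Review bot: The new container `command` in the `@@ -17,103 +18,59 @@` hunk of sdc-fe/templates/deployment.yaml hardcodes the truststore password as a literal inside `JAVA_OPTIONS` (`-Djavax.net.ssl.trustStorePassword=...`), so it is stored in the chart source, in the rendered Deployment and in the arguments of the `java` process. Suggest taking it from a Kubernetes Secret, exposed as an environment variable via `secretKeyRef` or as a mounted file, and referencing that in the command instead of the literal. The removed lines used to delete `trustStorePassword` from `startup.sh` and export the passwords from the cert initializer credentials, so this change moves the value from runtime-provided to checked-in.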
@@ -130,14 +89,17 @@ spec: failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: tcpSocket: - port: {{ .Values.service.internalPort2 }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} timeoutSeconds: {{ .Values.startup.timeoutSeconds }} successThreshold: {{ .Values.startup.successThreshold }} failureThreshold: {{ .Values.startup.failureThreshold }} resources: {{ include "common.resources" . | nindent 12 }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} env: + - name: TMPDIR + value: '/app/jetty/ruby_temp' - name: ENVNAME value: {{ .Values.env.name }} - name: HOST_IP 
@@ -147,46 +109,66 @@ spec: - name: JAVA_OPTIONS value: {{ .Values.config.javaOptions }} volumeMounts: - - name: sdc-environments - mountPath: /app/jetty/chef-solo/environments/ - {{- if .Values.global.aafEnabled }} - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.p12 - subPath: org.onap.sdc.p12 - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-catalog-fe/files/default/org.onap.sdc.trust.jks - subPath: org.onap.sdc.trust.jks - {{- end }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - - name: logs + - name: {{ include "common.fullname" . }}-jetty + mountPath: /app/jetty + subPath: jetty + - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap + - name: {{ include "common.fullname" . }}-tmp + mountPath: /tmp - name: configs mountPath: /app/jetty/config/catalog-fe/plugins-configuration.yaml subPath: plugins-configuration.yaml - - name: logback - mountPath: /tmp/logback.xml + - name: {{ include "common.fullname" . }}-ready-probe-script + mountPath: /app/jetty/ready-probe.sh + subPath: ready-probe.sh + - name: {{ include "common.fullname" . }}-fe-etc-config + mountPath: /app/jetty/etc/rewrite-root-to-sdc1.xml + subPath: rewrite-root-to-sdc1.xml + - name: {{ include "common.fullname" . }}-startd-config + mountPath: /app/jetty/start.d/http.ini + subPath: http.ini + - name: {{ include "common.fullname" . }}-startd-config + mountPath: /app/jetty/start.d/https.ini + subPath: https.ini + - name: {{ include "common.fullname" . }}-startd-config + mountPath: /app/jetty/start.d/ssl.ini + subPath: ssl.ini + - name: {{ include "common.fullname" . }}-onboarding-fe-config + mountPath: /app/jetty/config/onboarding-fe/onboarding_configuration.yaml + subPath: onboarding_configuration.yaml + - name: {{ include "common.fullname" . 
}}-catalog-fe-config + mountPath: /app/jetty/config/catalog-fe/configuration.yaml + subPath: configuration.yaml + - name: {{ include "common.fullname" . }}-catalog-fe-config + mountPath: /app/jetty/config/catalog-fe/workspace-configuration.yaml + subPath: workspace-configuration.yaml + - name: {{ include "common.fullname" . }}-catalog-fe-config + mountPath: /app/jetty/config/catalog-fe/ecomp-error-configuration.yaml + subPath: ecomp-error-configuration.yaml + - name: {{ include "common.fullname" . }}-catalog-fe-config + mountPath: /app/jetty/config/catalog-fe/logback.xml subPath: logback.xml + - name: {{ include "common.fullname" . }}-catalog-fe-config + mountPath: /app/jetty/config/catalog-fe/rest-configuration-info.yaml + subPath: rest-configuration-info.yaml + - name: {{ include "common.fullname" . }}-readiness-liveness-probe + mountPath: /opt/scripts/combined-liveness.sh + subPath: combined-liveness.sh lifecycle: postStart: exec: - command: ["/bin/sh", "-c", "export LOG=wait_logback.log; touch $LOG; export SRC=/tmp/logback.xml; export DST=/app/jetty/config/catalog-fe/; while [ ! -e $DST ]; do echo 'Waiting for $DST...' >> $LOG; sleep 5; done; sleep 2; /bin/cp -f $SRC $DST; echo 'Done' >> $LOG"] + command: ["/bin/sh", "-c", "export LOG=/tmp/wait_logback.log; touch $LOG; export SRC=/tmp/logback.xml; export DST=/app/jetty/config/catalog-fe/; while [ ! -e $DST ]; do echo 'Waiting for $DST...' >> $LOG; sleep 5; done; sleep 2; /bin/cp -f $SRC $DST; echo 'Done' >> $LOG"] # side car containers {{ include "common.log.sidecar" . | nindent 8 }} + {{ include "common.podSecurityContext" . | indent 6 | trim }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime + volumes: {{ include "common.log.volumes" (dict "dot" . 
"configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 8 }} - name: configs configMap: name : {{ include "common.fullname" . }}-plugins-configmap defaultMode: 0777 - - name: logback - configMap: - name : {{ include "common.fullname" . }}-logging-configmap - name: sdc-environments {{- if .Values.global.aafEnabled }} emptyDir: { medium: "Memory" } @@ -195,7 +177,37 @@ spec: configMap: name: {{ include "common.release" . }}-sdc-environments-configmap defaultMode: 0755 - - name: logs - emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: {{ include "common.fullname" . }}-logs + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: {{ include "common.fullname" . }}-tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + - name: {{ include "common.fullname" . }}-jetty + emptyDir: + sizeLimit: {{ .Values.volumes.jettySizeLimit }} + - name: {{ include "common.fullname" . }}-ready-probe-script + configMap: + name: {{ include "common.release" . }}-ready-probe-script + defaultMode: 0755 + - name: {{ include "common.fullname" . }}-fe-etc-config + configMap: + name: {{ include "common.release" . }}-fe-etc-config + defaultMode: 0644 + - name: {{ include "common.fullname" . }}-startd-config + configMap: + name: {{ include "common.release" . }}-startd-config + defaultMode: 0755 + - name: {{ include "common.fullname" . }}-onboarding-fe-config + configMap: + name: {{ include "common.release" . }}-onboarding-fe-config + defaultMode: 0755 + - name: {{ include "common.fullname" . }}-catalog-fe-config + configMap: + name: {{ include "common.release" . }}-catalog-fe-config + defaultMode: 0755 + - name: {{ include "common.fullname" . }}-readiness-liveness-probe + configMap: + name: {{ include "common.fullname" . }}-readiness-liveness-probe + defaultMode: 0755 + {{- include "common.imagePullSecrets" . | nindent 6 }} 
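Review bot: The `postStart` hook kept in the `@@ -147,46 +109,66 @@` hunk of sdc-fe/templates/deployment.yaml still copies `SRC=/tmp/logback.xml`, but the same hunk removes the `logback` volume and its `/tmp/logback.xml` mount and puts an emptyDir on `/tmp`, so the source file no longer exists. The `cp` failure is hidden because the hook's exit status comes from the final `echo 'Done' >> $LOG`. Since `logback.xml` is now mounted directly at `/app/jetty/config/catalog-fe/logback.xml` from the `catalog-fe-config` ConfigMap, suggest removing the `lifecycle` block rather than only changing the `LOG` path. The `sdc-environments` volume that stays behind is in the same position: its mounts are removed here and it is still conditioned on `.Values.global.aafEnabled`, which values.yaml drops in this patch.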
diff --git a/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml b/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml index 8f87c68f1e..90875ab5cc 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/ingress.yaml @@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/sdc/components/sdc-fe/templates/service.yaml b/kubernetes/sdc/components/sdc-fe/templates/service.yaml index 30c3d1122f..0a349834b4 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -15,39 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "sdc-gui", - "version": "v1", - "url": "/sdc1", - "protocol": "UI", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0|1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort2 .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml index abac356d40..4c93bfd76a 100644 --- a/kubernetes/sdc/components/sdc-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-fe/values.yaml 
@@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,51 +19,24 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true - -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-fe-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-frontend:1.12.0 +image: onap/sdc-frontend:1.14.1 pullPolicy: Always config: javaOptions: "-Xmx256m -Xms256m" plugins: dcae_discovery_url: - https: "https://sdc-dcae-fe:9444/dcaed/#/home" http: "http://sdc-dcae-fe:8183/dcaed/#/home" dcae_source_url: "https://sdc.dcae.plugin.simpledemo.onap.org:30264/dcaed/#/home" dcae_dt_discovery_url: - https: "https://sdc-dcae-dt:9446/dcae/#/dcae/home" http: "http://sdc-dcae-dt:8186/dcae/#/dcae/home" dcae_dt_source_url: "https://sdc.dcae.plugin.simpledemo.onap.org:30266/dcae/#/dcae/home" workflow_discovery_url: - https: "https://sdc-wfd-fe:8443/workflows" http: "http://sdc-wfd-fe:8080/workflows" workflow_source_url: "https://sdc.workflow.plugin.simpledemo.onap.org:30256/workflows/" 
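Review bot: Removing the `https:` entries under `dcae_discovery_url`, `dcae_dt_discovery_url` and `workflow_discovery_url` leaves only the plain `http:` discovery URLs, while the matching `*_source_url` values stay on `https://`. If encryption in transit is now expected to come from the service mesh (this file also gains a `serviceMesh.authorizationPolicy` block), a short comment next to `plugins:` saying so would help, and it is worth confirming that nothing still reads the removed `https` keys.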
@@ -84,7 +58,7 @@ affinity: {} liveness: initialDelaySeconds: 1 periodSeconds: 10 - timeoutSeconds: 15 + timeoutSeconds: 30 successThreshold: 1 failureThreshold: 3 # necessary to disable liveness probe when setting breakpoints @@ -94,7 +68,7 @@ liveness: readiness: initialDelaySeconds: 1 periodSeconds: 10 - timeoutSeconds: 15 + timeoutSeconds: 30 successThreshold: 1 failureThreshold: 3 @@ -106,47 +80,47 @@ startup: failureThreshold: 60 service: - #Example service definition with external, internal and node ports. - #Services may use any combination of ports depending on the 'type' of - #service being defined. type: NodePort name: sdc-fe - portName: http internalPort: 8181 - externalPort: 8181 - internalPort2: 9443 - externalPort2: 9443 - nodePort: "07" - + ports: + - name: http + port: 8181 + nodePort: '07' ingress: enabled: false service: - baseaddr: "sdc-fe-ui" name: "sdc-fe" - port: 9443 - plain_port: 8181 + port: 8181 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account 
@@ -155,7 +129,73 @@ serviceAccount: roles: - read +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-sdc-be' + #Log configuration log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +securityContext: + user_id: 1000 + group_id: 101 + +volumes: + logSizeLimit: 64Mi + jettySizeLimit: 400Mi + tmpSizeLimit: 500Mi + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 75 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + +# the minimum number of seconds that a newly created Pod should be ready +minReadySeconds: 30 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 + +# Script parameters +be_http_port: 8080 + +fe_conf: + http_port: 8181 + https_port: 9443 + domain_name: "sdc" + basic_auth: "true" + user_name: "testName" + user_pass: "testPass" + http_port_pro: 8181 + +facade_vip: +facade_port: +user_name: "testName" +user_pass: "testPass" +access_restriction_key: +permittedAncestors: +disableHttp: false + +onboarding_be: + https_port: 8445 + http_port: 8081 + +http_option : http_option +https_port: 8443 +keystore_path: +truststore_path: +keystore_password: +truststore_password: + +logback: + rootLogLevel: INFO diff --git a/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml b/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml index cf6948b66c..4efd7f6ba1 100644 --- a/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml +++ b/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml 
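Review bot: The `fe_conf` block added to sdc-fe/values.yaml in the `@@ -155,7 +129,73 @@` hunk ships `basic_auth: "true"` with the defaults `user_name: "testName"` and `user_pass: "testPass"`, and the same pair is repeated as top-level keys a few lines below. Defaults like these are deployed unchanged unless an operator overrides them, and values.yaml is not a secret store. Suggest leaving the credentials empty or sourcing them from a Secret, dropping the duplicated top-level keys, and adding a comment for the keys that are added without a value (`facade_vip`, `access_restriction_key`, `keystore_password`, `truststore_password`).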
@@ -2,6 +2,7 @@ # Copyright (c) 2021 Nokia. All rights reserved. # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,12 +20,12 @@ apiVersion: v2 description: ONAP Service Design and Creation Helm Validator name: sdc-helm-validator -version: 12.0.0 +version: 13.0.1 dependencies: - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - name: common - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-helm-validator/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-helm-validator/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml b/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml index f736a174db..894bfd60f7 100644 --- a/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # ===========LICENSE_START======================================================== # Copyright (c) 2021 Nokia. All rights reserved. +# Modifications Copyright © 2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,15 +26,23 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + {{ include "common.podSecurityContext" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {{ include "common.resources" . | nindent 12 }} ports: {{ include "common.containerPorts" . | nindent 12 }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} env: - name: LOG_LEVEL value: {{ .Values.config.loggingLevel }} + - name: TRACING_ENABLED + value: {{ .Values.global.tracing.enabled | quote }} + - name: COLLECTOR_URL + value: {{ .Values.global.tracing.collector.baseUrl }} + - name: TRACING_SAMPLING_PROBABILITY + value: {{ .Values.global.tracing.sampling.probability | quote }} livenessProbe: httpGet: path: {{ .Values.liveness.path }} 
@@ -42,6 +51,14 @@ spec: periodSeconds: {{ .Values.liveness.periodSeconds }} successThreshold: {{ .Values.liveness.successThreshold }} failureThreshold: {{ .Values.liveness.failureThreshold }} + readinessProbe: + httpGet: + path: {{ .Values.readiness.path }} + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + successThreshold: {{ .Values.readiness.successThreshold }} + failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: httpGet: path: {{ .Values.startup.path }} @@ -50,5 +67,11 @@ spec: periodSeconds: {{ .Values.startup.periodSeconds }} successThreshold: {{ .Values.startup.successThreshold }} failureThreshold: {{ .Values.startup.failureThreshold }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + volumeMounts: + - mountPath: /tmp + name: tmp + volumes: + - name: tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-helm-validator/values.yaml b/kubernetes/sdc/components/sdc-helm-validator/values.yaml index 363a05934d..b96e3c1544 100644 --- a/kubernetes/sdc/components/sdc-helm-validator/values.yaml +++ b/kubernetes/sdc/components/sdc-helm-validator/values.yaml @@ -1,5 +1,6 @@ # ===========LICENSE_START======================================================== # Copyright (c) 2021 Nokia. All rights reserved. +# Modifications Copyright © 2025 Deutsche Telekom # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,8 +18,14 @@ # Global values global: pullPolicy: Always + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) -image: onap/sdc-helm-validator:1.3.1 +image: onap/sdc-helm-validator:1.3.2 containerPort: &svc_port 8080 config: @@ -30,6 +37,11 @@ service: - name: &port http port: *svc_port +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-be-read + liveness: initialDelaySeconds: 1 periodSeconds: 10 @@ -41,6 +53,15 @@ liveness: # in debugger so K8s doesn't restart unresponsive container enabled: true +readiness: + port: *port + path: /actuator/health + initialDelaySeconds: 1 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + startup: initialDelaySeconds: 10 periodSeconds: 10 @@ -53,16 +74,23 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 256Mi + cpu: "1" + memory: "1Gi" requests: - cpu: 1 - memory: 256Mi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 2 - memory: 1Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 256Mi + cpu: "1" + memory: "1Gi" unlimited: {} + +securityContext: + user_id: 1000 + group_id: 65533 + +volumes: + tmpSizeLimit: 200Mi diff --git a/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml b/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml index 6032061d13..10c8b1174f 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/Chart.yaml @@ -2,6 +2,7 @@ # Modifications Copyright © 2018 AT&T, ZTE # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,15 +19,18 @@ apiVersion: v2 description: ONAP Service Design and Creation Onboarding API name: sdc-onboarding-be -version: 12.0.0 +version: 13.0.5 dependencies: - - name: certInitializer - version: ~12.x-0 + - name: common + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/logging/logback.xml b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/logging/logback.xml index ee22ff2cfd..30409b877f 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/logging/logback.xml +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/logging/logback.xml 
@@ -1,223 +1,223 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - ${pattern} - - - - - - - ERROR - ACCEPT - DENY - - - "%d [%thread] %-5level %logger{1024} - %msg%n" - - - - - - - - ${logDirectory}/${allLogName}.log - - ${logDirectory}/${allLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${pattern} - - - - - - - - - - ${logDirectory}/${errorLogName}.log - - - - AUDIT_MARKER - - NEUTRAL - DENY - - - - - TRANSACTION_MARKER - - NEUTRAL - DENY - - - - INFO - - - ${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${pattern} - - - - - ${logDirectory}/${debugLogName}.log - - - - - TRANSACTION_MARKER - - NEUTRAL - DENY - - - - - e.level.toInt() <= DEBUG.toInt() - - DENY - NEUTRAL - - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${pattern} - - - - - ${logDirectory}/${auditLogName}.log - - - - AUDIT_MARKER - - DENY - ACCEPT - - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${pattern} - - - - - ${logDirectory}/${transactionLogName}.log - - - - TRANSACTION_MARKER - - DENY - ACCEPT - - - ${logDirectory}/${transactionLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${pattern} - - - - - ${queueSize} - - - - ${queueSize} - - - - ${queueSize} - - - - ${queueSize} - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + ${pattern} + + + + + + + ERROR + ACCEPT + DENY + + + "%d [%thread] %-5level %logger{1024} - %msg%n" + + + + + + + + ${logDirectory}/${allLogName}.log + + ${logDirectory}/${allLogName}.%d{yyyy-MM-dd}.%i.log + + ${maxFileSize} + + ${maxHistory} + ${totalSizeCap} + + + ${pattern} + + + + + + + + + + ${logDirectory}/${errorLogName}.log + + + + AUDIT_MARKER + + NEUTRAL + DENY + + + + + TRANSACTION_MARKER + + NEUTRAL + DENY + + + + INFO + + + 
${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.%i.log + + ${maxFileSize} + + ${maxHistory} + ${totalSizeCap} + + + ${pattern} + + + + + ${logDirectory}/${debugLogName}.log + + + + + TRANSACTION_MARKER + + NEUTRAL + DENY + + + + + e.level.toInt() <= DEBUG.toInt() + + DENY + NEUTRAL + + + ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.%i.log + + ${maxFileSize} + + ${maxHistory} + ${totalSizeCap} + + + ${pattern} + + + + + ${logDirectory}/${auditLogName}.log + + + + AUDIT_MARKER + + DENY + ACCEPT + + + ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.%i.log + + ${maxFileSize} + + ${maxHistory} + ${totalSizeCap} + + + ${pattern} + + + + + ${logDirectory}/${transactionLogName}.log + + + + TRANSACTION_MARKER + + DENY + ACCEPT + + + ${logDirectory}/${transactionLogName}.%d{yyyy-MM-dd}.%i.log + + ${maxFileSize} + + ${maxHistory} + ${totalSizeCap} + + + ${pattern} + + + + + ${queueSize} + + + + ${queueSize} + + + + ${queueSize} + + + + ${queueSize} + + + + + + + + + diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-helmvalidator.yaml b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-helmvalidator.yaml new file mode 100644 index 0000000000..fe132179ee --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-helmvalidator.yaml @@ -0,0 +1,6 @@ +hValidatorEnabled: {{ .Values.sdcHelmValidator.enabled }} +hValidatorUrl: {{ .Values.sdcHelmValidator.url }} +hValidatorVersion: {{ .Values.sdcHelmValidator.helmVersion }} +hValidatorDeployable: {{ .Values.sdcHelmValidator.deployable }} +hValidatorLintable: {{ .Values.sdcHelmValidator.lintable }} +hValidatorStrictLintable: {{ .Values.sdcHelmValidator.strictLintable }} 
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-vnfrepo.yaml b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-vnfrepo.yaml new file mode 100644 index 0000000000..8b8bdec476 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/config-vnfrepo.yaml @@ -0,0 +1,4 @@ +vnfRepoPort: {{ .Values.VnfRepo.vnfRepoPort }} +vnfRepoHost: refrepo.{{include "common.namespace" .}} +getVnfUri: /onapapi/vnfsdk-marketplace/v1/PackageResource/csars +downloadVnfUri: /onapapi/vnfsdk-marketplace/v1/PackageResource/csars/%s/files/app/jetty/config/onboarding-be diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/externaltesting-configuration.yaml b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/externaltesting-configuration.yaml new file mode 100644 index 0000000000..a617f13968 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/externaltesting-configuration.yaml @@ -0,0 +1,5 @@ +client: + enabled: true +endpoints: + - {{ .Values.EXTTEST.ep1_config }} + - {{ .Values.EXTTEST.ep2_config }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/features.properties b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/features.properties new file mode 100644 index 0000000000..54c4dea02b --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/features.properties @@ -0,0 +1 @@ +EXTERNAL_LICENSE=true diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/onboarding_configuration.yaml b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/onboarding_configuration.yaml new file mode 100644 index 0000000000..665d891c83 --- /dev/null 
+++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/onboarding-config/onboarding_configuration.yaml 
@@ -0,0 +1,72 @@ +catalogNotificationsConfig: + # catalog backend protocol + catalogBeProtocol: {{ if .Values.global.disableHttp }}https{{- else }}http{{- end }} + catalogBeHttpPort: {{ (.Values.global.BE).http_port }} + catalogBeSslPort: {{ (.Values.global.BE).https_port }} + catalogBeFqdn: sdc-be.{{ include "common.namespace" . }} + # do not remove the "" from catalog_notification_url. it is escaping % characters coming from AUTO.json + catalogNotificationUrl: {{ .Values.ONBOARDING_BE.catalog_notification_url | quote }} + +notifications: + pollingIntervalMsec: 2000 + selectionSize: 100 + beHost: sdc-onboarding-be.{{ include "common.namespace" . }} + beHttpPort: {{ .Values.ONBOARDING_BE.http_port }} + +cassandraConfig: + cassandraHosts: [ {{ .Values.global.sdc_cassandra.serviceName }}.{{ include "common.namespace" . }} ] + cassandraPort: {{ .Values.cassandra.cassandra_port }} + localDataCenter: {{ .Values.global.sdc_cassandra.dataCenter }} + reconnectTimeout: 30000 + socketReadTimeout: {{ .Values.cassandra.socket_read_timeout }} + socketConnectTimeout: {{ .Values.cassandra.socket_connect_timeout }} + authenticate: true + username: {{ .Values.cassandra.cassandra_user }} + password: {{ .Values.cassandra.cassandra_password }} + ssl: {{ .Values.config.cassandraSslEnabled }} + truststorePath: {{ .Values.JETTY_BASE }}/etc/truststore + truststorePassword: {{ .Values.cassandra.truststore_password }} + +authCookie: + securityKey: MlB1WHFpSHNVTWdJZU1PcQ== + maxSessionTimeOut: 86400000 + sessionIdleTimeOut: 3600000 + cookieName: "AuthenticationCookie" + path: / + domain: "" + isHttpOnly: true + # redirect variable name from portal.properties file + redirectURL: "redirect_url" + excludedUrls: [ '/.*' ] + onboardingExcludedUrls: [ '/.*' ] + +basicAuth: + enabled: {{ .Values.basic_auth.enabled }} + userName: {{ .Values.basic_auth.user_name }} + userPass: {{ .Values.basic_auth.user_pass }} + excludedUrls: "/v1.0/healthcheck" + +zipValidation: + ignoreManifest: false + 
+externalCsarStore: + storageType: NONE # NONE, MINIO + endpoint: + host: 127.0.0.1 + port: 9000 + secure: false + credentials: + accessKey: "login" + secretKey: "password" + foldersToStrip: + - Files/images + sizeLimit: 10000000 + thresholdEntries: 10000 + tempPath: "/home/onap/temp/" + uploadPartSize: 200000000 + +#Space separated list of permitted ancestors +permittedAncestors: {{ .Values.permittedAncestors | join " " }} + +# Comma separated list of excluded URLs by the DataValidatorFilter +dataValidatorFilterExcludedUrls: "/healthCheck,/followed,/authorize" diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/ready-probe.sh b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/ready-probe.sh new file mode 100644 index 0000000000..54ed6960df --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/ready-probe.sh @@ -0,0 +1,8 @@ +#!/bin/sh +health_check_http_code=$(curl -k --max-time 5 -o /dev/null -w '%{http_code}' -X GET --header "Accept: application/json" "{{ if .Values.global.disableHttp }}https://127.0.0.1:{{ .Values.ONBOARDING_BE.https_port }}{{- else -}}http://127.0.0.1:{{ .Values.ONBOARDING_BE.http_port }}{{- end -}}/onboarding-api/v1.0/healthcheck") +if [ "$health_check_http_code" -eq 200 ]; then + exit 0 +else + echo "Health check http status: $health_check_http_code" + exit 1 +fi diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/http.ini b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/http.ini new file mode 100644 index 0000000000..e4e66c5387 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/http.ini 
@@ -0,0 +1,29 @@ +# Module: http +--module=http + +### HTTP Connector Configuration + +## Connector host/address to bind to +# jetty.http.host=0.0.0.0 + +## Connector port to listen on +#jetty.http.port=8081 +jetty.http.port= {{ .Values.ONBOARDING_BE.http_port }} + +## Connector idle timeout in milliseconds +jetty.http.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.http.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.http.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.http.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.http.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.http.acceptorPriorityDelta=0 diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/https.ini b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/https.ini new file mode 100644 index 0000000000..ec92157dd2 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/https.ini 
@@ -0,0 +1,31 @@ +# --------------------------------------- +# Module: https +--module=https + +### HTTPS Connector Configuration + +## Connector host/address to bind to +# jetty.https.host=0.0.0.0 + +## Connector port to listen on + +#jetty.https.port=8445 +jetty.https.port= {{ .Values.ONBOARDING_BE.https_port }} + +## Connector idle timeout in milliseconds +jetty.https.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.https.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.https.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.https.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.https.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.https.acceptorPriorityDelta=0 diff --git a/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/ssl.ini b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/ssl.ini new file mode 100644 index 0000000000..70ceffb631 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/resources/config/start.d/ssl.ini 
@@ -0,0 +1,98 @@ +# --------------------------------------- +# Module: ssl +--module=ssl + +### TLS(SSL) Connector Configuration + +## Connector host/address to bind to +# jetty.ssl.host=0.0.0.0 + +## Connector port to listen on + +#jetty.ssl.port=8445 +jetty.ssl.port = {{ .Values.ONBOARDING_BE.https_port }} + +## Connector idle timeout in milliseconds +# jetty.ssl.idleTimeout=30000 + +## Connector socket linger time in seconds (-1 to disable) +# jetty.ssl.soLingerTime=-1 + +## Number of acceptors (-1 picks default based on number of cores) +# jetty.ssl.acceptors=-1 + +## Number of selectors (-1 picks default based on number of cores) +# jetty.ssl.selectors=-1 + +## ServerSocketChannel backlog (0 picks platform default) +# jetty.ssl.acceptorQueueSize=0 + +## Thread priority delta to give to acceptor threads +# jetty.ssl.acceptorPriorityDelta=0 + +## Whether request host names are checked to match any SNI names +# jetty.ssl.sniHostCheck=true + +## max age in seconds for a Strict-Transport-Security response header (default -1) +# jetty.ssl.stsMaxAgeSeconds=31536000 + +## include subdomain property in any Strict-Transport-Security header (default false) +# jetty.ssl.stsIncludeSubdomains=true + +### SslContextFactory Configuration +## Note that OBF passwords are not secure, just protected from casual observation +## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html + +## Keystore file path (relative to $jetty.base) +jetty.sslContext.keyStorePath=etc/org.onap.sdc.p12 + +## Truststore file path (relative to $jetty.base) +jetty.sslContext.trustStorePath=etc/org.onap.sdc.trust.jks + +## Keystore password +# jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 + +#jetty.sslContext.keyStorePassword=?(kP!Yur![*!Y5!E^f(ZKc31 +jetty.sslContext.keyStorePassword= {{ .Values.jetty.keyStorePassword }} + +## Keystore type and provider +# jetty.sslContext.keyStoreType=JKS +# jetty.sslContext.keyStoreProvider= + +## 
KeyManager password +# jetty.sslContext.keyManagerPassword=OBF:1u2u1wml1z7s1z7a1wnl1u2g + +#jetty.sslContext.keyManagerPassword=?(kP!Yur![*!Y5!E^f(ZKc31 +jetty.sslContext.keyManagerPassword= {{ .Values.jetty.keyManagerPassword }} + +## Truststore password +# jetty.sslContext.trustStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4 + +#jetty.sslContext.trustStorePassword=z+KEj;t+,KN^iimSiS89e#p0 +jetty.sslContext.trustStorePassword= {{ .Values.jetty.trustStorePassword }} + +## Truststore type and provider +# jetty.sslContext.trustStoreType=JKS +# jetty.sslContext.trustStoreProvider= + +## whether client certificate authentication is required +# jetty.sslContext.needClientAuth=false + +## Whether client certificate authentication is desired +# jetty.sslContext.wantClientAuth=false + +## Whether cipher order is significant (since java 8 only) +# jetty.sslContext.useCipherSuitesOrder=true + +## To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at +## https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites + +## Set the size of the SslSession cache +# jetty.sslContext.sslSessionCacheSize=-1 + +## Set the timeout (in seconds) of the SslSession cache timeout +# jetty.sslContext.sslSessionTimeout=-1 + +## Allow SSL renegotiation +# jetty.sslContext.renegotiationAllowed=true +# jetty.sslContext.renegotiationLimit=5 diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/autoscaling.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/autoscaling.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
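Review bot: in templates/autoscaling.yaml, `metrics:` is emitted unconditionally while both entries under it are guarded by `if`, so enabling `autoscaling.enabled` without setting `targetCPUUtilizationPercentage` or `targetMemoryUtilizationPercentage` renders a HorizontalPodAutoscaler with an empty `metrics:` key. Either wrap the `metrics:` key in a condition that at least one target is set, or fail the render with an explicit message when autoscaling is enabled and no target is configured, so the scaling behaviour always matches what values.yaml states.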
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/configmap.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/configmap.yaml index aa632f33f4..06e6b79956 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/configmap.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/configmap.yaml 
@@ -27,3 +27,68 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/logging/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-onboarding-be-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/onboarding-config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-http-04-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/http.ini").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-https-04-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/https.ini").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-ssl-04-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/start.d/ssl.ini").AsConfig . 
| indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-ready-probe-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/ready-probe.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml index 8180cc79f1..90664a82b6 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml 
@@ -18,114 +18,50 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + minReadySeconds: {{ .Values.minReadySeconds }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - name: {{ include "common.name" . }}-job-completion - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-sdc-onboarding-be-cassandra-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-update-config - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /config-output - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /config-output - cd /config-input && \ - for PFILE in `find . -not -type d | grep -v -F ..` - do - envsubst <${PFILE} >/config-output/${PFILE} - chmod 0755 /config-output/${PFILE} - done - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: sdc-environments-input - mountPath: /config-input/ - - name: sdc-environments - mountPath: /config-output/ - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- end }} - - name: volume-permissions - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: - - sh - args: - - "-c" - - | - chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} //onboard/cert - securityContext: - runAsUser: 0 - volumeMounts: - - name: cert-storage - mountPath: "/onboard/cert" - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} + - name: {{ include "common.name" . }}-copy-jetty + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/bin/sh","-c"] + args: ['cp -a /app/jetty/ /app/jetty_rw/; mkdir /app/jetty_rw/jetty/ruby_temp'] + resources: + limits: + cpu: 400m + memory: 400Mi + requests: + cpu: 30m + memory: 200Mi + {{ include "common.containerSecurityContext" . | indent 10 | trim }} + volumeMounts: + - name: {{ include "common.fullname" . }}-jetty + mountPath: /app/jetty_rw containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} + ports: {{ include "common.containerPorts" . | nindent 12 }} {{ if eq .Values.liveness.enabled true }} livenessProbe: httpGet: - path: /onboarding-api/v1.0/healthcheck - port: {{ .Values.service.internalPort2 }} + path: {{ .Values.liveness.path }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} @@ -134,8 +70,8 @@ spec: {{ end }} readinessProbe: httpGet: - path: /onboarding-api/v1.0/healthcheck - port: {{ .Values.service.internalPort2 }} + path: {{ .Values.readiness.path }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} 
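Review bot: the readinessProbe in templates/deployment.yaml (and the liveness and startup probes changed alongside it) moves from `internalPort2` to `.Values.service.internalPort` but sets no `scheme`, so the kubelet always probes over plain HTTP. The new resources/config/ready-probe.sh in this same change switches to `https://127.0.0.1:{{ .Values.ONBOARDING_BE.https_port }}` when `global.disableHttp` is set, and the script is mounted at `/app/jetty/ready-probe.sh`, yet none of the probes shown here execute it. Please either make the `httpGet` probes follow `global.disableHttp` (port and `scheme: HTTPS`), or switch to an `exec` probe that runs the script; if the script is not going to be used, drop it together with its ConfigMap and mount.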
@@ -143,15 +79,18 @@ spec: failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: httpGet: - path: /onboarding-api/v1.0/healthcheck - port: {{ .Values.service.internalPort2 }} + path: {{ .Values.startup.path }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} timeoutSeconds: {{ .Values.startup.timeoutSeconds }} successThreshold: {{ .Values.startup.successThreshold }} failureThreshold: {{ .Values.startup.failureThreshold }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} resources: {{ include "common.resources" . | nindent 12 }} env: + - name: TMPDIR + value: '/app/jetty/ruby_temp' - name: ENVNAME value: {{ .Values.env.name }} - name: JAVA_OPTIONS 
@@ -171,56 +110,86 @@ spec: valueFrom: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password} - name: SDC_CERT_DIR - value: {{ .Values.cert.certDir }} + value: "" volumeMounts: - - name: sdc-environments - mountPath: /app/jetty/chef-solo/environments/ - {{- if .Values.global.aafEnabled }} - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-onboard-backend/files/default/org.onap.sdc.p12 - subPath: org.onap.sdc.p12 - - name: sdc-environments - mountPath: /app/jetty/chef-solo/cookbooks/sdc-onboard-backend/files/default/org.onap.sdc.trust.jks - subPath: org.onap.sdc.trust.jks - {{- end }} - - name: localtime - mountPath: /etc/localtime - readOnly: true - - name: logs + - name: {{ include "common.fullname" . }}-jetty + mountPath: /app/jetty + subPath: jetty + - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap - - name: cert-storage - mountPath: "{{ .Values.cert.certDir }}" + - name: {{ include "common.fullname" . }}-tmp + mountPath: /tmp - name: logback mountPath: /tmp/logback.xml subPath: logback.xml + - name: onboarding-conf + mountPath: /app/jetty/config/onboarding-be/config-vnfrepo.yaml + subPath: config-vnfrepo.yaml + - name: onboarding-conf + mountPath: /app/jetty/config/onboarding-be/onboarding_configuration.yaml + subPath: onboarding_configuration.yaml + - name: onboarding-conf + mountPath: /app/jetty/config/onboarding-be/config-helmvalidator.yaml + subPath: config-helmvalidator.yaml + - name: onboarding-conf + mountPath: /app/jetty/config/onboarding-be/externaltesting-configuration.yaml + subPath: externaltesting-configuration.yaml + - name: onboarding-conf + mountPath: /app/jetty/config/onboarding-be/features.properties + subPath: features.properties + - name: http-config + mountPath: /app/jetty/start.d/http.ini + subPath: http.ini + - name: https-config + mountPath: /app/jetty/start.d/https.ini + subPath: https.ini + - name: ssl-config + mountPath: /app/jetty/start.d/ssl.ini + 
subPath: ssl.ini + - name: ready-probe-config + mountPath: /app/jetty/ready-probe.sh + subPath: ready-probe.sh lifecycle: postStart: exec: - command: ["/bin/sh", "-c", "export LOG=wait_logback.log; touch $LOG; export SRC=/tmp/logback.xml; export DST=/app/jetty/config/onboarding-be/; while [ ! -e $DST ]; do echo 'Waiting for $DST...' >> $LOG; sleep 5; done; sleep 2; /bin/cp -f $SRC $DST; echo 'Done' >> $LOG"] + command: ["/bin/sh", "-c", "export LOG=/tmp/wait_logback.log; touch $LOG; export SRC=/tmp/logback.xml; export DST=/app/jetty/config/onboarding-be/; while [ ! -e $DST ]; do echo 'Waiting for $DST...' >> $LOG; sleep 5; done; sleep 2; /bin/cp -f $SRC $DST; echo 'Done' >> $LOG"] # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - + {{ include "common.podSecurityContext" . | indent 6 | trim }} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: logback configMap: name : {{ include "common.fullname" . }}-logging-configmap - - name: sdc-environments - {{- if .Values.global.aafEnabled }} - emptyDir: { medium: "Memory" } - - name: sdc-environments-input - {{- end }} + - name: onboarding-conf configMap: - name: {{ include "common.release" . }}-sdc-environments-configmap + name: {{ include "common.release" . }}-sdc-onboarding-be-configmap defaultMode: 0755 - - name: logs - emptyDir: {} - - name: cert-storage - persistentVolumeClaim: - claimName: {{ include "common.fullname" . }}-cert - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: http-config + configMap: + name: {{ include "common.release" . 
}}-sdc-http-04-configmap + defaultMode: 0755 + - name: https-config + configMap: + name: {{ include "common.release" . }}-sdc-https-04-configmap + defaultMode: 0755 + - name: ssl-config + configMap: + name: {{ include "common.release" . }}-sdc-ssl-04-configmap + defaultMode: 0755 + - name: ready-probe-config + configMap: + name: {{ include "common.release" . }}-sdc-ready-probe-configmap + defaultMode: 0755 + - name: {{ include "common.fullname" . }}-logs + emptyDir: + sizeLimit: {{ .Values.volumes.logSizeLimit }} + - name: {{ include "common.fullname" . }}-tmp + emptyDir: + sizeLimit: {{ .Values.volumes.tmpSizeLimit }} + - name: {{ include "common.fullname" . }}-jetty + emptyDir: + sizeLimit: {{ .Values.volumes.jettySizeLimit }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml index bfc1ef8e7b..7ff54e87dc 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/job.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, AT&T, Bell Canada # Modifications Copyright © 2018 ZTE +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,13 +19,14 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "common.fullname" . }}-cassandra-init + name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app: {{ include "common.name" . }} release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: @@ -34,30 +36,10 @@ spec: release: {{ include "common.release" . }} spec: restartPolicy: Never + securityContext: + {{- toYaml .Values.jobPodSecurityContext | nindent 8 }} initContainers: - - name: {{ include "common.name" . }}-job-completion - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.release" . }}-sdc-cs-config-cassandra - - "-t" - - "20" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi + {{ include "common.readinessCheck.waitFor" (dict "dot" . "wait_for" .Values.readinessCheck.job_wait_for) | nindent 8 }} containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.onboardingInitImage }} @@ -72,6 +54,8 @@ spec: volumeMounts: - name: {{ include "common.fullname" . }}-environments mountPath: /home/sdc/chef-solo/environments/ + - name: {{ include "common.fullname" . }}-cqlshrc + mountPath: /home/sdc/.cassandra env: - name: ENVNAME value: {{ .Values.env.name }} 
@@ -92,17 +76,40 @@ spec: value: "{{ .Values.global.sdc_cassandra.serviceName }}" resources: limits: - cpu: 800m - memory: 1024Mi + cpu: "800m" + memory: "1Gi" requests: - cpu: 200m - memory: 200Mi + cpu: "200m" + memory: "200Mi" + {{ if eq .Values.liveness.enabled true }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.service.jobPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} + successThreshold: {{ .Values.liveness.successThreshold }} + failureThreshold: {{ .Values.liveness.failureThreshold }} + {{ end }} + readinessProbe: + httpGet: + path: /healthz + port: {{ .Values.service.jobPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} + successThreshold: {{ .Values.readiness.successThreshold }} + failureThreshold: {{ .Values.readiness.failureThreshold }} + {{ include "common.containerSecurityContext" . | indent 10 | trim }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: name: {{ include "common.release" . }}-sdc-environments-configmap defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - restartPolicy: Never + - name: {{ include "common.fullname" . }}-cqlshrc + configMap: + name: {{ include "common.release" . }}-sdc-cqlshrc + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/pv.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/pv.yaml deleted file mode 100644 index bc110c3b0f..0000000000 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/pv.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (C) 2019, Nordix Foundation. All rights reserved. -# ================================================================================ -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if and .Values.persistence.enabled (not .Values.cert.persistence.existingClaim) -}} -{{- if eq "True" (include "common.needPV" .) -}} -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }} -spec: - capacity: - storage: {{ .Values.cert.persistence.size}} - accessModes: - - {{ .Values.cert.persistence.accessMode }} - persistentVolumeReclaimPolicy: {{ .Values.cert.persistence.volumeReclaimPolicy }} - storageClassName: "{{ include "common.fullname" . }}-data" - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.persistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.cert.persistence.mountSubPath }} -{{- end -}} -{{- end -}} 
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/pvc.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/pvc.yaml deleted file mode 100644 index 006d736b63..0000000000 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/pvc.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{/* -# ================================================================================ -# Copyright (C) 2019, Nordix Foundation. All rights reserved. -# ================================================================================ -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{- if and .Values.cert.persistence.enabled (not .Values.cert.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-cert - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" -{{- if .Values.cert.persistence.annotations }} - annotations: -{{ toYaml .Values.cert.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.cert.persistence.accessMode }} - storageClassName: {{ include "common.storageClass" . }} - resources: - requests: - storage: {{ .Values.cert.persistence.size }} -{{- end -}} 
diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml index ece5a439a3..0a349834b4 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -15,35 +16,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName | default "http" }}s - - - port: {{ .Values.service.externalPort2 }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} - name: {{ .Values.service.portName | default "http" }}} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName | default "http" }}s - - port: {{ .Values.service.externalPort2 }} - targetPort: {{ .Values.service.internalPort2 }} - name: {{ .Values.service.portName | default "http" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/servicemonitor.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/servicemonitor.yaml new file mode 100644 index 0000000000..937f5ef974 --- /dev/null +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/servicemonitor.yaml 
@@ -0,0 +1,19 @@ +{{/* +# Copyright © 2024 Deutsche Telekom AG +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.metrics.serviceMonitor.enabled }} +{{ include "common.serviceMonitor" . }} +{{- end }} diff --git a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml index 1db5af98d0..6a35c444e2 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,7 +19,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true persistence: {} sdc_cassandra: #This flag allows SDC to instantiate its own cluster, serviceName 
@@ -32,35 +32,12 @@ global: clusterName: cassandra dataCenter: Pod -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-onboarding-be-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop - ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-onboard-backend:1.12.0 -onboardingInitImage: onap/sdc-onboard-cassandra-init:1.12.0 +image: onap/sdc-onboard-backend:1.14.1 +onboardingInitImage: onap/sdc-onboard-cassandra-init:1.14.1 pullPolicy: Always # flag to enable debugging - application support required @@ -83,6 +60,7 @@ affinity: {} # probe configuration parameters liveness: + path: /onboarding-api/v1.0/healthcheck initialDelaySeconds: 1 periodSeconds: 10 timeoutSeconds: 15 @@ -93,6 +71,7 @@ liveness: enabled: true readiness: + path: /onboarding-api/v1.0/healthcheck initialDelaySeconds: 1 periodSeconds: 10 timeoutSeconds: 15 @@ -100,6 +79,7 @@ readiness: failureThreshold: 3 startup: + path: /onboarding-api/v1.0/healthcheck initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 15 
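Review bot: the probe path added to liveness, readiness and startup is /onboarding-api/v1.0/healthcheck, while the basic_auth block added later in this values.yaml has enabled: true and excludedUrls: /v1.0/healthcheck. If the exclusion is matched against the full request path, the kubelet probes, which send no credentials, are rejected and the pod never becomes ready. Confirm how excludedUrls is matched and either make the exclusion the same string as the probe path or add a comment next to the probe paths explaining the prefix. The metrics path /onboarding-api/v1.0/actuator/prometheus is not excluded and serviceMonitor.basicAuth.enabled is false, so it needs the same check.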
@@ -109,12 +89,16 @@ startup: service: type: ClusterIP name: sdc-onboarding-be - portName: http - internalPort: 8445 - externalPort: 8445 + internalPort: 8081 + jobPort: 8080 + ports: + - name: http + port: 8081 - internalPort2: 8081 - externalPort2: 8081 +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-be-read ## Persist data to a persitent volume persistence: @@ -139,21 +123,6 @@ persistence: mountPath: /dockerdata-nfs mountSubPath: /sdc/sdc-cs/CS -##Certificate storage persistence -##This is temporary solution for SDC-1980 -cert: - certDir: /app/jetty/cert - persistence: - enabled: true - size: 10Mi - accessMode: ReadWriteOnce - volumeReclaimPolicy: Retain - mountSubPath: /sdc/onbaording/cert - -securityContext: - fsGroup: 35953 - runAsUser: 352070 - ingress: enabled: false @@ -163,18 +132,18 @@ flavor: small resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1.5Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "3Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "3Gi" unlimited: {} #Pods Service Account 
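Review bot: in the service hunk, serviceMesh.authorizationPolicy.authorizedPrincipals lists only sdc-be-read, while a later hunk in this values.yaml sets metrics.serviceMonitor.enabled: true with targetPort 8081. If common.authorizationPolicy turns this list into the only allowed callers, the monitoring stack's scrapes of port 8081 are denied by the mesh. Either add the scraping service account as an authorized principal or default the ServiceMonitor to disabled. The same hunk moves internalPort from 8445 to 8081, which the values list as the http_port, so the backend now relies on the mesh for transport protection; a values.yaml comment saying so would help operators who deploy without it.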
@@ -187,7 +156,136 @@ wait_for_job_container: containers: - '{{ include "common.name" . }}-job' +readinessCheck: + wait_for: + timeout: 25 + jobs: + - '{{ include "common.release" . }}-sdc-onboarding-be' + job_wait_for: + timeout: 20 + jobs: + - '{{ include "common.release" . }}-sdc-cs' + #Log configuration log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +securityContext: + user_id: 1000 + group_id: 101 + +volumes: + logSizeLimit: 300Mi + jettySizeLimit: 400Mi + tmpSizeLimit: 500Mi + +resources_initContainer: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + +jobPodSecurityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + +################################################################# +# Settings from Default.rb +################################################################# +ONBOARDING_BE: + http_port: 8081 + https_port: 8445 + catalog_notification_url: "%s://%s:%s/sdc2/rest/v1/catalog/notif/vsp/" +FE: + http_port: 8181 + https_port: 9443 +disableHttp: true +cassandra: + truststore_password: Aa123456 + cassandra_port: 9042 + datacenter_name: DC- + cluster_name: SDC-CS- + socket_read_timeout: 20000 + socket_connect_timeout: 20000 + janusgraph_connection_timeout: 10000 + cassandra_user: asdc_user + cassandra_password: Aa1234%^! 
+sdcHelmValidator: + enabled: true + helmVersion: 3.5.2 + deployable: true + lintable: false + strictLintable: false + url: http://sdc-helm-validator:8080/validate +VnfRepo: + vnfRepoPort: 8703 + vnfRepoHost: refrepo +jetty: + trustStorePassword: "z+KEj;t+,KN^iimSiS89e#p0" + keyManagerPassword: "?(kP!Yur![*!Y5!E^f(ZKc31" + keyStorePassword: "?(kP!Yur![*!Y5!E^f(ZKc31" +basic_auth: + enabled: true + user_name: testName + user_pass: testPass + excludedUrls: /v1.0/healthcheck + +EXTTEST: + ep1_config: vtp,VTP,true,http://refrepo:8702/onapapi/vnfsdk-marketplace,onap.* + ep2_config: repository,Repository,false,,.* + +#Addiding extra Envs +permittedAncestors: "" +JETTY_BASE: "/app/jetty" +http_option: http_option + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 75 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + +# the minimum number of seconds that a newly created Pod should be ready +minReadySeconds: 30 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 + +metrics: + serviceMonitor: + enabled: true + targetPort: 8081 + path: /onboarding-api/v1.0/actuator/prometheus + basicAuth: + enabled: false + +logback: + rootLogLevel: INFO + +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. 
+# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" diff --git a/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml b/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml index 51e84a690e..7fc60f2227 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,15 +18,15 @@ apiVersion: v2 description: ONAP Service Design and Creation Workflow Designer backend name: sdc-wfd-be -version: 12.0.0 +version: 13.0.5 dependencies: - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/authorizationpolicy.yaml 
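Review bot: the block added under "Settings from Default.rb" in sdc-onboarding-be/values.yaml commits usable-looking secrets as chart defaults: cassandra.cassandra_password, cassandra.truststore_password, the three jetty.*Password values, and basic_auth.user_pass: testPass. Anyone with read access to the repository has them, and every deployment that does not override the defaults shares one set of credentials. Move these behind a Secret and read them with secretKeyRef, as the sdc-wfd-be deployment in this patch already does for CS_PASSWORD from the sdc-cs-secrets Secret, and leave the values empty or generated by default. Also check disableHttp: true in the same block: service.ports and metrics.serviceMonitor.targetPort use 8081, which the block names as http_port, so one of the two settings is wrong or misnamed.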
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/autoscaling.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/autoscaling.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
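Review bot: in the new sdc-wfd-be autoscaling.yaml, metrics: is emitted even when neither targetCPUUtilizationPercentage nor targetMemoryUtilizationPercentage is set, so the HorizontalPodAutoscaler is created without any chart-controlled metric and Kubernetes falls back to its own default. Both targets are of type Utilization, which is computed against container resource requests, so with the unlimited flavor (resources.unlimited: {} in values.yaml) there is nothing to compute against. Fail the render with a clear message when autoscaling.enabled is true and no target is set, and document that autoscaling needs a flavor with requests. The file also lacks the license header that the sibling authorizationpolicy.yaml carries.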
diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml index a187e19a75..25288e530f 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, AT&T, Bell Canada # Modifications Copyright © 2018 ZTE +# Modifications Copyright © 2023,2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,75 +18,37 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + minReadySeconds: {{ .Values.minReadySeconds }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: {{- if .Values.initJob.enabled }} - - name: {{ include "common.name" . }}-job-completion - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: "{{ .Values.global.pullPolicy | default .Values.pullPolicy }}" - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-workflow-init - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} {{ end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export SERVER_SSL_KEY_PASSWORD=$cadi_keystore_password_p12 - export KEYMANAGER_PASS=$cadi_keystore_password_p12 - export SERVER_SSL_TRUST_PASSWORD=$cadi_truststore_password - export SERVER_SSL_KEYSTORE_PATH={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} - export SERVER_SSL_TRUSTSTORE_PATH={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} - ./startup.sh - {{- end }} - ports: - - containerPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} successThreshold: {{ .Values.liveness.successThreshold }} 
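Review bot: initContainers: is now written unconditionally in the pod spec of the sdc-wfd-be deployment, but its only entry sits inside {{- if .Values.initJob.enabled }}, so with initJob.enabled: false the key renders with no value. Move the key inside the conditional so the field is omitted when there is nothing to wait for.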
@@ -93,14 +56,14 @@ spec: {{ end }} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} successThreshold: {{ .Values.startup.successThreshold }} @@ -120,6 +83,8 @@ spec: - name: CS_PASSWORD valueFrom: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password} + - name: CS_DATACENTER + value: "{{ .Values.config.cassandraDataCenter }}" - name: CS_SSL_ENABLED value: "{{ .Values.config.cassandraSSLEnabled }}" - name: CS_TRUST_STORE_PATH 
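Review bot: CS_DATACENTER is fed from .Values.config.cassandraDataCenter, which the values.yaml change in this patch defaults to dc1, while the same file already carries global.sdc_cassandra.dataCenter: Pod. Two independent settings for one cluster property will drift, and a client pinned to a data center name the cluster does not use may find no usable nodes. Derive the env var from the global value, or document which one wins and keep the defaults equal.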
@@ -128,28 +93,24 @@ spec: valueFrom: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: cs_truststore_password} - name: SDC_PROTOCOL - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary "HTTPS" "HTTP" }}" + value: "HTTP" - name: SDC_ENDPOINT - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdcEndpoint.https .Values.config.sdcEndpoint.http }}" + value: "{{ .Values.config.sdcEndpoint.http }}" - name: SDC_USER value: "{{ .Values.config.sdcExternalUser }}" - name: SDC_PASSWORD valueFrom: secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: wf_external_user_password} - {{- if (include "common.needTLS" .) }} - - name: SERVER_SSL_ENABLED - value: "true" - - name: SERVER_SSL_KEYSTORE_TYPE - value: "{{ .Values.config.serverSSLKeyStoreType }}" - - name: SERVER_SSL_TRUSTSTORE_TYPE - value: "{{ .Values.config.serverSSLTrustStoreType }}" - {{- else }} - name: SERVER_SSL_ENABLED value: "false" - {{- end }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + - name: TRACING_ENABLED + value: "{{ .Values.global.tracing.enabled }}" + - name: TRACING_COLLECTOR_BASEURL + value: "{{ .Values.global.tracing.collector.baseUrl }}" + - name: TRACING_SAMPLING_PROBABILITY + value: "{{ .Values.config.tracing.samplingProbability }}" + - name: TRACING_SKIP_PATTERN + value: "{{ .Values.config.tracing.skipPattern }}" resources: {{ include "common.resources" . | nindent 12 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml index 171442dfdc..e9e5fcf1d1 100644 
--- a/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/ingress.yaml @@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{include "common.ingress" .}} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml index 2e5826d229..32eb8572ab 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/job.yaml @@ -19,13 +19,14 @@ apiVersion: batch/v1 kind: Job metadata: - name: {{ include "common.fullname" . }}-workflow-init + name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + app: {{ include "common.name" . }} release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: @@ -43,7 +44,7 @@ spec: - /app/ready.py args: - --job-name - - {{ include "common.release" . }}-sdc-cs-config-cassandra + - {{ include "common.release" . }}-sdc-cs - "-t" - "20" env: 
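Review bot: the sdc-wfd-be job keeps its hand-written readiness init container and only retargets --job-name to {{ include "common.release" . }}-sdc-cs, whereas the sdc-onboarding-be job in the same patch replaces the identical block with common.readinessCheck.waitFor and a readinessCheck.job_wait_for entry. Use the helper here too so the wait target, timeout and init-container resources live in values.yaml rather than in the template. None of the job.yaml hunks for this chart add a pod securityContext either; the onboarding job gained jobPodSecurityContext (runAsNonRoot: true, seccompProfile RuntimeDefault) and this one should get the same unless it is already set in lines the diff does not show.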
@@ -54,11 +55,11 @@ spec: fieldPath: metadata.namespace resources: limits: - cpu: 100m - memory: 100Mi + cpu: "100m" + memory: "500Mi" requests: - cpu: 3m - memory: 20Mi + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: @@ -72,6 +73,9 @@ spec: - /bin/sh - -c {{- end }} + volumeMounts: + - name: {{ include "common.fullname" . }}-cqlshrc + mountPath: /home/sdc/.cassandra env: - name: CS_HOST value: "{{ .Values.global.sdc_cassandra.serviceName }}" @@ -83,8 +87,12 @@ spec: valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_user}} - name: CS_PASSWORD valueFrom: {secretKeyRef: {name: {{ include "common.release" . }}-sdc-cs-secrets, key: sdc_password}} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: {{ include "common.fullname" . }}-cqlshrc + configMap: + name: {{ include "common.release" . }}-sdc-cqlshrc + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end }} diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml index 2f4129b03f..895eac1794 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/service.yaml @@ -2,6 +2,7 @@ # Copyright © 2018 Amdocs, Bell Canada # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2023 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,28 +17,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort2 .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-be/values.yaml b/kubernetes/sdc/components/sdc-wfd-be/values.yaml index 8e4916901b..0e5cc81d9a 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2018 AT&T, ZTE +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -18,7 +19,6 @@ ################################################################# global: nodePortPrefix: 302 - aafEnabled: true sdc_cassandra: # This flag allows SDC to instantiate its own cluster, serviceName # should be sdc-cs if this flag is enabled @@ -31,36 +31,17 @@ global: replicaCount: 3 clusterName: cassandra dataCenter: Pod - -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-wfd-be-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-workflow-backend:1.11.1 -configInitImage: onap/sdc-workflow-init:1.11.1 +image: onap/sdc-workflow-backend:1.14.0 +configInitImage: onap/sdc-workflow-init:1.14.0 pullPolicy: Always initJob: 
@@ -70,14 +51,17 @@ config: javaOptions: "-Xmx1536m -Xms1536m" cassandraAuthenticationEnabled: true cassandraClientPort: 9042 + cassandraDataCenter: dc1 sdcEndpoint: - https: sdc-be:8443 http: sdc-be:8080 sdcExternalUser: workflow serverSSLKeyStoreType: jks serverSSLTrustStoreType: jks cassandraSSLEnabled: false cassandraTrustStorePath: /home/sdc/etc/truststore + tracing: + samplingProbability: 1.0 + skipPattern: "" # environment file env: @@ -126,41 +110,47 @@ startup: service: type: NodePort - portName: http internalPort: 8080 - externalPort: 8080 - internalPort2: 8443 - externalPort2: 8443 - nodePort: "57" # only one node port. set to http or https port depending on isHttpsEnabled property + ports: + - name: http + port: 8080 + nodePort: "57" ingress: enabled: false service: - baseaddr: "sdc-wfd-be-api" name: "sdc-wfd-be" - port: 8443 - plain_port: 8080 + port: 8080 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-wfd-fe-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: istio-ingress + namespace: istio-ingress + # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) flavor: small resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "2Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "2Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "3Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "3Gi" unlimited: {} #Pods Service Account 
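Review bot: service.type stays NodePort (nodePort "57") in the service hunk although the 8443 port is removed and only plain HTTP 8080 is left, so the workflow backend is offered on a node port without TLS. The new authorizedPrincipals list only protects it where the mesh enforces the policy. sdc-onboarding-be uses ClusterIP in this patch; do the same here and let the ingress be the external path, or state why a node port is still needed. ingress.config.ssl: "redirect" is kept while the ingress service port changes from 8443 to 8080; confirm that combination is intended. The config hunk also leaves serverSSLKeyStoreType and serverSSLTrustStoreType in place although the deployment template no longer reads them.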
@@ -172,3 +162,41 @@ serviceAccount: wait_for_job_container: containers: - '{{ include "common.name" . }}-job' + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.fullname" . }}' + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 75 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + +# the minimum number of seconds that a newly created Pod should be ready +minReadySeconds: 30 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 + +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" diff --git a/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml b/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml index 1b17aa9e91..b94d65e25f 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2018 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,15 +18,15 @@ apiVersion: v2 description: ONAP Service Design and Creation Workflow Designer frontend name: sdc-wfd-fe -version: 12.0.0 +version: 13.0.4 dependencies: - - name: certInitializer - version: ~12.x-0 - repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/authorizationpolicy.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/autoscaling.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/autoscaling.yaml new file mode 100644 index 0000000000..b7f265319b --- /dev/null +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/autoscaling.yaml 
@@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: {{- include "common.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "common.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml index d57309004d..54a99e4e1f 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml 
@@ -16,93 +16,33 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} + {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + minReadySeconds: {{ .Values.minReadySeconds }} + strategy: + type: {{ .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - "sdc-wfd-be" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- if .Values.global.aafEnabled }} - - name: {{ include "common.fullname" . 
}}-move-cert - command: - - /bin/sh - args: - - -c - - | - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.keystoreFile }} /sdc-certs/{{ .Values.certInitializer.keystoreFile }} - cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.truststoreFile }} /sdc-certs/{{ .Values.certInitializer.truststoreFile }} - cp {{ .Values.certInitializer.credsPath }}/mycreds.prop /sdc-certs/mycreds.prop - image: {{ include "repositoryGenerator.image.busybox" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - name: sdc-certs - mountPath: /sdc-certs - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 3m - memory: 20Mi - {{- end }} + initContainers: + {{ include "common.readinessCheck.waitFor" . | nindent 8 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - "-c" - - | - export $(grep '^c' /sdc-certs/mycreds.prop | xargs -0) - export KEYSTORE_PASS=$cadi_keystore_password_p12 - export TRUSTSTORE_PASS=$cadi_truststore_password - export KEYSTORE_PATH=/etc/{{ .Values.certInitializer.keystoreFile }} - export TRUSTSTORE_PATH=/etc/{{ .Values.certInitializer.truststoreFile }} - ./startup.sh - {{- end }} - ports: - - containerPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . 
| nindent 12 }} {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} successThreshold: {{ .Values.liveness.successThreshold }} @@ -110,14 +50,14 @@ spec: {{ end }} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} successThreshold: {{ .Values.readiness.successThreshold }} failureThreshold: {{ .Values.readiness.failureThreshold }} startupProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }} periodSeconds: {{ .Values.startup.periodSeconds }} successThreshold: {{ .Values.startup.successThreshold }} 
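Review bot: the liveness, readiness and startup probes now read `.Values.service.internalPort`, while the container ports are rendered by `common.containerPorts`, and values.yaml for this chart defines both `service.internalPort: 8080` and a `service.ports` entry with `port: 8080`. Those two values have to be kept in step by hand; deriving the probe port from the same list, or dropping `internalPort` once nothing else reads it, would avoid a silent mismatch.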
@@ -128,28 +68,9 @@ spec: - name: JAVA_OPTIONS value: {{ .Values.config.javaOptions }} - name: BACKEND - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.backendServerURL.https .Values.config.backendServerURL.http }}" + value: "{{ .Values.config.backendServerURL.http }}" - name: IS_HTTPS - value: "{{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}" - {{- if and (include "common.needTLS" .) (eq .Values.security.isDefaultStore false) }} - - name: TRUST_ALL - value: "{{ .Values.config.isTrustAll}}" - {{- end }} - volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - {{- if .Values.global.aafEnabled }} - - name: sdc-certs - mountPath: /sdc-certs/mycreds.prop - subPath: mycreds.prop - - name: sdc-certs - mountPath: /var/lib/jetty/etc/{{ .Values.certInitializer.keystoreFile }} - subPath: {{ .Values.certInitializer.keystoreFile }} - - name: sdc-certs - mountPath: /var/lib/jetty/etc/{{ .Values.certInitializer.truststoreFile }} - subPath: {{ .Values.certInitializer.truststoreFile }} - {{ end }} + value: "false" resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: @@ -162,17 +83,8 @@ spec: # side car containers {{ include "common.log.sidecar" . | nindent 8 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - {{- if .Values.global.aafEnabled }} - - name: sdc-certs - emptyDir: - medium: "Memory" - {{- end }} + volumes: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - name: logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
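Review bot: in the env block of this template, `IS_HTTPS` becomes the literal "false" and `BACKEND` always takes `.Values.config.backendServerURL.http`, so frontend-to-backend traffic is cleartext unless a sidecar encrypts it. Nothing in the rendered Deployment makes that dependency visible; a short comment here or in values.yaml stating that TLS is delegated to the service mesh would help operators who deploy without it.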
diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml index 8f87c68f1e..90875ab5cc 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/ingress.yaml @@ -1 +1,18 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml index 08feb5a6ed..f6b302776c 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/service.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2018 ZTE # Modifications Copyright © 2018 AT&T, Amdocs, Bell Canada +# Modifications Copyright © 2023 Deutsche Telekom # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
@@ -14,39 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "wf-gui", - "version": "v1", - "url": "/", - "protocol": "UI", - "port": "{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }}", - "visualRange":"0|1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- else -}} - - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.externalPort2 .Values.service.externalPort }} - targetPort: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort2 .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml index 37fdfd7993..cbfc15c3c3 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml 
@@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,36 +19,12 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 - aafEnabled: true - -################################################################# -# AAF Part -################################################################# -certInitializer: - nameOverride: sdc-wfd-fe-cert-init - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - fqdn: sdc - fqi: sdc@sdc.onap.org - public_fqdn: sdc.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - addconfig: true - keystoreFile: "org.onap.sdc.p12" - truststoreFile: "org.onap.sdc.trust.jks" - permission_user: 352070 - permission_group: 35953 - aaf_add_config: | - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop ################################################################# # Application configuration defaults. ################################################################# # application image -image: onap/sdc-workflow-frontend:1.11.1 +image: onap/sdc-workflow-frontend:1.14.0 pullPolicy: Always # flag to enable debugging - application support required @@ -56,7 +33,6 @@ debugEnabled: false config: javaOptions: "-Xmx256m -Xms256m" backendServerURL: - https: "https://sdc-wfd-be:8443" http: "http://sdc-wfd-be:8080" # following flag decides whether to check the certificate on the outgoing proxy request or whether to trust all parties isTrustAll: true 
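Review bot: `isTrustAll: true` and its comment survive as context in the `backendServerURL` hunk, but deployment.yaml in this same change no longer sets `TRUST_ALL` and the `https` URL is removed. The key now has no visible consumer; please drop it so that a trust-all-certificates default does not linger in values.yaml and get picked up again later.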
@@ -101,26 +77,25 @@ startup: service: type: NodePort internalPort: 8080 - externalPort: 8080 - internalPort2: 8443 - externalPort2: 8443 - portName: sdc-wfd-fe - nodePort: "56" # only one node port. set to http or https port depending on isHttpsEnabled property + ports: + - name: http + port: 8080 + port_protocol: http + nodePort: '56' ingress: enabled: false service: - baseaddr: "sdc-wfd-fe-ui" name: "sdc-wfd-fe" - port: 8443 - plain_port: 8080 - annotations: - ingress.kubernetes.io/secure-backends: "false" - nginx.ingress.kubernetes.io/secure-backends: "false" - nginx.ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/ssl-redirect: "true" - nginx.ingress.kubernetes.io/backend-protocol: "HTTP" - nginx.ingress.kubernetes.io/rewrite-target: "/workflows/" + port: 8080 + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: sdc-fe-read + - serviceAccount: istio-ingress + namespace: istio-ingress # Resource Limit flavor -By Default using small # Segregation for Different environment (Small and Large) @@ -128,18 +103,18 @@ flavor: small resources: small: limits: - cpu: 500m - memory: 2Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 40m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 1 - memory: 4Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 80m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account 
@@ -152,3 +127,26 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +readinessCheck: + wait_for: + services: + - sdc-wfd-be + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + targetCPUUtilizationPercentage: 75 + +# number of ReplicaSets that should be retained for the Deployment +revisionHistoryLimit: 1 + +# the minimum number of seconds that a newly created Pod should be ready +minReadySeconds: 30 +updateStrategy: + type: RollingUpdate + # The number of pods that can be unavailable during the update process + maxUnavailable: 0 + # The number of pods that can be created above the desired amount of pods during an update + maxSurge: 1 diff --git a/kubernetes/sdc/resources/config/cqlshrc b/kubernetes/sdc/resources/config/cqlshrc new file mode 100644 index 0000000000..cb6df94880 --- /dev/null +++ b/kubernetes/sdc/resources/config/cqlshrc @@ -0,0 +1,2 @@ +[cql] +version={{.Values.global.sdc_cassandra.cqlVersion}} \ No newline at end of file diff --git a/kubernetes/sdc/resources/config/environments/AUTO.json b/kubernetes/sdc/resources/config/environments/AUTO.json index aee666f4af..59cb8655b9 100755 --- a/kubernetes/sdc/resources/config/environments/AUTO.json +++ b/kubernetes/sdc/resources/config/environments/AUTO.json @@ -8,7 +8,7 @@ "chef_type": "environment", "default_attributes": { - "disableHttp": {{ (eq "true" (include "common.needTLS" .)) | ternary "true" "false" }}, + "disableHttp": false, "CS_VIP": "{{.Values.global.sdc_cassandra.serviceName}}.{{include "common.namespace" .}}", "BE_VIP": "sdc-be.{{include "common.namespace" .}}", "ONBOARDING_BE_VIP": "sdc-onboarding-be.{{include "common.namespace" .}}", 
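Review bot: in AUTO.json, `"disableHttp"` changes from the `common.needTLS` ternary to the literal `false`, so HTTP can no longer be switched off from values. If any deployment still needs that switch, expose it as a value that defaults to false instead of hard-coding it.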
@@ -19,7 +19,11 @@ }, "ECompP": { "ecomp_rest_url": "https://portal-app.{{include "common.namespace" .}}:8443/ONAPPORTAL/auxapi", + {{- if .Values.global.kafka.useKafka }} + "ueb_url_list": "no-message-router.{{include "common.namespace" .}}, message-router.{{include "common.namespace" .}}", + {{- else }} "ueb_url_list": "message-router.{{include "common.namespace" .}}, message-router.{{include "common.namespace" .}}", + {{- end }} "app_secret": "XftIATw9Jr3VzAcPqt3NnJOu", "app_key": "x9UfO7JsDn8BESVX", "inbox_name": "ECOMP-PORTAL-INBOX", @@ -31,17 +35,24 @@ "PublicKey": "iPIxkpAMI8qTcQj8", "SecretKey": "Ehq3WyT4bkif4zwgEbvshGal", "fqdn": [ + {{- if .Values.global.kafka.useKafka }} + "no-message-router.{{include "common.namespace" .}}", + "no-message-router.{{include "common.namespace" .}}" + {{- else }} "message-router.{{include "common.namespace" .}}", "message-router.{{include "common.namespace" .}}" + {{- end }} ] }, "Kafka": { - "bootstrap": "{{ include "common.release" . }}-{{ .Values.global.kafka.kafkaBootstrap }}" + "bootstrap": "{{ include "common.release" . }}-strimzi-kafka-bootstrap:9092" }, + {{- if .Values.global.kafka.useKafka }} "DistributionTopics": { "notificationTopicName": "{{ .Values.global.kafka.topics.sdcDistNotifTopic }}", "statusTopicName": "{{ .Values.global.kafka.topics.sdcDistStatusTopic }}" }, + {{- end }} "Nodes": { "CS": [ "{{.Values.global.sdc_cassandra.serviceName}}.{{include "common.namespace" .}}" @@ -119,13 +130,6 @@ "username": "user1@sdc.com", "password": "password==" } - {{- if .Values.global.aafEnabled }} - }, - "jetty": { - "keystore_pwd": "${KEYSTORE_PASS}", - "truststore_pwd": "${TRUSTSTORE_PASS}", - "keymanager_pwd": "${KEYMANAGER_PASS}" - {{- end }} } } } diff --git a/kubernetes/sdc/templates/configmap.yaml b/kubernetes/sdc/templates/configmap.yaml index 712f2ecc61..dee73ba711 100644 --- a/kubernetes/sdc/templates/configmap.yaml +++ b/kubernetes/sdc/templates/configmap.yaml 
@@ -28,4 +28,17 @@ metadata: data: {{ tpl (.Files.Glob "resources/config/environments/*").AsConfig . | indent 2 }} --- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.release" . }}-sdc-cqlshrc + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/cqlshrc").AsConfig . | indent 2 }} +--- {{ include "common.log.configMap" . }} diff --git a/kubernetes/sdc/templates/kafkatopic.yaml b/kubernetes/sdc/templates/kafkatopic.yaml new file mode 100644 index 0000000000..53352c4e56 --- /dev/null +++ b/kubernetes/sdc/templates/kafkatopic.yaml @@ -0,0 +1,18 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{- if .Values.global.kafka.useKafka }} +{{ include "common.kafkatopic" . }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml index 60a361eae6..23324186a1 100644 --- a/kubernetes/sdc/values.yaml +++ b/kubernetes/sdc/values.yaml 
@@ -25,36 +25,65 @@ global: truststore_password: eitLRWo7dCssS05eaWltU2lTODllI3Aw keystore_password: PyhrUCFZdXIhWyohWTUhRV5mKFpLYzMx wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== - aafEnabled: true sdc_cassandra: - #This flag allows SDC to instantiate its own cluster, serviceName - #should be "sdc-cs" if this flag is enabled - localCluster: false - #The cassandra service name to connect to (default: shared cassandra service) - serviceName: cassandra - #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled - #to match with its own cluster replica - #see "cassandra: replicaCount" in file sdc-cs/values.yaml) - replicaCount: 3 - dbCache: true - readConsistencyLevel: ONE - writeConsistencyLevel: ALL - clusterName: cassandra - dataCenter: Pod + #This flag allows SDC to instantiate its own cluster, serviceName + #should be "sdc-cs" if this flag is enabled + localCluster: false + #Cassandra login details + username: cassandra + password: cassandra + #The cassandra service name to connect to (default: shared cassandra service) + #in case of using k8ssandra-operator in the common cassandra installation + #the service name is: + serviceName: cassandra-dc1-service + #in case the older cassandra installation is used: + #serviceName: cassandra + #Shared cassandra cluster replicaCount, should be changed if localCluster is enabled + #to match with its own cluster replica + #see "cassandra: replicaCount" in file sdc-cs/values.yaml + dbCache: true + readConsistencyLevel: ONE + writeConsistencyLevel: ALL + clusterName: cassandra + #datacenter name (use "dc1" in case of k8ssandra-operator, otherwise "Pod") + replicaCount: 3 + dataCenter: dc1 + rc1: 1 + #cqlVersion for cassandra 3.11.* must be "3.4.4" and cassandra 4.0.* must be "3.4.5" + #and cassandra 4.1.* must be "3.4.6" + cqlVersion: "3.4.6" + + BE: + http_port: 8080 + https_port: 8443 + centralizedLoggingEnabled: true - # Kafka config + # global Kafka config 
passed to sdc-be chart kafka: + # If true, the following Strimzi KafkaTopics will be created useKafka: true - sdcBeKafkaUser: sdc-be-kafka-user - kafkaBootstrap: strimzi-kafka-bootstrap:9092 topics: - sdcDistNotifTopic: SDC-DISTR-NOTIF-TOPIC - sdcDistStatusTopic: SDC-DISTR-STATUS-TOPIC + sdcDistNotifTopic: ¬if-topic-name SDC-DISTR-NOTIF-TOPIC + sdcDistStatusTopic: &status-topic-name SDC-DISTR-STATUS-TOPIC + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + +# Environment file +env: + name: &env AUTO + +kafkaTopic: + - name: *notif-topic-name + suffix: *env + - name: *status-topic-name + suffix: *env sdc-be: logConfigMapNamePrefix: '{{ include "common.release" . }}-sdc' - config: - jaasConfExternalSecret: '{{ include "common.release" . }}-{{ .Values.global.kafka.sdcBeKafkaUser }}' sdc-fe: logConfigMapNamePrefix: '{{ include "common.release" . }}-sdc' sdc-onboarding-be: @@ -62,10 +91,6 @@ sdc-onboarding-be: sdc-wfd-fe: logConfigMapNamePrefix: '{{ include "common.release" . }}-sdc' -# Environment file -env: - name: AUTO - config: logstashServiceName: log-ls logstashPort: 5044 
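Review bot: in `global.sdc_cassandra` (kubernetes/sdc/values.yaml), the added `username: cassandra` and `password: cassandra` put a database login in plain chart values under the comment "Cassandra login details". Please take these from a Secret or an external secret reference and leave the values empty by default, so installs do not silently run with a well-known credential pair.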
@@ -83,3 +108,25 @@ sdcHelmValidator: lintable: false strictLintable: false url: http://sdc-helm-validator:8080/validate + +ONBOARDING_BE: + http_port: 8081 + https_port: 8445 + catalog_notification_url: "%s://%s:%s/sdc2/rest/v1/catalog/notif/vsp/" +cassandra: + cassandra_port: 9042 + concurrent_reads: 32 + num_tokens: 256 + data_dir: /var/lib/cassandra/data + hinted_handoff_enabled: true + cassandra_user: asdc_user + cassandra_password: Aa1234%^! + concurrent_writes: 32 + multithreaded_compaction: false + cache_dir: "/var/lib/cassandra/saved_caches" + log_file: "/var/lib/cassandra/log/system.log" + phi_convict_threshold: 8 + commitlog_dir: "/var/lib/cassandra/commitlog" + socket_read_timeout: 20000 + socket_connect_timeout: 20000 + janusgraph_connection_timeout: 10000 diff --git a/kubernetes/sdnc/Chart.yaml b/kubernetes/sdnc/Chart.yaml index a3f07ebeb5..87654cbacc 100644 --- a/kubernetes/sdnc/Chart.yaml +++ b/kubernetes/sdnc/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
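Review bot: in kubernetes/sdc/values.yaml, the `cassandra:` block appended after `sdcHelmValidator` sets `cassandra_user: asdc_user` and gives `cassandra_password` a literal value. A committed password should come from a Secret instead; please also say in a comment how this block relates to `global.sdc_cassandra`, since both now carry Cassandra login fields.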
@@ -17,61 +18,57 @@ apiVersion: v2 description: SDN Controller name: sdnc -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: certManagerCertificate - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: logConfiguration - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: network-name-gen - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: network-name-gen.enabled - name: dgbuilder - version: ~12.x-0 + version: ~15.x-0 repository: '@local' condition: dgbuilder.enabled - name: sdnc-prom - version: ~12.x-0 + version: ~13.x-0 repository: '@local' condition: config.geoEnabled - name: mariadb-galera - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: elasticsearch - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - condition: config.sdnr.enabled + condition: sdnc.elasticsearch.enabled,elasticsearch.enabled # conditions for sdnc-subcharts - - name: dmaap-listener - version: ~12.x-0 - repository: 'file://components/dmaap-listener/' - condition: sdnc.dmaap-listener.enabled,dmaap-listener.enabled - name: ueb-listener - version: ~12.x-0 - repository: 'file://components/ueb-listener/' + version: ~15.x-0 + repository: '@local' condition: sdnc.ueb-listener.enabled,ueb-listener.enabled - name: sdnc-ansible-server - version: ~12.x-0 - repository: 'file://components/sdnc-ansible-server/' + version: ~15.x-0 + repository: '@local' condition: sdnc.sdnc-ansible-server.enabled,sdnc-ansible-server.enabled - name: sdnc-web - version: ~12.x-0 - repository: 'file://components/sdnc-web/' + version: ~15.x-0 + repository: '@local' condition: sdnc.sdnc-web.enabled,sdnc-web.enabled - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 + 
repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/msb/components/msb-consul/.helmignore b/kubernetes/sdnc/components/dgbuilder/.helmignore similarity index 100% rename from kubernetes/msb/components/msb-consul/.helmignore rename to kubernetes/sdnc/components/dgbuilder/.helmignore diff --git a/kubernetes/sdnc/components/dgbuilder/Chart.yaml b/kubernetes/sdnc/components/dgbuilder/Chart.yaml new file mode 100644 index 0000000000..31089ad91e --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/Chart.yaml @@ -0,0 +1,31 @@ +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: D.G. Builder application +name: dgbuilder +version: 15.1.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js b/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js new file mode 100644 index 0000000000..372a0ca4c9 --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/resources/config/customSettings.js 
@@ -0,0 +1,58 @@ +/* Copyright © 2017 AT&T, Amdocs, Bell Canada +* +* Licensed under the Apache License, Version 2.0 (the "License"); +* you may not use this file except in compliance with the License. +* You may obtain a copy of the License at +* +* http://www.apache.org/licenses/LICENSE-2.0 +* +* Unless required by applicable law or agreed to in writing, software +* distributed under the License is distributed on an "AS IS" BASIS, +* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +* See the License for the specific language governing permissions and +* limitations under the License. +*/ + +module.exports={ + "name": "Release sdnc1.0", + "emailAddress": "dguser@onap.org", + "uiPort": 3100, + "mqttReconnectTime": 15000, + "serialReconnectTime": 15000, + "debugMaxLength": 1000, + "htmlPath": "releases/sdnc1.0/html/", + "xmlPath": "releases/sdnc1.0/xml/", + "flowFile": "releases/sdnc1.0/flows/flows.json", + "sharedDir": "releases/sdnc1.0/flows/shared", + "userDir": "releases/sdnc1.0", + "httpAuth": { + "user": "${HTTP_USER}", + "pass": "${HTTP_PASSWORD}" + }, + "dbHost": "{{.Values.config.dbServiceName}}.{{ include "common.namespace" . }}", + "dbPort": "3306", + "dbName": "{{.Values.config.db.dbName}}", + "dbUser": "${DB_USER}", + "dbPassword": "${DB_PASSWORD}", + "gitLocalRepository": "", + "restConfUrl": "http://localhost:8181/rests/operations/SLI-API:execute-graph", + "restConfUser": "${REST_CONF_USER}", + "restConfPassword": "${REST_CONF_PASSWORD}", + "formatXML": "Y", + "formatJSON": "Y", + "httpRoot": "/", + "disableEditor": false, + "httpAdminRoot": "/", + "httpAdminAuth": { + "user": "${HTTP_ADMIN_USER}", + "pass": "${HTTP_ADMIN_PASSWORD}" + }, + "httpNodeRoot": "/", + "httpNodeAuth": { + "user": "${HTTP_NODE_USER}", + "pass": "${HTTP_NODE_PASSWORD}" + }, + "uiHost": "0.0.0.0", + "version": "0.9.1", + "performGitPull": "N" +} 
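Review bot: In customSettings.js every credential placeholder sits inside a double-quoted JavaScript string literal (`"pass": "${HTTP_PASSWORD}"`, `"dbPassword": "${DB_PASSWORD}"`, `"restConfPassword": "${REST_CONF_PASSWORD}"`), so once the values are substituted as plain text, a secret containing `"`, `\` or a newline ends the literal early and either breaks the module or changes the settings object. Either state the allowed character set next to the secret definitions or escape the values before they are written into the file. Separately, `"uiHost": "0.0.0.0"` combined with `"disableEditor": false` and `"httpAdminRoot": "/"` serves the editor on every interface at the root path, so access control rests entirely on `httpAdminAuth`; a comment saying this is deliberate would help, and `restConfUrl` sends the RESTCONF credentials over plain `http://`, which is only acceptable as long as the target stays `localhost`.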
diff --git a/kubernetes/common/dgbuilder/resources/config/svclogic.properties b/kubernetes/sdnc/components/dgbuilder/resources/config/svclogic.properties similarity index 100% rename from kubernetes/common/dgbuilder/resources/config/svclogic.properties rename to kubernetes/sdnc/components/dgbuilder/resources/config/svclogic.properties diff --git a/kubernetes/common/dgbuilder/templates/NOTES.txt b/kubernetes/sdnc/components/dgbuilder/templates/NOTES.txt similarity index 100% rename from kubernetes/common/dgbuilder/templates/NOTES.txt rename to kubernetes/sdnc/components/dgbuilder/templates/NOTES.txt diff --git a/kubernetes/common/dgbuilder/templates/configmap.yaml b/kubernetes/sdnc/components/dgbuilder/templates/configmap.yaml similarity index 100% rename from kubernetes/common/dgbuilder/templates/configmap.yaml rename to kubernetes/sdnc/components/dgbuilder/templates/configmap.yaml diff --git a/kubernetes/sdnc/components/dgbuilder/templates/deployment.yaml b/kubernetes/sdnc/components/dgbuilder/templates/deployment.yaml new file mode 100644 index 0000000000..a89941d3d7 --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/templates/deployment.yaml 
@@ -0,0 +1,127 @@ +{{/* +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - command: + - sh + args: + - -c + - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + env: + - name: DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 10 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "password") | indent 10 }} + - name: HTTP_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "login") | indent 10 }} + - name: HTTP_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "http-user-creds" "key" "password") | indent 10 }} + - name: HTTP_ADMIN_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "admin-creds" "key" "login") | indent 10 }} + - name: HTTP_ADMIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "admin-creds" "key" "password") | indent 10 }} + - name: HTTP_NODE_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "login") | indent 10 }} + - name: HTTP_NODE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "node-creds" "key" "password") | indent 10 }} + - name: REST_CONF_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "login") | indent 10 }} + - name: REST_CONF_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restconf-creds" "key" "password") | indent 10 }} + volumeMounts: + - mountPath: /config-input + name: config-input + - mountPath: /config + name: config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config + - command: + - /app/ready.py + args: + - --service-name + - {{ .Values.config.dbServiceName }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: ["/bin/bash"] + args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && ./start.sh sdnc1.0 && wait"] + ports: {{- include "common.containerPorts" . 
| indent 10 }} + readinessProbe: + tcpSocket: + port: {{ .Values.service.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + env: + - name: SDNC_CONFIG_DIR + value: /opt/onap/sdnc/data/properties + volumeMounts: + - name: config + mountPath: /opt/app/application.properties + subPath: application.properties + - name: config + mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/conf/svclogic.properties + subPath: svclogic.properties + - name: config + mountPath: /opt/onap/ccsdk/dgbuilder/svclogic/svclogic.properties + subPath: svclogic.properties + - name: config + mountPath: /opt/onap/ccsdk/dgbuilder/releases/sdnc1.0/customSettings.js + subPath: customSettings.js + resources: {{ include "common.resources" . | nindent 12 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: config-input + configMap: + name: {{ include "common.fullname" . }}-config + - name: config + emptyDir: + medium: Memory + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/dgbuilder/templates/ingress.yaml b/kubernetes/sdnc/components/dgbuilder/templates/ingress.yaml similarity index 100% rename from kubernetes/common/dgbuilder/templates/ingress.yaml rename to kubernetes/sdnc/components/dgbuilder/templates/ingress.yaml diff --git a/kubernetes/common/dgbuilder/templates/secrets.yaml b/kubernetes/sdnc/components/dgbuilder/templates/secrets.yaml similarity index 100% rename from kubernetes/common/dgbuilder/templates/secrets.yaml rename to kubernetes/sdnc/components/dgbuilder/templates/secrets.yaml 
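Review bot: In kubernetes/sdnc/components/dgbuilder/templates/deployment.yaml the update-config init container calls `envsubst <${PFILE} >/config/${PFILE}` with no variable list, so every `$NAME` or `${NAME}` sequence in every file under /config-input is replaced, and any name that is not in the container's environment is replaced with an empty string. That covers svclogic.properties and application.properties as well as customSettings.js. Pass the intended names explicitly, for example `envsubst '${DB_USER} ${DB_PASSWORD} ${HTTP_USER} ...'`, so unrelated `$` text survives. The loop also iterates over the output of `ls -1 .` with unquoted `${PFILE}`, which splits file names on whitespace; `for PFILE in *` with quoted expansions is safer. Two smaller points: no container in this pod sets a `securityContext`, and the update-config container has no `resources` block while the readiness container next to it does.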
diff --git a/kubernetes/sdnc/components/dgbuilder/templates/service.yaml b/kubernetes/sdnc/components/dgbuilder/templates/service.yaml new file mode 100644 index 0000000000..53f04104d9 --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/dgbuilder/values.yaml b/kubernetes/sdnc/components/dgbuilder/values.yaml new file mode 100644 index 0000000000..d913728a2e --- /dev/null +++ b/kubernetes/sdnc/components/dgbuilder/values.yaml 
@@ -0,0 +1,180 @@ +# Copyright © 2018 AT&T, Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Global configuration default values that can be inherited by +# all subcharts. +################################################################# +global: + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + + # image pull policy + pullPolicy: Always + + # default mount path root directory referenced + # by persistent volumes and log files + persistence: + mountPath: /dockerdata-nfs + + # flag to enable debugging - application support required + debugEnabled: true + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: 'db-root-password' + type: password + externalSecret: '{{ tpl (default "" .Values.config.db.rootPasswordExternalSecret) . }}' + password: '{{ .Values.config.db.rootPassword }}' + - uid: 'db-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + - uid: 'http-user-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.httpCredsExternalSecret) . 
}}' + login: '{{ .Values.config.httpUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'admin-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.adminCredsExternalSecret) . }}' + login: '{{ .Values.config.adminUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'node-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.nodeCredsExternalSecret) . }}' + login: '{{ .Values.config.nodeUser }}' + password: '{{ .Values.config.dgUserPassword }}' + - uid: 'restconf-creds' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.restconfCredsExternalSecret) . }}' + login: '{{ .Values.config.restconfUser }}' + password: '{{ .Values.config.restconfPassword }}' + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/ccsdk-dgbuilder-image:2.1.0 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false + +# application configuration +config: + db: + dbName: sdnctl + # unused for now to preserve the API + rootPassword: openECOMP1.0 + # rootPasswordExternalSecret: some secret + userName: sdnctl + # unused for now to preserve the API + userPassword: gamma + # userCredentialsExternalSecret: some secret + httpUser: dguser + # unused for now to preserve the API + httpPassword: cc03e747a6afbbcbf8be7668acfebee5 + # httpCredsExternalSecret: some secret + adminUser: dguser + # unused for now to preserve the API + adminPassword: cc03e747a6afbbcbf8be7668acfebee5 + # adminCredsExternalSecret: some secret + nodeUser: dguser + # unused for now to preserve the API + nodePassword: cc03e747a6afbbcbf8be7668acfebee5 + # nodeCredsExternalSecret: some secret + restconfUser: admin + # unused for now to preserve the API + restconfPassword: admin + # restconfCredsExternalSecret: some secret + + dbPodName: 
mysql-db + dbServiceName: sdnc-dbhost + # MD5 hash of dguser password ( default: test123 ) + dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: NodePort + name: dgbuilder + internalPort: 3100 + ports: + - name: http + port: 3100 + nodePort: 28 + +ingress: + enabled: false + service: + - baseaddr: "dgbuilder" + name: "dgbuilder" + port: 3100 + config: + ssl: "redirect" + +#Resource Limit flavor -By Default using small +flavor: small +#segregation for different envionment (Small and Large) + +resources: + small: + limits: + cpu: "2" + memory: "4Gi" + requests: + cpu: "1" + memory: "2Gi" + large: + limits: + cpu: "4" + memory: "8Gi" + requests: + cpu: "2" + memory: "4Gi" + unlimited: {} + +podAnnotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # (https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" + +#Pods Service Account +serviceAccount: + nameOverride: dgbuilder + roles: + - read diff --git a/kubernetes/sdnc/components/dmaap-listener/Chart.yaml b/kubernetes/sdnc/components/dmaap-listener/Chart.yaml deleted file mode 100644 index 451e73ad42..0000000000 --- a/kubernetes/sdnc/components/dmaap-listener/Chart.yaml +++ /dev/null 
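Review bot: The `config:` block in kubernetes/sdnc/components/dgbuilder/values.yaml ships working default credentials (`rootPassword: openECOMP1.0`, `userPassword: gamma`, `restconfUser: admin` with `restconfPassword: admin`), and `dgUserPassword` is an unsalted MD5 whose plaintext is given in the comment directly above it. None of the entries under `secrets:` sets `passwordPolicy: required`, which the dmaap-listener values removed in this same change did use, so a deployment that overrides nothing comes up with these values. Consider leaving the defaults empty and requiring or generating them. Also, the `http-user-creds`, `admin-creds` and `node-creds` secrets all take their password from `.Values.config.dgUserPassword`, so overriding `httpPassword`, `adminPassword` or `nodePassword` has no effect; the "unused for now" comments say so, but an operator rotating one of them will not notice. Finally, `global.debugEnabled: true` and `service.type: NodePort` are permissive defaults for an editor UI and deserve a comment or a safer default.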
@@ -1,30 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: SDNC DMaaP Listener -name: dmaap-listener -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml b/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml deleted file mode 100644 index b788a36248..0000000000 --- a/kubernetes/sdnc/components/dmaap-listener/templates/deployment.yaml +++ /dev/null 
@@ -1,132 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - initContainers: - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: SDNC_DB_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }} - - name: SDNC_DB_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }} - - name: ODL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "login") | indent 10 }} - - name: ODL_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: config-input - - mountPath: /config - name: properties - image: {{ include "repositoryGenerator.image.envsubst" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . 
}}-update-config - - - command: - - /app/ready.py - args: - - --container-name - - {{ include "common.mariadbService" . }} - - --container-name - - {{ .Values.config.sdncChartName }} - - --container-name - - {{ .Values.config.msgRouterContainerName }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - command: - - /opt/onap/sdnc/dmaap-listener/bin/start-dmaap-listener.sh - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: PROPERTY_DIR - value: "{{ .Values.config.configDir }}" - - name: SDNC_CONFIG_DIR - value: "{{ .Values.config.configDir }}" - - name: LOG4J_FORMAT_MSG_NO_LOOKUPS - value: "true" - volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: {{ .Values.config.configDir }}/dblib.properties - name: properties - subPath: dblib.properties - - mountPath: {{ .Values.config.configDir }}/dhcpalert.properties - name: properties - subPath: dhcpalert.properties - - mountPath: {{ .Values.config.configDir }}/lcm.properties - name: properties - subPath: lcm.properties - - mountPath: {{ .Values.config.configDir }}/aai.properties - name: properties - subPath: aai.properties - - mountPath: {{ .Values.config.configDir }}/dmaap-consumer-CMNotify.properties - name: properties - subPath: dmaap-consumer-CMNotify.properties - - mountPath: {{ .Values.config.configDir }}/dmaap-consumer-a1Adapter-policy.properties - name: properties - subPath: dmaap-consumer-a1Adapter-policy.properties - - mountPath: {{ .Values.config.configDir }}/dmaap-consumer-oofpcipoc.properties - name: properties - subPath: dmaap-consumer-oofpcipoc.properties 
- - mountPath: {{ .Values.config.configDir }}/dmaap-consumer-RANSlice.properties - name: properties - subPath: dmaap-consumer-RANSlice.properties - resources: {{ include "common.resources" . | nindent 10 }} - {{- if .Values.nodeSelector }} - nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.affinity }} - affinity: {{ toYaml .Values.affinity | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: - - name: localtime - hostPath: - path: /etc/localtime - - name: config-input - configMap: - name: {{ include "common.fullname" . }} - defaultMode: 0644 - - name: properties - emptyDir: - medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sdnc/components/dmaap-listener/templates/secret.yaml b/kubernetes/sdnc/components/dmaap-listener/templates/secret.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/sdnc/components/dmaap-listener/templates/secret.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml b/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml deleted file mode 100644 index 728ba05046..0000000000 
--- a/kubernetes/sdnc/components/dmaap-listener/templates/service.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: ClusterIP - clusterIP: None diff --git a/kubernetes/sdnc/components/dmaap-listener/values.yaml b/kubernetes/sdnc/components/dmaap-listener/values.yaml deleted file mode 100644 index 4273a31c53..0000000000 --- a/kubernetes/sdnc/components/dmaap-listener/values.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - mariadbGalera: - #This flag allows SO to instantiate its own mariadb-galera cluster - #If shared instance is used, this chart assumes that DB already exists - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-secret - name: &dbSecretName '{{ include "common.release" . }}-sdnc-dmaap-listener-db-secret' - type: basicAuth - # This is a nasty trick that allows you override this secret using external one - # with the same field that is used to pass this to subchart - externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret")) .) 
(hasSuffix "sdnc-dmaap-listener-db-secret" (index .Values "mariadb-galera" "config" "userCredentialsExternalSecret"))}}' - login: '{{ index .Values "mariadb-galera" "config" "userName" }}' - password: '{{ index .Values "mariadb-galera" "config" "userPassword" }}' - passwordPolicy: required - - uid: odl-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.odlCredsExternalSecret) . }}' - login: '{{ .Values.config.odlUser }}' - password: '{{ .Values.config.odlPassword }}' - passwordPolicy: required - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/sdnc-dmaap-listener-image:2.4.1 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: - dmaapPort: 3904 - sdncChartName: sdnc - sdncPort: 8282 - msgRouterContainerName: message-router - configDir: /opt/onap/sdnc/data/properties - odlUser: admin - odlPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U - # odlCredsExternalSecret: some secret - -mariadb-galera: - config: - userCredentialsExternalSecret: *dbSecretName - userName: sdnctl - userPassword: gamma - mysqlDatabase: sdnctl - nameOverride: dmaap-listener-galera - service: - name: dmaap-listener-galera - portName: dmaap-listener-galera - internalPort: 3306 - replicaCount: 1 - persistence: - enabled: true - mountSubPath: dmaap-listener/maria/data - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -ingress: - enabled: false - -service: - name: sdnc-dmaap-listener - -#Resource 
limit flavor -By default using small -flavor: small -#Segregation for different environment (small and large) - -resources: - small: - limits: - cpu: 2 - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - large: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - unlimited: {} - -#Pods Service Account -serviceAccount: - nameOverride: sdnc-dmaap-listener - roles: - - read diff --git a/kubernetes/sdnc/components/network-name-gen/Chart.yaml b/kubernetes/sdnc/components/network-name-gen/Chart.yaml new file mode 100644 index 0000000000..8484b1c15c --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/Chart.yaml @@ -0,0 +1,34 @@ +# Copyright (C) 2018 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2021 Orange +# Modifications Copyright © 2021 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: Name Generation Micro Service +name: network-name-gen +version: 16.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: mariadb-init + version: ~16.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' \ No newline at end of file 
diff --git a/kubernetes/common/network-name-gen/resources/config/aai_keystore b/kubernetes/sdnc/components/network-name-gen/resources/config/aai_keystore similarity index 100% rename from kubernetes/common/network-name-gen/resources/config/aai_keystore rename to kubernetes/sdnc/components/network-name-gen/resources/config/aai_keystore diff --git a/kubernetes/sdnc/components/network-name-gen/templates/deployment.yaml b/kubernetes/sdnc/components/network-name-gen/templates/deployment.yaml new file mode 100644 index 0000000000..e1fcd235c5 --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/templates/deployment.yaml 
@@ -0,0 +1,120 @@ +{{/* +# Copyright (C) 2018 AT&T Intellectual Property. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - name: {{ include "common.name" . }}-readiness + command: + - /app/ready.py + args: +{{- if .Values.global.mariadbGalera.localCluster }} + - --service-name + - {{ include "common.mariadbService" . }} +{{- else }} + - --job-name + - {{ include "common.release" . }}-{{ index .Values "mariadb-init" "nameOverride" }}-config-job +{{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }} + command: + - bash + args: + - '-c' + - 'export POL_BASIC_AUTH=`echo -n $POL_BASIC_AUTH_USER:$POL_BASIC_AUTH_PASSWORD | base64`; /startService.sh' + image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: SPRING_PROFILE + value: "{{ .Values.config.springProfile }}" + - name: NENG_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "login") | indent 10}} + - name: NENG_DB_PASS + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "neng-db-secret" "key" "password") | indent 10}} + - name: NENG_DB_URL + value: jdbc:mysql://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-init" "config" "mysqlDatabase" }} + - name: POL_CLIENT_AUTH + value: "{{ .Values.config.polClientAuth }}" + - name: POL_BASIC_AUTH_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "login") | indent 10}} + - name: POL_BASIC_AUTH_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "password") | indent 10}} + - name: POL_URL + {{- if (include "common.needTLS" .) }} + value: "{{ .Values.config.polUrl.https }}" + {{- else }} + value: "{{ .Values.config.polUrl.http }}" + {{- end }} + - name: POL_ENV + value: "{{ .Values.config.polEnv }}" + - name: POL_REQ_ID + value: "{{ .Values.config.polReqId }}" + - name: AAI_CERT_PASS + value: "{{ .Values.config.aaiCertPass }}" + - name: AAI_CERT_PATH + value: "{{ .Values.config.aaiCertPath }}" + - name: AAI_URI + {{- if (include "common.needTLS" .) }} + value: "{{ .Values.config.aaiUri.https }}" + {{- else }} + value: "{{ .Values.config.aaiUri.http }}" + {{- end }} + - name: AAI_AUTH + value: "{{ .Values.config.aaiAuth }}" + - name: DISABLE_HOST_VERIFICATION + value: "{{ .Values.config.disableHostVerification }}" + volumeMounts: + - name: certs + mountPath: /opt/etc/config/aai_keystore + subPath: aai_keystore + readOnly: true + resources: {{ include "common.resources" . 
| nindent 10 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 10 }} + {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: certs + secret: + secretName: {{ include "common.release" . }}-aai-keystore + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/common/network-name-gen/templates/secrets.yaml b/kubernetes/sdnc/components/network-name-gen/templates/secrets.yaml similarity index 100% rename from kubernetes/common/network-name-gen/templates/secrets.yaml rename to kubernetes/sdnc/components/network-name-gen/templates/secrets.yaml diff --git a/kubernetes/sdnc/components/network-name-gen/templates/service.yaml b/kubernetes/sdnc/components/network-name-gen/templates/service.yaml new file mode 100644 index 0000000000..aac71f7eb3 --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/templates/service.yaml 
@@ -0,0 +1,43 @@ +{{/* +# Copyright (C) 2018 AT&T Intellectual Property. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "common.servicename" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +spec: + type: {{ .Values.service.type }} + ports: + {{if eq .Values.service.type "NodePort" -}} + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} + name: {{ .Values.service.portName }} + {{- else -}} + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.service.internalPort }} + name: {{ .Values.service.portName }} + {{- end}} + selector: + app.kubernetes.io/name: {{ include "common.name" . }} + app.kubernetes.io/instance: {{ include "common.release" . }} + diff --git a/kubernetes/sdnc/components/network-name-gen/values.yaml b/kubernetes/sdnc/components/network-name-gen/values.yaml new file mode 100644 index 0000000000..9d6a0aef5c --- /dev/null +++ b/kubernetes/sdnc/components/network-name-gen/values.yaml 
@@ -0,0 +1,136 @@ +# Copyright (C) 2018 AT&T Intellectual Property. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# Global configuration default values that can be inherited by +# all subcharts. +################################################################# +global: + + # Change to an unused port prefix range to prevent port conflicts + # with other instances running within the same k8s cluster + nodePortPrefix: 302 + + # image pull policy + pullPolicy: IfNotPresent + + mariadbGalera: &mariadbGalera + # flag to enable the DB creation via mariadb-operator + useOperator: true + localCluster: false + service: &dbService mariadb-galera + internalPort: &dbPort 3306 + nameOverride: mariadb-galera + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: neng-db-secret + name: &dbUserSecretName '{{ include "common.release" . }}-neng-db-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.externalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + - uid: pol-basic-auth-secret + name: '{{ include "common.release" . }}-pol-basic-auth-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.polBasicAuthSecret) . 
}}' + login: '{{ .Values.config.polBasicAuthUser }}' + password: '{{ .Values.config.polBasicAuthPassword }}' + +mariadb-init: + config: + userCredentialsExternalSecret: *dbUserSecretName + mysqlDatabase: nengdb + nameOverride: nengdb-init + mariadb-galera: + nameOverride: *dbService + service: + internalPort: *dbPort + serviceAccount: + nameOverride: nengdb-init + +################################################################# +# Application configuration defaults. +################################################################# +# application image +image: onap/ccsdk-apps-ms-neng:1.4.0 +pullPolicy: IfNotPresent + +# application configuration +config: + db: + userName: nenguser + # userPassword: password + # userCredentialsExternalSecret: some-secret + springProfile: live + polClientAuth: cHl0aG9uOnRlc3Q= + polBasicAuthUser: healthcheck + polBasicAuthPassword: zb!XztG34 + polUrl: + https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision + http: http://policy-xacml-pdp:6969/policy/pdpx/v1/decision + polEnv: TEST + polReqId: xx + disableHostVerification: true + aaiCertPass: changeit + aaiCertPath: /opt/etc/config/aai_keystore + aaiAuth: QUFJOkFBSQ== + aaiUri: + https: https://aai:8443/aai/v14/ + http: http://aai:80/aai/v14/ + +# default number of instances +replicaCount: 1 + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + initialDelaySeconds: 10 + periodSeconds: 10 + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: false + +readiness: + initialDelaySeconds: 10 + periodSeconds: 10 + +service: + type: ClusterIP + name: neng-serv + portName: http + internalPort: 8080 + externalPort: 8080 + +ingress: + enabled: false + +resources: {} + +podAnnotations: + # Workarround to exclude K8S API from istio communication + # as init-container (readinessCheck) does not work with the + # Istio CNI plugin, see: + # 
(https://istio.io/latest/docs/setup/additional-setup/cni/#compatibility-with-application-init-containers) + traffic.sidecar.istio.io/excludeOutboundPorts: "443" + +#Pods Service Account +serviceAccount: + nameOverride: network-name-gen + roles: + - read diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml index 924d5e4e0a..a9abeef711 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: SDN-C Ansible Server name: sdnc-ansible-server -version: 12.0.0 +version: 15.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdnc/components/sdnc-ansible-server/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file 
diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml index 51263cf410..f558b71125 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/templates/deployment.yaml @@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -53,7 +50,7 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} env: - name: NAMESPACE @@ -64,6 +61,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} command: ["/bin/bash"] @@ -71,8 +75,7 @@ spec: image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 12 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{ if .Values.liveness.enabled }} @@ -88,9 +91,6 @@ spec: initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.config.configDir }}/RestServer_config name: config subPath: RestServer_config 
@@ -103,9 +103,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config-input configMap: name: {{ include "common.fullname" . }} @@ -113,5 +110,4 @@ spec: - name: config emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml index 3543044eaf..fe45159c64 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/templates/service.yaml @@ -14,22 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.service.name }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - selector: - app.kubernetes.io/name: {{ include "common.name" . }} - app.kubernetes.io/instance: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml index ee5d498f56..05300f116a 100644 --- a/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml +++ b/kubernetes/sdnc/components/sdnc-ansible-server/values.yaml 
@@ -18,6 +18,8 @@ global: nodePortPrefix: 302 mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false @@ -49,7 +51,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-ansible-server-image:2.4.1 +image: onap/sdnc-ansible-server-image:3.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -78,6 +80,9 @@ mariadb-galera: persistence: enabled: true mountSubPath: ansible-server/maria/data + mariadbOperator: + galera: + enabled: false # default number of instances replicaCount: 1 @@ -101,13 +106,18 @@ readiness: service: type: ClusterIP name: sdnc-ansible-server - portName: http internalPort: 8000 - externalPort: 8000 + ports: + - name: http + port: 8000 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + #Resource Limit flavor -By default using small flavor: small @@ -116,18 +126,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.5 - memory: 500Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/components/sdnc-prom/Chart.yaml b/kubernetes/sdnc/components/sdnc-prom/Chart.yaml index 65382edcc5..85bfb265b1 100644 --- a/kubernetes/sdnc/components/sdnc-prom/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/Chart.yaml 
@@ -17,15 +17,15 @@ apiVersion: v2 description: ONAP SDNC Policy Driven Ownership Management name: sdnc-prom -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh index c36d2e3e9f..e579e62231 100755 --- a/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh @@ -19,7 +19,7 @@ set -e primary=${SDNC_IS_PRIMARY_CLUSTER:-true} -url=http://sdnc:8282/restconf/operations/cluster-admin:change-member-voting-states-for-all-shards +url=http://sdnc:8282/rests/operations/cluster-admin:change-member-voting-states-for-all-shards username="${ODL_USERNAME:-{{.Values.odl.restconf.username}}}" password="${ODL_PASSWORD:-{{.Values.odl.restconf.password}}}" LOGFILE="/app/geo.log" diff --git a/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml index 803434cf09..7562a97929 100644 --- a/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/templates/deployment.yaml @@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: 1 selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -30,9 +27,9 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - sdnc - - --container-name + - --service-name - consul env: - name: NAMESPACE 
@@ -43,6 +40,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -53,9 +57,6 @@ spec: workingDir: "/app" command: [ "bin/prom.sh" ] volumeMounts: - - name: localtime - mountPath: /etc/localtime - readOnly: true - name: prom-config mountPath: /app/config - name: prom-scripts @@ -71,9 +72,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: prom-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -88,5 +86,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - imagePullSecrets: - - name: {{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/sdnc-prom/values.yaml b/kubernetes/sdnc/components/sdnc-prom/values.yaml index eb11d646b3..e52bc24a2d 100644 --- a/kubernetes/sdnc/components/sdnc-prom/values.yaml +++ b/kubernetes/sdnc/components/sdnc-prom/values.yaml @@ -93,7 +93,22 @@ persistence: ingress: enabled: false -resources: {} +resources: + small: + limits: + cpu: "1" + memory: "500Mi" + requests: + cpu: "0.5" + memory: "500Mi" + large: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "1Gi" + unlimited: {} #Pods Service Account serviceAccount: diff --git a/kubernetes/sdnc/components/sdnc-web/Chart.yaml b/kubernetes/sdnc/components/sdnc-web/Chart.yaml index 43c53c6ea5..cf46600161 100644 --- a/kubernetes/sdnc/components/sdnc-web/Chart.yaml +++ b/kubernetes/sdnc/components/sdnc-web/Chart.yaml 
@@ -16,18 +16,15 @@ apiVersion: v2 description: SDN-C Web Server name: sdnc-web -version: 12.0.0 +version: 15.1.0 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/sdnc-web/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/sdnc-web/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdnc/components/sdnc-web/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml b/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml index 03432d3b63..90632820e7 100644 --- a/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml +++ b/kubernetes/sdnc/components/sdnc-web/templates/deployment.yaml 
@@ -23,14 +23,14 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "common.certInitializer.initContainer" . | indent 6 }} + initContainers: - name: {{ include "common.name" . }}-readiness image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /app/ready.py args: - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} env: - name: NAMESPACE @@ -38,6 +38,13 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} 
@@ -49,34 +56,26 @@ spec: {{ if .Values.liveness.enabled }} livenessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} readinessProbe: tcpSocket: - port: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.service.internalPort .Values.service.internalPlainPort }} + port: {{ .Values.service.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: - name: WEBPROTOCOL - value: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.webProtocol .Values.config.webPlainProtocol }} + value: {{ .Values.config.webProtocol }} - name: WEBPORT - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.webPort .Values.config.webPlainPort | quote }} + value : {{ .Values.config.webPort | quote }} - name: SDNRPROTOCOL - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdnrProtocol .Values.config.sdnrPlainProtocol }} + value : {{ .Values.config.sdnrProtocol }} - name: SDNRHOST - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdnrHost .Values.config.sdnrPlainHost }}.{{ include "common.namespace" . }} + value : {{ .Values.config.sdnrHost }}.{{ include "common.namespace" . }} - name: SDNRPORT - value : {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdnrPort .Values.config.sdnrPlainPort | quote }} - {{ if (include "common.needTLS" .) 
}} - - name: SSL_CERT_DIR - value: {{ .Values.config.sslCertDir }} - - name: SSL_CERTIFICATE - value: {{ .Values.config.sslCertiticate }} - - name: SSL_CERTIFICATE_KEY - value: {{ .Values.config.sslCertKey }} - {{ end }} + value : {{ .Values.config.sdnrPort | quote }} {{ if .Values.config.transportpce.enabled }} - name: TRPCEURL value: {{ .Values.config.transportpce.transportpceUrl }} @@ -91,11 +90,8 @@ spec: value: "{{ .Values.config.oauth.enabled | default "false" }}" - name: ENABLE_ODLUX_RBAC value: "{{ .Values.config.oauth.odluxRbac.enabled | default "false" }}" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - + - name: SDNRWEBSOCKETPORT + value: "{{ .Values.sdnrWebsocketPort | default "8182" }}" resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} @@ -104,10 +100,4 @@ spec: affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: localtime - hostPath: - path: /etc/localtime - - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/sdnc-web/templates/ingress.yaml b/kubernetes/sdnc/components/sdnc-web/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/sdnc/components/sdnc-web/templates/ingress.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/sdnc/components/sdnc-web/templates/service.yaml b/kubernetes/sdnc/components/sdnc-web/templates/service.yaml index 216073eee6..b4b437ccfe 100644 --- a/kubernetes/sdnc/components/sdnc-web/templates/service.yaml +++ b/kubernetes/sdnc/components/sdnc-web/templates/service.yaml @@ -13,5 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{- include "common.service" . -}} +{{ include "common.service" . }} diff --git a/kubernetes/sdnc/components/sdnc-web/values.yaml b/kubernetes/sdnc/components/sdnc-web/values.yaml index 979698ffef..f15c4569d9 100644 --- a/kubernetes/sdnc/components/sdnc-web/values.yaml +++ b/kubernetes/sdnc/components/sdnc-web/values.yaml 
@@ -16,31 +16,22 @@ # Global configuration defaults. ################################################################# global: - aafEnabled: true nodePortPrefix: 322 - k8scluster: svc.cluster.local + ################################################################# # Application configuration defaults. ################################################################# # application image -image: "onap/sdnc-web-image:2.4.1" +image: "onap/sdnc-web-image:3.1.0" pullPolicy: Always config: sdncChartName: sdnc - webProtocol: HTTPS - webPlainProtocol: HTTP - webPort: 8443 - webPlainPort: 8080 - sdnrProtocol: https - sdnrPlainProtocol: http + webProtocol: HTTP + webPort: 8080 + sdnrProtocol: http sdnrHost: "sdnc" - sdnrPlainHost: "sdnc" - sdnrPort: "8443" - sdnrPlainPort : "8080" - sslCertDir: "/opt/app/osaaf/local/certs" - sslCertiticate: "cert.pem" - sslCertKey: "key.pem" + sdnrPort: "8282" oauth: enabled: false odluxRbac: 
@@ -53,30 +44,6 @@ config: topologyserverUrl: http://toplogy-api-service.topology:3001 tileserverUrl: https://tile.openstreetmap.org - -################################################################# -# aaf configuration defaults. -################################################################# -certInitializer: - nameOverride: sdnc-web-cert-initializer - fqdn: "sdnc" - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqi_namespace: "org.onap.sdnc" - public_fqdn: "sdnc.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: | - cd /opt/app/osaaf/local - mkdir -p certs - keytool -exportcert -rfc -file certs/cacert.pem -keystore {{ .Values.fqi_namespace }}.trust.jks -alias ca_local_0 -storepass $cadi_truststore_password - openssl pkcs12 -in {{ .Values.fqi_namespace }}.p12 -out certs/cert.pem -passin pass:$cadi_keystore_password_p12 -passout pass:$cadi_keystore_password_p12 - cp {{ .Values.fqi_namespace }}.key certs/key.pem - chmod -R 755 certs - # default number of instances replicaCount: 1 @@ -98,22 +65,27 @@ readiness: service: name: sdnc-web - suffix: service type: NodePort - sessionAffinity: ClientIP # for liveness and readiness probe only # internalPort: - internalPort: 8443 - internalPlainPort: 8080 + internalPort: 8080 ports: - - name: http-sdnc-web - port: "8443" - plain_port: "8080" - port_protocol: http + - name: http + port: "8080" nodePort: "05" -#ingress: -# enabled: false +ingress: + enabled: false + service: + - baseaddr: "sdnc-web-ui" + name: "sdnc-web" + port: 8080 + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: istio-ingress + namespace: istio-ingress #Resource limit flavor -By default using small flavor: small 
@@ -121,18 +93,18 @@ flavor: small resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "500Mi" requests: - cpu: 0.5 - memory: 500Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "1Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/components/ueb-listener/Chart.yaml b/kubernetes/sdnc/components/ueb-listener/Chart.yaml index d30c30e8db..53ba47d093 100644 --- a/kubernetes/sdnc/components/ueb-listener/Chart.yaml +++ b/kubernetes/sdnc/components/ueb-listener/Chart.yaml @@ -17,15 +17,15 @@ apiVersion: v2 description: SDNC UEB Listener name: ueb-listener -version: 12.0.0 +version: 15.1.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/sdnc/components/ueb-listener/resources/config/log4j2.xml b/kubernetes/sdnc/components/ueb-listener/resources/config/log4j2.xml new file mode 100644 index 0000000000..d0c1f718b5 --- /dev/null +++ b/kubernetes/sdnc/components/ueb-listener/resources/config/log4j2.xml @@ -0,0 +1,25 @@ + + + + $${env:LOGDIR:-logs} + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties b/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties index 45a80af8a6..580e939f70 100644 --- a/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties +++ b/kubernetes/sdnc/components/ueb-listener/resources/config/ueb-listener.properties 
@@ -1,17 +1,15 @@ -{{- if (include "common.needTLS" .) }} -org.onap.ccsdk.sli.northbound.uebclient.asdc-address=sdc-be.{{.Release.Namespace}}:8443 -{{- else }} -org.onap.ccsdk.sli.northbound.uebclient.asdc-address=sdc-be.{{.Release.Namespace}}:8080 +org.onap.ccsdk.sli.northbound.uebclient.sdc-address=sdc-be.{{.Release.Namespace}}:8080 org.onap.ccsdk.sli.northbound.uebclient.use-https=false +{{- with (first .Values.kafkaUser.acls) }} +org.onap.ccsdk.sli.northbound.uebclient.consumer-group={{ .name }} +org.onap.ccsdk.sli.northbound.uebclient.consumer-id={{ .name }}-sdc-listener {{- end }} -org.onap.ccsdk.sli.northbound.uebclient.consumer-group=sdc-OpenSource-Env1-sdnc-dockero -org.onap.ccsdk.sli.northbound.uebclient.consumer-id=sdc-COpenSource-Env11-sdnc-dockero org.onap.ccsdk.sli.northbound.uebclient.environment-name=AUTO org.onap.ccsdk.sli.northbound.uebclient.password=${UEB_PASSWORD} org.onap.ccsdk.sli.northbound.uebclient.user=${UEB_USER} org.onap.ccsdk.sli.northbound.uebclient.sdnc-user=${ODL_USER} org.onap.ccsdk.sli.northbound.uebclient.sdnc-passwd=${ODL_PASSWORD} -org.onap.ccsdk.sli.northbound.uebclient.asdc-api-base-url=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/restconf/operations/ +org.onap.ccsdk.sli.northbound.uebclient.asdc-api-base-url=http://sdnc.{{.Release.Namespace}}:{{.Values.config.sdncPort}}/rests/operations/ org.onap.ccsdk.sli.northbound.uebclient.asdc-api-namespace=org:onap:ccsdk org.onap.ccsdk.sli.northbound.uebclient.spool.incoming=/opt/onap/sdnc/ueb-listener/spool/incoming org.onap.ccsdk.sli.northbound.uebclient.spool.archive=/opt/onap/sdnc/ueb-listener/spool/archive 
@@ -24,4 +22,3 @@ org.onap.ccsdk.sli.northbound.uebclient.keystore-path= org.onap.ccsdk.sli.northbound.uebclient.keystore-password= org.onap.ccsdk.sli.northbound.uebclient.xslt-path-list=/opt/onap/sdnc/ueb-listener/lib/normalizeTagNames.xslt,/opt/onap/sdnc/ueb-listener/lib/removeNs.xslt org.onap.ccsdk.sli.northbound.uebclient.artifact-map=/opt/onap/sdnc/data/properties/artifact.map -org.onap.ccsdk.sli.northbound.uebclient.msg-bus-address=message-router.{{.Release.Namespace}},message-router.{{.Release.Namespace}} diff --git a/kubernetes/sdnc/components/ueb-listener/templates/authorizationpolicy.yaml b/kubernetes/sdnc/components/ueb-listener/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/sdnc/components/ueb-listener/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml b/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml index a23a6af460..1a6efe4c41 100644 --- a/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml +++ b/kubernetes/sdnc/components/ueb-listener/templates/deployment.yaml 
@@ -18,9 +18,6 @@ apiVersion: apps/v1 kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} template: @@ -56,14 +53,12 @@ spec: - command: - /app/ready.py args: - - --container-name + - --service-name - {{ include "common.mariadbService" . }} - - --container-name + - --service-name - {{ .Values.config.sdncChartName }} - - --container-name + - --service-name - {{ .Values.config.sdcbeChartName }} - - --container-name - - {{ .Values.config.msgRouterContainerName }} env: - name: NAMESPACE valueFrom: @@ -73,6 +68,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - command: - /opt/onap/sdnc/ueb-listener/bin/start-ueb-listener.sh @@ -86,17 +88,23 @@ spec: value: "{{ .Values.config.configDir }}" - name: LOG4J_FORMAT_MSG_NO_LOOKUPS value: "true" + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: {{ .Values.config.configDir }}/dblib.properties name: properties subPath: dblib.properties - mountPath: {{ .Values.config.configDir }}/ueb-listener.properties name: properties subPath: ueb-listener.properties + - mountPath: {{ .Values.config.configDir }}/log4j2.xml + name: properties + subPath: log4j2.xml resources: {{ include "common.resources" . | nindent 10 }} + ports: {{ include "common.containerPorts" . | nindent 10 }} {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }} {{- end }} 
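Review bot: The `SASL_JAAS_CONFIG` secret reference in the env block is assembled by hand as `{{ include "common.name" . }}-ku`, while the KafkaUser itself is rendered by `common.kafkauser` and the name it produces is not visible in this diff. If the two ever diverge, for example because the helper uses a release-prefixed name, the container will not start and the pod will sit in CreateContainerConfigError. Deriving the secret name from the same helper that names the KafkaUser would remove that coupling. The same hunk mounts `log4j2.xml` by subPath from the `properties` volume; please confirm the config-input ConfigMap actually ships that file, since nothing in this diff adds it.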
@@ -105,9 +113,6 @@ spec: {{- end }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: config-input configMap: name: {{ include "common.fullname" . }} @@ -115,5 +120,4 @@ spec: - name: properties emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/sdnc/components/ueb-listener/templates/kafkauser.yaml b/kubernetes/sdnc/components/ueb-listener/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/sdnc/components/ueb-listener/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/sdnc/components/ueb-listener/templates/service.yaml b/kubernetes/sdnc/components/ueb-listener/templates/service.yaml index 728ba05046..77b0d878c1 100644 --- a/kubernetes/sdnc/components/ueb-listener/templates/service.yaml +++ b/kubernetes/sdnc/components/ueb-listener/templates/service.yaml 
@@ -14,17 +14,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: -spec: - type: ClusterIP - clusterIP: None +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/sdnc/components/ueb-listener/values.yaml b/kubernetes/sdnc/components/ueb-listener/values.yaml index 7c85f39fcc..81c7f50ecc 100644 --- a/kubernetes/sdnc/components/ueb-listener/values.yaml +++ b/kubernetes/sdnc/components/ueb-listener/values.yaml @@ -18,6 +18,8 @@ global: nodePortPrefix: 302 mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false @@ -55,7 +57,7 @@ secrets: # Application configuration defaults. ################################################################# # application image -image: onap/sdnc-ueb-listener-image:2.4.1 +image: onap/sdnc-ueb-listener-image:3.1.0 pullPolicy: Always # flag to enable debugging - application support required @@ -92,6 +94,9 @@ mariadb-galera: persistence: enabled: true mountSubPath: ueb-listener/maria/data + mariadbOperator: + galera: + enabled: false # default number of instances replicaCount: 1 
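Review bot: The new `mariadbOperator.galera.enabled: false` under `mariadb-galera` has no comment, while an earlier hunk in this same file sets `global.mariadbGalera.useOperator: true`. From the values alone it is not clear how the two flags relate or why they point in opposite directions for this chart. A one-line comment, like the one added for `useOperator`, would make the intended behaviour reviewable.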
@@ -113,29 +118,49 @@ readiness: periodSeconds: 10 service: + type: ClusterIP name: sdnc-ueb-listener + internalPort: 80 + ports: + - name: http + port: 80 + +# Strimzi KafkaUser definition +kafkaUser: + acls: + - name: sdnc + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: [] + #Resource limit flavor -By default using small flavor: small #Segregation for different environment (small and large) resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 0.5 - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} #Pods Service Account diff --git a/kubernetes/sdnc/resources/config/bin/createSdnrDb.sh b/kubernetes/sdnc/resources/config/bin/createSdnrDb.sh new file mode 100644 index 0000000000..28c703b1bd --- /dev/null +++ b/kubernetes/sdnc/resources/config/bin/createSdnrDb.sh 
@@ -0,0 +1,30 @@ +#!/bin/sh + +### +# ============LICENSE_START======================================================= +# ONAP : SDN-C +# ================================================================================ +# Copyright (C) 2023 highstreet technologies Intellectual Property. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +### + +echo "Create '${SDNRDBDATABASE}' and user '${SDNRDBUSERNAME}' within maria-galera database cluster" +root_user=root +mysql -v -v -u $root_user -p${MYSQL_ROOT_PASSWORD} -Bse "\ +CREATE DATABASE IF NOT EXISTS ${SDNRDBDATABASE}; \ +CREATE USER IF NOT EXISTS ${SDNRDBUSERNAME}@'%' IDENTIFIED BY '${SDNRDBPASSWORD}'; \ +GRANT ALL PRIVILEGES ON ${SDNRDBDATABASE}.* TO '${SDNRDBUSERNAME}'@'%'; \ +FLUSH PRIVILEGES; " + diff --git a/kubernetes/sdnc/resources/config/conf/aaiclient.properties b/kubernetes/sdnc/resources/config/conf/aaiclient.properties index 5108a9d005..f7694d5b3f 100755 --- a/kubernetes/sdnc/resources/config/conf/aaiclient.properties +++ b/kubernetes/sdnc/resources/config/conf/aaiclient.properties 
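Review bot: In createSdnrDb.sh the root password is passed on the command line as `-p${MYSQL_ROOT_PASSWORD}`, which exposes it in the process list of the container, and `-v -v` asks the client to echo the statements it runs, which would put the `IDENTIFIED BY '${SDNRDBPASSWORD}'` clause into the job log. Passing the credentials through a client option file and dropping the verbose flags would avoid both. The SQL is also built by shell interpolation with no quoting or validation: `${SDNRDBDATABASE}` is used as a bare identifier, `${SDNRDBUSERNAME}` is unquoted in CREATE USER but quoted in GRANT, and a password containing a single quote breaks out of the string literal. Quote the identifiers consistently and restrict the accepted characters for these three values before they reach the statement. Finally, `GRANT ALL PRIVILEGES` to the user at host `'%'` is broader than a single application schema user usually needs; consider narrowing the privilege list.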
@@ -38,11 +38,7 @@ org.onap.ccsdk.sli.adaptors.aai.application=openECOMP # # Configuration file for A&AI Client # -{{- if (include "common.needTLS" .) }} -org.onap.ccsdk.sli.adaptors.aai.uri=https://aai.{{.Release.Namespace}}:8443 -{{- else }} org.onap.ccsdk.sli.adaptors.aai.uri=http://aai.{{.Release.Namespace}}:80 -{{- end }} connection.timeout=60000 read.timeout=60000 @@ -59,8 +55,8 @@ org.onap.ccsdk.sli.adaptors.aai.update=/aai/v13/actions/update # UBB Notify org.onap.ccsdk.sli.adaptors.aai.path.notify=/aai/v13/actions/notify -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.fqdn=<%= @ubbUri %>/restconf/config/L3SDN-API:services/layer3-service-list/{service-instance-id} -org.onap.ccsdk.sli.adaptors.aai.notify.selflink.avpn=<%= @ubbUri %>/restconf/config/L3AVPN-EVC-API:services/service-list/{service-instance-id}/service-data/avpn-logicalchannel-information +org.onap.ccsdk.sli.adaptors.aai.notify.selflink.fqdn=<%= @ubbUri %>/rests/data/L3SDN-API:services/layer3-service-list/{service-instance-id} +org.onap.ccsdk.sli.adaptors.aai.notify.selflink.avpn=<%= @ubbUri %>/rests/data/L3AVPN-EVC-API:services/service-list/{service-instance-id}/service-data/avpn-logicalchannel-information # P-Interfaces org.onap.ccsdk.sli.adaptors.aai.path.pserver.pinterfaces=/aai/v13/cloud-infrastructure/pservers/pserver/{hostname}/p-interfaces diff --git a/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties b/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties index 4ce1851658..ada4d7b1cc 100644 --- a/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties +++ b/kubernetes/sdnc/resources/config/conf/blueprints-processor-adaptor.properties 
@@ -34,4 +34,4 @@ org.onap.ccsdk.features.blueprints.adaptors.restconf.type=generic org.onap.ccsdk.features.blueprints.adaptors.restconf.enable=true org.onap.ccsdk.features.blueprints.adaptors.restconf.user=${RESTCONF_USER} org.onap.ccsdk.features.blueprints.adaptors.restconf.passwd=${RESTCONF_PASSWORD} -org.onap.ccsdk.features.blueprints.adaptors.restconf.url=http://sdnc:8282/restconf/ +org.onap.ccsdk.features.blueprints.adaptors.restconf.url=http://sdnc:8282/rests/ diff --git a/kubernetes/sdnc/resources/config/conf/generic-resource-api-dg.properties b/kubernetes/sdnc/resources/config/conf/generic-resource-api-dg.properties new file mode 100644 index 0000000000..89b9c1c45b --- /dev/null +++ b/kubernetes/sdnc/resources/config/conf/generic-resource-api-dg.properties 
@@ -0,0 +1,106 @@ +restapi.templateDir=/opt/onap/sdnc/restapi/templates +controller.url=http://localhost:8181 +controller.user=${ODL_USER} +controller.pwd=${ODL_PASSWORD} +honeycomb.url=http://{honeycomb-instance-ip}:8183 +honeycomb.user=${HONEYCOMB_USER} +honeycomb.pwd=${HONEYCOMB_PASSWORD} +restapi.trustStoreFileName=/opt/onap/sdnc/data/stores/truststore.openecomp.client.jks +restapi.trustStorePassword=${TRUSTSTORE_PASSWORD} +restapi.keyStoreFileName=/opt/onap/sdnc/data/stores/sdnc.p12 +restapi.keyStorePassword=${KEYSTORE_PASSWORD} +restapi.connection-oof-url=http://oof-osdf:8698/api/oof/v1/route +naming.gen-name.url=http://neng-serv:8080 +naming.gen-name.user=${NENG_NAME} +naming.gen-name.pwd=${NENG_PASSWORD} +so.user=${SO_USER} +so.pwd=${SO_PASSWORD} +cds.url=http://cds-blueprints-processor-http:8080 +cds.user=${CDS_USER} +cds.pwd=${CDS_PASSWORD} + +# Templates +restapi.sz.templatefile=security-zone-allotted-resource.json +restapi.cr.templatefile=contrail-route-allotted-resource.json +restapi.brg.templatefile=brg-allotted-resource.json +restapi.vpp.vxlan-tunnel.templatefile=vcpe-vxlan-tunnel.json +restapi.vpp.bridge-domain.templatefile=vcpe-vpp-bridge-domain.json +restapi.vpp.xconnect.templatefile=vcpe-l2-interface.json +restapi.tx.templatefile=tunnelxconn-allotted-resource.json +restapi.parentsvc.templatefile=parent-provided-allotted-resource.json +restapi.network-ar.templatefile=network-provided-allotted-resources.json +restapi.vnf-ar.templatefile=vnf-provided-allotted-resources.json +restapi.services.templatefile=vcpe-services-service.json +restapi.services.vnf.vfmodule.templatefile=vfmodule-vim-parameters.vgw.json +restapi.sotn-attachment.templatefile=sotn-attachment-allotted-resource.json +restapi.sdwan-attachment.templatefile=sdwan-attachment-allotted-resource.json +restapi.oof-getpath.templatefile=oof-getpath.json +restapi.transport-slice-creation.templatefile=ts-allocate-tn-slice.json 
+restapi.transport-sliceA-list-creation.templatefile=ts-allocate-tn-sliceA-list.json +restapi.transport-sliceB-list-creation.templatefile=ts-allocate-tn-sliceB-list.json +restapi.transport-sliceG-list-creation.templatefile=ts-allocate-tn-sliceG-list.json +restapi.ts-otn-src-domain-creation.templatefile=ts-otn-tunnel-src-domain.json +restapi.ts-otn-dst-domain-creation.templatefile=ts-otn-tunnel-dst-domain.json +restapi.ts-otn-domainG-creation.templatefile=ts-otn-tunnel-domainG.json +restapi.ts-ethernet-service.templatefile=ts-ethernet-service.json +restapi.ts-coloring-uni-port.templatefile=ts-coloring-uni-port.json +restapi.p2p-otn-src-domain-creation.templatefile=p2p-otn-tunnel-src-domain.json +restapi.p2p-otn-dst-domain-creation.templatefile=p2p-otn-tunnel-dst-domain.json +restapi.p2p-otn-domainG-creation.templatefile=p2p-otn-tunnel-domainG.json +restapi.p2p-ethernet-service.templatefile=p2p-ethernet-service.json +restapi.p2p-ethernet-service-vlan.templatefile=p2p-ethernet-service-vlan.json +restapi.p2p-ethernet-service-same-domain.templatefile=p2p-ethernet-service-same-domain.json +restapi.p2p-ethernet-service-modify.templatefile=p2p-ethernet-service-modify.json +restapi.p2p-subscribe-notification.templatefile=p2p-subscribe-notification.json +restapi.p2p-terminate-notification.templatefile=p2p-terminate-notification.json +restapi.p2p-create-pm-data.templatefile=p2p-create-pm-data.json +restapi.p2p-call-ves.templatefile=p2p-call-ves.json +restapi.cll-ethernet-service-loop.templatefile=cll-ethernet-service-loop.json +restapi.cll-ethernet-service-loop-protection.templatefile=cll-ethernet-service-loop-protection.json +restapi.cll-otn-src-domain-creation.templatefile=cll-otn-tunnel-src-domain.json +restapi.cll-otn-dst-domain-creation.templatefile=cll-otn-tunnel-dst-domain.json +restapi.cll-otn-domainG-creation.templatefile=cll-otn-tunnel-domainG.json +restapi.cll-subscribe-notification.templatefile=cll-subscribe-notification.json 
+restapi.cll-terminate-notification.templatefile=cll-terminate-notification.json +restapi.cll-create-pm-data.templatefile=cll-create-pm-data.json +restapi.cll-call-ves.templatefile=cll-call-ves.json +restapi.naming.gen-name.templatefile=naming-ms-post-gen-name.json +restapi.ss.pnf.templatefile=self-serve-pnf-assignments.json +restapi.ss.vnf.templatefile=self-serve-vnf-assignments.json +restapi.ss.vfmodule.templatefile=self-serve-vfmodule-assignments.json +restapi.ss.mS.vlan.tag.assign.templatefile=self-serve-mS-vlan-tag-assignments.json +restapi.ss.mS.vlan.tag.unassign.templatefile=self-serve-mS-vlan-tag-unassignments.json +restapi.ss.mS.mac.address.assign.templatefile=self-serve-mS-mac-address-assign.json +restapi.ss.mS.mac.address.unassign.templatefile=self-serve-mS-mac-address-unassign.json + +# Default cloud owner +cloud-region.cloud-owner=CloudOwner + +# URLs +restapi.cr-allottedresource=/rests/data/GENERIC-RESOURCE-API:contrail-route-allotted-resources/contrail-route-allotted-resource={allotted-resource-id} +restapi.sz-allottedresource=/rests/data/GENERIC-RESOURCE-API:security-zone-allotted-resources/security-zone-allotted-resource={allotted-resource-id} +restapi.brg-allottedresource=/rests/data/GENERIC-RESOURCE-API:brg-allotted-resources/brg-allotted-resource={allotted-resource-id} +restapi.vpp-honeycomb=/rests/data/ietf-interfaces:interfaces/interface={tunnel-name} +restapi.tx-allottedresource=/rests/data/GENERIC-RESOURCE-API:tunnelxconn-allotted-resources/tunnelxconn-allotted-resource={allotted-resource-id} +restapi.vnf-provided-allottedresource=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}/vnf-data/vnf-provided-allotted-resources +restapi.network-provided-allottedresource=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}/vnf-data/vnf-provided-allotted-resources 
+restapi.pm-configuration=/rests/data/GENERIC-RESOURCE-API:port-mirror-configurations/port-mirror-configuration={configuration-id} +restapi.network=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/networks +restapi.vnf=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs +restapi.vnf-api.service-information=/rests/data/VNF-API:vnfs/vnf-list={vnf-id}/service-data +restapi.parent-provided-resource=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/provided-allotted-resources/provided-allotted-resource={allotted-resource-id} +restapi.network-provided-resource=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/networks/network={network-id}/network-data/network-provided-allotted-resources +restapi.services=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id} +restapi.service.vnf.vfmodule-resource=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}/vnf-data/vf-modules/vf-module={vf-module-id} +restapi.connection-attachment-allottedresource=/rests/data/GENERIC-RESOURCE-API:connection-attachment-allotted-resources/connection-attachment-allotted-resource={allotted-resource-id} +restapi.naming.gen-name.service=/web/service/v1/genNetworkElementName +restapi.ss-pnf-assignments=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/pnfs/pnf={pnf-id} +restapi.ss-vnf-assignments=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id} +restapi.ss-vfmodule-assignments=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}/vnf-data/vf-modules/vf-module={vf-module-id} +restapi.ss-mS-vlan-tag-assign=/vlantagapi/v1/{action} +restapi.ss-mS-mac-address-assign=/api/macaddress/v1/service/assign 
+restapi.ss-mS-mac-address-unassign=/api/macaddress/v1/service/unassign +restapi.preload-network=/rests/data/GENERIC-RESOURCE-API:preload-information/preload-list={network-name}/network/preload-data/preload-network-topology-information +restapi.preloadinformation=/rests/data/GENERIC-RESOURCE-API:preload-information/preload-list= +restapi.vf-module=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id}/vnf-data/vf-modules/vf-module={vf-module-id} +restapi.vnf-assign=/rests/data/GENERIC-RESOURCE-API:services/service={service-instance-id}/service-data/vnfs/vnf={vnf-id} \ No newline at end of file diff --git a/kubernetes/sdnc/resources/config/conf/lcm-dg.properties b/kubernetes/sdnc/resources/config/conf/lcm-dg.properties index 44ee0b998f..17dea78908 100644 --- a/kubernetes/sdnc/resources/config/conf/lcm-dg.properties +++ b/kubernetes/sdnc/resources/config/conf/lcm-dg.properties @@ -21,8 +21,8 @@ restapi.templateDir=/opt/onap/sdnc/restapi/templates #RESTCONF lcm.restconf.configscaleout.templatefile=lcm-restconf-configscaleout.json -lcm.restconf.configscaleout.urlpath=/restconf/config/vlb-business-vnf-onap-plugin:vlb-business-vnf-onap-plugin/vdns-instances/vdns-instance/ -lcm.restconf.configscaleout.geturlpath=/restconf/operational/health-vnf-onap-plugin:health-vnf-onap-plugin-state/health-check +lcm.restconf.configscaleout.urlpath=/rests/data/vlb-business-vnf-onap-plugin:vlb-business-vnf-onap-plugin/vdns-instances/vdns-instance/ +lcm.restconf.configscaleout.geturlpath=/rests/data/health-vnf-onap-plugin:health-vnf-onap-plugin-state/health-check lcm.restconf.configscaleout.user=${SCALEOUT_USER} lcm.restconf.configscaleout.password=${SCALEOUT_PASSWORD} lcm.restconf.user=${RESTCONF_USER} diff --git a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties index 303e504aa9..9e5e25443f 100644 
--- a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties +++ b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties 
@@ -1,43 +1,43 @@ [general] -dmaapEnabled={{.Values.config.sdnr.mountpointRegistrarEnabled | default "false"}} -{{ if .Values.global.aafEnabled }} -baseUrl=https://localhost:{{.Values.service.internalPort4}} -{{- else }} -baseUrl=http://localhost:{{.Values.service.internalPort}} -{{- end }} +baseUrl=http://{{.Values.service.name}}.{{.Release.Namespace}}:{{.Values.service.externalPort}} sdnrUser=${ODL_ADMIN_USERNAME} sdnrPasswd=${ODL_ADMIN_PASSWORD} +[strimzi-kafka] +strimziEnabled=${SDNR_KAFKA_ENABLED} +bootstrapServers=${SDNR_KAFKA_BOOTSTRAP_SERVERS} +securityProtocol=${SDNR_KAFKA_SECURITY_PROTOCOL} +saslMechanism=${SDNR_KAFKA_SASL_MECHANISM} +saslJaasConfig=${SDNR_KAFKA_SASL_JASS_CONFIG} + [fault] -faultConsumerClass=org.onap.ccsdk.features.sdnr.wt.mountpointregistrar.impl.DMaaPFaultVESMsgConsumer -TransportType=HTTPNOAUTH -host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}} -{{- if .Values.config.sdnr.dmaapProxy.enabled }} -{{- if .Values.config.sdnr.dmaapProxy.usepwd }} -jersey.config.client.proxy.username=${DMAAP_HTTP_PROXY_USERNAME} -jersey.config.client.proxy.password=${DMAAP_HTTP_PROXY_PASSWORD} -{{- end }} -jersey.config.client.proxy.uri={{ .Values.config.sdnr.dmaapProxy.url }} -{{- end }} topic=unauthenticated.SEC_FAULT_OUTPUT -contenttype=application/json -group=myG -id=C1 +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 +limit=10000 +fetchPause=5000 + +[provisioning] +topic=unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 limit=10000 +fetchPause=5000 [pnfRegistration] -pnfRegConsumerClass=org.onap.ccsdk.features.sdnr.wt.mountpointregistrar.impl.DMaaPPNFRegVESMsgConsumer -TransportType=HTTPNOAUTH -host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}} -{{- if .Values.config.sdnr.dmaapProxy.enabled }} -{{- if .Values.config.sdnr.dmaapProxy.usepwd }} 
-jersey.config.client.proxy.username=${DMAAP_HTTP_PROXY_USERNAME} -jersey.config.client.proxy.password=${DMAAP_HTTP_PROXY_PASSWORD} -{{- end }} -jersey.config.client.proxy.uri={{ .Values.config.sdnr.dmaapProxy.url }} -{{- end }} topic=unauthenticated.VES_PNFREG_OUTPUT -contenttype=application/json -group=myG -id=C1 +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 +limit=10000 +fetchPause=5000 + +[stndDefinedFault] +topic=unauthenticated.SEC_3GPP_FAULTSUPERVISION_OUTPUT +consumerGroup={{.Values.config.sdnr.kafka.consumerGroupPrefix}} +consumerID=C1 +timeout=20000 limit=10000 +fetchPause=5000 diff --git a/kubernetes/sdnc/resources/env.yaml b/kubernetes/sdnc/resources/env.yaml index f02f8aef16..d1eec9b189 100644 --- a/kubernetes/sdnc/resources/env.yaml +++ b/kubernetes/sdnc/resources/env.yaml @@ -14,7 +14,7 @@ # limitations under the License. */}} -SDNC_AAF_ENABLED: "{{ .Values.global.aafEnabled }}" +SDNC_AAF_ENABLED: "false" SDNC_GEO_ENABLED: "{{ .Values.config.geoEnabled }}" SDNC_IS_PRIMARY_CLUSTER: "{{ .Values.config.isPrimaryCluster }}" SDNC_ODL_COUNT: "{{ .Values.replicaCount }}" diff --git a/kubernetes/sdnc/resources/geo/bin/switchVoting.sh b/kubernetes/sdnc/resources/geo/bin/switchVoting.sh index a276854d5c..0ff065666f 100755 --- a/kubernetes/sdnc/resources/geo/bin/switchVoting.sh +++ b/kubernetes/sdnc/resources/geo/bin/switchVoting.sh 
@@ -33,11 +33,11 @@ PASSWORD=`awk '/odlPassword/ {print $2}' $dir/../../../values.yaml | head -1` case "$1" in primary) - status=$(curl -u $USERNAME:$PASSWORD -o /dev/null -H "Content-Type: application/json" -H "Accept: application/json" -X POST http://localhost:30202/restconf/operations/cluster-admin:change-member-voting-states-for-all-shards -d '{ "input" : { "member-voting-state" : [ { "member-name" : "member-1", "voting":true}, { "member-name" : "member-2", "voting":true}, { "member-name" : "member-3", "voting":true},{ "member-name" : "member-4", "voting":false},{ "member-name" : "member-5", "voting":false},{ "member-name" : "member-6", "voting":false}] } }' -w "%{http_code}\n" $url 2> /dev/null) + status=$(curl -u $USERNAME:$PASSWORD -o /dev/null -H "Content-Type: application/json" -H "Accept: application/json" -X POST http://localhost:30202/rests/operations/cluster-admin:change-member-voting-states-for-all-shards -d '{ "input" : { "member-voting-state" : [ { "member-name" : "member-1", "voting":true}, { "member-name" : "member-2", "voting":true}, { "member-name" : "member-3", "voting":true},{ "member-name" : "member-4", "voting":false},{ "member-name" : "member-5", "voting":false},{ "member-name" : "member-6", "voting":false}] } }' -w "%{http_code}\n" $url 2> /dev/null) ;; secondary) - status=$(curl -u $USERNAME:$PASSWORD -o /dev/null -H "Content-Type: application/json" -H "Accept: application/json" -X POST http://localhost:30202/restconf/operations/cluster-admin:change-member-voting-states-for-all-shards -d '{ "input" : { "member-voting-state" : [ { "member-name" : "member-1", "voting":false}, { "member-name" : "member-2", "voting":false}, { "member-name" : "member-3", "voting":false},{ "member-name" : "member-4", "voting":true},{ "member-name" : "member-5", "voting":true},{ "member-name" : "member-6", "voting":true}] } }' -w "%{http_code}\n" $url 2> /dev/null) + status=$(curl -u $USERNAME:$PASSWORD -o /dev/null -H "Content-Type: application/json" -H 
"Accept: application/json" -X POST http://localhost:30202/rests/operations/cluster-admin:change-member-voting-states-for-all-shards -d '{ "input" : { "member-voting-state" : [ { "member-name" : "member-1", "voting":false}, { "member-name" : "member-2", "voting":false}, { "member-name" : "member-3", "voting":false},{ "member-name" : "member-4", "voting":true},{ "member-name" : "member-5", "voting":true},{ "member-name" : "member-6", "voting":true}] } }' -w "%{http_code}\n" $url 2> /dev/null) ;; *) diff --git a/kubernetes/sdnc/templates/authorizationpolicy.yaml b/kubernetes/sdnc/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..672ddf0b2f --- /dev/null +++ b/kubernetes/sdnc/templates/authorizationpolicy.yaml 
@@ -0,0 +1,61 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} +--- +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipalsSdnHosts := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipalsSdnHosts -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} +{{- if (include "common.useAuthorizationPolicies" .) }} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: sdnhost-{{ include "common.servicename" . }}-authz + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app: sdnhost-{{ include "common.name" . 
}} + action: ALLOW + rules: +{{- if $authorizedPrincipalsSdnHosts }} +{{- range $principal := $authorizedPrincipalsSdnHosts }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/kubernetes/sdnc/templates/job.yaml b/kubernetes/sdnc/templates/job.yaml index b6dc32b096..4a7ca8a2ab 100755 --- a/kubernetes/sdnc/templates/job.yaml +++ b/kubernetes/sdnc/templates/job.yaml @@ -25,6 +25,9 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: @@ -34,7 +37,7 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} - command: - sh args: 
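Review bot: In kubernetes/sdnc/templates/authorizationpolicy.yaml, when `authorizedPrincipalsSdnHosts` is unset the template still renders `action: ALLOW` followed by an empty `rules:` key, because the list defaults to empty and the `range` emits nothing. In Istio an ALLOW policy without rules matches no request, so with authorization policies enabled every request to the `sdnhost-` workloads is denied unless another ALLOW policy matches. If that default is intended it should be documented next to the value; otherwise wrap the whole resource in the `if $authorizedPrincipalsSdnHosts` check. The principal string also compares the namespace against the literal `"onap"` and only adds the release prefix in that case, which will produce the wrong service account name for a release installed in any other namespace; comparing against `include "common.namespace" .` would be safer.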
@@ -75,21 +78,6 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config - - - name: {{ include "common.name" . }}-readiness - command: - - /app/ready.py - args: - - --container-name - - {{ include "common.mariadbService" . }} - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -159,10 +147,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: docker-entrypoint-initdb-d emptyDir: {} - name: bin @@ -177,6 +163,5 @@ spec: emptyDir: medium: Memory restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} {{- end -}} diff --git a/kubernetes/sdnc/templates/kafkauser.yaml b/kubernetes/sdnc/templates/kafkauser.yaml new file mode 100644 index 0000000000..48c4754db8 --- /dev/null +++ b/kubernetes/sdnc/templates/kafkauser.yaml 
@@ -0,0 +1,18 @@ +{{/* +# Copyright © 2023 highstreet technologies GmbH +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ if .Values.config.sdnr.kafka.enabled }} +{{ include "common.kafkauser" . }} +{{ end }} diff --git a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml index 665e16c9f8..0b630e0aa8 100755 --- a/kubernetes/sdnc/templates/sdnrdb-init-job.yaml +++ b/kubernetes/sdnc/templates/sdnrdb-init-job.yaml 
@@ -16,30 +16,38 @@ {{ if .Values.config.sdnr.enabled -}} apiVersion: batch/v1 kind: Job -metadata: {{- include "common.resourceMetadata" (dict "suffix" "sdnrdb-init-job" "dot" . ) | nindent 2 }} +metadata: + name: {{ include "common.fullname" . }}-sdnrdb-init-job + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: metadata: {{ include "common.templateMetadata" . | indent 6}} spec: initContainers: - {{ include "common.certInitializer.initContainer" . | indent 6 }} - {{ if .Values.global.aafEnabled }} - - name: {{ include "common.name" . }}-chown - image: {{ include "repositoryGenerator.image.busybox" . }} - command: ["sh", "-c", "chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certInitializer.credsPath }}"] - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - {{ end }} - name: {{ include "common.name" . }}-readiness command: - /app/ready.py args: + {{- if .Values.config.sdnr.mariadb.enabled }} + - --service-name + - {{ include "common.mariadbService" . }} + {{- else }} - --container-name - {{.Values.elasticsearch.nameOverride}}-elasticsearch - --container-name - {{.Values.elasticsearch.nameOverride}}-nginx - --container-name - {{.Values.elasticsearch.nameOverride}}-master + {{- end }} env: - name: NAMESPACE valueFrom: 
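Review bot: the readiness init container chooses its wait target on `.Values.config.sdnr.mariadb.enabled` alone, so whenever that flag is false it waits for the three `{{.Values.elasticsearch.nameOverride}}-*` containers, including the case where `config.sdnr.elasticsearch.enabled` (which values.yaml feeds into `elasticsearch.enabled` through the `*esdbenabled` anchor) is also false. In that combination the job waits on containers that are never deployed. Guard the else branch with the elasticsearch flag, or fail the render when both backends are disabled.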
@@ -48,6 +56,13 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-sdnrdb-init-job image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} @@ -56,10 +71,13 @@ spec: args: - -c - | + {{- if .Values.config.sdnr.mariadb.enabled }} + "{{ .Values.config.binDir }}/createSdnrDb.sh"; + {{- end }} sleep 90; "{{ .Values.config.binDir }}/startODL.sh" env: - name: SDNC_AAF_ENABLED - value: "{{ .Values.global.aafEnabled}}" + value: "false" - name: SDNC_HOME value: "{{.Values.config.sdncHome}}" - name: ETC_DIR 
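Review bot: in the container `args` script, `createSdnrDb.sh` is chained with `;`, so a failed database creation is ignored and the job still runs `sleep 90` and `startODL.sh`. Unless the shell is started with `-e` (not visible in this hunk), chain with `&&` or check the exit code so the Job fails and is retried under `backoffLimit`. Separately, `SDNC_AAF_ENABLED` is now the literal "false"; if nothing reads it any more, drop the variable rather than hard-coding it.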
@@ -69,16 +87,34 @@ spec: ## start sdnrdb parameter - name: SDNRINIT value: "true" + {{- if .Values.config.sdnr.mariadb.enabled }} + - name: SDNRDBTYPE + value: MARIADB + - name: MYSQL_HOST + value: {{ include "common.mariadbService" . }} + - name: MYSQL_ROOT_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-password" "key" "password") | indent 12 }} + - name: SDNRDBURL + value: "jdbc:mysql://{{ include "common.mariadbService" . }}:3306/{{ .Values.config.sdnr.mariadb.databaseName }}" + - name: SDNRDBDATABASE + value: "{{ .Values.config.sdnr.mariadb.databaseName }}" + - name: SDNRDBUSERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "login") | indent 12 }} + - name: SDNRDBPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "password") | indent 12 }} + {{- else }} - name: SDNRDBURL - {{ if .Values.global.aafEnabled -}} - value: "https://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" - {{- else -}} value: "http://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" - {{- end }} - name: SDNRDBPARAMETER value: "-k" - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - resources: {{ include "common.resources" . | nindent 12 }} + {{- end }} + {{- if .Values.config.sdnr.mariadb.enabled }} + volumeMounts: + - mountPath: {{ .Values.config.binDir }}/createSdnrDb.sh + name: bin + subPath: createSdnrDb.sh + {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} {{- if include "common.onServiceMesh" . }} - name: sdnrdb-service-mesh-wait-for-job-container image: {{ include "repositoryGenerator.image.quitQuit" . }} 
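Review bot: `MYSQL_ROOT_PASSWORD` is injected into the `sdnrdb-init-job` container itself, so the MariaDB root credential sits in the environment of the same process that later runs `startODL.sh`, next to the dedicated `SDNRDBUSERNAME`/`SDNRDBPASSWORD` pair. If only `createSdnrDb.sh` needs root, run it in its own init container and keep the root secret out of the main container. In the else branch, `SDNRDBURL` is now always `http://` while `SDNRDBPARAMETER` is still `-k`; document what `-k` is for with a plain HTTP URL or remove it.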
@@ -103,10 +139,8 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: docker-entrypoint-initdb-d emptyDir: {} - name: bin @@ -117,9 +151,6 @@ spec: configMap: name: {{ include "common.fullname" . }}-properties defaultMode: 0644 -{{ include "common.certInitializer.volumes" . | nindent 6 }} restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - + {{- include "common.imagePullSecrets" . | nindent 6 }} {{ end -}} diff --git a/kubernetes/sdnc/templates/service.yaml b/kubernetes/sdnc/templates/service.yaml index 1fe4ee3ded..052cfe16ad 100644 --- a/kubernetes/sdnc/templates/service.yaml +++ b/kubernetes/sdnc/templates/service.yaml @@ -38,18 +38,18 @@ metadata: } ]' spec: - type: NodePort + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} ports: - name: "{{ .Values.service.portName }}-restconf" - {{ if not .Values.global.aafEnabled }} port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} - {{- else -}} - port: {{ .Values.service.externalPort4 }} - targetPort: {{ .Values.service.internalPort4 }} - {{ end }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort4 }} + {{ end }} {{ if .Values.config.sdnr.enabled }} + - name: "{{ .Values.service.portName }}-sdnrwebsocket" + port: {{ .Values.service.sdnrWebsocketPort | default "8182" }} + targetPort: {{ .Values.service.sdnrWebsocketPort }} sessionAffinity: ClientIP {{ end }} selector: 
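Review bot: on the new `sdnrwebsocket` port in service.yaml, `port` falls back to "8182" but `targetPort: {{ .Values.service.sdnrWebsocketPort }}` has no default, and values.yaml in this patch only carries `sdnrWebsocketPort` as a commented-out key, so `targetPort` renders empty with the shipped defaults. Apply the same `| default "8182"` to `targetPort`. The statefulset reads the port from `.Values.sdnrWebsocketPort` (top level) while this template reads `.Values.service.sdnrWebsocketPort`; pick one key so an override changes both the Service and `SDNR_WEBSOCKET_PORT`.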
@@ -108,18 +108,17 @@ metadata: name: sdnhost-{{ include "common.servicename" . }}-0 namespace: {{ .Release.Namespace }} labels: + app: sdnhost-{{ include "common.name" . }} statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-0 spec: ports: - - name: {{ .Values.service.portName }}-0-port-{{ .Values.service.internalPort4 }} - port: {{ .Values.service.clusterPort2 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort4 }} - name: {{ .Values.service.portName }}-0-port-{{ .Values.service.internalPort }} port: {{ .Values.service.clusterPort3 }} targetPort: {{ .Values.service.internalPort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort1 }} - type: NodePort + {{ end }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-0 {{ end }} 
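Review bot: with the `internalPort4` entry removed, the only port this `sdnhost-*-0` service publishes is `internalPort` (8181 in values.yaml), and when ingress is disabled it is still exposed on `nodePortPrefixExt` plus `geoNodePort1`. If 8181 is the plain HTTP RESTCONF listener, say in the values comments that this NodePort path is unencrypted unless something in front terminates TLS, or gate the NodePort behind an explicit value. The same applies to the `-1` and `-2` services in the next two hunks, and `geoNodePort5`/`geoNodePort6` remain defined in values.yaml although those hunks remove their only users.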
@@ -131,18 +130,17 @@ metadata: name: sdnhost-{{ include "common.servicename" . }}-1 namespace: {{ .Release.Namespace }} labels: + app: sdnhost-{{ include "common.name" . }} statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-1 spec: ports: - - name: {{ .Values.service.portName }}-1-port-{{ .Values.service.internalPort4 }} - port: {{ .Values.service.clusterPort2 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort5 }} - name: {{ .Values.service.portName }}-1-port-{{ .Values.service.internalPort }} port: {{ .Values.service.clusterPort3 }} targetPort: {{ .Values.service.internalPort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort2 }} - type: NodePort + {{ end }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-1 {{ end }} 
@@ -154,18 +152,17 @@ metadata: name: sdnhost-{{ include "common.servicename" . }}-2 namespace: {{ .Release.Namespace }} labels: + app: sdnhost-{{ include "common.name" . }} statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-2 spec: ports: - - name: {{ .Values.service.portName }}-2-port-{{ .Values.service.internalPort4 }} - port: {{ .Values.service.clusterPort2 }} - targetPort: {{ .Values.service.internalPort4 }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort6 }} - name: {{ .Values.service.portName }}-2-port-{{ .Values.service.internalPort }} port: {{ .Values.service.clusterPort3 }} targetPort: {{ .Values.service.internalPort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.geoNodePort3 }} - type: NodePort + {{ end }} + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} selector: statefulset.kubernetes.io/pod-name: {{ include "common.fullname" . }}-2 {{ end }} @@ -183,12 +180,14 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: - type: NodePort + type: {{ if (include "common.ingressEnabled" .) }}ClusterIP{{ else }}NodePort{{ end }} ports: - name: "{{ .Values.service.portName }}-callhome" port: {{ .Values.service.callHomePort }} targetPort: {{ .Values.service.callHomePort }} + {{ if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.callHomeNodePort }} + {{ end }} selector: app.kubernetes.io/name: {{ include "common.name" . }} app.kubernetes.io/instance: {{ include "common.release" . }} diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index d252c9a3fb..5a89df5732 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml 
+++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -20,13 +20,10 @@ apiVersion: apps/v1 kind: StatefulSet metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - serviceName: {{ include "common.servicename" . }}-cluster - replicas: {{ .Values.replicaCount }} selector: {{- include "common.selectors" . | nindent 4 }} + serviceName: {{ include "common.servicename" . }}-cluster podManagementPolicy: Parallel + replicas: {{ .Values.replicaCount }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: 
@@ -105,22 +102,29 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} - name: ODL_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "odl-creds" "key" "password") | indent 10 }} - {{ if and .Values.config.sdnr.dmaapProxy.enabled .Values.config.sdnr.dmaapProxy.usepwd }} - - name: DMAAP_HTTP_PROXY_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "login") | indent 10 }} - - name: DMAAP_HTTP_PROXY_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "dmaap-proxy-creds" "key" "password") | indent 10 }} - {{- end }} {{ if .Values.config.sdnr.oauth.enabled }} - name: OAUTH_TOKEN_SECRET {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oauth-token-secret" "key" "password") | indent 10 }} - name: KEYCLOAK_SECRET {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keycloak-secret" "key" "password") | indent 10 }} - - name: ENABLE_ODLUX_RBAC value: "{{ .Values.config.sdnr.oauth.odluxRbac.enabled | default "true" }}" {{ end }} - + - name: SDNR_KAFKA_ENABLED + value: "{{ .Values.config.sdnr.kafka.enabled | default "false" }}" + {{ if .Values.config.sdnr.kafka.enabled }} + - name: SDNR_KAFKA_BOOTSTRAP_SERVERS + value: "{{ .Values.config.sdnr.kafka.bootstrapServers | default (include "common.release" .) }}-strimzi-kafka-bootstrap.{{.Release.Namespace}}:9092" + - name: SDNR_KAFKA_SECURITY_PROTOCOL + value: "{{ .Values.config.sdnr.kafka.securityProtocol | default "SASL_PLAINTEXT" }}" + - name: SDNR_KAFKA_SASL_MECHANISM + value: "{{ .Values.config.sdnr.kafka.saslMechanism | default "SCRAM-SHA-512" }}" + - name: SDNR_KAFKA_SASL_JASS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config + {{ end }} volumeMounts: - mountPath: /config-input name: config-input 
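Review bot: `SDNR_KAFKA_BOOTSTRAP_SERVERS` appends `-strimzi-kafka-bootstrap.{{.Release.Namespace}}:9092` after the `default`, so a user-supplied `config.sdnr.kafka.bootstrapServers` is treated as a release-name prefix rather than a server list, which contradicts the values.yaml hint `# bootstrapServers: []`. Build the default address inside the `default (...)` expression instead. This block defaults to `SASL_PLAINTEXT`/`SCRAM-SHA-512` and reads `sasl.jaas.config` from the `-ku` secret, while the second Kafka block later in this file defaults to `PLAINTEXT`/`PLAIN` and takes the JAAS config from a plain value; the two should agree, with the JAAS string coming from the secret in both places. `SDNR_KAFKA_SASL_JASS_CONFIG` looks like a misspelling of JAAS; keep it only if the image really reads that name.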
@@ -134,7 +138,7 @@ spec: - /app/ready.py args: {{ if .Values.dgbuilder.enabled -}} - - --container-name + - --service-name - {{ include "common.mariadbService" . }} - --job-name - {{ include "common.fullname" . }}-dbinit-job @@ -152,8 +156,14 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness - {{ end -}} -{{ include "common.certInitializer.initContainer" . | indent 6 }} + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + {{ end }} - name: {{ include "common.name" . }}-chown image: {{ include "repositoryGenerator.image.busybox" . }} command: @@ -165,11 +175,7 @@ spec: mkdir {{ .Values.persistence.mdsalPath }}/snapshots mkdir {{ .Values.persistence.mdsalPath }}/daexim chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }} -{{- if .Values.global.aafEnabled }} - chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certInitializer.credsPath }} -{{- end }} volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} - mountPath: {{ .Values.persistence.mdsalPath }} name: {{ include "common.fullname" . }}-data containers: @@ -268,7 +274,7 @@ spec: - name: GEO_ENABLED value: "{{ .Values.config.geoEnabled}}" - name: SDNC_AAF_ENABLED - value: "{{ .Values.global.aafEnabled}}" + value: "false" - name: SDNC_REPLICAS value: "{{ .Values.replicaCount }}" - name: MYSQL_HOST @@ -284,7 +290,7 @@ spec: - name: JAVA_HOME value: "{{ .Values.config.javaHome}}" - name: JAVA_OPTS - value: "-Xms{{.Values.config.odl.javaOptions.minMemory}} -Xmx{{.Values.config.odl.javaOptions.maxMemory}}" + value: "-XX:MaxRAMPercentage={{.Values.config.odl.javaOptions.maxRAMPercentage}}" - name: LOG4J_FORMAT_MSG_NO_LOOKUPS value: "true" - name: KARAF_CONSOLE_LOG_LEVEL 
@@ -297,13 +303,31 @@ spec: {{- end }} - name: SDNRONLY value: "{{ .Values.config.sdnr.sdnronly | default "false" }}" + {{- if .Values.config.sdnr.mariadb.enabled }} + - name: SDNRCONTROLLERID + value: {{ uuidv4 }} + - name: SDNRDBTYPE + value: MARIADB + - name: SDNRDBURL + value: "jdbc:mysql://{{ include "common.mariadbService" . }}:3306/{{ .Values.config.sdnr.mariadb.databaseName}}" + - name: SDNR_DB_DATABASE + value: {{ .Values.config.sdnr.mariadb.databaseName }} + - name: SDNRDBUSERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "login") | indent 12 }} + - name: SDNRDBPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnrdb-secret" "key" "password") | indent 12 }} + - name: SDNR_ASYNC_HANDLING + value: {{ .Values.config.sdnr.mariadb.asyncHandling | default "false" | quote }} + - name: SDNR_ASYNC_POOLSIZE + value: {{ .Values.config.sdnr.mariadb.asyncPoolSize | default 200 | quote }} + {{- else }} - name: SDNRDBURL - {{- $prefix := ternary "https" "http" .Values.global.aafEnabled}} - value: "{{$prefix}}://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" + value: "http://{{ .Values.elasticsearch.service.name | default "sdnrdb"}}.{{.Release.Namespace}}:{{.Values.elasticsearch.service.port | default "9200"}}" {{- if .Values.config.sdnr.sdnrdbTrustAllCerts }} - name: SDNRDBTRUSTALLCERTS value: "true" {{- end }} + {{- end }} {{- if .Values.global.cmpv2Enabled }} - name: ODL_CERT_DIR value: {{ (mustFirst (.Values.certificates)).mountPath }} 
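Review bot: `SDNRCONTROLLERID` is set with `{{ uuidv4 }}`, which is evaluated at render time: every template render or upgrade produces a new value, which changes the pod template and the controller identity, and all replicas of the StatefulSet receive the same ID. If the ID must be stable or per pod, take it from a value or derive it from the pod name through the downward API. Also, this block uses `SDNR_DB_DATABASE` where the init job uses `SDNRDBDATABASE`; confirm which name the image reads. `SDNRDBTRUSTALLCERTS` is still offered in the else branch although `SDNRDBURL` there is now always `http://`.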
@@ -332,15 +356,26 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ves-collector-secret" "key" "login") | indent 12 }} - name: SDNR_VES_COLLECTOR_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ves-collector-secret" "key" "password") | indent 12 }} + - name: SDNR_WEBSOCKET_PORT + value: "{{ .Values.sdnrWebsocketPort | default "8182"}}" + - name: SDNR_KAFKA_ENABLED + value: "{{ .Values.config.sdnr.kafka.enabled | default "false" }}" + {{ if .Values.config.sdnr.kafka.enabled }} + - name: SDNR_KAFKA_BOOTSTRAP_SERVERS + value: "{{ .Values.config.sdnr.kafka.bootstrapServers | default (include "common.release" .) }}-strimzi-kafka-bootstrap.{{.Release.Namespace}}:9092" + - name: SDNR_KAFKA_SECURITY_PROTOCOL + value: "{{ .Values.config.sdnr.kafka.securityProtocol | default "PLAINTEXT" }}" + - name: SDNR_KAFKA_SASL_MECHANISM + value: "{{ .Values.config.sdnr.kafka.saslMechanism | default "PLAIN" }}" + - name: SDNR_KAFKA_SASL_JASS_CONFIG + value: "{{ .Values.config.sdnr.kafka.saslJassConfig | default "PLAIN" }}" + {{ end }} + volumeMounts: -{{ include "common.certInitializer.volumeMount" . | indent 10 }} {{- if .Values.global.cmpv2Enabled }} {{ include "common.certManager.volumeMounts" . | indent 10 }} {{- end }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - mountPath: /opt/opendaylight/current/etc/org.ops4j.pax.logging.cfg name: sdnc-logging-cfg-config subPath: org.ops4j.pax.logging.cfg @@ -359,6 +394,9 @@ spec: - mountPath: {{ .Values.config.configDir }}/dblib.properties name: properties subPath: dblib.properties + - mountPath: {{ .Values.config.configDir }}/generic-api-dg.properties + name: properties + subPath: generic-api-dg.properties - mountPath: {{ .Values.config.configDir }}/lcm-dg.properties name: properties subPath: lcm-dg.properties 
@@ -413,13 +451,9 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 8 }} {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: logs emptyDir: {} {{ include "common.log.volumes" . | nindent 8 }} @@ -441,7 +475,6 @@ spec: - name: {{ include "common.fullname" . }}-data emptyDir: {} {{ else }} -{{ include "common.certInitializer.volumes" . | nindent 8 }} {{- if .Values.global.cmpv2Enabled }} {{ include "common.certManager.volumes" . | nindent 8 }} {{- end }} diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 1fd5bf3363..8773abde9a 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -22,15 +22,19 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - aafEnabled: true centralizedLoggingEnabled: true mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true #This flag allows SO to instantiate its own mariadb-galera cluster #If shared instance is used, this chart assumes that DB already exists localCluster: false - service: mariadb-galera + service: &mariadbService mariadb-galera internalPort: 3306 - nameOverride: mariadb-galera + nameOverride: &mariadbName mariadb-galera + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: + ################################################################# # Secrets metaconfig 
@@ -45,13 +49,18 @@ secrets: # override this secret using external one with the same field that is used # to pass this to subchart. externalSecret: '{{ .Values.global.mariadbGalera.localCluster | - ternary ((hasSuffix "sdnc-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | - ternary - "" - (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .)) - (include "common.mariadb.secret.rootPassSecretName" - (dict "dot" . - "chartName" .Values.global.mariadbGalera.nameOverride)) }}' + ternary (( hasSuffix "sdnc-db-root-password" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | + ternary + "" + (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) + ) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' password: '{{ (index .Values "mariadb-galera" "rootUser" "password") }}' - uid: db-secret name: &dbSecretName '{{ include "common.release" . }}-sdnc-db-secret' @@ -72,14 +81,6 @@ secrets: password: '{{ .Values.config.odlPassword }}' # For now this is left hardcoded but should be revisited in a future passwordPolicy: required - - uid: dmaap-proxy-creds - name: &dmaapProxyCredsSecretName '{{ include "common.release" . }}-sdnc-dmaap-proxy-creds' - type: basicAuth - externalSecret: '{{ .Values.config.dmaapProxyCredsExternalSecret }}' - login: '{{ .Values.config.sdnr.dmaapProxy.user }}' - password: '{{ .Values.config.sdnr.dmaapProxy.password }}' - # For now this is left hardcoded but should be revisited in a future - passwordPolicy: required - uid: netbox-apikey type: password externalSecret: '{{ .Values.config.netboxApikeyExternalSecret }}' 
@@ -185,6 +186,11 @@ secrets: type: basicAuth login: '{{ .Values.config.sdnr.vesCollector.username }}' password: '{{ .Values.config.sdnr.vesCollector.password }}' + - uid: sdnrdb-secret + name: &sdnrdbSecretName '{{ include "common.release" . }}-sdnc-sdnrdb-secret' + type: basicAuth + login: '{{ index .Values "config" "sdnr" "mariadb" "user" }}' + password: '{{ index .Values "config" "sdnr" "mariadb" "password" }}' ################################################################# # Certificates ################################################################# @@ -210,7 +216,7 @@ certificates: # application images pullPolicy: Always -image: onap/sdnc-image:2.4.1 +image: onap/sdnc-image:3.1.0 # flag to enable debugging - application support required debugEnabled: false @@ -310,8 +316,7 @@ config: maxGCPauseMillis: 100 parallelGCThreads : 3 numberGCLogFiles: 10 - minMemory: 512m - maxMemory: 2048m + maxRAMPercentage: 70 gcLogOptions: "" # Next line enables gc logging # gcLogOptions: "-Xlog:gc=trace:file={{.Values.config.odl.gcLogDir}}/gc-%t.log}:time,level,tags:filecount={{.Values.config.odl.javaOptions.numberGCLogFiles}}" 
@@ -324,18 +329,50 @@ config: # sdnronly: true starts sdnc container with odl and sdnrwt features only sdnronly: false sdnrdbTrustAllCerts: true - mountpointRegistrarEnabled: false + elasticsearch: + ## for legacy eleasticsearch database + enabled: &esdbenabled true + # enabled: &esdbenabled false + mariadb: + ## for legacy eleasticsearch database + enabled: false + # enabled: true + databaseName: sdnrdb + user: sdnrdb + externalSecret: *sdnrdbSecretName + asyncHandling: true + asyncPoolSize: 200 + kafka: + enabled: false + consumerGroupPrefix: &consumerGroupPrefix sdnr + # Strimzi KafkaUser config see configuration below + kafkaUser: &kafkaUser + acls: + - name: unauthenticated.SEC_ + type: topic + patternType: prefix + operations: [Read] + - name: unauthenticated.VES_PNFREG_OUTPUT + type: topic + patternType: literal + operations: [Read] + - name: *consumerGroupPrefix + type: group + patternType: prefix + operations: [Read] + ## set if bootstrap server is not OOM standard + # bootstrapServers: [] + ## set connection parameters if not default + # securityProtocol: PLAINTEXT + # saslMechanism: SCRAM-SHA-512 + ## saslJassConfig: provided by secret + + mountpointStateProviderEnabled: false netconfCallHome: enabled: true - # - # enable and set dmaap-proxy for mountpointRegistrar - dmaapProxy: - enabled: false - usepwd: true - user: addUserHere - password: addPasswordHere - url: addProxyUrlHere + + oauth: enabled: false tokenIssuer: ONAP SDNC 
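Review bot: the `mariadb:` block carries the comment `## for legacy eleasticsearch database` copied from the block above it, and it defines `user` and `externalSecret` but no `password`, although the `sdnrdb-secret` entry added earlier in this file reads `config.sdnr.mariadb.password` and neither references `externalSecret` nor sets a `passwordPolicy`. Fix the comment and make it explicit where the password comes from when MariaDB is enabled, either by adding the `password` key with a policy or by wiring `externalSecret` into the secret definition. In `kafkaUser.acls`, the `unauthenticated.SEC_` entry with `patternType: prefix` grants Read on every topic with that prefix; list the topics literally if the set is known.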
@@ -366,31 +403,33 @@ config: username: sample1 password: sample1 address: dcae-ves-collector.onap - port: 8443 + port: 8080 version: v7 reportingEntityName: ONAP SDN-R eventLogMsgDetail: SHORT -# dependency / sub-chart configuration -certInitializer: - nameOverride: sdnc-cert-initializer - truststoreMountpath: /opt/onap/sdnc/data/stores - fqdn: "sdnc" - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqi_namespace: org.onap.sdnc - public_fqdn: "sdnc.onap.org" - aafDeployFqi: "deployer@people.osaaf.org" - aafDeployPass: demo123456! - cadi_latitude: "38.0" - cadi_longitude: "-72.0" - credsPath: /opt/app/osaaf/local - aaf_add_config: > - echo "$cadi_keystore_password" > {{ .Values.credsPath }}/.pass 2>&1 +# Strimzi KafkaUser/Topic config on top level +kafkaUser: *kafkaUser + +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" # dependency / sub-chart configuration network-name-gen: enabled: true + mariadb-galera: &mariadbGalera nameOverride: &sdnc-db sdnc-db config: &mariadbGaleraConfig 
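Review bot: `vesCollector.port` moves from 8443 to 8080 while the collector is still addressed with the basicAuth pair shown in the context lines (`username: sample1`, `password: sample1`). If 8080 is the collector's plain HTTP listener, those credentials travel without transport encryption unless the service mesh supplies it; state that assumption next to the value, and consider leaving the sample credentials empty so a deployment has to set them.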
@@ -400,36 +439,25 @@ mariadb-galera: &mariadbGalera rootUser: externalSecret: *rootDbSecret db: + name: *sdncDbName user: *dbUser externalSecret: *dbSecretName service: - name: sdnc-dbhost + name: sdnc-db sdnctlPrefix: sdnc persistence: mountSubPath: sdnc/mariadb-galera enabled: true replicaCount: 1 + mariadbOperator: + galera: + enabled: false serviceAccount: nameOverride: *sdnc-db cds: enabled: false -dmaap-listener: - enabled: true - nameOverride: sdnc-dmaap-listener - mariadb-galera: - <<: *mariadbGalera - config: - <<: *mariadbGaleraConfig - mysqlDatabase: *sdncDbName - config: - sdncChartName: sdnc - dmaapPort: 3904 - sdncPort: 8282 - configDir: /opt/onap/sdnc/data/properties - odlCredsExternalSecret: *odlCredsSecretName - ueb-listener: enabled: true mariadb-galera: @@ -460,8 +488,6 @@ sdnc-ansible-server: dgbuilder: enabled: true nameOverride: sdnc-dgbuilder - certInitializer: - nameOverride: sdnc-dgbuilder-cert-initializer config: db: dbName: *sdncDbName @@ -471,8 +497,8 @@ dgbuilder: (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" "mariadb-galera")) }}' userCredentialsExternalSecret: *dbSecretName - dbPodName: mariadb-galera - dbServiceName: mariadb-galera + dbPodName: *mariadbName + dbServiceName: *mariadbService # This should be revisited and changed to plain text dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 serviceAccount: @@ -480,18 +506,17 @@ dgbuilder: mariadb-galera: service: name: sdnc-dgbuilder - nodePort: "03" + ports: + - name: http + port: 3100 + nodePort: "03" ingress: enabled: false service: - baseaddr: "sdnc-dgbuilder-ui" name: "sdnc-dgbuilder" - port: 3000 - - baseaddr: "sdnc-web-service-api" - name: "sdnc-web-service" - port: 8443 - plain_port: 8080 + port: 3100 config: ssl: "redirect" 
@@ -500,12 +525,9 @@ dgbuilder: # local elasticsearch cluster localElasticCluster: true elasticsearch: + enabled: *esdbenabled nameOverride: &elasticSearchName sdnrdb name: sdnrdb-cluster - certInitializer: - fqdn: "sdnc" - fqi_namespace: org.onap.sdnc - fqi: "sdnc@sdnc.onap.org" service: name: *elasticSearchName master: @@ -521,6 +543,8 @@ elasticsearch: # enable sdnc-web: enabled: true + ## set if web socket port should not be default + # sdnrWebsocketPort: *sdnrWebsocketPort # default number of instances replicaCount: 1 @@ -547,7 +571,6 @@ service: internalPort: 8181 internalPort2: 8101 internalPort3: 8080 - internalPort4: 8443 #port externalPort: 8282 @@ -556,7 +579,6 @@ service: externalPort3: 8280 - externalPort4: 8443 nodePort4: 67 clusterPort: 2550 @@ -570,8 +592,12 @@ service: geoNodePort5: 65 geoNodePort6: 66 - callHomePort: 4334 + callHomePort: &chport 4334 callHomeNodePort: 66 + ## set if web socket port should not be default + ## change in sdnc-web section as well + # sdnrWebsocketPort: &sdnrWebsocketPort 8182 + ## Persist data to a persitent volume persistence: 
@@ -598,32 +624,41 @@ persistence: journalPath: /opt/opendaylight/segmented-journal snapshotsPath: /opt/opendaylight/snapshots -certpersistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 50Mi - mountPath: /dockerdata-nfs - mountSubPath: sdnc/certs - certPath: /opt/app/osaaf - ##storageClass: "manual" - ingress: enabled: false service: - - baseaddr: "sdnc-api" - name: "sdnc" - port: 8443 - plain_port: 8282 + - baseaddr: "sdnc-api" + name: "sdnc" + port: 8282 + - baseaddr: "sdnc-callhome" + name: "sdnc-callhome" + port: *chport + protocol: tcp + exposedPort: *chport + exposedProtocol: TCP config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: a1policymanagement-read + - serviceAccount: cds-blueprints-processor-read + - serviceAccount: consul-read + - serviceAccount: ncmp-dmi-plugin-read + - serviceAccount: policy-drools-pdp-read + - serviceAccount: robot-read + - serviceAccount: sdnc-ansible-server-read + - serviceAccount: sdnc-dmaap-listener-read + - serviceAccount: sdnc-prom-read + - serviceAccount: sdnc-ueb-listener-read + - serviceAccount: sdnc-web-read + - serviceAccount: so-sdnc-adapter-read + - serviceAccount: istio-ingress + namespace: istio-ingress + authorizedPrincipalsSdnHosts: + - serviceAccount: sdnc-read + #Resource Limit flavor -By Default using small flavor: small #segregation for different envionment (Small and Large) @@ -631,18 +666,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "3" + memory: "8Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "8Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "10Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "10Gi" unlimited: {} #Pods Service Account 
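Review bot: in the new `serviceMesh.authorizationPolicy.authorizedPrincipals` list (the hunk just before the resources change), `sdnc-dmaap-listener-read` is authorized although this patch removes the `dmaap-listener` sub-chart block from the same values.yaml. Drop the allow entry for a service account the chart no longer deploys, and trim the rest of the list to the callers that actually need SDNC. On the resources hunk, requests.memory now equals limits.memory in both flavors; a short comment tying that to `maxRAMPercentage: 70` would help the next reader.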
@@ -654,3 +689,8 @@ serviceAccount: #Log configuration log: path: /var/log/onap + +readinessCheck: + wait_for: + services: + - '{{ include "common.mariadbService" . }}' diff --git a/kubernetes/sniro-emulator/.helmignore b/kubernetes/sniro-emulator/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/sniro-emulator/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/sniro-emulator/Chart.yaml b/kubernetes/sniro-emulator/Chart.yaml deleted file mode 100644 index dddacebcba..0000000000 --- a/kubernetes/sniro-emulator/Chart.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Mock Sniro Emulator -name: sniro-emulator -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/sniro-emulator/templates/NOTES.txt b/kubernetes/sniro-emulator/templates/NOTES.txt deleted file mode 100644 index c233cade6b..0000000000 --- a/kubernetes/sniro-emulator/templates/NOTES.txt +++ /dev/null 
@@ -1,34 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, AT&T, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . 
}} -l "app={{ .Chart.Name }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} diff --git a/kubernetes/sniro-emulator/templates/deployment.yaml b/kubernetes/sniro-emulator/templates/deployment.yaml deleted file mode 100644 index 0dff4eb7be..0000000000 --- a/kubernetes/sniro-emulator/templates/deployment.yaml +++ /dev/null 
@@ -1,68 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . 
| indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sniro-emulator/templates/service.yaml b/kubernetes/sniro-emulator/templates/service.yaml deleted file mode 100644 index 9119071ab2..0000000000 --- a/kubernetes/sniro-emulator/templates/service.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName | default "http" }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName | default "http" }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/sniro-emulator/values.yaml b/kubernetes/sniro-emulator/values.yaml deleted file mode 100644 index 8f43a4f46b..0000000000 --- a/kubernetes/sniro-emulator/values.yaml +++ /dev/null 
@@ -1,75 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: # global defaults - nodePortPrefix: 302 - -# application image -image: onap/sniroemulator:1.0.0 -pullPolicy: IfNotPresent - -# flag to enable debugging - application support required -debugEnabled: false - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: sniro-emulator - internalPort: 9999 - externalPort: 80 - nodePort: 88 - portName: http - -ingress: - enabled: false - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
- # - # Example: - # Configure resource requests and limits - # ref: http://kubernetes.io/docs/user-guide/compute-resources/ - # Minimum memory for development is 2 CPU cores and 4GB memory - # Minimum memory for production is 4 CPU cores and 8GB memory -#resources: -# limits: -# cpu: 2 -# memory: 4Gi -# requests: -# cpu: 2 -# memory: 4Gi diff --git a/kubernetes/so/Chart.yaml b/kubernetes/so/Chart.yaml index b9c54d47ef..288a31b550 100755 --- a/kubernetes/so/Chart.yaml +++ b/kubernetes/so/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2017 Amdocs, Bell Canada # Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2023 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -16,92 +17,88 @@ apiVersion: v2 description: ONAP Service Orchestrator name: so -version: 12.0.0 +version: 16.0.4 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - condition: global.aafEnabled - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: mariadb-galera - version: ~12.x-0 + version: ~16.x-0 repository: '@local' condition: global.mariadbGalera.localCluster - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/soHelpers' - name: so-admin-cockpit - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/so-admin-cockpit' condition: so-admin-cockpit.enabled - - name: so-appc-orchestrator - version: ~12.x-0 - repository: 'file://components/so-appc-orchestrator' - condition: so-appc-orchestrator.enabled - name: so-bpmn-infra - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/so-bpmn-infra' - name: so-catalog-db-adapter - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/so-catalog-db-adapter' condition: so-catalog-db-adapter.enabled - name: so-cnf-adapter - version: ~12.x-0 + version: ~15.x-0 repository: "file://components/so-cnf-adapter" condition: so-cnf-adapter.enabled + - name: so-cnfm-lcm + version: ~13.x-0 + repository: 'file://components/so-cnfm-lcm' + condition: so-cnfm-lcm.enabled - name: so-etsi-nfvo-ns-lcm - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-etsi-nfvo-ns-lcm' condition: so-etsi-nfvo-ns-lcm.enabled - name: so-etsi-sol003-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-etsi-sol003-adapter' condition: so-etsi-sol003-adapter.enabled - name: 
so-mariadb - version: ~12.x-0 + version: ~16.x-0 repository: 'file://components/so-mariadb' - name: so-nssmf-adapter - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/so-nssmf-adapter' condition: so-nssmf-adapter.enabled - name: so-oof-adapter - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/so-oof-adapter' condition: so-oof-adapter.enabled - name: so-openstack-adapter - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/so-openstack-adapter' condition: so-openstack-adapter.enabled - name: so-request-db-adapter - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/so-request-db-adapter' - name: so-sdc-controller - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/so-sdc-controller' - name: so-sdnc-adapter - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/so-sdnc-adapter' condition: so-sdnc-adapter.enabled - name: so-ve-vnfm-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-ve-vnfm-adapter' condition: so-ve-vnfm-adapter.enabled - name: so-etsi-sol005-adapter - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/so-etsi-sol005-adapter' condition: so-etsi-sol005-adapter.enabled - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-admin-cockpit/Chart.yaml b/kubernetes/so/components/so-admin-cockpit/Chart.yaml index 89534e746c..76fae4d874 100644 --- a/kubernetes/so/components/so-admin-cockpit/Chart.yaml +++ b/kubernetes/so/components/so-admin-cockpit/Chart.yaml 
@@ -21,21 +21,18 @@ apiVersion: v2 description: A Helm chart for ONAP Service Orchestration Monitoring name: so-admin-cockpit -version: 12.0.0 +version: 15.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: soHelpers - version: ~12.x-0 - repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml b/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml index dc9a4f2dad..8bfb1499bd 100644 --- a/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-admin-cockpit/resources/config/overrides/override.yaml @@ -3,21 +3,11 @@ server: forward-headers-strategy: none {{- end }} port: {{ index .Values.containerPort }} - {{- if .Values.global.aafEnabled }} - ssl: - keyStore: ${KEYSTORE} - keyStorePassword: ${KEYSTORE_PASSWORD} - trustStore: ${TRUSTSTORE} - trustStorePassword: ${TRUSTSTORE_PASSWORD} - {{- else }} ssl: enabled: false - {{- end }} tomcat: max-threads: 50 - {{- if not .Values.global.aafEnabled }} ssl-enable: false - {{- end }} camunda: rest: api: @@ -31,6 +21,8 @@ mso: url: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083/infraActiveRequests/ auth: Basic YnBlbDpwYXNzd29yZDEk spring: + application: + name: so-admin-cockpit main: allow-bean-definition-overriding: true security: diff --git a/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null 
+++ b/kubernetes/so/components/so-admin-cockpit/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml b/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml index 808c439181..372224cb2e 100644 --- a/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml +++ b/kubernetes/so/components/so-admin-cockpit/templates/deployment.yaml @@ -21,18 +21,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} 
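Review bot: Replacing the hand-written `selector: matchLabels: app: {{ include "common.name" . }}` with `{{- include "common.selectors" . | nindent 4 }}` in the deployment.yaml hunk (`@@ -21,18 +21,10 @@`) changes `spec.selector`, which is immutable on an apps/v1 Deployment. If `common.selectors` renders anything other than that single `app` label, an in-place `helm upgrade` of an existing release will be rejected by the API server until the old Deployment is deleted, so please state the upgrade path (delete and recreate) in the commit message or release notes. Minor style point in the same hunk: `replicas` drops `index` while `minReadySeconds` and the `updateStrategy` values keep it.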
@@ -40,12 +32,9 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} + initContainers: - name: so-chown image: {{ include "repositoryGenerator.image.busybox" . }} volumeMounts: @@ -57,21 +46,13 @@ spec: containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} command: - /bin/sh args: - -c - | export SO_COCKPIT_PASSWORD=`htpasswd -bnBC 10 "" $SO_COCKPIT_PASS | tr -d ':\n' | sed 's/\$2y/\$2a/'` - {{- if .Values.global.aafEnabled }} - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/org.onap.so.cred.props | xargs -0) - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE=file://$cadi_keystore - export KEYSTORE_PASSWORD=$cadi_keystore_password_p12 - export TRUSTSTORE=file://$cadi_truststore - export TRUSTSTORE_PASSWORD=$cadi_truststore_password - {{- end }} /app/start-app.sh env: - name: DB_HOST @@ -95,7 +76,7 @@ spec: - configMapRef: name: {{ include "common.fullname" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -114,16 +95,12 @@ spec: successThreshold: {{ index .Values.livenessProbe.successThreshold}} failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml b/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml index 8f87c68f1e..65f46c48c1 100644 --- a/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml +++ b/kubernetes/so/components/so-admin-cockpit/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/so/components/so-admin-cockpit/templates/service.yaml b/kubernetes/so/components/so-admin-cockpit/templates/service.yaml index b23e5ab99e..03b8df3e10 100644 
--- a/kubernetes/so/components/so-admin-cockpit/templates/service.yaml +++ b/kubernetes/so/components/so-admin-cockpit/templates/service.yaml @@ -19,32 +19,5 @@ # ============LICENSE_END========================================================= # @author: gareth.roper@ericsson.com */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - {{if .Values.global.aafEnabled -}} - type: {{ .Values.service.type }} - {{- else -}} - type: ClusterIP - {{- end }} - ports: - {{if and (eq .Values.service.type "NodePort") (.Values.global.aafEnabled) -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-admin-cockpit/values.yaml b/kubernetes/so/components/so-admin-cockpit/values.yaml index 7e4a654acb..c61de0015e 100644 --- a/kubernetes/so/components/so-admin-cockpit/values.yaml +++ b/kubernetes/so/components/so-admin-cockpit/values.yaml 
@@ -26,20 +26,14 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 - readinessImage: onap/oom/readiness:3.0.1 - aafAgentImage: onap/aaf/aaf_agent:2.1.20 + readinessImage: onap/oom/readiness:6.1.2 envsubstImage: dibi/envsubst - aafEnabled: true persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: true - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' ################################################################# @@ -72,9 +66,18 @@ secrets: # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/so-admin-cockpit:1.9.0 +image: onap/so/so-admin-cockpit:1.10.0 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -93,12 +96,6 @@ app: so-admin-cockpit # soHelpers part ################################################################# soHelpers: - nameOverride: so-cockpit-cert-init - certInitializer: - nameOverride: so-cockpit-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.monitoringPerm containerPort: *containerPort server: 
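Review bot: The last hunk of this values.yaml diff (`@@ -93,12 +96,6 @@`) leaves the `soHelpers:` key in place, followed only by `containerPort: *containerPort`, yet the same change removes the `soHelpers` dependency from this chart's Chart.yaml and the `.Values.soHelpers.certInitializer.credsPath` references from deployment.yaml. Nothing visible in this change still consumes that block, so either drop it together with its `# soHelpers part` banner or note in the file why it has to stay.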
@@ -108,54 +105,62 @@ server: # soMonitoringCredsExternalSecret: some secret service: -#Since this is a feature for monitoring the service type is changed to internal, users can change it to NodePort on need basis... - type: NodePort - nodePort: 24 - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: NodePort + ports: + - port: *containerPort + name: http + nodePort: 24 + updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 # Resource Limit flavor -By Default using small flavor: small #Segregation for different environment (Small or large) resources: - small: - requests: - memory: 1Gi - cpu: 10m - limits: - memory: 4Gi - cpu: 1 - large: - requests: - memory: 2Gi - cpu: 20m - limits: - memory: 8Gi - cpu: 2 + small: + requests: + cpu: "1" + memory: "1Gi" + limits: + cpu: "2" + memory: "4Gi" + large: + requests: + cpu: "1" + memory: "2Gi" + limits: + cpu: "3" + memory: "8Gi" + unlimited: {} readinessProbe: - port: 9091 - initialDelaySeconds: 20 - periodSeconds: 10 - timeoutSeconds: 10 + port: 9091 + initialDelaySeconds: 40 + periodSeconds: 10 + timeoutSeconds: 10 livenessProbe: - port: 9091 - initialDelaySeconds: 40 - periodSeconds: 10 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + port: 9091 + initialDelaySeconds: 80 + periodSeconds: 10 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: - enabled: false - service: - - baseaddr: "so-admin-cockpit-ui" - name: "so-admin-cockpit" - port: 9091 - config: - ssl: "none" + enabled: false + service: + - baseaddr: "so-admin-cockpit-ui" + name: "so-admin-cockpit" + port: 9091 + config: + ssl: "none" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: portal-app-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress nodeSelector: {} tolerations: [] affinity: {} 
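Review bot: In the `service:` block of this hunk the type stays `NodePort` (`nodePort: 24`), while the same change makes override.yaml set `ssl: enabled: false` unconditionally and deletes the service.yaml branch that forced `type: ClusterIP` whenever `global.aafEnabled` was false. Assuming `common.service` honours `service.type`, the admin cockpit is now published on a node port over plain HTTP by default. Suggest defaulting to `ClusterIP` here and letting operators opt in to `NodePort`, and restoring a comment that says so, since the removed one carried that intent. The new `serviceMesh.authorizationPolicy` principals only apply where the service mesh is deployed, so the default exposure should not rely on them.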
diff --git a/kubernetes/so/components/so-appc-orchestrator/Chart.yaml b/kubernetes/so/components/so-appc-orchestrator/Chart.yaml deleted file mode 100644 index 51a80959d0..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/Chart.yaml +++ /dev/null @@ -1,37 +0,0 @@ -# Copyright © 2020 AT&T USA -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: A Helm chart for so appc orchestrator -name: so-appc-orchestrator -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: soHelpers - version: ~12.x-0 - repository: 'file://../soHelpers' - - name: serviceAccount - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml b/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml deleted file mode 100644 index 061d8f0847..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/resources/config/overrides/override.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -server: - {{- if include "common.onServiceMesh" . }} - forward-headers-strategy: none - {{- end }} - port: {{ index .Values.containerPort }} - tomcat: - max-threads: 50 - ssl-enable: false -mso: - logPath: ./logs/soappcorch - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.auth.rest.aafEncrypted "value2" .Values.mso.auth )}} - msoKey: {{ .Values.global.app.msoKey }} - config: - {{ if .Values.global.security.aaf.enabled }} - cadi: {{ include "so.cadi.keys" . | nindent 8}} - {{- else }} - cadi: - aafId: {{ .Values.mso.basicUser }} - {{- end }} - workflow: - endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/sobpmnengine - topics: - retryMultiplier: 1000 -appc: - client: - topic: - read: - name: {{ .Values.appc.client.topic.read.name }} - timeout: {{ .Values.appc.client.topic.read.timeout }} - write: {{ .Values.appc.client.topic.write }} - sdnc: - read: {{ .Values.appc.client.topic.sdnc.read }} - write: {{ .Values.appc.client.topic.sdnc.write }} - response: - timeout: {{ .Values.appc.client.response.timeout }} - key: {{ .Values.appc.client.key }} - secret: {{ .Values.appc.client.secret }} - service: ueb - poolMembers: message-router.{{ include "common.namespace" . }}:3904,message-router.{{ include "common.namespace" . 
}}:3904 -spring: - security: - usercredentials: - - - username: ${ACTUATOR_USERNAME} - password: ${ACTUATOR_PASSWORD} - role: ACTUATOR diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml deleted file mode 100755 index 6abb1673d5..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/configmap.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-app-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml deleted file mode 100644 index d6584250e2..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml +++ /dev/null 
@@ -1,95 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - selector: {{- include "common.selectors" . | nindent 4 }} - replicas: {{ index .Values.replicaCount }} - minReadySeconds: {{ index .Values.minReadySeconds }} - strategy: - type: {{ index .Values.updateStrategy.type }} - rollingUpdate: - maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} - maxSurge: {{ index .Values.updateStrategy.maxSurge }} - template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} - spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} - - name: {{ include "common.name" . }}-pass-encoder - command: - - sh - args: - {{/* bcrypt plain text and convert to OpenBSD variant using sed */}} - - -c - - htpasswd -bnBC 10 "" "${ACTUATOR_PASSWORD}" | tr -d ':\n' | sed 's/\$2y/\$2a/' 1>/tmp/app/encoded; - env: - - name: ACTUATOR_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 10 }} - image: {{ include "repositoryGenerator.image.htpasswd" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: - - name: encoder - mountPath: /tmp/app - containers: - - name: {{ include "common.name" . 
}} - command: - - sh - args: - - -c - - | - export ACTUATOR_PASSWORD="$(cat /tmp/app/encoded)" - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - {{- end }} - /app/start-app.sh - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - env: - - name: ACTUATOR_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} - envFrom: - - configMapRef: - name: {{ include "common.fullname" . }}-configmap - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: {{- include "common.containerPorts" . | nindent 10 }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - - name: logs - mountPath: /app/logs - - name: encoder - mountPath: /tmp/app - - name: config - mountPath: /app/config - readOnly: true -{{ include "so.helpers.livenessProbe" .| indent 8 }} - serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} - - name: logs - emptyDir: {} - - name: encoder - emptyDir: - medium: Memory - - name: config - configMap: - name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml deleted file mode 100644 index 34932b713d..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml deleted file mode 100644 index 7f004cc050..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/templates/service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{/* -# Copyright © 2020 AT&T USA -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-appc-orchestrator/values.yaml b/kubernetes/so/components/so-appc-orchestrator/values.yaml deleted file mode 100644 index 724fcbd032..0000000000 --- a/kubernetes/so/components/so-appc-orchestrator/values.yaml +++ /dev/null 
@@ -1,166 +0,0 @@ -# Copyright © 2020 AT&T USA -# Copyright © 2020 Huawei -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -################################################################# -# Global configuration defaults. -################################################################# - -global: - nodePortPrefix: 302 - nodePortPrefixExt: 304 - persistence: - mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - app: - msoKey: 07a7159d3bf51a0e53be7a8f89699be7 -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-user-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' - login: '{{ .Values.db.userName }}' - password: '{{ .Values.db.userPassword }}' - passwordPolicy: required - - uid: db-admin-creds - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' - login: '{{ .Values.db.adminName }}' - password: '{{ .Values.db.adminPassword }}' - passwordPolicy: required - - uid: server-actuator-creds - name: '{{ include "common.release" . }}-so-appc-actuator-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.server.actuatorCredsExternalSecret) . 
}}' - login: '{{ .Values.server.actuator.username }}' - password: '{{ .Values.server.actuator.password }}' - passwordPolicy: required - -#secretsFilePaths: | -# - 'my file 1' -# - '{{ include "templateThatGeneratesFileName" . }}' - -################################################################# -# Application configuration defaults. -################################################################# -image: onap/so/so-appc-orchestrator:1.6.4 -pullPolicy: Always - -db: - userName: so_user - userPassword: so_User123 - # userCredsExternalSecret: some secret - adminName: so_admin - adminPassword: so_Admin123 - # adminCredsExternalSecret: some secret -server: - actuator: - username: mso_admin - password: password1$ -replicaCount: 1 -minReadySeconds: 10 -containerPort: &containerPort 8080 -logPath: ./logs/soappcorch -app: appc-orchestrator -service: - name: so-appc-orchestrator - type: ClusterIP - ports: - - port: *containerPort - name: http -updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 -# Resource Limit flavor -By Default using small -flavor: small - - -################################################################# -# soHelper part -################################################################# - -soHelpers: - nameOverride: so-appc-cert-init - certInitializer: - nameOverride: so-appc-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.openStackAdapterPerm - containerPort: *containerPort - -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - memory: 4Gi - cpu: 2000m - requests: - memory: 1Gi - cpu: 500m - large: - limits: - memory: 8Gi - cpu: 4000m - requests: - memory: 2Gi - cpu: 1000m - unlimited: {} -livenessProbe: - path: /manage/health - port: 8083 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 -ingress: - enabled: false -nodeSelector: {} -tolerations: [] -affinity: {} - -auth: - rest: 
- encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 - -mso: - auth: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 - basicUser: poBpmn - -appc: - client: - topic: - read: - name: APPC-LCM-WRITE - timeout: 360000 - write: APPC-LCM-READ - sdnc: - read: SDNC-LCM-WRITE - write: SDNC-LCM-READ - response: - timeout: 3600000 - key: VIlbtVl6YLhNUrtU - secret: 64AG2hF4pYeG2pq7CT6XwUOT - service: ueb - -#Pods Service Account -serviceAccount: - nameOverride: so-appc-orchestrator - roles: - - read diff --git a/kubernetes/so/components/so-bpmn-infra/Chart.yaml b/kubernetes/so/components/so-bpmn-infra/Chart.yaml index 08cdb93a52..9ffe352d61 100755 --- a/kubernetes/so/components/so-bpmn-infra/Chart.yaml +++ b/kubernetes/so/components/so-bpmn-infra/Chart.yaml @@ -1,6 +1,7 @@ # Copyright © 2018 AT&T USA # Modifications Copyright © 2021 Orange # Modifications Copyright © 2021 Nordix Foundation +# Modifications Copyright © 2024 Deutsche Telekom Intellectual Property. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,24 +18,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for SO Bpmn Infra name: so-bpmn-infra -version: 12.0.0 +version: 15.2.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml index 77e553bd67..01b3259479 100755 --- a/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-bpmn-infra/resources/config/overrides/override.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 AT&T USA +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,14 +15,10 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} + auth: {{ .Values.aai.auth }} dme2: timeout: '30000' - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} workflowAaiDistributionDelay: PT30S pnfEntryNotificationTimeout: P14D cds: @@ -45,14 +42,13 @@ camunda: entitymanager: packagesToScan: com pnf: - dmaap: - host: message-router - port: 3904 - protocol: http - uriPathPrefix: events - topicName: unauthenticated.PNF_READY - consumerGroup: consumerGroup - consumerId: consumerId + kafka: + pnfReadyTopicName: unauthenticated.PNF_READY + pnfUpdateTopicName: unauthenticated.PNF_UPDATE + consumerGroup: so-consumer + consumerId: so-bpmn-infra-pnfready + consumerIdUpdate: so-bpmn-infra-pnfupdate + kafkaBootstrapServers: {{ include "common.release" . }}-strimzi-kafka-bootstrap:9092 topicListenerDelayInSeconds: 5 bpelURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081 msb-ip: msb-iag 
@@ -65,8 +61,6 @@ mso: correlation: timeout: 60 logPath: logs - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} async: core-pool-size: 50 max-pool-size: 50 @@ -79,7 +73,7 @@ mso: endpoint: http://so-openstack-adapter.{{ include "common.namespace" . }}:8087/CompleteMsoProcess requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} db: auth: {{ .Values.mso.adapters.db.auth }} password: {{ .Values.mso.adapters.db.password }} @@ -131,7 +125,7 @@ mso: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} default: adapter: namespace: http://org.onap.mso @@ -165,11 +159,7 @@ mso: oof: auth: {{ .Values.mso.oof.auth }} callbackEndpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage - {{ if (include "common.needTLS" .) }} - endpoint: https://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ else }} endpoint: http://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ end }} timeout: PT30M workflow: CreateGenericVNFV1: @@ -309,7 +299,7 @@ policy: sdnc: auth: Basic YWRtaW46S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ== host: http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }} - path: /restconf/operations/GENERIC-RESOURCE-API + path: /rests/operations/GENERIC-RESOURCE-API si: svc: types: PORT-MIRROR,PPROBE 
@@ -321,7 +311,7 @@ sdnc: callback: timeout: PT5M lcm: - path: '/restconf/operations/LCM:' + path: '/rests/operations/LCM:' actionTimeout: 300000 dmapp: readTopic: SDNC-LCM-WRITE @@ -365,6 +355,8 @@ server: tomcat: max-threads: 50 spring: + application: + name: so-bpmn-infra datasource: hikari: jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/camundabpmn @@ -374,6 +366,7 @@ spring: pool-name: bpmn-pool registerMbeans: true security: + rbacEnabled: {{ .Values.global.so.auth.rbacEnabled }} usercredentials: - username: apihBpmn @@ -399,11 +392,27 @@ spring: username: mso_admin password: '$2a$10$Fh9ffgPw2vnmsghsRD3ZauBL1aKXebigbq3BB1RPWtE62UDILsjke' role: ACTUATOR + sleuth: + enabled: {{ .Values.global.tracing.enabled }} + messaging: + jms: + enabled: false + trace-id128: true + sampler: + probability: {{ .Values.global.tracing.sampling.probability }} + supports-join: false + web: + skip-pattern: /actuator/health/* + zipkin: + base-url: {{ .Values.global.tracing.collector.baseUrl }} so: vnfm: adapter: url: http://so-etsi-sol003-adapter.{{ include "common.namespace" . }}:9092/so/vnfm-adapter/v1 auth: {{ .Values.so.sol003.adapter.auth }} +cnfm: + endpoint: + url: http://so-cnfm-lcm.{{ include "common.namespace" . }}:9888 org: onap: so: diff --git a/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml b/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml index 58ac6d9ab8..6cb6b8c512 100755 --- a/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/configmap.yaml @@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,12 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + {{- if .Values.global.so.auth.enabled }} + ACTIVE_PROFILE: "basic" + {{- end }} --- apiVersion: v1 kind: ConfigMap @@ -48,4 +50,3 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} - 
diff --git a/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml b/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml index 2b8b827f91..190b89d530 100755 --- a/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 AT&T USA +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,18 +16,11 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} 
@@ -34,30 +28,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +49,16 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} + - name: JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -84,15 +66,13 @@ spec: readOnly: true - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} -{{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + {{- include "so.helpers.startupProbe" .| indent 8 }} + {{- include "so.helpers.livenessProbe" .| indent 8 }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -104,5 +84,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-bpmn-infra/templates/kafkatopic.yaml b/kubernetes/so/components/so-bpmn-infra/templates/kafkatopic.yaml new file mode 100644 index 0000000000..8e3ee32cb2 --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/templates/kafkatopic.yaml 
@@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkatopic" . }} diff --git a/kubernetes/so/components/so-bpmn-infra/templates/kafkauser.yaml b/kubernetes/so/components/so-bpmn-infra/templates/kafkauser.yaml new file mode 100644 index 0000000000..5c7edd5b19 --- /dev/null +++ b/kubernetes/so/components/so-bpmn-infra/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} diff --git a/kubernetes/so/components/so-bpmn-infra/templates/service.yaml b/kubernetes/so/components/so-bpmn-infra/templates/service.yaml index 5b8dee0774..739cb279c1 100755 --- a/kubernetes/so/components/so-bpmn-infra/templates/service.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/service.yaml 
@@ -13,28 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-bpmn-infra/values.yaml b/kubernetes/so/components/so-bpmn-infra/values.yaml index b120d0c23f..2739929eaf 100755 --- a/kubernetes/so/components/so-bpmn-infra/values.yaml +++ b/kubernetes/so/components/so-bpmn-infra/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2018 AT&T USA # Copyright © 2020 Huawei +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
@@ -22,20 +23,28 @@ global: #This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 - security: - aaf: - enabled: false - aaf: - auth: - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + so: + auth: + enabled: true + rbacEnabled: false readinessCheck: wait_for: jobs: - '{{ include "common.release" . }}-so-mariadb-config-job' + services: + - 'so-catalog-db-adapter' ################################################################# # Secrets metaconfig @@ -63,9 +72,24 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/bpmn-infra:1.11.0 +image: onap/so/bpmn-infra:1.15.6 pullPolicy: Always +kafkaUser: + acls: + - name: so-consumer + type: group + patternType: literal + operations: [Read] + - name: unauthenticated.PNF_READY + type: topic + patternType: literal + operations: [Read] + - name: unauthenticated.PNF_UPDATE + type: topic + patternType: literal + operations: [Read] + bpmn: historyTTL: 14 @@ -73,6 +97,15 @@ camunda: sundayCleanupWindowStartTime: "04:00" sundayCleanupWindowEndTime: "10:00" +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 
@@ -115,30 +148,25 @@ vnf: version: v2 replicaCount: 1 +revisionHistoryLimit: 1 minReadySeconds: 10 containerPort: &containerPort 8081 logPath: ./logs/bpmn/ app: so-bpmn-infra service: type: ClusterIP - internalPort: *containerPort - externalPort: 8081 - portName: http + ports: + - port: *containerPort + name: http updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 ################################################################# -# soHelper part +# soHelpers part ################################################################# soHelpers: - nameOverride: so-bpmn-cert-init - certInitializer: - nameOverride: so-bpmn-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.bpmnPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -147,29 +175,38 @@ flavor: large resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "2" + memory: "3Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "1" + memory: "3Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "3" + memory: "6Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "6Gi" unlimited: {} livenessProbe: path: /manage/health scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 + periodSeconds: 20 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-admin-cockpit-read + - serviceAccount: so-oof-adapter-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: so-sdnc-adapter-read nodeSelector: {} tolerations: [] affinity: {} @@ -184,3 +221,9 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +podAnnotations: + # disable istio-based tracing + proxy.istio.io/config: | + tracing: + sampling: 0 
diff --git a/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml b/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml index 50ffb8cd90..9f7883f54b 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/Chart.yaml @@ -16,24 +16,24 @@ apiVersion: v2 description: A Helm chart for so-catalog-db-adapter name: so-catalog-db-adapter -version: 12.0.0 +version: 15.2.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml index c82a0d29d4..b13fbeb3c7 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/resources/config/overrides/override.yaml 
@@ -24,15 +24,15 @@ ssl-enable: false mso: logPath: logs site-name: onapheat - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.db.auth )}} + auth: {{ .Values.mso.adapters.db.auth }} spring: + application: + name: so-catalog-db-adapter datasource: hikari: jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/catalogdb @@ -42,6 +42,7 @@ spring: pool-name: catdb-pool registerMbeans: true security: + rbacEnabled: {{ .Values.global.so.auth.rbacEnabled }} usercredentials: - username: bpel @@ -51,6 +52,21 @@ spring: username: mso_admin password: '$2a$10$Fh9ffgPw2vnmsghsRD3ZauBL1aKXebigbq3BB1RPWtE62UDILsjke' role: ACTUATOR + sleuth: + enabled: {{ .Values.global.tracing.enabled }} + messaging: + jms: + enabled: false + trace-id128: true + sampler: + probability: {{ .Values.global.tracing.sampling.probability }} + supports-join: false + web: + skip-pattern: {{ join "," .Values.tracing.skipPatterns }} + scheduled: + skip-pattern: .*({{ join "|" .Values.tracing.scheduled.skipClasses }}) + zipkin: + base-url: {{ .Values.global.tracing.collector.baseUrl }} #Actuator management: context-path: /manage @@ -104,3 +120,7 @@ cloud_config: clli: "{{ .Values.config.openStackRegion }}" aic_version: "2.5" identity_service_id: "DEFAULT_KEYSTONE" + +logging: + request-status: + exclusions: {{ join "," .Values.logging.requestStatus.excludedPatterns }} diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml index 6331656fce..4f526c0e5b 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/configmap.yaml @@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,12 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + {{- if .Values.global.so.auth.enabled }} + ACTIVE_PROFILE: "basic" + {{- end }} --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml index fa9d3a6a4b..02673ecce5 100755 
--- a/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml @@ -15,18 +15,11 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} 
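Review bot: spec.selector in this hunk now comes from common.selectors instead of the explicit matchLabels entry (app: common.name), and the selector of an apps/v1 Deployment is immutable, so if the helper renders a different label set an in-place helm upgrade of an existing release will be rejected. Please confirm that the rendered matchLabels and the pod labels from common.templateMetadata match the old ones, or state in the release notes that the Deployment has to be deleted before upgrading. Minor style point: replicas drops the index call while minReadySeconds and the strategy fields in the same hunk keep it; pick one form.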
@@ -34,30 +27,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
@@ -71,28 +48,24 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true -{{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + {{- include "so.helpers.startupProbe" .| indent 8 }} + {{- include "so.helpers.livenessProbe" .| indent 8 }} + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml index 5b8dee0774..739cb279c1 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/service.yaml 
@@ -13,28 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-catalog-db-adapter/values.yaml b/kubernetes/so/components/so-catalog-db-adapter/values.yaml index 060ac7f82f..30accc8ffd 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/values.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/values.yaml 
@@ -19,17 +19,21 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= app: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 mariadbGalera: - serviceName: mariadb-galera + service: mariadb-galera servicePort: '3306' + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + so: + auth: + enabled: true + rbacEnabled: false readinessCheck: wait_for: @@ -62,9 +66,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/catalog-db-adapter:1.11.0 +image: onap/so/catalog-db-adapter:1.15.6 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 
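Review bot: the two flags added under global.so.auth in the global block of so-catalog-db-adapter/values.yaml (enabled: true, rbacEnabled: false) have no comment, although they change security behaviour: templates/configmap.yaml in this patch emits ACTIVE_PROFILE: "basic" only when global.so.auth.enabled is true, and override.yaml passes rbacEnabled straight into spring.security. Please document next to the keys what the service does when no ACTIVE_PROFILE is set and what rbacEnabled: false means for the endpoints, so operators can judge the effect of switching either flag. In the same block, mariadbGalera.serviceName is renamed to service with no fallback, so existing override files that still set serviceName need a migration note.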
@@ -79,30 +92,30 @@ mso: auth: Basic YnBlbDpwYXNzd29yZDEk replicaCount: 1 +revisionHistoryLimit: 1 minReadySeconds: 10 containerPort: &containerPort 8082 logPath: ./logs/catdb/ app: catalog-db-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - port: *containerPort + name: http updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 + +logging: + requestStatus: + excludedPatterns: + - /manage/** ################################################################# -# soHelper part +# soHelpers part ################################################################# soHelpers: - nameOverride: so-catalogdb-cert-init - certInitializer: - nameOverride: so-catalogdb-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.catalogDbAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
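Review bot: logging.requestStatus.excludedPatterns at the end of this hunk uses /manage/**, which matches the management context-path (/manage) in override.yaml and the livenessProbe path /manage/health, but the tracing.skipPatterns default added at the bottom of this same values.yaml is /actuator/health/*. As written that pattern does not cover /manage/health, so unless something else excludes the management path, the probe requests (periodSeconds: 20) would be sampled once tracing is enabled with probability 1.0. The trailing /* also reads like a glob, while the scheduled skip-pattern in override.yaml, .*(...), is clearly a regular expression; if the web pattern is evaluated the same way, /* only means "zero or more slashes". Suggest using one path for both lists and writing it in the syntax the consumer expects.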
@@ -111,30 +124,38 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8082 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8082 + scheme: HTTP + periodSeconds: 20 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read + - serviceAccount: so-sdnc-adapter-read config: openStackUserName: "vnf_user" openStackRegion: "RegionOne" @@ -155,3 +176,16 @@ serviceAccount: roles: - read +podAnnotations: + # disable istio-based tracing + proxy.istio.io/config: | + tracing: + sampling: 0 + +tracing: + skipPatterns: + - /actuator/health/* + scheduled: + skipClasses: + - ScheduledDnsLookup + - ExternalTaskServiceUtils diff --git a/kubernetes/so/components/so-cnf-adapter/Chart.yaml b/kubernetes/so/components/so-cnf-adapter/Chart.yaml index 82cebafbfa..6c4e64664d 100755 --- a/kubernetes/so/components/so-cnf-adapter/Chart.yaml +++ b/kubernetes/so/components/so-cnf-adapter/Chart.yaml 
@@ -18,24 +18,24 @@ apiVersion: v2 appVersion: "1.7.1" description: A Helm chart for Kubernetes name: so-cnf-adapter -version: 12.0.0 +version: 15.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml index d667cb5c60..7065b4511a 100755 --- a/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-cnf-adapter/resources/config/overrides/override.yaml 
@@ -15,21 +15,31 @@ */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.server.aai.auth ) }} - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} + auth: {{ .Values.server.aai.auth }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} enabled: {{ .Values.global.aai.enabled }} logging: path: logs spring: + application: + name: so-cnf-adapter security: usercredentials: - username: ${ACTUATOR_USERNAME} password: ${ACTUATOR_PASSWORD} role: ACTUATOR + sleuth: + enabled: {{ .Values.global.tracing.enabled }} + trace-id128: true + sampler: + probability: {{ .Values.global.tracing.sampling.probability }} + supports-join: false + propagation: + type: w3c,bc + web: + skip-pattern: {{ join "," .Values.tracing.ignorePatterns }} + zipkin: + base-url: {{ .Values.global.tracing.collector.baseUrl }} server: {{- if include "common.onServiceMesh" . }} forward-headers-strategy: none diff --git a/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-cnf-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml b/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml index c5ebec0b15..786dd83f59 100755 --- a/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-cnf-adapter/templates/configmap.yaml @@ -20,7 +20,7 @@ metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "env") | data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml b/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml index 340571a59b..60baffad14 100755 --- a/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml 
@@ -20,6 +20,7 @@ metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} @@ -30,7 +31,7 @@ spec: metadata: labels: {{- include "common.labels" . | nindent 8 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 8 }} + initContainers: - name: {{ include "common.name" . }}-encrypter command: - sh 
@@ -59,53 +60,39 @@ spec: args: - -c - | - export AAF_BASE64=$(echo -n "${AAF_USERNAME}:${AAF_PASSWORD}" | base64) - export AAF_AUTH=$(echo "Basic ${AAF_BASE64}") export AAI_AUTH=$(cat /input/.aai_creds) - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password}" - {{- end }} - {{- end }} ./start-app.sh resources: {{ include "common.resources" . | nindent 12 }} ports: {{- include "common.containerPorts" . | nindent 12 }} env: - - name: AAF_USERNAME - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-aaf-creds" "key" "login") | indent 14 }} - - name: AAF_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "so-aaf-creds" "key" "password") | indent 14 }} - name: ACTUATOR_USERNAME {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 14 }} - name: ACTUATOR_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 14 }} - {{ include "so.certificates.env" . | indent 12 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-env imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . 
| nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true - readOnly: true - name: encoder mountPath: /input + {{- include "so.helpers.startupProbe" .| indent 10 }} livenessProbe: httpGet: path: {{ index .Values.livenessProbe.path}} port: {{ index .Values.containerPort }} scheme: {{ index .Values.livenessProbe.scheme}} - initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} timeoutSeconds: {{ index .Values.livenessProbe.timeoutSeconds}} successThreshold: {{ index .Values.livenessProbe.successThreshold}} failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config @@ -114,5 +101,4 @@ spec: - name: encoder emptyDir: medium: Memory - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-cnf-adapter/values.yaml b/kubernetes/so/components/so-cnf-adapter/values.yaml index 6d7eec4a64..1f58de056c 100755 --- a/kubernetes/so/components/so-cnf-adapter/values.yaml +++ b/kubernetes/so/components/so-cnf-adapter/values.yaml @@ -20,14 +20,15 @@ global: soCryptoImage: sdesbure/so_crypto:latest persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: ${AAF_AUTH} aai: enabled: true + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + ################################################################# # Secrets metaconfig ################################################################# 
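Review bot: the global.tracing block added in this hunk supplies defaults for enabled, collector.baseUrl and sampling.probability, but override.yaml in this patch also reads .Values.tracing.ignorePatterns for spring.sleuth.web.skip-pattern, and the chart-level default at the end of this values.yaml is tracing: {} with ignorePatterns commented out. With the key absent, join "," renders an empty skip-pattern. The key name also differs from so-catalog-db-adapter, which uses tracing.skipPatterns for the same setting. Suggest one key name across the SO charts and a real default list here, or guarding the skip-pattern line so it is only rendered when patterns are set.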
@@ -51,13 +52,6 @@ secrets: login: '{{ .Values.server.actuator.username }}' password: '{{ .Values.server.actuator.password }}' passwordPolicy: required - - uid: so-aaf-creds - name: '{{ include "common.release" . }}-so-cnf-aaf-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.server.aafCredsExternalSecret) . }}' - login: '{{ .Values.server.aaf.username }}' - password: '{{ .Values.server.aaf.password }}' - passwordPolicy: required - uid: so-aai-creds name: '{{ include "common.release" . }}-so-cnf-aai-creds' type: basicAuth @@ -76,7 +70,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/so-cnf-adapter:1.10.0 +image: onap/so/so-cnf-adapter:1.13.0 pullPolicy: Always readinessCheck: @@ -84,6 +78,15 @@ readinessCheck: jobs: - '{{ include "common.release" . }}-so-mariadb-config-job' +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -92,10 +95,6 @@ db: adminPassword: so_Admin123 # adminCredsExternalSecret: some secret server: - aaf: - username: so@so.onap.org - password: demo123456 - # aafCredsExternalSecret: some secret aai: username: aai@aai.onap.org password: demo123456! @@ -112,6 +111,7 @@ mso: requestDb: auth: ${REQUEST_AUTH} replicaCount: 1 +revisionHistoryLimit: 1 minReadySeconds: 10 containerPort: &containerPort 8090 logPath: ./logs/cnf-adapter/ 
@@ -125,44 +125,46 @@ updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 + +################################################################# +# soHelpers part +################################################################# soHelpers: - nameOverride: so-cnf-cert-init - certInitializer: - nameOverride: so-cnf-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.openStackAdapterPerm containerPort: *containerPort + # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "3Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "3Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "4Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "4Gi" unlimited: {} livenessProbe: path: /manage/health port: 8090 scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 + periodSeconds: 20 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} @@ -172,3 +174,13 @@ serviceAccount: nameOverride: so-cnf-adapter roles: - read + +tracing: {} + # ignorePatterns: + # - "" + +podAnnotations: + # disable istio-based tracing + proxy.istio.io/config: | + tracing: + sampling: 0 diff --git a/kubernetes/so/components/so-cnfm-lcm/Chart.yaml b/kubernetes/so/components/so-cnfm-lcm/Chart.yaml new file mode 100644 index 0000000000..df3eed7bd7 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/Chart.yaml 
@@ -0,0 +1,38 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +name: so-cnfm-lcm +description: ONAP SO CNFM LCM +version: 13.0.0 + +dependencies: + - name: common + version: ~13.x-0 + # local reference to common chart, as it is + # a part of this chart's package and will not + # be published independently to a repo (at this point) + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: soHelpers + version: ~13.x-0 + repository: 'file://../soHelpers' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/so/components/so-cnfm-lcm/resources/config/overrides/override.yaml b/kubernetes/so/components/so-cnfm-lcm/resources/config/overrides/override.yaml new file mode 100644 index 0000000000..3d2f6c8449 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/resources/config/overrides/override.yaml 
@@ -0,0 +1,55 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +aai: + auth: {{ .Values.aai.auth }} + version: v24 + endpoint: http://aai.{{ include "common.namespace" . }}:80 +spring: + application: + name: so-cnfm-lcm + datasource: + hikari: + camunda: + jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/camundabpmn + username: ${DB_USERNAME} + password: ${DB_PASSWORD} + driver-class-name: org.mariadb.jdbc.Driver + pool-name: bpmn-pool + registerMbeans: true + cnfm: + jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/cnfm + username: ${DB_ADMIN_USERNAME} + password: ${DB_ADMIN_PASSWORD} + driver-class-name: org.mariadb.jdbc.Driver + pool-name: cnfm-pool + registerMbeans: true +server: + port: {{ .Values.containerPort }} + tomcat: + max-threads: 50 +mso: + key: {{ .Values.mso.key }} +sdc: + username: {{ .Values.sdc.username }} + password: {{ .Values.sdc.password }} + key: {{ .Values.sdc.key }} + endpoint: http://sdc-be.{{ include "common.namespace" . }}:8080 +camunda: + bpm: + history-level: full + job-execution: + max-pool-size: 30 + core-pool-size: 3 + deployment-aware: true diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/authorizationpolicy.yaml 
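Review bot: in the new so-cnfm-lcm override.yaml the cnfm Hikari datasource logs in with ${DB_ADMIN_USERNAME} and ${DB_ADMIN_PASSWORD}, so the long-running service holds the database admin credentials at runtime, while the camunda datasource directly above it uses ${DB_USERNAME}. Please use an account scoped to the cnfm schema, or add a comment explaining why admin rights are needed after startup. Second point on the same file: aai.auth, mso.key, sdc.password and sdc.key are templated from plain values, and templates/configmap.yaml loads everything under resources/config/overrides/ into the app ConfigMap, so these values end up readable in a ConfigMap. The database credentials are already injected from a Secret through environment variables; the same pattern (placeholders in this file, values from common.secretFast) would keep the remaining credentials out of the ConfigMap.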
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/configmap.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/configmap.yaml new file mode 100644 index 0000000000..2d8cb1e5f5 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/configmap.yaml 
@@ -0,0 +1,43 @@ +{{/* + # Copyright © 2023 Nordix Foundation + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + */}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-app-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/overrides/*").AsConfig . | indent 2 }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/deployment.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/deployment.yaml new file mode 100644 index 0000000000..040fbadc3d --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/deployment.yaml 
@@ -0,0 +1,76 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + minReadySeconds: {{ index .Values.minReadySeconds }} + strategy: + type: {{ index .Values.updateStrategy.type }} + rollingUpdate: + maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} + maxSurge: {{ index .Values.updateStrategy.maxSurge }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + {{ include "common.readinessCheck.waitFor" . | indent 8 | trim }} + containers: + - name: {{ include "common.name" . }} + command: [ "./start-app.sh" ] + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + resources: {{ include "common.resources" . | nindent 12 }} + env: + - name: DB_HOST + value: {{ include "common.mariadbService" . }} + - name: DB_PORT + value: {{ include "common.mariadbPort" . | quote }} + - name: DB_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-user-creds" "key" "login") | indent 14 }} + - name: DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "db-user-creds" "key" "password") | indent 14 }} + - name: DB_ADMIN_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 14 }} + - name: DB_ADMIN_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 14 }} + envFrom: + - configMapRef: + name: {{ include "common.fullname" . }}-configmap + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: logs + mountPath: /app/logs + - name: config + mountPath: /app/config + readOnly: true + livenessProbe: + tcpSocket: + port: {{ index .Values.livenessProbe.port }} + initialDelaySeconds: {{ index .Values.livenessProbe.initialDelaySeconds}} + periodSeconds: {{ index .Values.livenessProbe.periodSeconds}} + successThreshold: {{ index .Values.livenessProbe.successThreshold}} + failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} + ports: {{ include "common.containerPorts" . | nindent 12 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: logs + emptyDir: {} + - name: config + configMap: + name: {{ include "common.fullname" . }}-app-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/ingress.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/ingress.yaml new file mode 100644 index 0000000000..30c7b6e674 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/ingress.yaml 
@@ -0,0 +1,15 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.ingress" . }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/secret.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/secret.yaml new file mode 100644 index 0000000000..e361015b5c --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/so/components/so-cnfm-lcm/templates/service.yaml b/kubernetes/so/components/so-cnfm-lcm/templates/service.yaml new file mode 100644 index 0000000000..72b8e4be89 --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/templates/service.yaml 
@@ -0,0 +1,15 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-cnfm-lcm/values.yaml b/kubernetes/so/components/so-cnfm-lcm/values.yaml new file mode 100644 index 0000000000..fbb4274b0f --- /dev/null +++ b/kubernetes/so/components/so-cnfm-lcm/values.yaml 
@@ -0,0 +1,155 @@ +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration defaults. +################################################################# +global: + persistence: + mountPath: /dockerdata-nfs + mariadbGalera: + service: mariadb-galera + servicePort: '3306' + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: db-user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.userCredsExternalSecret) . }}' + login: '{{ .Values.db.userName }}' + password: '{{ .Values.db.userPassword }}' + passwordPolicy: required + - uid: db-admin-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.adminCredsExternalSecret) . }}' + login: '{{ .Values.db.adminName }}' + password: '{{ .Values.db.adminPassword }}' + passwordPolicy: required + +################################################################# +# Application configuration defaults. +################################################################# +image: onap/so/so-cnfm-as-lcm:1.13.0 +pullPolicy: Always + +aai: + auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . 
}}-so-mariadb-config-job' + +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + +db: + userName: so_user + userPassword: so_User123 + # userCredsExternalSecret: some secret + adminName: so_admin + adminPassword: so_Admin123 + # adminCredsExternalSecret: some secret +mso: + key: 07a7159d3bf51a0e53be7a8f89699be7 +sdc: + username: mso + password: 76966BDD3C7414A03F7037264FF2E6C8EEC6C28F2B67F2840A1ED857C0260FEE731D73F47F828E5527125D29FD25D3E0DE39EE44C058906BF1657DE77BF897EECA93BDC07FA64F + key: 566B754875657232314F5548556D3665 + +replicaCount: 1 +revisionHistoryLimit: 1 +minReadySeconds: 10 +containerPort: &containerPort 9888 +logPath: ./logs/so-cnfm-lcm/ +app: so-cnfm-lcm +service: + type: ClusterIP + ports: + - name: http + port: *containerPort +updateStrategy: + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 + +################################################################# +# soHelpers part +################################################################# +soHelpers: + containerPort: *containerPort + +# Resource Limit flavor -By Default using small +flavor: small +# Segregation for Different environment (Small and Large) +resources: + small: + limits: + cpu: "4" + memory: "4Gi" + requests: + cpu: "2" + memory: "1Gi" + large: + limits: + cpu: "5" + memory: "8Gi" + requests: + cpu: "2" + memory: "2Gi" + unlimited: {} + +livenessProbe: + port: *containerPort + periodSeconds: 20 + timeoutSeconds: 10 + initialDelaySeconds: 60 + successThreshold: 1 + failureThreshold: 3 + +ingress: + enabled: false + service: + - baseaddr: 'so-cnfm-lcm-api' + name: 'so-cnfms-lcm' + port: *containerPort + config: + ssl: 'redirect' + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +#Pods Service 
Account +serviceAccount: + nameOverride: so-cnfm-lcm + roles: + - read diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml index 539e3f11a4..068686db48 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/Chart.yaml @@ -17,21 +17,24 @@ apiVersion: v2 description: ONAP SO ETSI NFVO NS LCM name: so-etsi-nfvo-ns-lcm -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml index df47c0a5fd..b555d16d10 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/resources/config/overrides/override.yaml @@ -15,14 +15,12 @@ */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} + auth: {{ .Values.aai.auth }} version: v19 - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} spring: + application: + name: so-etsi-nfvo-ns-lcm datasource: hikari: camunda: 
@@ -61,16 +59,7 @@ so: etsi-catalog-manager: base: {{- if .Values.global.msbEnabled }} - {{ if (include "common.needTLS" .) }} - endpoint: https://msb-iag:443/api - {{ else }} - endpoint: http://msb-iag:443/api - {{ end }} - http: - client: - ssl: - trust-store: file:${TRUSTSTORE} - trust-store-password: ${TRUSTSTORE_PASSWORD} + endpoint: http://msb-iag:80/api {{- else }} endpoint: http://modeling-etsicatalog.{{ include "common.namespace" . }}:8806/api {{- end }} diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml index add9a02cf6..6bf005c051 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/configmap.yaml 
@@ -27,7 +27,7 @@ metadata: data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml index 6465af4e4a..19cf991292 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml @@ -29,7 +29,8 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 8 }} + initContainers: + {{ include "common.readinessCheck.waitFor" . | indent 8 | trim }} containers: - name: {{ include "common.name" . }} command: @@ -38,12 +39,6 @@ spec: - -c - | export ETSI_NFVO_PASSWORD=`htpasswd -bnBC 10 "" $ETSI_NFVO_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - {{- end }} ./start-app.sh image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} 
@@ -64,12 +59,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 14 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 14 }} - {{ include "so.certificates.env" . | indent 12 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -84,11 +78,10 @@ spec: failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} ports: {{ include "common.containerPorts" . | nindent 12 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml index 6aaa367310..ad5548733e 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/values.yaml @@ -19,14 +19,8 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + service: mariadb-galera servicePort: '3306' ################################################################# 
@@ -60,6 +54,21 @@ pullPolicy: Always aai: auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 + +readinessCheck: + wait_for: + jobs: + - '{{ include "common.release" . }}-so-mariadb-config-job' + +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -85,7 +94,6 @@ logPath: ./logs/so-etsi-nfvo-ns-lcm/ app: so-etsi-nfvo-ns-lcm service: type: ClusterIP - name: so-etsi-nfvo-ns-lcm annotations: service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true' msb.onap.org/service-info: | @@ -111,12 +119,6 @@ updateStrategy: # soHelpers part ################################################################# soHelpers: - nameOverride: so-nfvo-cert-init - certInitializer: - nameOverride: so-nfvo-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.nfvoAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -125,18 +127,18 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "3Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "2Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "5Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: @@ -156,6 +158,13 @@ ingress: config: ssl: 'redirect' +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress + nodeSelector: {} tolerations: [] diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml index 599b8055fa..caa7dd9553 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/Chart.yaml 
@@ -16,21 +16,21 @@ apiVersion: v2 description: ONAP SO ETSI SOL003 Adapter name: so-etsi-sol003-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml index fed38f7592..27af6f340d 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/resources/config/overrides/override.yaml @@ -14,14 +14,12 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} + auth: {{ .Values.aai.auth }} version: v15 - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} spring: + application: + name: so-etsi-sol003-adapter security: usercredentials: - username: vnfm 
@@ -41,30 +39,19 @@ mso: key: {{ .Values.mso.key }} site-name: localSite logPath: ./logs/etsi-sol003-adapter - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} msb-ip: msb-iag msb-port: 80 sdc: - username: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.username "value2" .Values.sdc.username )}} - password: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.password "value2" .Values.sdc.password )}} + username: {{ .Values.sdc.username }} + password: {{ .Values.sdc.password }} key: {{ .Values.sdc.key }} - {{ if (include "common.needTLS" .) }} - endpoint: https://sdc-be.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://sdc-be.{{ include "common.namespace" . }}:8080 - {{ end }} vnfmadapter: endpoint: http://so-etsi-sol003-adapter.{{ include "common.namespace" . }}:9092 etsi-catalog-manager: vnfpkgm: {{- if .Values.global.msbEnabled }} - endpoint: https://msb-iag:443/api/vnfpkgm/v1 - http: - client: - ssl: - trust-store: file:${TRUSTSTORE} - trust-store-password: ${TRUSTSTORE_PASSWORD} + endpoint: http://msb-iag:80/api {{- else }} endpoint: http://modeling-etsicatalog.{{ include "common.namespace" . }}:8806/api/vnfpkgm/v1 {{- end }} diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml index 6331656fce..c334fd7699 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml index 7751bf4631..4067eee9bd 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/deployment.yaml 
@@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: type: {{ .Values.updateStrategy.type }} 
@@ -34,34 +26,17 @@ spec: maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - export KEYSTORE="{{ .Values.soHelpers.certInitializer.credsPath }}/org.onap.so.p12" - /app/start-app.sh - {{- end }} - env: - {{ include "so.certificates.env" . | indent 8 | trim }} + resources: {{ include "common.resources" . | nindent 10 }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -74,16 +49,12 @@ spec: periodSeconds: {{ .Values.livenessProbe.periodSeconds}} successThreshold: {{ .Values.livenessProbe.successThreshold}} failureThreshold: {{ .Values.livenessProbe.failureThreshold}} - ports: - - containerPort: {{ .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml index 8f87c68f1e..f298193924 100644 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2019 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} 
diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml index 96a2acd3a6..3da38759a8 100755 --- a/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/templates/service.yaml @@ -13,39 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "{{ include "common.servicename" . }}", - "version": "v1", - "url": "/so/vnfm-adapter/v1", - "protocol": "REST", - "port": "{{.Values.service.externalPort}}", - "visualRange":"1" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml b/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml index 170cfdd0d7..6d08ea1ba8 100755 
--- a/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml +++ b/kubernetes/so/components/so-etsi-sol003-adapter/values.yaml @@ -28,7 +28,7 @@ global: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/so-etsi-sol003-adapter:1.9.0 +image: onap/so/so-etsi-sol003-adapter:1.9.1 pullPolicy: Always aaf: @@ -50,26 +50,34 @@ containerPort: &containerPort 9092 logPath: ./logs/etsi-sol003-adapter/ app: etsi-sol003-adapter service: - type: NodePort - internalPort: *containerPort - externalPort: *containerPort - nodePort: "06" - portName: http + type: NodePort + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: 'true' + msb.onap.org/service-info: | + {{ if .Values.global.msbEnabled -}}[ + { + "serviceName": "{{ include "common.servicename" . }}", + "version": "v1", + "url": "/so/vnfm-adapter/v1", + "protocol": "REST", + "port": "{{.Values.containerPort}}", + "visualRange":"1" + } + ]{{ end }} + ports: + - name: http + port: *containerPort + nodePort: "06" + updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-etsi-sol003-cert-init - certInitializer: - nameOverride: so-etsi-sol003-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.vnfmAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -78,34 +86,43 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: - port: 9092 - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + port: 9092 + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false service: - - baseaddr: "so-etsi-sol003-adapter-api" - name: "so-etsi-sol003-adapter" - port: 9092 + - baseaddr: "so-etsi-sol003-adapter-api" + name: "so-etsi-sol003-adapter" + port: 9092 config: ssl: "redirect" +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-etsi-nfvo-ns-lcm-read + - serviceAccount: so-read + - serviceAccount: istio-ingress + namespace: istio-ingress nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml index bb92b9fdca..a6c6c2e708 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/Chart.yaml 
@@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-etsi-sol005-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml index 189a02bf73..d1e47736f1 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/resources/config/overrides/override.yaml @@ -16,6 +16,8 @@ logging: path: logs spring: + application: + name: so-etsi-sol005-adapter datasource: hikari: driver-class-name: org.mariadb.jdbc.Driver 
@@ -42,18 +44,12 @@ server: mso: site-name: localSite logPath: ./logs/etsi-sol005-adapter - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} msb-ip: msb-iag msb-port: 80 adapters: requestDb: - {{ if (include "common.needTLS" .) }} - endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ else }} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} #Actuator management: security: diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml index 6331656fce..c334fd7699 100755 
--- a/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml index 1abf21816b..28e8709d7e 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/deployment.yaml @@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ .Values.minReadySeconds }} strategy: type: {{ .Values.updateStrategy.type }} 
@@ -34,30 +26,14 @@ spec: maxUnavailable: {{ .Values.updateStrategy.maxUnavailable }} maxSurge: {{ .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +47,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -92,16 +67,12 @@ spec: timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds}} successThreshold: {{ .Values.livenessProbe.successThreshold}} failureThreshold: {{ .Values.livenessProbe.failureThreshold}} - ports: - - containerPort: {{ .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml index 5b8dee0774..21a6a77e27 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/templates/service.yaml 
@@ -13,28 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} diff --git a/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml b/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml index b20f318658..cc81dacccc 100755 --- a/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml +++ b/kubernetes/so/components/so-etsi-sol005-adapter/values.yaml @@ -19,14 +19,8 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + service: mariadb-galera servicePort: '3306' readinessCheck: 
@@ -58,9 +52,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/so-etsi-sol005-adapter:1.9.0 +image: onap/so/so-etsi-sol005-adapter:1.9.1 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -80,26 +83,19 @@ containerPort: &containerPort 8084 logPath: ./logs/etsi-sol005-adapter/ app: etsi-sol005-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - port: *containerPort + name: http updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 - + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-etsi-sol005-cert-init - certInitializer: - nameOverride: so-etsi-sol005-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.vfcAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -108,30 +104,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "3Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "2Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "4Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8084 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8084 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-mariadb/Chart.yaml b/kubernetes/so/components/so-mariadb/Chart.yaml index 02a456e0bd..3d229b8a18 100755 --- a/kubernetes/so/components/so-mariadb/Chart.yaml +++ b/kubernetes/so/components/so-mariadb/Chart.yaml @@ -16,21 +16,21 @@ apiVersion: v2 description: MariaDB Service name: so-mariadb -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh index 1a78253f5e..73c120a054 100755 --- a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/01-create-camundabpmn.sh @@ -26,7 +26,7 @@ echo "Creating camundabpmn database . . ." 1>/tmp/mariadb-camundabpmn.log 2>&1 -mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +mysqlcmd -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 DROP DATABASE IF EXISTS camundabpmn; CREATE DATABASE camundabpmn; DROP USER IF EXISTS '${CAMUNDA_DB_USER}'; @@ -37,7 +37,7 @@ EOF cd /docker-entrypoint-initdb.d/db-sql-scripts -mysql -uroot -p$MYSQL_ROOT_PASSWORD -f < mariadb_engine_7.14.0.sql || exit 1 -mysql -uroot -p$MYSQL_ROOT_PASSWORD -f < mariadb_identity_7.14.0.sql || exit 1 +mysqlcmd -uroot -p$MYSQL_ROOT_PASSWORD -f < mariadb_engine_7.14.0.sql || exit 1 +mysqlcmd -uroot -p$MYSQL_ROOT_PASSWORD -f < mariadb_identity_7.14.0.sql || exit 1 echo "Created camundabpmn database . . ." 1>>/tmp/mariadb-camundabpmn.log 2>&1 diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh index 4c2d668af7..ae9a23d734 100755 --- a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/02-create-requestdb.sh 
@@ -25,7 +25,7 @@ echo "Creating requestdb database . . ." 1>/tmp/mariadb-requestdb.log 2>&1 -mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +mysqlcmd -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 DROP DATABASE IF EXISTS requestdb; CREATE DATABASE /*!32312 IF NOT EXISTS*/ requestdb /*!40100 DEFAULT CHARACTER SET latin1 */; DROP USER IF EXISTS '${REQUEST_DB_USER}'; diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh index dd374d440b..2f2aec89d9 100755 --- a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/03-create-catalogdb.sh @@ -25,7 +25,7 @@ echo "Creating catalogdb database . . ." 1>/tmp/mariadb-catalogdb.log 2>&1 -mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +mysqlcmd -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 DROP DATABASE IF EXISTS catalogdb; CREATE DATABASE /*!32312 IF NOT EXISTS*/ catalogdb /*!40100 DEFAULT CHARACTER SET latin1 */; DROP USER IF EXISTS '${CATALOG_DB_USER}'; diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-nfvo-db.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-nfvo-db.sh index db6fd22eaf..410be6ce7b 100755 --- a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-nfvo-db.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/04-create-nfvo-db.sh 
@@ -28,7 +28,7 @@ prepare_password() NFVO_DB_PASSWORD=`prepare_password $NFVO_DB_PASSWORD` -mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +mysqlcmd -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 CREATE DATABASE /*!32312 IF NOT EXISTS*/ nfvo /*!40100 DEFAULT CHARACTER SET latin1 */; DROP USER IF EXISTS '${NFVO_DB_USER}'; CREATE USER '${NFVO_DB_USER}'; diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-cnfm-db.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-cnfm-db.sh new file mode 100644 index 0000000000..84ff14d5e0 --- /dev/null +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/05-create-cnfm-db.sh 
@@ -0,0 +1,39 @@ +#!/bin/sh +{{/* +# ============LICENSE_START======================================================= +# Copyright (C) 2023 Nordix Foundation. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= +*/}} + +echo "Creating cnfm database . . ." 1>/tmp/mariadb-cnfmdb.log 2>&1 + +prepare_password() +{ + echo "$1" | sed -e "s/'/\\\\'/g; s/\"/\\\\\"/g" +} + +CNFM_DB_PASSWORD=`prepare_password $CNFM_DB_PASSWORD` + +mysqlcmd -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +CREATE DATABASE /*!32312 IF NOT EXISTS*/ cnfm /*!40100 DEFAULT CHARACTER SET latin1 */; +DROP USER IF EXISTS '${CNFM_DB_USER}'; +CREATE USER '${CNFM_DB_USER}'; +GRANT ALL on cnfm.* to '${CNFM_DB_USER}' identified by '${CNFM_DB_PASSWORD}' with GRANT OPTION; +FLUSH PRIVILEGES; +EOF + +echo "Created cnfm database . . ." 1>>/tmp/mariadb-cnfmdb.log 2>&1 \ No newline at end of file diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh index 33c4b32146..8086dd67e9 100755 --- a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh 
+++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/98-create-so-user.sh @@ -4,6 +4,7 @@ # ============LICENSE_START========================================== # =================================================================== # Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2022/23 Nordix Foundation # =================================================================== # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,7 +33,7 @@ prepare_password() DB_PASSWORD=`prepare_password $DB_PASSWORD` -mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +mysqlcmd -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 DROP USER IF EXISTS '${DB_USER}'; CREATE USER '${DB_USER}'; GRANT USAGE ON *.* TO '${DB_USER}'@'%' IDENTIFIED BY '${DB_PASSWORD}'; @@ -40,6 +41,7 @@ GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON requestdb.* TO '${DB GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON catalogdb.* TO '${DB_USER}'@'%'; GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON camundabpmn.* TO '${DB_USER}'@'%'; GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON nfvo.* TO '${DB_USER}'@'%'; +GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE, SHOW VIEW ON cnfm.* TO '${DB_USER}'@'%'; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh index 069556f51c..d4ffb1f997 100755 --- a/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh +++ b/kubernetes/so/components/so-mariadb/resources/config/docker-entrypoint-initdb.d/99-create-so-admin.sh 
@@ -4,6 +4,7 @@ # ============LICENSE_START========================================== # =================================================================== # Copyright © 2017 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright (C) 2022/23 Nordix Foundation # =================================================================== # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -32,7 +33,7 @@ prepare_password() DB_ADMIN_PASSWORD=`prepare_password $DB_ADMIN_PASSWORD` -mysql -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 +mysqlcmd -uroot -p$MYSQL_ROOT_PASSWORD << EOF || exit 1 DROP USER IF EXISTS '${DB_ADMIN}'; CREATE USER '${DB_ADMIN}'; GRANT USAGE ON *.* TO '${DB_ADMIN}'@'%' IDENTIFIED BY '${DB_ADMIN_PASSWORD}'; @@ -40,6 +41,7 @@ GRANT ALL PRIVILEGES ON camundabpmn.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON requestdb.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON catalogdb.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; GRANT ALL PRIVILEGES ON nfvo.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; +GRANT ALL PRIVILEGES ON cnfm.* TO '${DB_ADMIN}'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES; EOF diff --git a/kubernetes/so/components/so-mariadb/templates/job.yaml b/kubernetes/so/components/so-mariadb/templates/job.yaml index d9c6009c8a..d87faf9671 100644 --- a/kubernetes/so/components/so-mariadb/templates/job.yaml +++ b/kubernetes/so/components/so-mariadb/templates/job.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright (C) 2022/23 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -24,10 +25,9 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: - "helm.sh/hook": pre-upgrade,pre-install - "helm.sh/hook-weight": "1" - "helm.sh/hook-delete-policy": before-hook-creation + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: @@ -56,24 +56,17 @@ spec: - | {{- if include "common.onServiceMesh" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - mysqldump -vv --user=${DB_USER} --password=${DB_PASS} --host=${DB_HOST} --port=${DB_PORT} --databases --single-transaction --quick --lock-tables=false catalogdb requestdb nfvo > /var/data/mariadb/backup-`date +%s`.sql + mysqldump -vv --user=${DB_USER} --password=${DB_PASS} --host=${DB_HOST} --port=${DB_PORT} --databases --single-transaction --quick --lock-tables=false catalogdb requestdb nfvo cnfm > /var/data/mariadb/backup-`date +%s`.sql volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: backup-storage mountPath: /var/data/mariadb {{ include "common.waitForJobContainer" . | indent 6 | trim }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: backup-storage persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-migration - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} restartPolicy: Never --- {{- end }} 
@@ -87,10 +80,9 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} - annotations: - "helm.sh/hook": post-upgrade,post-rollback,post-install - "helm.sh/hook-weight": "0" - "helm.sh/hook-delete-policy": before-hook-creation + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: @@ -103,7 +95,7 @@ spec: initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} containers: - name: {{ include "common.name" . }}-config - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + image: {{ include "repositoryGenerator.image.mariadb" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /bin/bash 
@@ -111,12 +103,12 @@ spec: - > {{- if include "common.onServiceMesh" . }} echo "waiting 15s for istio side cars to be up"; sleep 15s;{{- end }} - mysql() { /usr/bin/mysql -h ${DB_HOST} -P ${DB_PORT} "$@"; }; - export -f mysql; - mysql --user=root --password=${MYSQL_ROOT_PASSWORD} requestdb -e exit > /dev/null 2>&1 {{ if not .Values.global.migration.enabled }} && echo "Database already initialized!!!" && exit 0 {{ end }}; - for f in /docker-entrypoint-initdb.d/*; do case "$f" in *.sh) echo "$0: running $f"; . "$f" ;; *.sql) echo "$0: running $f"; "${mysql[@]}" < "$f"; echo ;; *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${mysql[@]}"; echo ;; *) echo "$0: ignoring $f" ;; esac; echo; done; + mysqlcmd() { mariadb -h ${DB_HOST} -P ${DB_PORT} "$@"; }; + export -f mysqlcmd; + mysqlcmd --user=root --password=${MYSQL_ROOT_PASSWORD} requestdb -e exit > /dev/null 2>&1 {{ if not .Values.global.migration.enabled }} && echo "Database already initialized!!!" && exit 0 {{ end }}; + for f in /docker-entrypoint-initdb.d/*; do case "$f" in *.sh) echo "$0: running $f"; . "$f" ;; *.sql) echo "$0: running $f"; "${mysqlcmd[@]}" < "$f"; echo ;; *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${mysqlcmd[@]}"; echo ;; *) echo "$0: ignoring $f" ;; esac; echo; done; {{- if .Values.global.migration.enabled }} - mysql -vv --user=root --password=${MYSQL_ROOT_PASSWORD} < `ls -tr /var/data/mariadb/* | tail -1`; + mysqlcmd -vv --user=root --password=${MYSQL_ROOT_PASSWORD} < `ls -tr /var/data/mariadb/* | tail -1`; {{- end }} env: - name: DB_HOST 
@@ -149,10 +141,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nfvo-db-creds" "key" "login") | indent 10 }} - name: NFVO_DB_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "nfvo-db-creds" "key" "password") | indent 10 }} + - name: CNFM_DB_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cnfm-db-creds" "key" "login") | indent 10 }} + - name: CNFM_DB_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cnfm-db-creds" "key" "password") | indent 10 }} volumeMounts: - - mountPath: /etc/localtime - name: localtime - readOnly: true - name: docker-entrypoint-initdb-d-sh mountPath: "/docker-entrypoint-initdb.d" - name: docker-entrypoint-initdb-d-sql @@ -161,8 +154,7 @@ spec: - name: backup-storage mountPath: /var/data/mariadb {{- end }} - resources: -{{ include "common.resources" . | indent 12 }} + resources: {{ include "common.resources" . | nindent 10 }} {{ include "common.waitForJobContainer" . | indent 6 | trim }} {{- if .Values.nodeSelector }} nodeSelector: @@ -172,10 +164,8 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - - name: localtime - hostPath: - path: /etc/localtime - name: docker-entrypoint-initdb-d-sh configMap: name: {{ include "common.fullname" . }}-mariadb-sh @@ -188,5 +178,4 @@ spec: claimName: {{ include "common.fullname" . }}-migration {{- end }} restartPolicy: Never - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-mariadb/values.yaml b/kubernetes/so/components/so-mariadb/values.yaml index 13dd0868e8..a2cf93c71d 100755 --- a/kubernetes/so/components/so-mariadb/values.yaml +++ b/kubernetes/so/components/so-mariadb/values.yaml 
@@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright (C) 2022-23 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,11 +22,13 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 repository: nexus3.onap.org:10001 - readinessImage: onap/oom/readiness:4.1.0 + readinessImage: onap/oom/readiness:6.2.0 ubuntuInitRepository: docker.io mariadbGalera: - nameOverride: &mariadbName mariadb-galera - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + nameOverride: mariadb-galera + service: mariadb-galera servicePort: "3306" migration: enabled: false @@ -34,10 +37,6 @@ global: dbUser: root dbPassword: secretpassword -readinessCheck: - wait_for: - - *mariadbName - ################################################################# # Secrets metaconfig ################################################################# @@ -89,15 +88,25 @@ secrets: externalSecret: '{{ tpl (default "" .Values.db.nfvo.dbCredsExternalSecret) . }}' login: '{{ .Values.db.nfvo.userName }}' password: '{{ .Values.db.nfvo.password }}' + - uid: cnfm-db-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.db.cnfm.dbCredsExternalSecret) . }}' + login: '{{ .Values.db.cnfm.userName }}' + password: '{{ .Values.db.cnfm.password }}' ################################################################# # Application configuration defaults. ################################################################# -# application image -repository: nexus3.onap.org:10001 -image: mariadb:10.1.38 pullPolicy: Always -ubuntuInitImage: oomk8s/ubuntu-init:2.0.0 + +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false # db config db: 
@@ -127,6 +136,9 @@ db: nfvo: userName: nfvouser # dbCredsExternalSecret: some secret + cnfm: + userName: cnfmuser + # dbCredsExternalSecret: some secret # application configuration config: @@ -147,18 +159,18 @@ flavor: small resources: small: limits: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 2Gi + cpu: "1" + memory: "2Gi" large: limits: - cpu: 4 - memory: 8Gi + cpu: "4" + memory: "8Gi" requests: - cpu: 2 - memory: 4Gi + cpu: "2" + memory: "4Gi" unlimited: {} persistence: @@ -191,3 +203,23 @@ serviceAccount: wait_for_job_container: containers: - '{{ include "common.name" . }}-config' + +readinessCheck: + wait_for: + services: + - '{{ include "common.mariadbService" . }}' + +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" diff --git a/kubernetes/so/components/so-nssmf-adapter/Chart.yaml b/kubernetes/so/components/so-nssmf-adapter/Chart.yaml index b8a3387bfb..b06e503db7 100755 --- a/kubernetes/so/components/so-nssmf-adapter/Chart.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/Chart.yaml 
@@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-nssmf-adapter -version: 12.0.0 +version: 15.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml index 016b3f534f..7c63fd3c57 100755 --- a/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/resources/config/overrides/override.yaml @@ -14,15 +14,13 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.aai.auth )}} - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} + auth: {{ .Values.aai.auth }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} logging: path: logs spring: + application: + name: so-nssmf-adapter datasource: jdbc-url: jdbc:mariadb://${DB_HOST}:${DB_PORT}/requestdb username: ${DB_USERNAME} 
@@ -58,12 +56,8 @@ mso: msb-port: 80 adapters: requestDb: - {{ if (include "common.needTLS" .) }} - endpoint: https://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ else }} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} #Actuator management: endpoints: diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-nssmf-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml index 03a3df4163..35baef1759 100755 --- a/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/configmap.yaml 
@@ -19,7 +19,7 @@ metadata: {{- include "common.resourceMetadata" (dict "dot" . "suffix" "env") | data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml index f41352e63f..5aea3023aa 100755 --- a/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml @@ -26,11 +26,9 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} @@ -41,12 +39,6 @@ spec: - | export BPEL_PASSWORD=`htpasswd -bnBC 10 "" $BPEL_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` export ACTUATOR_PASSWORD=`htpasswd -bnBC 10 "" $ACTUATOR_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` - {{- if .Values.global.aafEnabled }} - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - {{- end }} ./start-app.sh image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} 
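Review bot: in so-nssmf-adapter/templates/deployment.yaml (hunk -41,12 +39,6), the two `htpasswd -bnBC 10 "" $BPEL_PASSWORD_INPUT` style lines kept as context pass the password as a command-line argument (`-b`) and leave the variable unquoted. The password is therefore visible in the container's process list while htpasswd runs, and a value containing whitespace or glob characters is split or expanded by the shell. Since this startup block is being trimmed anyway, quote the variables (`"$BPEL_PASSWORD_INPUT"`, `"$ACTUATOR_PASSWORD_INPUT"`) and consider feeding the password on stdin with `-i` instead of `-b`.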
@@ -72,12 +64,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "login") | indent 14 }} - name: ACTUATOR_PASSWORD_INPUT {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "server-actuator-creds" "key" "password") | indent 14 }} - {{ include "so.certificates.env" . | nindent 12 }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-env imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -94,11 +85,10 @@ spec: successThreshold: {{ index .Values.livenessProbe.successThreshold}} failureThreshold: {{ index .Values.livenessProbe.failureThreshold}} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config configMap: name: {{ include "common.fullname" . }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-nssmf-adapter/values.yaml b/kubernetes/so/components/so-nssmf-adapter/values.yaml index 29f9f4e24d..fc26535d30 100755 --- a/kubernetes/so/components/so-nssmf-adapter/values.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/values.yaml @@ -19,14 +19,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' readinessCheck: 
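Review bot: in so-nssmf-adapter/values.yaml (hunk -19,14 +19,10), the `global.aaf.auth.header` default deleted here is a `Basic` authorization header that stays readable in the repository history, so treat that credential as disclosed and confirm nothing still accepts it. Separately, `serviceName: mariadb-galera` becomes `service: mariadb-galera`: an existing override file that still sets `global.mariadbGalera.serviceName` will be ignored without any error after the upgrade. A release-note entry or a `fail` guard in the template for the old key would surface that.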
@@ -75,9 +71,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/so-nssmf-adapter:1.9.1 +image: onap/so/so-nssmf-adapter:1.10.0 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -110,17 +115,14 @@ service: - name: http port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 +################################################################# +# soHelpers part +################################################################# soHelpers: - nameOverride: so-nssmf-cert-init - certInitializer: - nameOverride: so-nssmf-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.nssmfAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
@@ -129,30 +131,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "2" + memory: "2Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "1" + memory: "2Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "3" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8088 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8088 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-oof-adapter/Chart.yaml b/kubernetes/so/components/so-oof-adapter/Chart.yaml index 9f9c107b16..00fa469121 100755 --- a/kubernetes/so/components/so-oof-adapter/Chart.yaml +++ b/kubernetes/so/components/so-oof-adapter/Chart.yaml @@ -18,21 +18,21 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-oof-adapter -version: 12.0.0 +version: 15.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' 
diff --git a/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml index 2d645bebf2..5f52f0083a 100755 --- a/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-oof-adapter/resources/config/overrides/override.yaml @@ -16,6 +16,8 @@ logging: path: logs spring: + application: + name: so-oof-adapter security: usercredentials: - username: ${BPEL_USERNAME} @@ -39,17 +41,13 @@ mso: msb-port: 80 msoKey: ${MSO_KEY} camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081 - camundaAuth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.camundaAuth )}} + camundaAuth: {{ .Values.mso.camundaAuth }} workflow: message: endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage oof: auth: ${OOF_LOGIN}:${OOF_PASSWORD} - {{ if (include "common.needTLS" .) }} - endpoint: https://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ else }} endpoint: http://oof-osdf.{{ include "common.namespace" . }}:8698 - {{ end }} #Actuator management: endpoints: diff --git a/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-oof-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml b/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml index da5fda9c42..62ad76709f 100755 --- a/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-oof-adapter/templates/configmap.yaml @@ -26,7 +26,7 @@ metadata: data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml b/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml index f5307992d1..eef3ef4a0e 100755 --- a/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-oof-adapter/templates/deployment.yaml 
@@ -26,15 +26,12 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: {{- include "common.labels" . | nindent 8 }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: -{{ include "common.resources" . | indent 10 }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -54,12 +51,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oof-auth" "key" "login") | indent 10 }} - name: OOF_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "oof-auth" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -68,11 +64,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: {{- include "common.containerPorts" . | nindent 12 }} + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config 
@@ -84,5 +80,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-oof-adapter/values.yaml b/kubernetes/so/components/so-oof-adapter/values.yaml index 530c35afdd..b205756263 100755 --- a/kubernetes/so/components/so-oof-adapter/values.yaml +++ b/kubernetes/so/components/so-oof-adapter/values.yaml @@ -20,14 +20,10 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' # Secrets metaconfig @@ -71,9 +67,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/so-oof-adapter:1.8.3 +image: onap/so/so-oof-adapter:1.10.1 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + mso: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 oof: 
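Review bot: in so-oof-adapter/values.yaml (hunk -71,9 +67,18), the image is bumped by tag only (`image: onap/so/so-oof-adapter:1.10.1`) with `pullPolicy: Always` on the following line, so every pod restart re-resolves a mutable tag. Pinning the image by digest would make the deployed artifact reproducible and keep a re-pushed tag from changing what runs. The new `mariadb-galera` block also sets `mariadbOperator.galera.enabled: false` while the previous hunk sets `global.mariadbGalera.useOperator: true`; a one-line comment on how the two flags interact would help whoever overrides them.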
@@ -87,23 +92,19 @@ containerPort: *containerPort logPath: ./logs/oof-adapter/ app: so-oof-adapter service: - type: ClusterIP - ports: - - name: http - port: *containerPort + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 - + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 +################################################################# +# soHelpers part +################################################################# soHelpers: - nameOverride: so-oof-adapter-cert-init - certInitializer: - nameOverride: so-oof-adapter-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.oofadapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -112,30 +113,35 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: - path: /manage/health - port: *containerPort - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: *containerPort + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} diff --git a/kubernetes/so/components/so-openstack-adapter/Chart.yaml b/kubernetes/so/components/so-openstack-adapter/Chart.yaml index fc80962326..43fe471abe 100755 --- a/kubernetes/so/components/so-openstack-adapter/Chart.yaml +++ b/kubernetes/so/components/so-openstack-adapter/Chart.yaml 
@@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-openstack-adapter -version: 12.0.0 +version: 15.2.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml index 7dc22c3536..30b429de85 100755 --- a/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-openstack-adapter/resources/config/overrides/override.yaml @@ -14,12 +14,8 @@ # limitations under the License. */}} aai: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.aai.auth )}} - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} + auth: {{ .Values.aai.auth }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} server: {{- if include "common.onServiceMesh" . }} forward-headers-strategy: none @@ -27,6 +23,8 @@ server: port: {{ index .Values.containerPort }} SW port: {{ index .Values.containerPort }} spring: + application: + name: so-openstack-adapter datasource: hikari: jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/catalogdb 
@@ -61,6 +59,21 @@ spring: username: mso_admin password: '$2a$10$Fh9ffgPw2vnmsghsRD3ZauBL1aKXebigbq3BB1RPWtE62UDILsjke' role: ACTUATOR + sleuth: + enabled: {{ .Values.global.tracing.enabled }} + messaging: + jms: + enabled: false + trace-id128: true + sampler: + probability: {{ .Values.global.tracing.sampling.probability }} + supports-join: false + web: + skip-pattern: {{ join "," .Values.tracing.skipPatterns }} + scheduled: + skip-pattern: .*({{ join "|" .Values.tracing.scheduled.skipClasses }}) + zipkin: + base-url: {{ .Values.global.tracing.collector.baseUrl }} org: onap: so: @@ -72,7 +85,7 @@ org: {{- end }} default_keystone_reg_ex: "/[vV][0-9]" vnf: - bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} + bpelauth: {{ .Values.org.onap.so.adapters.bpelauth }} checkRequiredParameters: true addGetFilesOnVolumeReq: false sockettimeout: 30 @@ -83,7 +96,7 @@ org: valet_enabled: false fail_requests_on_valet_failure: false network: - bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.bpelauth )}} + bpelauth: {{ .Values.org.onap.so.adapters.bpelauth }} sockettimeout: 5 connecttimeout: 5 retrycount: 5 
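Review bot: in so-openstack-adapter/resources/config/overrides/override.yaml (hunk -61,6 +59,21), `web.skip-pattern` is filled from `.Values.tracing.skipPatterns`, whose default in this chart's values.yaml is `/actuator/health/*`, while the liveness probe in the same values file calls `/manage/health`. As written, the probe requests do not look covered by the skip pattern, so please check the pattern against the actuator path the adapter actually serves. The two `skip-pattern` values and `base-url` are also rendered unquoted; piping them through `quote` avoids a YAML parse error if a pattern ever begins with `*` or contains `: `.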
@@ -113,12 +126,16 @@ ecomp: retryCount: 3 pollTimeout: 7500 pollInterval: 15 +multicloud: + endpoint: http://multicloud-k8s.{{ include "common.namespace" . }}:9015 mso: adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.aaf.auth.encrypted "value2" .Values.mso.auth )}} + auth: {{ .Values.mso.db.auth }} + auth: + user: {{ .Values.mso.auth.user }} + password: {{ .Values.mso.auth.password }} logPath: ./logs/openstack msb-ip: msb-iag msb-port: 80 @@ -126,19 +143,12 @@ mso: workflow: endpoint: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/sobpmnengine msoKey: {{ .Values.mso.msoKey }} - config: - {{ if eq .Values.global.security.aaf.enabled true }} - cadi: {{ include "so.cadi.keys" . | nindent 8}} - {{- else }} - cadi: - aafId: {{ .Values.mso.basicUser }} - {{- end }} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.db.auth )}} + auth: {{ .Values.mso.db.auth }} site-name: localDevEnv async: core-pool-size: 50 diff --git a/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-openstack-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml b/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml index 050aab9732..eeab0f72cd 100755 --- a/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/configmap.yaml @@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml b/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml index 55493f7c42..247b8cb3b1 100755 --- a/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml 
@@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: @@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
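Review bot: in so-openstack-adapter/templates/deployment.yaml (hunk -15,17 +15,9), `spec.selector` changes from the explicit `matchLabels` with `app: {{ include "common.name" . }}` to `{{- include "common.selectors" . | nindent 4 }}`. A Deployment's selector is immutable, so if the helper renders anything other than that single `app` label, `helm upgrade` of an existing release will be rejected until the Deployment is deleted and recreated. Please confirm what the helper emits and, if it differs, document the upgrade step.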
@@ -71,12 +47,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -85,14 +60,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -104,5 +76,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-openstack-adapter/templates/service.yaml b/kubernetes/so/components/so-openstack-adapter/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-openstack-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/service.yaml 
@@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-openstack-adapter/values.yaml b/kubernetes/so/components/so-openstack-adapter/values.yaml index e25f4b3498..648ac1faff 100755 --- a/kubernetes/so/components/so-openstack-adapter/values.yaml +++ b/kubernetes/so/components/so-openstack-adapter/values.yaml 
@@ -19,15 +19,18 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + readinessCheck: wait_for: @@ -58,9 +61,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/openstack-adapter:1.11.0 +image: onap/so/openstack-adapter:1.15.6 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 @@ -71,9 +83,6 @@ db: aai: auth: 2A11B07DB6214A839394AA1EC5844695F5114FC407FF5422625FB00175A3DCB8A1FF745F22867EFA72D5369D599BBD88DA8BED4233CF5586 -aaf: - auth: - encrypted: 7F182B0C05D58A23A1C4966B9CDC9E0B8BC5CD53BC8C7B4083D869F8D53E9BDC3EFD55C94B1D3F org: onap: so: @@ -81,8 +90,9 @@ org: bpelauth: D1A67FA93B6A6419132D0F83CC771AF774FD3C60853C50C22C8C6FC5088CC79E9E81EDE9EA39F22B2F66A0068E mso: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 - basicUser: poBpmn - auth: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 + auth: + user: poBpmn + password: BEA8637716A7EB617DF472BA6552D22F68C1CB17B0D094D77DDA562F4ADAAC4457CAB848E1A4 db: auth: Basic YnBlbDpwYXNzd29yZDEk 
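Review bot: in so-openstack-adapter/values.yaml (hunk -81,8 +90,9), `mso.auth` changes from a scalar to a map with `user` and `password`, and `mso.basicUser` disappears, so an existing override that still sets `mso.auth` as a string no longer fits the template in override.yaml, and an override of `mso.basicUser` is silently ignored. A `required` check on `.Values.mso.auth.password` or a release-note entry would make the migration visible. The password also remains a literal in values.yaml; the DB credentials in this chart's deployment already come from a Secret through `common.secret.envFromSecretFast`, and the same route would fit here.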
@@ -92,25 +102,19 @@ containerPort: &containerPort 8087 logPath: ./logs/openstack/ app: openstack-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# -# soHelper part +# soHelpers part ################################################################# soHelpers: - nameOverride: so-openstack-cert-init - certInitializer: - nameOverride: so-openstack-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.openStackAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -119,30 +123,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "2" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "3" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8087 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8087 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read config: openStackUserName: "vnf_user" openStackRegion: "RegionOne" 
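Review bot: in so-openstack-adapter/values.yaml (hunk -119,30 +123,36), the new `authorizedPrincipals` list admits `robot-read` by default next to `so-bpmn-infra-read` and `so-read`. If that service account belongs to test tooling rather than to a runtime caller of this adapter, keep it out of the defaults and let test deployments add it through an override, so the shipped policy lists only the callers the adapter needs. Minor: `livenessProbe.port` is the literal `8087` although the file defines `containerPort: &containerPort 8087`; using `*containerPort` keeps the two from drifting apart.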
@@ -166,3 +176,17 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +podAnnotations: + # disable istio-based tracing + proxy.istio.io/config: | + tracing: + sampling: 0 + +tracing: + skipPatterns: + - /actuator/health/* + scheduled: + skipClasses: + - ScheduledDnsLookup + - ExternalTaskServiceUtils diff --git a/kubernetes/so/components/so-request-db-adapter/Chart.yaml b/kubernetes/so/components/so-request-db-adapter/Chart.yaml index c959f3642a..9e03210b67 100755 --- a/kubernetes/so/components/so-request-db-adapter/Chart.yaml +++ b/kubernetes/so/components/so-request-db-adapter/Chart.yaml @@ -16,24 +16,24 @@ apiVersion: v2 description: A Helm chart for request-db-adapter name: so-request-db-adapter -version: 12.0.0 +version: 15.2.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml index 86e02d638a..844db44004 100755 --- a/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-request-db-adapter/resources/config/overrides/override.yaml 
@@ -25,13 +25,13 @@ ssl-enable: false mso: logPath: logs site-name: localSite - config: - cadi: {{- include "so.cadi.keys" . | nindent 8}} adapters: requestDb: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 spring: + application: + name: so-request-db-adapter datasource: hikari: jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/requestdb @@ -41,6 +41,7 @@ spring: pool-name: reqdb-pool registerMbeans: true security: + rbacEnabled: {{ .Values.global.so.auth.rbacEnabled }} usercredentials: - username: bpel @@ -50,6 +51,25 @@ spring: username: mso_admin password: '$2a$10$Fh9ffgPw2vnmsghsRD3ZauBL1aKXebigbq3BB1RPWtE62UDILsjke' role: ACTUATOR + sleuth: + enabled: {{ .Values.global.tracing.enabled }} + messaging: + jms: + enabled: false + trace-id128: true + sampler: + probability: {{ .Values.global.tracing.sampling.probability }} + supports-join: false + web: + skip-pattern: {{ join "," .Values.tracing.skipPatterns }} + scheduled: + skip-pattern: .*({{ join "|" .Values.tracing.scheduled.skipClasses }}) + zipkin: + base-url: {{ .Values.global.tracing.collector.baseUrl }} #Actuator management: context-path: /manage + +logging: + request-status: + exclusions: {{ join "," .Values.logging.requestStatus.excludedPatterns }} diff --git a/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-request-db-adapter/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml b/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml index 6331656fce..4f526c0e5b 100755 --- a/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/configmap.yaml @@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,12 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + {{- if .Values.global.so.auth.enabled }} + ACTIVE_PROFILE: "basic" + {{- end }} --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml b/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml index fa9d3a6a4b..93eef57795 100755 
--- a/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml @@ -15,18 +15,11 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} 
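Review bot: the `selector:` line of this Deployment hunk now comes from `common.selectors`, replacing the literal `matchLabels: app: {{ include "common.name" . }}`, and `spec.selector` of an apps/v1 Deployment is immutable. If the helper renders any label set other than the old one, an in-place `helm upgrade` of an existing release is rejected until the Deployment is deleted and recreated. Please state in the release notes whether upgrading from the 12.x chart is supported. A smaller point in the same hunk: `revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}` has no `default`, so an override file that drops the key renders an empty value.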
@@ -34,30 +27,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
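Review bot: once this hunk removes the `so.certificate.container_importer` init container and the `KEYSTORE_PASSWORD` export, the container no longer receives a keystore, while the override.yaml in this patch still points at `http://` endpoints and passes `mso.adapters.requestDb.auth` as a Basic header. The credentials are therefore only protected in transit if something outside this chart encrypts pod-to-pod traffic. Please document that dependency (for example, a note in values.yaml that the chart expects mesh mTLS), or keep a TLS option for deployments that run without a mesh.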
@@ -71,28 +48,24 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config mountPath: /app/config readOnly: true -{{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + {{- include "so.helpers.startupProbe" .| indent 8 }} + {{- include "so.helpers.livenessProbe" .| indent 8 }} + ports: {{- include "common.containerPorts" . | nindent 10 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: - name: {{ include "common.fullname" . }}-app-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + name: {{ include "common.fullname" . }}-app-configmap + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-request-db-adapter/templates/service.yaml b/kubernetes/so/components/so-request-db-adapter/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-request-db-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/service.yaml 
@@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-request-db-adapter/values.yaml b/kubernetes/so/components/so-request-db-adapter/values.yaml index 6d24563dcf..174e857ec3 100755 --- a/kubernetes/so/components/so-request-db-adapter/values.yaml +++ b/kubernetes/so/components/so-request-db-adapter/values.yaml 
@@ -19,15 +19,21 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + so: + auth: + enabled: true + rbacEnabled: false readinessCheck: wait_for: @@ -58,9 +64,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/request-db-adapter:1.11.0 +image: onap/so/request-db-adapter:1.15.6 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 
@@ -75,30 +90,30 @@ mso: auth: Basic YnBlbDpwYXNzd29yZDEk replicaCount: 1 +revisionHistoryLimit: 1 minReadySeconds: 10 containerPort: &containerPort 8083 logPath: ./logs/reqdb/ app: request-db-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 + +logging: + requestStatus: + excludedPatterns: + - /manage/** ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-requestdb-cert-init - certInitializer: - nameOverride: so-requestdb-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.requestDbAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small 
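Review bot: `logging.requestStatus.excludedPatterns` in this hunk is set to `/manage/**`, which excludes every path under the management context, not just the probe target. The liveness probe in this chart only calls `/manage/health`, and the override.yaml keeps a dedicated `ACTUATOR` role for the management endpoints, so access to the non-health endpoints is exactly what an operator would want to see in the logs. Suggest narrowing the default to `/manage/health` and leaving wider exclusions to a site override.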
@@ -107,30 +122,40 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8083 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8083 + scheme: HTTP + periodSeconds: 20 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-admin-cockpit-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-etsi-sol005-adapter-read + - serviceAccount: so-nssmf-adapter-read + - serviceAccount: so-openstack-adapter-read + - serviceAccount: so-read + - serviceAccount: so-sdc-controller-read nodeSelector: {} tolerations: [] affinity: {} @@ -140,3 +165,17 @@ serviceAccount: nameOverride: so-request-db-adapter roles: - read + +podAnnotations: + # disable istio-based tracing + proxy.istio.io/config: | + tracing: + sampling: 0 + +tracing: + skipPatterns: + - /actuator/health/* + scheduled: + skipClasses: + - ScheduledDnsLookup + - ExternalTaskServiceUtils diff --git a/kubernetes/so/components/so-sdc-controller/Chart.yaml b/kubernetes/so/components/so-sdc-controller/Chart.yaml index e0db2678d4..df3031291f 100755 --- a/kubernetes/so/components/so-sdc-controller/Chart.yaml +++ b/kubernetes/so/components/so-sdc-controller/Chart.yaml 
@@ -17,24 +17,24 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-sdc-controller -version: 12.0.0 +version: 15.2.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml b/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml index 29a1cf7443..b349c8911f 100755 --- a/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-sdc-controller/resources/config/overrides/override.yaml @@ -21,6 +21,8 @@ server: {{- end }} port: {{ index .Values.containerPort }} spring: + application: + name: so-sdc-controller datasource: hikari: jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/catalogdb @@ -39,6 +41,21 @@ spring: username: mso_admin password: '$2a$10$Fh9ffgPw2vnmsghsRD3ZauBL1aKXebigbq3BB1RPWtE62UDILsjke' role: ACTUATOR + sleuth: + enabled: {{ .Values.global.tracing.enabled }} + messaging: + jms: + enabled: false + trace-id128: true + sampler: + probability: {{ .Values.global.tracing.sampling.probability }} + supports-join: false + web: + skip-pattern: {{ join "," .Values.tracing.skipPatterns }} + scheduled: + skip-pattern: .*({{ join "|" .Values.tracing.scheduled.skipClasses }}) + zipkin: + base-url: {{ .Values.global.tracing.collector.baseUrl }} request: datasource: hikari: 
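Review bot: in the added `sleuth:` block of the `@@ -39,6 +41,21 @@` hunk, `scheduled.skip-pattern: .*({{ join "|" .Values.tracing.scheduled.skipClasses }})` degrades silently when the list is empty. It renders `.*()`, a regex that matches every class name, so an override that clears `skipClasses` to trace everything would instead switch off tracing for all scheduled tasks. Please wrap the line in `{{- if .Values.tracing.scheduled.skipClasses }}`. Both `skip-pattern` values are also emitted unquoted, so a pattern that begins with `*` or contains `: ` would break the YAML; piping them through `quote` avoids that.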
@@ -51,49 +68,43 @@ request: mso: msoKey: {{ index .Values.mso.msoKey }} logPath: ./logs/sdc - config: - cadi: {{ include "so.cadi.keys" . | nindent 8}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} + auth: {{ .Values.mso.requestDb.auth }} site-name: onapheat camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/ adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.requestDb.auth )}} + auth: {{ .Values.mso.requestDb.auth }} aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} asdc-connections: asdc-controller1: user: mso - consumerGroup: SO-OpenSource-Env11 - consumerId: SO-COpenSource-Env11 - environmentName: AUTO - {{ if (include "common.needTLS" .) }} - asdcAddress: sdc-be.{{ include "common.namespace" . }}:8443 - {{ else }} - asdcAddress: sdc-be.{{ include "common.namespace" . }}:8080 + {{ with (first .Values.kafkaUser.acls) }} + consumerId: {{ .name }}-sdc-controller + consumerGroup: {{ .name }} {{ end }} + environmentName: AUTO + sdcAddress: sdc-be.{{ include "common.namespace" . 
}}:8080 password: {{ index .Values "mso" "asdc-connections" "asdc-controller1" "password" }} - pollingInterval: 60 - pollingTimeout: 60 + pollingInterval: 15 + pollingTimeout: 15 relevantArtifactTypes: HEAT,HEAT_ENV,HEAT_VOL - useHttpsWithDmaap: false - useHttpsWithSdc: {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + useHttpsWithSdc: false activateServerTLSAuth: false keyStorePassword: keyStorePath: watchDogTimeout: 300 isFitlerInEmptyResources: true - messageBusAddress: message-router.{{ include "common.namespace" . }},message-router.{{ include "common.namespace" . }} + httpsProxyHost: + httpProxyHost: + httpsProxyPort: 0 + httpProxyPort: 0 asdc: config: activity: diff --git a/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-sdc-controller/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml b/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml index 050aab9732..cb40c08f77 100755 --- a/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml 
+++ b/kubernetes/so/components/so-sdc-controller/templates/configmap.yaml @@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,10 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + ACTIVE_PROFILE: "basic" --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml index 55493f7c42..e3a0e2bec3 100755 --- a/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml @@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: 
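Review bot: in the configmap.yaml hunk (`@@ -27,6 +23,10 @@`), `ACTIVE_PROFILE: "basic"` is set unconditionally, while the matching hunk for so-request-db-adapter in this patch wraps the same line in `{{- if .Values.global.so.auth.enabled }}`. The flag therefore has no effect on so-sdc-controller, and the two components behave differently when it is set to false. Please either add the same guard here or note in values.yaml that the controller always runs with the basic profile.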
@@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -71,12 +47,16 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} + - name: SASL_JAAS_CONFIG + valueFrom: + secretKeyRef: + name: {{ include "common.name" . }}-ku + key: sasl.jaas.config envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
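Review bot: the new `SASL_JAAS_CONFIG` entry in the `@@ -71,12 +47,16 @@` hunk reads its secret from `{{ include "common.name" . }}-ku`, while every other object this Deployment references (the configmap, the log volume) is named with `common.fullname`. If the KafkaUser secret produced by `common.kafkauser` is release-prefixed, the `secretKeyRef` points at a secret that does not exist and the container cannot start. Please confirm which name the helper generates and use the same include here. Taking the JAAS config from a secret rather than from override.yaml is the right choice and worth keeping.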
@@ -85,14 +65,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -104,5 +81,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml b/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml new file mode 100644 index 0000000000..6fc37c3d01 --- /dev/null +++ b/kubernetes/so/components/so-sdc-controller/templates/kafkauser.yaml @@ -0,0 +1,16 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.kafkauser" . }} 
diff --git a/kubernetes/so/components/so-sdc-controller/templates/service.yaml b/kubernetes/so/components/so-sdc-controller/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-sdc-controller/templates/service.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/service.yaml @@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdc-controller/values.yaml b/kubernetes/so/components/so-sdc-controller/values.yaml index f006c0772c..77bd6ab713 100755 --- a/kubernetes/so/components/so-sdc-controller/values.yaml +++ b/kubernetes/so/components/so-sdc-controller/values.yaml 
@@ -19,20 +19,26 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' + soSdcListenerKafkaUser: so-sdc-list-user + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) readinessCheck: wait_for: + timeout: 30 jobs: - '{{ include "common.release" . }}-so-mariadb-config-job' + services: + - sdc-be ################################################################# # Secrets metaconfig @@ -58,9 +64,18 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdc-controller:1.11.0 +image: onap/so/sdc-controller:1.15.6 pullPolicy: Always +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 
@@ -87,26 +102,22 @@ minReadySeconds: 10 containerPort: &containerPort 8085 logPath: ./logs/sdc/ app: sdc-controller + service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort + updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-sdc-cert-init - certInitializer: - nameOverride: so-sdc-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.sdcControllerPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -115,34 +126,54 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "2" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "1" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "3" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} + livenessProbe: - path: /manage/health - port: 8085 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8085 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + ingress: enabled: false + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-read + nodeSelector: {} tolerations: [] affinity: {} +# Strimzi KafkaUser config +kafkaUser: + acls: + - name: SO + type: group + operations: [Read] + - name: SDC-DISTR + type: topic + patternType: prefix + operations: [Read, Write] + #Pods Service Account serviceAccount: nameOverride: so-sdc-controller 
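Review bot: the `kafkaUser.acls` list added in the `@@ -115,34 +126,54 @@` hunk is order-dependent, and nothing in the file says so. override.yaml derives `consumerId` and `consumerGroup` from `first .Values.kafkaUser.acls`, so the `SO` group entry must stay first. If the list is reordered, or a topic ACL is inserted above it, the consumer group silently becomes `SDC-DISTR`. Please add a comment to that effect, or look the entry up by `type: group` in the template. Also, the topic ACL grants `Read, Write` on the whole `SDC-DISTR` prefix. If the controller only writes to one of those topics, split the ACL so that Write is granted on that topic alone.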
@@ -153,3 +184,18 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +podAnnotations: + # disable istio-based tracing + proxy.istio.io/config: | + tracing: + sampling: 0 + +tracing: + skipPatterns: + - /actuator/health/* + scheduled: + skipClasses: + - ScheduledDnsLookup + - ExternalTaskServiceUtils + - ASDCControllerSingleton diff --git a/kubernetes/so/components/so-sdnc-adapter/Chart.yaml b/kubernetes/so/components/so-sdnc-adapter/Chart.yaml index 64464ac034..bffb50c64a 100755 --- a/kubernetes/so/components/so-sdnc-adapter/Chart.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/Chart.yaml @@ -17,21 +17,21 @@ apiVersion: v2 appVersion: "1.0" description: A Helm chart for Kubernetes name: so-sdnc-adapter -version: 12.0.0 +version: 15.2.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: soHelpers - version: ~12.x-0 + version: ~13.x-0 repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml index 119236b1b2..6e1771fa4d 100755 --- a/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/resources/config/overrides/override.yaml 
@@ -20,20 +20,20 @@ server: port: {{ index .Values.containerPort }} mso: msoKey: ${MSO_KEY} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "${AAF_AUTH}" "value2" "${MSO_AUTH}" )}} + auth: + user: so@so.onap.org + password: ${MSO_AUTH} async: core-pool-size: 50 max-pool-size: 50 queue-capacity: 500 logPath: ./logs/sdnc - config: - cadi: {{ include "so.cadi.keys" . | nindent 14}} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} site-name: onapheat #needs to be confirmed TODO workflow: @@ -112,7 +112,7 @@ org: changedelete: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf delete: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf rollback: POST|270000|sdncurl6|sdnc-request-header|org:onap:sdnctl:vnf - bpelauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.bpelauth )}} + bpelauth: {{ .Values.org.onap.so.adapters.sdnc.bpelauth }} bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/SDNCAdapterCallbackService opticalservice: optical-service-create: 
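Review bot: in the `@@ -20,20 +20,20 @@` hunk, `mso.auth` changes from a single string to a map with `user: so@so.onap.org` and `password: ${MSO_AUTH}`, so the same environment variable that used to carry the entire auth value is now used as the password alone. If the secret behind `MSO_AUTH` still holds the old combined value, authentication fails at runtime and nothing catches it at render time. Please confirm that the secret is updated in the same change. Consider moving the user name to values.yaml too, so that it is not hard-coded in the template.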
@@ -157,18 +157,18 @@ org: myurl: http://so-sdnc-adapter.{{ include "common.namespace" . }}:8086/adapters/rest/SDNCNotify rest: bpelurl: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/mso/WorkflowMessage - sdncauth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.org.onap.so.adapters.sdnc.sdncauth )}} + sdncauth: {{ .Values.org.onap.so.adapters.sdnc.sdncauth }} sdncconnecttime: 5000 - sdncurl10: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/GENERIC-RESOURCE-API:' - sdncurl11: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/VNFTOPOLOGYAIC-API:' + sdncurl10: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/GENERIC-RESOURCE-API:' + sdncurl11: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/VNFTOPOLOGYAIC-API:' sdncurl12: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/' - sdncurl13: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/opticalservice:' - sdncurl5: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/config' - sdncurl6: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/VNF-API:' - sdncurl7: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/L3UCPE-API:' - sdncurl8: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . 
}}:{{ .Values.global.sdncOamPort }}/restconf/operations/NBNC-API:' - sdncurl9: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/NORTHBOUND-API:service-topology-operation' - sdncurl20: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/restconf/operations/LCM:' + sdncurl13: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/opticalservice:' + sdncurl5: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/data' + sdncurl6: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/VNF-API:' + sdncurl7: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/L3UCPE-API:' + sdncurl8: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/NBNC-API:' + sdncurl9: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/NORTHBOUND-API:service-topology-operation' + sdncurl20: 'http://{{ .Values.global.sdncOamService }}.{{ include "common.namespace" . }}:{{ .Values.global.sdncOamPort }}/rests/operations/LCM:' service: infra: service-topology-infra-activate-operation: POST|90000|sdncurl9|sdnc-request-header|com:att:sdnctl:northbound-api:v1 @@ -187,6 +187,8 @@ org: network: encryptionKey: {{ index .Values.org.onap.so.adapters.sdnc.network.encryptionKey }} spring: + application: + name: so-sdnc-adapter security: usercredentials: - 
@@ -213,3 +215,16 @@ spring: username: mso_admin password: '$2a$10$Fh9ffgPw2vnmsghsRD3ZauBL1aKXebigbq3BB1RPWtE62UDILsjke' role: ACTUATOR + sleuth: + enabled: {{ .Values.global.tracing.enabled }} + messaging: + jms: + enabled: false + trace-id128: true + sampler: + probability: {{ .Values.global.tracing.sampling.probability }} + supports-join: false + web: + skip-pattern: /actuator/health/* + zipkin: + base-url: {{ .Values.global.tracing.collector.baseUrl }} diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-sdnc-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml index 050aab9732..eeab0f72cd 100755 --- a/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/configmap.yaml 
@@ -17,7 +17,7 @@ apiVersion: v1 data: LOG_PATH: {{ index .Values.logPath }} APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} + ACTIVE_PROFILE: "basic" kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml index b95e0b58a3..e298069233 100755 --- a/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml @@ -15,17 +15,9 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ index .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: 
@@ -34,28 +26,12 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} @@ -73,14 +49,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-adapter-mso-key" "key" "password") | indent 10 }} - name: MSO_AUTH {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-adapter-mso-auth" "key" "password") | indent 10 }} - - name: AAF_AUTH - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "sdnc-adapter-aaf-auth" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config 
@@ -89,14 +62,11 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{- include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config @@ -108,5 +78,4 @@ spec: {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml index 5b8dee0774..495f828bfb 100755 --- a/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/service.yaml 
@@ -13,28 +13,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-sdnc-adapter/values.yaml b/kubernetes/so/components/so-sdnc-adapter/values.yaml index 1562a37ddd..eb6f0b8e9d 100755 --- a/kubernetes/so/components/so-sdnc-adapter/values.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/values.yaml 
@@ -22,17 +22,17 @@ global: #This configuration specifies Service and port for SDNC OAM interface sdncOamService: sdnc-oam sdncOamPort: 8282 - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 - #encryptedSecret: some secret mariadbGalera: - serviceName: mariadb-galera + # flag to enable the DB creation via mariadb-operator + useOperator: true + service: mariadb-galera servicePort: '3306' + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) ################################################################# # Secrets metaconfig @@ -55,11 +55,6 @@ secrets: type: password externalSecret: '{{ tpl (default "" .Values.mso.msoKeySecret) . }}' password: '{{ .Values.mso.msoKey }}' - - uid: sdnc-adapter-aaf-auth - name: '{{ include "common.release" . }}-so-sdnc-aaf-auth' - type: password - externalSecret: '{{ tpl (default "" .Values.global.aaf.auth.encryptedSecret) . }}' - password: '{{ .Values.global.aaf.auth.encrypted }}' - uid: sdnc-adapter-mso-auth name: '{{ include "common.release" . }}-so-sdnc-mso-auth' type: password @@ -72,7 +67,7 @@ secrets: ################################################################# # Application configuration defaults. ################################################################# -image: onap/so/sdnc-adapter:1.11.0 +image: onap/so/sdnc-adapter:1.15.6 pullPolicy: Always org: @@ -93,6 +88,15 @@ mso: requestDb: auth: Basic YnBlbDpwYXNzd29yZDEk +# Local mariadb galera instance default name +mariadb-galera: + nameOverride: so-mariadb-galera + service: + internalPort: 3306 + mariadbOperator: + galera: + enabled: false + db: userName: so_user userPassword: so_User123 
@@ -107,26 +111,19 @@ containerPort: &containerPort 8086 logPath: ./logs/sdnc/ app: sdnc-adapter service: - type: ClusterIP - internalPort: *containerPort - externalPort: *containerPort - portName: http + type: ClusterIP + ports: + - name: http + port: *containerPort updateStrategy: - type: RollingUpdate - maxUnavailable: 1 - maxSurge: 1 - + type: RollingUpdate + maxUnavailable: 1 + maxSurge: 1 ################################################################# # soHelpers part ################################################################# soHelpers: - nameOverride: so-sdnc-cert-init - certInitializer: - nameOverride: so-sdnc-cert-init - credsPath: /opt/app/osaaf/local - cadi: - apiEnforcement: org.onap.so.sdncAdapterPerm containerPort: *containerPort # Resource Limit flavor -By Default using small @@ -135,30 +132,36 @@ flavor: small resources: small: limits: - memory: 4Gi - cpu: 2000m + cpu: "1" + memory: "1.5Gi" requests: - memory: 1Gi - cpu: 500m + cpu: "0.5" + memory: "1.5Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "3Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "3Gi" unlimited: {} livenessProbe: - path: /manage/health - port: 8086 - scheme: HTTP - initialDelaySeconds: 600 - periodSeconds: 60 - timeoutSeconds: 10 - successThreshold: 1 - failureThreshold: 3 + path: /manage/health + port: 8086 + scheme: HTTP + initialDelaySeconds: 600 + periodSeconds: 60 + timeoutSeconds: 10 + successThreshold: 1 + failureThreshold: 3 ingress: enabled: false +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: robot-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: so-read nodeSelector: {} tolerations: [] affinity: {} @@ -173,3 +176,9 @@ serviceAccount: log: path: /var/log/onap logConfigMapNamePrefix: '{{ include "common.fullname" . }}' + +podAnnotations: + # disable istio-based tracing + proxy.istio.io/config: | + tracing: + sampling: 0 
diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml index 1b4294af2f..d45c89ca71 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/Chart.yaml @@ -17,24 +17,21 @@ apiVersion: v2 description: ONAP SO VE VNFM Adapter (SOL002) name: so-ve-vnfm-adapter -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - - name: soHelpers - version: ~12.x-0 - repository: 'file://../soHelpers' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml index 1a96abf9cb..606ceb4fcc 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/resources/config/overrides/override.yaml 
@@ -21,18 +21,10 @@ server: port: {{ include "common.getPort" (dict "global" . "name" "http") }} vevnfmadapter: - {{ if (include "common.needTLS" .) }} - endpoint: https://msb-iag:30283/api/{{ include "common.servicename" . }}/v1 - {{ else }} - endpoint: http://msb-iag:30283/api/{{ include "common.servicename" . }}/v1 - {{ end }} + endpoint: http://msb-iag:80/api/{{ include "common.servicename" . }}/v1 aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} dmaap: endpoint: http://message-router.{{ include "common.namespace" . }}:3904 diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/authorizationpolicy.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml index 9a6b79c440..e322b60e48 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml 
+++ b/kubernetes/so/components/so-ve-vnfm-adapter/templates/deployment.yaml @@ -24,7 +24,7 @@ spec: metadata: labels: {{- include "common.labels" . | nindent 8 }} spec: - initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} + initContainers: {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} @@ -34,7 +34,7 @@ spec: image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 12 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -47,9 +47,9 @@ spec: periodSeconds: {{ .Values.livenessProbe.periodSeconds}} successThreshold: {{ .Values.livenessProbe.successThreshold}} failureThreshold: {{ .Values.livenessProbe.failureThreshold}} - ports: {{- include "common.containerPorts" . | nindent 10 }} + ports: {{- include "common.containerPorts" . | nindent 12 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 8 }} + volumes: - name: logs emptyDir: {} - name: config diff --git a/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml b/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml index 8e8236cfb4..0e252ff376 100755 --- a/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml +++ b/kubernetes/so/components/so-ve-vnfm-adapter/values.yaml @@ -20,8 +20,9 @@ global: readinessCheck: wait_for: - - aai - - message-router + services: + - aai + - message-router ################################################################# # Application configuration defaults. 
@@ -48,31 +49,22 @@ service: - name: http port: 9098 -################################################################# -# soHelpers part -################################################################# -soHelpers: - nameOverride: so-vevnfm-cert-init - certInitializer: - nameOverride: so-vevnfm-cert-init - credsPath: /opt/app/osaaf/local - flavor: small resources: small: limits: - memory: 512Mi - cpu: 500m + cpu: "1" + memory: "1Gi" requests: - memory: 256Mi - cpu: 250m + cpu: "0.5" + memory: "1Gi" large: limits: - memory: 8Gi - cpu: 4000m + cpu: "2" + memory: "2Gi" requests: - memory: 2Gi - cpu: 1000m + cpu: "1" + memory: "2Gi" unlimited: {} livenessProbe: port: 9098 @@ -85,6 +77,11 @@ nodeSelector: {} tolerations: [] affinity: {} +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: so-read + #Pods Service Account serviceAccount: nameOverride: so-ve-vnfm-adapter diff --git a/kubernetes/so/components/soHelpers/Chart.yaml b/kubernetes/so/components/soHelpers/Chart.yaml index bf300e3f3b..280e3e237e 100755 --- a/kubernetes/so/components/soHelpers/Chart.yaml +++ b/kubernetes/so/components/soHelpers/Chart.yaml @@ -16,15 +16,12 @@ apiVersion: v2 description: A Helm chart for SO helpers name: soHelpers -version: 12.0.0 +version: 13.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl b/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl deleted file mode 100644 index 7e04706d4a..0000000000 --- a/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- define "so.cadi.keys" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -cadiLoglevel: {{ $initRoot.cadi.logLevel }} -cadiKeyFile: {{ $initRoot.certInitializer.credsPath }}/{{ $initRoot.certInitializer.fqi_namespace }}.keyfile -cadiTrustStore: {{ $initRoot.certInitializer.credsPath }}/truststoreONAPall.jks -cadiTruststorePassword: ${TRUSTSTORE_PASSWORD} -cadiLatitude: {{ $initRoot.cadi.latitude }} -cadiLongitude: {{ $initRoot.cadi.longitude }} -aafEnv: {{ $initRoot.cadi.aafEnv }} -aafApiVersion: {{ $initRoot.cadi.aafApiVersion }} -aafRootNs: {{ $initRoot.cadi.aafRootNs }} -aafId: {{ $initRoot.cadi.aafId }} -aafPassword: {{ $initRoot.cadi.aafPassword }} -aafLocateUrl: {{ $initRoot.cadi.aafLocateUrl }} -aafUrl: {{ $initRoot.cadi.aafUrl }} -apiEnforcement: {{ $initRoot.cadi.apiEnforcement }} -{{- if ($initRoot.cadi.noAuthn) }} -noAuthn: {{ $initRoot.cadi.noAuthn }} -{{- end }} -{{- end }} diff --git a/kubernetes/so/components/soHelpers/templates/_certificates.tpl b/kubernetes/so/components/soHelpers/templates/_certificates.tpl deleted file mode 100644 index cda61b2cfa..0000000000 --- a/kubernetes/so/components/soHelpers/templates/_certificates.tpl +++ /dev/null 
@@ -1,34 +0,0 @@ -{{- define "so.certificate.container_importer" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{ include "common.certInitializer.initContainer" $subchartDot }} -{{- end -}} - -{{- define "so.certificate.volumes" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{ include "common.certInitializer.volumes" $subchartDot }} -{{- end -}} - -{{- define "so.certificate.volumeMount" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{ include "common.certInitializer.volumeMount" $subchartDot }} -{{- end -}} - -{{- define "so.certificates.env" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} -{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} -{{- if $dot.Values.global.aafEnabled }} -- name: TRUSTSTORE - value: {{ $subchartDot.Values.certInitializer.credsPath }}/truststoreONAPall.jks -{{- if $dot.Values.global.security.aaf.enabled }} -- name: KEYSTORE - value: {{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.certInitializer.fqi_namespace }}.p12 -{{- end }} -{{- end }} -{{- end -}} diff --git a/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl b/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl index cde94742c6..70ea57c709 100644 --- a/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl +++ b/kubernetes/so/components/soHelpers/templates/_livenessProbe.tpl 
@@ -7,12 +7,9 @@ livenessProbe: path: {{ $subchartDot.Values.livenessProbe.path }} port: {{ $subchartDot.Values.containerPort }} scheme: {{ $subchartDot.Values.livenessProbe.scheme }} - {{- if $subchartDot.Values.global.security.aaf.enabled }} - httpHeaders: - - name: Authorization - value: {{ $subchartDot.Values.global.aaf.auth.header }} - {{- end }} +{{- if $subchartDot.Values.livenessProbe.initialDelaySeconds }} initialDelaySeconds: {{ $subchartDot.Values.livenessProbe.initialDelaySeconds }} +{{- end }} periodSeconds: {{ $subchartDot.Values.livenessProbe.periodSeconds }} timeoutSeconds: {{ $subchartDot.Values.livenessProbe.timeoutSeconds }} successThreshold: {{ $subchartDot.Values.livenessProbe.successThreshold }} diff --git a/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl b/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl deleted file mode 100644 index 56910ebebd..0000000000 --- a/kubernetes/so/components/soHelpers/templates/_profileProperty.tpl +++ /dev/null @@ -1,3 +0,0 @@ -{{- define "so.helpers.profileProperty" -}} - {{ if .condition }}{{ .value1 }}{{ else }}{{ .value2 }}{{ end }} -{{- end -}} diff --git a/kubernetes/so/components/soHelpers/templates/_startupProbe.tpl b/kubernetes/so/components/soHelpers/templates/_startupProbe.tpl new file mode 100644 index 0000000000..3ea89160b7 --- /dev/null +++ b/kubernetes/so/components/soHelpers/templates/_startupProbe.tpl 
@@ -0,0 +1,14 @@ +{{- define "so.helpers.startupProbe" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.soHelpers .initRoot -}} +{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} +startupProbe: + httpGet: + path: {{ $subchartDot.Values.startupProbe.path }} + port: {{ $subchartDot.Values.containerPort }} + scheme: {{ $subchartDot.Values.startupProbe.scheme }} + periodSeconds: {{ $subchartDot.Values.startupProbe.periodSeconds }} + timeoutSeconds: {{ $subchartDot.Values.startupProbe.timeoutSeconds }} + successThreshold: {{ $subchartDot.Values.startupProbe.successThreshold }} + failureThreshold: {{ $subchartDot.Values.startupProbe.failureThreshold }} +{{- end -}} diff --git a/kubernetes/so/components/soHelpers/values.yaml b/kubernetes/so/components/soHelpers/values.yaml index 2417d2553c..60a71f4de0 100755 --- a/kubernetes/so/components/soHelpers/values.yaml +++ b/kubernetes/so/components/soHelpers/values.yaml 
@@ -16,61 +16,25 @@ # Global configuration defaults. ################################################################# global: - aafAgentImage: onap/aaf/aaf_agent:2.1.20 msbEnabled: true - security: - aaf: - enabled: false app: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 -################################################################# -# AAF part -################################################################# -certInitializer: - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: so - fqi: so@so.onap.org - public_fqdn: so.onap.org - fqi_namespace: org.onap.so - cadi_longitude: '0.0' - cadi_latitude: '0.0' - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop - echo "TRUSTSTORE_PASSWORD={{ .Values.truststorePassword }}" >> {{ .Values.credsPath }}/mycreds.prop - -aafConfig: - permission_user: 1000 - permission_group: 999 - ################################################################# # Application configuration defaults. ################################################################# +startupProbe: + path: /manage/health + scheme: HTTP + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 120 livenessProbe: path: /manage/health scheme: HTTP - initialDelaySeconds: 600 periodSeconds: 60 timeoutSeconds: 10 successThreshold: 1 failureThreshold: 3 - -cadi: - logLevel: DEBUG - latitude: 38.4329 - longitude: -90.43248 - aafEnv: IST - aafApiVersion: 2.1 - aafRootNs: org.onap.so - aafLocateUrl: https://aaf-locate.onap:8095 - aafUrl: https://aaf-locate.onap:8095/locate/org.osaaf.aaf.service:2.1 - aafId: so@so.onap.org - aafPassword: enc:EME-arXn2lx8PO0f2kEtyK7VVGtAGWavXorFoxRmPO9 - apiEnforcement: org.onap.so.apihPerm - noAuthn: /manage/health 
diff --git a/kubernetes/so/resources/config/log/logback.apihandler-infra.xml b/kubernetes/so/resources/config/log/logback.apihandler-infra.xml index 6221c11477..494813fd84 100755 --- a/kubernetes/so/resources/config/log/logback.apihandler-infra.xml +++ b/kubernetes/so/resources/config/log/logback.apihandler-infra.xml @@ -130,7 +130,7 @@ - + diff --git a/kubernetes/so/resources/config/mso/mso-docker.json b/kubernetes/so/resources/config/mso/mso-docker.json index 119a31304a..9a8284c3e9 100755 --- a/kubernetes/so/resources/config/mso/mso-docker.json +++ b/kubernetes/so/resources/config/mso/mso-docker.json 
@@ -58,15 +58,15 @@ { "sdncurls": [ - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/L3SDN-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/config/L3SDN-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/Firewall-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/config", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/VNF-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/NBNC-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/NORTHBOUND-API:service-topology-operation", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/GENERIC-RESOURCE-API:", - "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/restconf/operations/VNFTOPOLOGYAIC-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/L3SDN-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/data/L3SDN-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/Firewall-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/data", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/VNF-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/NBNC-API:", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/NORTHBOUND-API:service-topology-operation", + "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/GENERIC-RESOURCE-API:", + 
"http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/rests/operations/VNFTOPOLOGYAIC-API:", "http://{{.Values.config.sdnc.serviceName}}:{{.Values.config.sdnc.port}}/" ], diff --git a/kubernetes/so/resources/config/overrides/override.yaml b/kubernetes/so/resources/config/overrides/override.yaml index 48b75c72e9..819557fbcc 100755 --- a/kubernetes/so/resources/config/overrides/override.yaml +++ b/kubernetes/so/resources/config/overrides/override.yaml @@ -1,10 +1,6 @@ aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} + auth: {{ .Values.mso.aai.auth }} server: port: {{ index .Values.containerPort }} tomcat: @@ -17,16 +13,15 @@ mso: adapters: requestDb: endpoint: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} catalog: db: spring: endpoint: http://so-catalog-db-adapter.{{ include "common.namespace" . }}:8082 db: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.adapters.requestDb.auth )}} + auth: {{ .Values.mso.adapters.requestDb.auth }} config: path: /src/main/resources/ - cadi: {{ include "so.cadi.keys" . | nindent 10}} infra: default: alacarte: 
@@ -38,33 +33,25 @@ mso: default: testApi: GR_API camundaURL: http://so-bpmn-infra.{{ include "common.namespace" . }}:8081/ - camundaAuth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.camundaAuth )}} + camundaAuth: {{ .Values.mso.camundaAuth }} async: core-pool-size: 50 max-pool-size: 50 queue-capacity: 500 sdc: client: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.sdc.client.auth )}} + auth: {{ .Values.mso.sdc.client.auth }} activate: instanceid: test userid: cs0008 - {{ if (include "common.needTLS" .) }} - endpoint: https://sdc-be.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://sdc-be.{{ include "common.namespace" . }}:8080 - {{ end }} tenant: isolation: retry: count: 3 aai: - {{ if (include "common.needTLS" .) }} - endpoint: https://aai.{{ include "common.namespace" . }}:8443 - {{ else }} endpoint: http://aai.{{ include "common.namespace" . }}:80 - {{ end }} - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.aai.auth )}} + auth: {{ .Values.mso.aai.auth }} extApi: endpoint: http://nbi.onap:8080/nbi/api/v3 
@@ -74,17 +61,19 @@ mso: username: testuser password: VjR5NDcxSzA= host: http://dmaap-bc.{{ include "common.namespace" . }}:8080 - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.encrypted "value2" .Values.mso.so.operationalEnv.dmaap.auth )}} + auth: {{ .Values.mso.so.operationalEnv.dmaap.auth }} publisher: topic: com.att.ecomp.mso.operationalEnvironmentEvent health: - auth: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" .Values.global.aaf.auth.header "value2" .Values.mso.health.auth )}} + auth: {{ .Values.mso.health.auth }} endpoints: - subsystem: apih uri: http://so-bpmn-infra:8081 - subsystem: catalogdb uri: http://so-catalog-db-adapter:8082 spring: + application: + name: so-api-handler-infra datasource: hikari: jdbcUrl: jdbc:mariadb://${DB_HOST}:${DB_PORT}/catalogdb @@ -96,6 +85,7 @@ spring: jersey: type: filter security: + rbacEnabled: {{ .Values.global.so.auth.rbacEnabled }} usercredentials: - username: sitecontrol @@ -121,6 +111,21 @@ spring: username: mso_admin password: '$2a$10$Fh9ffgPw2vnmsghsRD3ZauBL1aKXebigbq3BB1RPWtE62UDILsjke' role: ACTUATOR + sleuth: + enabled: {{ .Values.global.tracing.enabled }} + messaging: + jms: + enabled: false + trace-id128: true + sampler: + probability: {{ .Values.global.tracing.sampling.probability }} + supports-join: false + web: + skip-pattern: {{ join "," .Values.tracing.skipPatterns }} + scheduled: + skip-pattern: .*({{ join "|" .Values.tracing.scheduled.skipClasses }}) + zipkin: + base-url: {{ .Values.global.tracing.collector.baseUrl }} request: datasource: hikari: diff --git a/kubernetes/so/templates/authorizationpolicy.yaml b/kubernetes/so/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/templates/authorizationpolicy.yaml 
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/templates/configmap.yaml b/kubernetes/so/templates/configmap.yaml index c55bf573f1..0c66ed4abf 100755 --- a/kubernetes/so/templates/configmap.yaml +++ b/kubernetes/so/templates/configmap.yaml @@ -14,10 +14,6 @@ # limitations under the License. */}} apiVersion: v1 -data: - LOG_PATH: {{ index .Values.logPath }} - APP: {{ index .Values.app }} - ACTIVE_PROFILE: {{ include "so.helpers.profileProperty" (dict "condition" .Values.global.security.aaf.enabled "value1" "aaf" "value2" "basic")}} kind: ConfigMap metadata: name: {{ include "common.fullname" . }}-configmap @@ -27,6 +23,12 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} +data: + LOG_PATH: {{ index .Values.logPath }} + APP: {{ index .Values.app }} + {{- if .Values.global.so.auth.enabled }} + ACTIVE_PROFILE: "basic" + {{- end }} --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml index 99a5eff0e7..dcf04b0f9a 100755 --- a/kubernetes/so/templates/deployment.yaml +++ b/kubernetes/so/templates/deployment.yaml 
@@ -15,18 +15,10 @@ */}} apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.fullname" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ index .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} minReadySeconds: {{ index .Values.minReadySeconds }} strategy: type: {{ index .Values.updateStrategy.type }} @@ -34,30 +26,14 @@ spec: maxUnavailable: {{ index .Values.updateStrategy.maxUnavailable }} maxSurge: {{ index .Values.updateStrategy.maxSurge }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: initContainers: - {{ include "so.certificate.container_importer" . | indent 6 | trim }} {{ include "common.readinessCheck.waitFor" . | indent 6 | trim }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - resources: {{ include "common.resources" . | nindent 12 }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - {{- if .Values.global.security.aaf.enabled }} - export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" - {{- end }} - /app/start-app.sh - {{- end }} + resources: {{ include "common.resources" . | nindent 10 }} env: - name: DB_HOST value: {{ include "common.mariadbService" . }} 
@@ -71,12 +47,11 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} - {{ include "so.certificates.env" . | indent 8 | trim }} envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} + volumeMounts: - name: logs mountPath: /app/logs - name: config @@ -85,24 +60,20 @@ spec: - name: {{ include "common.fullname" . }}-logs mountPath: {{ .Values.log.path }} {{ include "so.helpers.livenessProbe" .| indent 8 }} - ports: - - containerPort: {{ index .Values.containerPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - protocol: TCP + ports: {{ include "common.containerPorts" . | nindent 10 }} # Filebeat sidecar container {{ include "common.log.sidecar" . | nindent 6 }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} - volumes: {{ include "so.certificate.volumes" . | nindent 6 }} + volumes: - name: logs emptyDir: {} - name: config configMap: - name: {{ include "common.fullname" . }}-app-configmap + name: {{ include "common.fullname" . }}-app-configmap - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log {{ include "common.log.volumes" . | nindent 6 }} - name: {{ include "common.fullname" . }}-logs emptyDir: {} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/so/templates/ingress.yaml b/kubernetes/so/templates/ingress.yaml index 8f87c68f1e..9bef773eda 100644 --- a/kubernetes/so/templates/ingress.yaml +++ b/kubernetes/so/templates/ingress.yaml 
@@ -1 +1,17 @@ +{{/* +# Copyright © 2018 AT&T USA +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/so/templates/service.yaml b/kubernetes/so/templates/service.yaml index 5a83d566ac..21a6a77e27 100755 --- a/kubernetes/so/templates/service.yaml +++ b/kubernetes/so/templates/service.yaml 
@@ -13,391 +13,5 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments/{operationalEnvironmentId}/activate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResources/{version:[vV][1]}/operationalEnvironments/{operationalEnvironmentId}/deactivate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResourcesRequests/{version:[vV][1]}/{requestId}/unlock", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/cloudResourcesRequests/{version:[vV][1]}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}/{requestId}", - "protocol": "REST", - "port": "{{ 
.Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/orchestrationRequests/{version:[vV][4-7]}/{requestId}/unlock", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/activate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/deactivate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][7]}/serviceInstances/assign", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/unassign", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/enablePort", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/disablePort", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/activate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/configurations/{configurationInstanceId}/deactivate", 
- "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/addRelationships", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/removeRelationships", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/replace", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/applyUpdatedConfig", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}/replace", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][6-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/inPlaceSoftwareUpdate", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/{vfmoduleInstanceId}/deactivateAndCloudDelete", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/vfModules/scaleOut", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/vnfs/{vnfInstanceId}/volumeGroups/{volumeGroupInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiation/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": 
"/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks/{networkInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - }, - { - "serviceName": "so", - "version": "v1", - "url": "/onap/so/infra/serviceInstantiationRequests/{version:[vV][5-7]}/serviceInstances/{serviceInstanceId}/networks/{networkInstanceId}", - "protocol": "REST", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"0", - "lb_policy":"ip_hash" - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + +{{ include "common.service" . }} diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index cc63ca50c0..2c5fa36fd5 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -1,6 +1,8 @@ # Copyright © 2018 AT&T USA # Copyright © 2020 Huawei # Copyright © 2021 Orange +# Copyright © 2024 Deutsche Telekom Intellectual Property. All rights reserved. +# Modifications Copyright © 2023 Nordix Foundation # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at 
@@ -18,19 +20,19 @@ global: nodePortPrefix: 302 nodePortPrefixExt: 304 - aafAgentImage: onap/aaf/aaf_agent:2.1.20 centralizedLoggingEnabled: true mariadbGalera: + # flag to enable the DB creation via mariadb-operator + useOperator: true nameOverride: mariadb-galera - serviceName: mariadb-galera servicePort: '3306' service: mariadb-galera internalPort: '3306' - # mariadbRootPassword: secretpassword - # rootPasswordExternalSecret: some secret - #This flag allows SO to instantiate its own mariadb-galera cluster, - #serviceName and nameOverride should be so-mariadb-galera if this flag is enabled + # This flag allows SO to instantiate its own mariadb-galera cluster, + # serviceName and nameOverride should be so-mariadb-galera if this flag is enabled localCluster: false + # (optional) if localCluster=false and an external secret is used set this variable + #userRootSecret: persistence: mountPath: /dockerdata-nfs #This configuration specifies Service and port for SDNC OAM interface @@ -45,22 +47,20 @@ global: dbUser: root dbPassword: secretpassword # dbCredsExternalSecret: some secret - msbEnabled: true - security: - aaf: - enabled: false - aaf: - auth: - header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= - encrypted: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 app: siteName: onapheat auth: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 defaultCloudOwner: onap - - certificates: - path: /etc/ssl/certs - share_path: /usr/local/share/ca-certificates/ + tracing: + enabled: false + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + so: + auth: + enabled: true + rbacEnabled: false readinessCheck: wait_for: 
@@ -74,11 +74,24 @@ secrets: - uid: db-root-pass name: &dbRootPassSecretName '{{ include "common.release" . }}-so-db-root-pass' type: password - externalSecret: '{{ .Values.global.mariadbGalera.localCluster | ternary - .Values.global.mariadbGalera.rootPasswordExternalSecret - (default (include "common.mariadb.secret.rootPassSecretName" - (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) - .Values.global.mariadbGalera.rootPasswordExternalSecret) }}' + # If we're using shared mariadb, we need to use the secret name (second + # part). + # If not, we do the same trick than for user db secret hat allows you + # override this secret using external one with the same field that is used + # to pass this to subchart. + externalSecret: '{{ .Values.global.mariadbGalera.localCluster | + ternary (( hasSuffix "so-db-root-pass" (index .Values "mariadb-galera" "rootUser" "externalSecret")) | + ternary + "" + (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) + ) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' password: '{{ .Values.global.mariadbGalera.mariadbRootpassword }}' - uid: db-backup-creds name: &dbBackupCredsSecretName '{{ include "common.release" . }}-so-db-backup-creds' 
@@ -129,13 +142,6 @@ secrets: login: '{{ .Values.server.bpel.username }}' password: '{{ .Values.server.bpel.password }}' passwordPolicy: required - - uid: so-aaf-creds - name: &aaf-secrets '{{ include "common.release" . }}-so-server-aaf-creds' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.server.aafCredsExternalSecret) . }}' - login: '{{ .Values.server.aaf.username }}' - password: '{{ .Values.server.aaf.password }}' - passwordPolicy: required - uid: so-aai-creds name: &aai-secrets '{{ include "common.release" . }}-so-server-aai-creds' type: basicAuth @@ -144,32 +150,7 @@ secrets: password: '{{ .Values.server.aai.password }}' passwordPolicy: required -aafConfig: - permission_user: 1000 - permission_group: 999 - -aaf: - trustore: org.onap.so.trust.jks - -################################################################# -# AAF part for Ingress -################################################################# -certInitializer: - nameOverride: so-tls-cert - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: so - fqi: so@so.onap.org - public_fqdn: so.onap.org - fqi_namespace: org.onap.so - cadi_longitude: '0.0' - cadi_latitude: '0.0' - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - ingressTlsSecret: '{{ include "common.release" . }}-so-ingress-certs' - -################################################################# +################################################################## # Application configuration defaults. ################################################################# @@ -182,13 +163,9 @@ dbCreds: userName: so_user adminName: so_admin -image: onap/so/api-handler-infra:1.11.0 +image: onap/so/api-handler-infra:1.15.6 server: - aaf: - username: so@so.onap.org - password: demo123456 - # aafCredsExternalSecret: some secret aai: username: aai@aai.onap.org password: demo123456! 
@@ -210,45 +187,41 @@ logPath: ./logs/apih/ app: api-handler-infra service: type: NodePort - nodePort: 77 internalPort: *containerPort - externalPort: *containerPort - portName: http + ports: + - name: http + port: *containerPort + nodePort: '77' + updateStrategy: type: RollingUpdate maxUnavailable: 1 maxSurge: 1 -################################################################# +################################################################ # soHelpers part ################################################################# soHelpers: - nameOverride: so-apih-cert-init - certInitializer: - nameOverride: so-apih-cert-init - credsPath: /opt/app/osaaf/local containerPort: *containerPort # Resource Limit flavor -By Default using small flavor: small # Segregation for Different environment (Small and Large) -persistence: - certificatesPath: /certificates resources: small: limits: - cpu: 2000m - memory: 4Gi + cpu: "1500m" + memory: "4Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "0.5" + memory: "1Gi" large: limits: - cpu: 4000m - memory: 8Gi + cpu: "2" + memory: "8Gi" requests: - cpu: 1000m - memory: 2Gi + cpu: "1" + memory: "2Gi" unlimited: {} nodeSelector: {} @@ -266,11 +239,18 @@ config: # --set so.global.mariadbGalera.localCluster=true \ # --set so.global.mariadbGalera.nameOverride=so-mariadb-galera \ # --set so.global.mariadbGalera.serviceName=so-mariadb-galera -mariadb-galera: +mariadb-galera: &mariadbGalera rootUser: externalSecret: *dbRootPassSecretName nameOverride: &so-mariadb so-mariadb-galera replicaCount: 1 + service: + name: *so-mariadb + portName: *so-mariadb + internalPort: 3306 + mariadbOperator: + galera: + enabled: false persistence: mountSubPath: so/mariadb-galera/data enabled: true 
@@ -283,9 +263,18 @@ ingress: - baseaddr: 'so-api' name: 'so' port: 8080 - config: - tls: - secret: '{{ include "common.release" . }}-so-ingress-certs' + +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: consul-read + - serviceAccount: consul-server-read + - serviceAccount: nbi-read + - serviceAccount: policy-drools-pdp-read + - serviceAccount: so-bpmn-infra-read + - serviceAccount: robot-read + - serviceAccount: istio-ingress + namespace: istio-ingress mso: adapters: 
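Review bot: the new `serviceMesh.authorizationPolicy.authorizedPrincipals` list in the `@@ -283,9 +263,18 @@ ingress:` hunk has no comment saying why each service account needs to reach SO. Please document the callers, and if any entry (for example `robot-read`) is only needed in test deployments, make it overridable rather than part of the default allow list. The same hunk removes `config.tls.secret` from the ingress entry without a replacement, so it is worth stating in the commit message or a comment where TLS is terminated now.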
@@ -308,49 +297,69 @@ mso: health: auth: basic bXNvX2FkbWlufHBhc3N3b3JkMSQ= -so-appc-orchestrator: - enabled: false - server: - actuatorCredsExternalSecret: *actuator-secrets - db: - <<: *dbSecrets - so-bpmn-infra: + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets logConfigMapNamePrefix: '{{ include "common.release" . }}-so' so-catalog-db-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-cnf-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets server: - aafCredsExternalSecret: *aaf-secrets aaiCredsExternalSecret: *aai-secrets actuatorCredsExternalSecret: *actuator-secrets mso: msoKeySecret: *mso-key +so-cnfm-lcm: + enabled: true + mariadb-galera: + <<: *mariadbGalera + db: + <<: *dbSecrets + so-etsi-nfvo-ns-lcm: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-mariadb: + mariadb-galera: + <<: *mariadbGalera db: rootPasswordExternalSecretLocalDb: *dbRootPassSecretName - rootPasswordExternalSecret: '{{ ternary .Values.db.rootPasswordExternalSecretLocalDb (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride)) .Values.global.mariadbGalera.localCluster }}' + #rootPasswordExternalSecretLocalDb: *dbRootPassSecretName + rootPasswordExternalSecret: '{{ .Values.global.mariadbGalera.localCluster | + ternary (tpl .Values.db.rootPasswordExternalSecretLocalDb .) + ( (not (empty (default "" .Values.global.mariadbGalera.userRootSecret))) | + ternary + .Values.global.mariadbGalera.userRootSecret + (include "common.mariadb.secret.rootPassSecretName" + (dict "dot" . "chartName" .Values.global.mariadbGalera.nameOverride) + ) + ) }}' backupCredsExternalSecret: *dbBackupCredsSecretName userCredsExternalSecret: *dbUserCredsSecretName adminCredsExternalSecret: *dbAdminCredsSecretName so-admin-cockpit: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets 
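Review bot: under `so-mariadb.db` in the `@@ -308,49 +297,69 @@ mso:` hunk, the added `#rootPasswordExternalSecretLocalDb: *dbRootPassSecretName` duplicates the live line directly above it and should be dropped. The rewritten `rootPasswordExternalSecret` template also reads `.Values.global.mariadbGalera.userRootSecret`, which has no default or comment in this file; a short comment giving the precedence (local cluster secret first, then `userRootSecret` when set, otherwise the generated root secret name) would make the nested `ternary` much easier to review.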
@@ -359,11 +368,15 @@ so-nssmf-adapter: server: actuatorCredsExternalSecret: *actuator-secrets bpelCredsExternalSecret: *bpel-secrets + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-oof-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets mso: @@ -375,21 +388,29 @@ so-oof-adapter: so-openstack-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets logConfigMapNamePrefix: '{{ include "common.release" . }}-so' so-request-db-adapter: + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets so-sdc-controller: + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets logConfigMapNamePrefix: '{{ include "common.release" . }}-so' so-sdnc-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets mso: @@ -401,6 +422,8 @@ so-ve-vnfm-adapter: so-etsi-sol005-adapter: enabled: true + mariadb-galera: + <<: *mariadbGalera db: <<: *dbSecrets @@ -416,3 +439,19 @@ serviceAccount: #Log configuration log: path: /var/log/onap + level: + root: DEBUG + +podAnnotations: + # disable istio-based tracing + proxy.istio.io/config: | + tracing: + sampling: 0 + +tracing: + skipPatterns: + - /actuator/health/* + scheduled: + skipClasses: + - ScheduledDnsLookup + - ExternalTaskServiceUtils diff --git a/kubernetes/strimzi/.helmignore b/kubernetes/strimzi/.helmignore index 0f976e9ff3..218ebb106c 100644 --- a/kubernetes/strimzi/.helmignore +++ b/kubernetes/strimzi/.helmignore @@ -20,3 +20,5 @@ .idea/ *.tmproj Chart.lock +# OOM specific dirs +components/ diff --git a/kubernetes/strimzi/Chart.yaml b/kubernetes/strimzi/Chart.yaml index 4ef20e19d2..f0fb478254 100644 --- a/kubernetes/strimzi/Chart.yaml +++ b/kubernetes/strimzi/Chart.yaml @@ -1,4 +1,5 @@ # Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
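Review bot: the `@@ -416,3 +439,19 @@ serviceAccount:` hunk above sets `log.level.root: DEBUG` as the chart default. Root-level debug logging in a default values file tends to put request payloads and connection details into `/var/log/onap` and the log pipeline; suggest defaulting to `INFO` and leaving `DEBUG` as an override. The `podAnnotations` block that sets `sampling: 0` would also benefit from a note on how it relates to the `tracing.skipPatterns` and `scheduled.skipClasses` settings added just below it.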
@@ -15,20 +16,19 @@ apiVersion: v2 description: ONAP Strimzi Kafka name: strimzi -version: 12.0.0 +version: 16.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: strimzi-kafka-bridge - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/strimzi-kafka-bridge' condition: strimzi-kafka-bridge.enabled - diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/.helmignore b/kubernetes/strimzi/components/strimzi-kafka-bridge/.helmignore index 0f976e9ff3..218ebb106c 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/.helmignore +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/.helmignore @@ -20,3 +20,5 @@ .idea/ *.tmproj Chart.lock +# OOM specific dirs +components/ diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml index 8c290b2cec..63c4a2ca35 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/Chart.yaml @@ -15,9 +15,9 @@ apiVersion: v2 description: ONAP Strimzi Kafka Bridge name: strimzi-kafka-bridge -version: 12.0.0 +version: 13.0.3 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/resources/config/log4j2.properties b/kubernetes/strimzi/components/strimzi-kafka-bridge/resources/config/log4j2.properties new file mode 100644 index 0000000000..e6ad8e0920 --- /dev/null +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/resources/config/log4j2.properties 
@@ -0,0 +1,38 @@ +name=BridgeConfig + +appender.console.type=Console +appender.console.name=STDOUT + +appender.console.layout.type = PatternLayout +appender.console.layout.pattern = [%d] %-5p <%-12.12c{1}:%L> [%-12.12t] %m%n + +# Alternate JSONLayout pattern config +#appender.console.layout.type=JSONLayout +#appender.console.layout.compact=true +#appender.console.layout.eventEol=true +#appender.console.layout.complete=true +#appender.console.layout.properties=false +#appender.console.layout.propertiesAsList=false +#appender.console.layout.locationInfo=true +#appender.console.layout.includeStacktrace=true +#appender.console.layout.stacktraceAsString=true +#appender.console.layout.includeNullDelimiter=false +#appender.console.layout.objectMessageAsJsonObject=true + +rootLogger.level=INFO +rootLogger.appenderRefs=console +rootLogger.appenderRef.console.ref=STDOUT +rootLogger.additivity=false + +logger.bridge.name=io.strimzi.kafka.bridge +logger.bridge.level=INFO +logger.bridge.appenderRefs=console +logger.bridge.appenderRef.console.ref=STDOUT +logger.bridge.additivity=false + +logger.healthy.name=http.openapi.operation.healthy +logger.healthy.level=WARN +logger.ready.name=http.openapi.operation.ready +logger.ready.level=WARN + +monitorInterval=30 diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml new file mode 100644 index 0000000000..83c8045786 --- /dev/null +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/configmap.yaml 
@@ -0,0 +1,24 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-kb-logging-cm + labels: {{- include "common.labels" . | nindent 4 }} + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/log4j2.properties").AsConfig . | indent 2 }} diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml index 3abb04af10..6f00574c70 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/templates/strimzi-kb.yaml 
@@ -24,7 +24,28 @@ spec: username: {{ .Values.config.strimziKafkaAdminUser }} passwordSecret: secretName: {{ .Values.config.strimziKafkaAdminUser }} - password: password + password: {{ .Values.config.strimziKafkaAdminPassword }} enableMetrics: {{ .Values.config.enableMetrics }} http: port: {{ .Values.config.port }} + logging: + type: external + valueFrom: + configMapKeyRef: + key: log4j2.properties + name: {{ include "common.fullname" . }}-kb-logging-cm + resources: + requests: + cpu: {{ .Values.resources.requests.cpu }} + memory: {{ .Values.resources.requests.memory }} + limits: + cpu: {{ .Values.resources.limits.cpu }} + memory: {{ .Values.resources.limits.memory }} + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 6 }} + securityContext: + {{- toYaml .Values.pod.securityContext | nindent 8 }} + bridgeContainer: + securityContext: + {{- toYaml .Values.bridgeContainer.securityContext | nindent 8 }} diff --git a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml index 8a4c4cdc6c..f3495584d5 100644 --- a/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml +++ b/kubernetes/strimzi/components/strimzi-kafka-bridge/values.yaml @@ -29,7 +29,32 @@ config: saslMechanism: parentValue kafkaInternalPort: parentValue strimziKafkaAdminUser: parentValue + strimziKafkaAdminPassword: password # nameOverride is required to avoid duplication # in pod and service names ie ...-bridge-bridge-{random hex} nameOverride: strimzi-kafka + +resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +pod: + securityContext: + seccompProfile: + type: RuntimeDefault +bridgeContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW 
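Review bot: `strimziKafkaAdminPassword: password` in the `@@ -29,7 +29,32 @@ config:` hunk reads like a literal weak password, but in `strimzi-kb.yaml` it is rendered into `passwordSecret.password`, which is the key name inside the secret. Renaming it (for example to a `...PasswordKey` style name) or adding a comment would prevent someone from putting a real password there. In `bridgeContainer.securityContext.capabilities.drop`, `ALL` already covers the second entry, and Kubernetes capability names are normally written without the `CAP_` prefix, so `- CAP_NET_RAW` can go.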
diff --git a/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml new file mode 100644 index 0000000000..1e59dc67a0 --- /dev/null +++ b/kubernetes/strimzi/resources/metrics/cruisecontrol-metrics-config.yml @@ -0,0 +1,20 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +lowercaseOutputName: true +rules: + - pattern: kafka.cruisecontrol<>(\w+) + name: kafka_cruisecontrol_$1_$2 + type: GAUGE diff --git a/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml new file mode 100644 index 0000000000..8db35a9c8d --- /dev/null +++ b/kubernetes/strimzi/resources/metrics/kafka-metrics-config.yml 
@@ -0,0 +1,137 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +lowercaseOutputName: true +rules: + # Special cases and very specific rules + - pattern: kafka.server<>Value + name: kafka_server_$1_$2 + type: GAUGE + labels: + clientId: "$3" + topic: "$4" + partition: "$5" + - pattern: kafka.server<>Value + name: kafka_server_$1_$2 + type: GAUGE + labels: + clientId: "$3" + broker: "$4:$5" + - pattern: kafka.server<>connections + name: kafka_server_$1_connections_tls_info + type: GAUGE + labels: + cipher: "$2" + protocol: "$3" + listener: "$4" + networkProcessor: "$5" + - pattern: kafka.server<>connections + name: kafka_server_$1_connections_software + type: GAUGE + labels: + clientSoftwareName: "$2" + clientSoftwareVersion: "$3" + listener: "$4" + networkProcessor: "$5" + - pattern: "kafka.server<>(.+):" + name: kafka_server_$1_$4 + type: GAUGE + labels: + listener: "$2" + networkProcessor: "$3" + - pattern: kafka.server<>(.+) + name: kafka_server_$1_$4 + type: GAUGE + labels: + listener: "$2" + networkProcessor: "$3" + # Some percent metrics use MeanRate attribute + # Ex) kafka.server<>MeanRate + - pattern: kafka.(\w+)<>MeanRate + name: kafka_$1_$2_$3_percent + type: GAUGE + # Generic gauges for percents + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3_percent + type: GAUGE + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3_percent + type: GAUGE + labels: + "$4": "$5" + # Generic per-second counters with 
0-2 key/value pairs + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_total + type: COUNTER + labels: + "$4": "$5" + "$6": "$7" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_total + type: COUNTER + labels: + "$4": "$5" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_total + type: COUNTER + # Generic gauges with 0-2 key/value pairs + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + "$6": "$7" + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + - pattern: kafka.(\w+)<>Value + name: kafka_$1_$2_$3 + type: GAUGE + # Emulate Prometheus 'Summary' metrics for the exported 'Histogram's. + # Note that these are missing the '_sum' metric! + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_count + type: COUNTER + labels: + "$4": "$5" + "$6": "$7" + - pattern: kafka.(\w+)<>(\d+)thPercentile + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + "$6": "$7" + quantile: "0.$8" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_count + type: COUNTER + labels: + "$4": "$5" + - pattern: kafka.(\w+)<>(\d+)thPercentile + name: kafka_$1_$2_$3 + type: GAUGE + labels: + "$4": "$5" + quantile: "0.$6" + - pattern: kafka.(\w+)<>Count + name: kafka_$1_$2_$3_count + type: COUNTER + - pattern: kafka.(\w+)<>(\d+)thPercentile + name: kafka_$1_$2_$3 + type: GAUGE + labels: + quantile: "0.$4" diff --git a/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml new file mode 100644 index 0000000000..d5bf27f44d --- /dev/null +++ b/kubernetes/strimzi/resources/metrics/zookeeper-metrics-config.yml 
@@ -0,0 +1,44 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +lowercaseOutputName: true +rules: + # replicated Zookeeper + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$2" + type: GAUGE + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$3" + type: GAUGE + labels: + replicaId: "$2" + - pattern: "org.apache.ZooKeeperService<>(Packets\\w+)" + name: "zookeeper_$4" + type: COUNTER + labels: + replicaId: "$2" + memberType: "$3" + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$4" + type: GAUGE + labels: + replicaId: "$2" + memberType: "$3" + - pattern: "org.apache.ZooKeeperService<>(\\w+)" + name: "zookeeper_$4_$5" + type: GAUGE + labels: + replicaId: "$2" + memberType: "$3" diff --git a/kubernetes/strimzi/templates/configmap.yaml b/kubernetes/strimzi/templates/configmap.yaml new file mode 100644 index 0000000000..ace51f78ba --- /dev/null +++ b/kubernetes/strimzi/templates/configmap.yaml 
@@ -0,0 +1,21 @@ +{{/* +# Copyright (c) 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +data: {{ tpl (.Files.Glob "resources/metrics/*").AsConfig . | nindent 2 }} +{{ end }} diff --git a/kubernetes/strimzi/templates/ingress.yaml b/kubernetes/strimzi/templates/ingress.yaml new file mode 100644 index 0000000000..bcc60a0953 --- /dev/null +++ b/kubernetes/strimzi/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.ingress" . }} diff --git a/kubernetes/strimzi/templates/kafka-rebalance.yaml b/kubernetes/strimzi/templates/kafka-rebalance.yaml new file mode 100644 index 0000000000..f7e6ad00c5 --- /dev/null +++ b/kubernetes/strimzi/templates/kafka-rebalance.yaml 
@@ -0,0 +1,24 @@ +{{/* +# Copyright (c) 2023-2025 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +{{- if .Values.cruiseControl.kafkaRebalance.enabled }} +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaRebalance +metadata: + name: {{ include "common.fullname" . }}-kafka-rebalance + labels: {{- include "common.labels" . | nindent 4 }} + strimzi.io/cluster: {{ include "common.release" . }}-strimzi +spec: {} +{{- end }} diff --git a/kubernetes/strimzi/templates/pod-monitor.yaml b/kubernetes/strimzi/templates/pod-monitor.yaml new file mode 100644 index 0000000000..329784fd0d --- /dev/null +++ b/kubernetes/strimzi/templates/pod-monitor.yaml 
@@ -0,0 +1,52 @@ +{{/* +# Copyright (c) 2023-2025 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.. +*/}} +{{- if .Values.metrics.podMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ include "common.fullname" . }}-podmonitor + ## podMonitor labels for prometheus to pick up the podMonitor + ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.PodMonitor + ## + # labels: + # prometheus: kube-prometheus + labels: + app: '{{- default $.Chart.Name $.Values.nameOverride | trunc 63 | trimSuffix "-" -}}' + {{- if $.Chart.AppVersion }} + version: '{{ $.Chart.AppVersion | replace "+" "_" }}' + {{- else }} + version: '{{ $.Chart.Version | replace "+" "_" }}' + {{- end }} + {{- toYaml $.Values.metrics.podMonitor.labels | nindent 4 }} +spec: + selector: + matchLabels: + strimzi.io/cluster: {{ include "common.release" . 
}}-strimzi + podMetricsEndpoints: + - port: {{ .Values.metrics.podMonitor.port }} + {{- if .Values.metrics.podMonitor.relabelings }} + ## RelabelConfigs to apply to samples before scraping + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + relabelings: {{- toYaml .Values.metrics.podMonitor.relabelings | nindent 6 }} + {{- end }} + {{- if .Values.metrics.podMonitor.metricRelabelings }} + metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }} + ## MetricRelabelConfigs to apply to samples before ingestion + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + ## Value is evalued as a template + {{- end }} +{{- end }} diff --git a/kubernetes/strimzi/templates/pv-controller.yaml b/kubernetes/strimzi/templates/pv-controller.yaml new file mode 100644 index 0000000000..9a1c849670 --- /dev/null +++ b/kubernetes/strimzi/templates/pv-controller.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +{{ include "common.replicaPV" (dict "dot" . "suffix" "controller" "persistenceInfos" .Values.persistence.controller) }} diff --git a/kubernetes/strimzi/templates/pv-kafka.yaml b/kubernetes/strimzi/templates/pv-kafka.yaml index efd4902562..5f22f79fb2 100644 
--- a/kubernetes/strimzi/templates/pv-kafka.yaml +++ b/kubernetes/strimzi/templates/pv-kafka.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,4 +14,4 @@ # See the License for the specific language governing permissions and # limitations under the License. */}} -{{ include "common.replicaPV" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }} +{{ include "common.replicaPV" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.broker) }} diff --git a/kubernetes/strimzi/templates/pv-zk.yaml b/kubernetes/strimzi/templates/pv-zk.yaml deleted file mode 100644 index 2c5a8e3678..0000000000 --- a/kubernetes/strimzi/templates/pv-zk.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{/* -# Copyright © 2022 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -{{ include "common.replicaPV" (dict "dot" . "suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }} diff --git a/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml index c1bf4b8b14..7a3e7ef787 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka-admin-user.yaml 
@@ -17,15 +17,8 @@ apiVersion: kafka.strimzi.io/v1beta2 kind: KafkaUser metadata: name: {{ .Values.config.strimziKafkaAdminUser }} - labels: + labels: {{- include "common.labels" . | nindent 4 }} strimzi.io/cluster: {{ include "common.release" . }}-strimzi spec: authentication: type: {{ .Values.config.saslMechanism }} - authorization: - type: {{ .Values.config.authType }} - acls: - - resource: - type: group - name: onap-group - operation: Read \ No newline at end of file diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml index b35485f11c..630d6c8109 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,12 +15,112 @@ # limitations under the License. */}} apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaNodePool +metadata: + name: {{ include "common.fullname" . }}-controller + labels: + strimzi.io/cluster: {{ include "common.fullname" . }} +spec: + replicas: {{ .Values.replicaCount }} + roles: + - controller + resources: + limits: + cpu: {{ .Values.controller.resources.limits.cpu }} + memory: {{ .Values.controller.resources.limits.memory }} + requests: + cpu: {{ .Values.controller.resources.requests.cpu }} + memory: {{ .Values.controller.resources.requests.memory }} + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 6 }} + securityContext: + {{- toYaml .Values.controller.template.pod.securityContext | nindent 8 }} + {{- if .Values.affinity.podAntiAffinity.enabled }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: strimzi.io/name + operator: In + values: + - {{ include "common.fullname" . }}-controller + topologyKey: "kubernetes.io/hostname" + {{- end }} + kafkaContainer: + securityContext: + {{- toYaml .Values.controller.template.kafkaContainer.securityContext | nindent 10 }} + storage: + type: jbod + volumes: + - id: 0 + type: persistent-claim + size: {{ .Values.persistence.controller.size }} + kraftMetadata: shared + deleteClaim: true + class: {{ include "common.storageClass" (dict "dot" . "suffix" "controller" "persistenceInfos" .Values.persistence.controller) }} +--- +apiVersion: kafka.strimzi.io/v1beta2 +kind: KafkaNodePool +metadata: + name: {{ include "common.fullname" . }}-broker + labels: + strimzi.io/cluster: {{ include "common.fullname" . 
}} +spec: + replicas: {{ .Values.replicaCount }} + roles: + - broker + resources: + limits: + cpu: {{ .Values.broker.resources.limits.cpu }} + memory: {{ .Values.broker.resources.limits.memory }} + requests: + cpu: {{ .Values.broker.resources.requests.cpu }} + memory: {{ .Values.broker.resources.requests.memory }} + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 6 }} + securityContext: + {{- toYaml .Values.broker.template.pod.securityContext | nindent 8 }} + {{- if .Values.affinity.podAntiAffinity.enabled }} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: strimzi.io/name + operator: In + values: + - {{ include "common.fullname" . }}-broker + topologyKey: "kubernetes.io/hostname" + {{- end }} + kafkaContainer: + securityContext: + {{- toYaml .Values.broker.template.kafkaContainer.securityContext | nindent 8 }} + storage: + type: jbod + volumes: + - id: 0 + type: persistent-claim + size: {{ .Values.persistence.broker.size }} + kraftMetadata: shared + deleteClaim: true + class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.broker) }} +--- +apiVersion: kafka.strimzi.io/v1beta2 kind: Kafka -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +metadata: + name: {{ include "common.fullname" . }} + annotations: + strimzi.io/node-pools: enabled + strimzi.io/kraft: enabled spec: kafka: version: {{ .Values.config.kafkaVersion }} - replicas: {{ .Values.replicaCount }} + {{- if .Values.config.kafkaMetadataVersion }} + metadataVersion: {{ .Values.config.kafkaMetadataVersion }} + {{- end }} listeners: - name: plain port: {{ .Values.config.kafkaInternalPort }} 
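Review bot: both `KafkaNodePool` resources in the `@@ -14,12 +15,112 @@` hunk label themselves with `strimzi.io/cluster: {{ include "common.fullname" . }}`, while the `KafkaUser`, `KafkaRebalance` and `PodMonitor` templates in this patch use `{{ include "common.release" . }}-strimzi`. These only agree while the full name renders to exactly that string, so a `nameOverride` would detach the pools from the cluster; please use one helper everywhere. Minor: the controller pool renders `kafkaContainer.securityContext` with `nindent 10` and the broker pool with `nindent 8` for the same structure. Also confirm `deleteClaim: true` is wanted on the controller volume, since it carries the KRaft metadata.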
@@ -35,29 +136,38 @@ spec: type: tls - name: external port: 9094 - type: nodeport - tls: true + type: {{ if (include "common.ingressEnabled" .) }}cluster-ip{{ else }}nodeport{{ end }} + tls: {{ if (include "common.ingressEnabled" .) }}false{{ else }}true{{ end }} authentication: - type: tls + type: {{ if (include "common.ingressEnabled" .) }}{{ .Values.config.saslMechanism }}{{ else }}tls{{ end }} configuration: + {{- if not (include "common.ingressEnabled" .) }} bootstrap: nodePort: {{ .Values.global.nodePortPrefixExt }}93 + {{- end }} brokers: - broker: 0 + advertisedHost: {{ .Values.config.advertisedHost }} + advertisedPort: {{ .Values.config.advertizedPortBroker0 }} + {{- if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt }}90 + {{- end }} - broker: 1 + advertisedHost: {{ .Values.config.advertisedHost }} + advertisedPort: {{ .Values.config.advertizedPortBroker1 }} + {{- if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt }}91 + {{- end }} - broker: 2 + advertisedHost: {{ .Values.config.advertisedHost }} + advertisedPort: {{ .Values.config.advertizedPortBroker2 }} + {{- if not (include "common.ingressEnabled" .) }} nodePort: {{ .Values.global.nodePortPrefixExt }}92 + {{- end }} authorization: type: {{ .Values.config.authType }} superUsers: - {{ .Values.config.strimziKafkaAdminUser }} - template: - pod: - securityContext: - runAsUser: 0 - fsGroup: 0 config: default.replication.factor: {{ .Values.replicaCount }} min.insync.replicas: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }} 
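Review bot: on the `external` listener in the `@@ -35,29 +136,38 @@ spec:` hunk, the ingress branch renders `tls: false` together with SASL authentication from `.Values.config.saslMechanism`, so the credential exchange on port 9094 is unencrypted between the ingress and the brokers. Please add a comment stating which component provides TLS in that mode, or keep `tls: true` on the listener. Separately, `advertisedHost` and `advertisedPort` are now emitted unconditionally, including in the nodeport branch, and the value names are spelled `advertizedPortBroker0` to `advertizedPortBroker2` next to `advertisedHost`; worth aligning the spelling and guarding the keys when the values are unset.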
@@ -67,33 +177,92 @@ spec: transaction.state.log.min.isr: {{ (eq 1.0 (.Values.replicaCount)) | ternary 1 (sub .Values.replicaCount 1) }} log.message.format.version: {{ .Values.config.kafkaVersion }} inter.broker.protocol.version: {{ .Values.config.kafkaVersion }} - storage: - type: jbod - volumes: - - id: 0 - type: persistent-claim - size: {{ .Values.persistence.kafka.size }} - deleteClaim: true - class: {{ include "common.storageClass" (dict "dot" . "suffix" "kafka" "persistenceInfos" .Values.persistence.kafka) }} - zookeeper: + auto.create.topics.enable: {{ .Values.config.autoCreateTopics }} + {{- if .Values.metrics.kafkaExporter.enabled }} + metricsConfig: + type: {{ .Values.metrics.kafkaExporter.metricsConfig.type }} + valueFrom: + configMapKeyRef: + name: {{ include "common.fullname" . }} + key: kafka-metrics-config.yml + {{- end }} + entityOperator: template: pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} securityContext: - runAsUser: 0 - fsGroup: 0 - replicas: {{ .Values.replicaCount }} - config: - ssl.hostnameVerification: false - ssl.quorum.hostnameVerification: false - {{- if (include "common.onServiceMesh" .) }} - sslQuorum: false - {{- end }} - storage: - type: persistent-claim - size: {{ .Values.persistence.zookeeper.size }} - deleteClaim: true - class: {{ include "common.storageClass" (dict "dot" . 
"suffix" "zk" "persistenceInfos" .Values.persistence.zookeeper) }} - entityOperator: - topicOperator: {} - userOperator: {} - + {{- toYaml .Values.entityOperator.template.pod.securityContext | nindent 10 }} + topicOperatorContainer: + securityContext: + {{- toYaml .Values.entityOperator.template.topicOperatorContainer.securityContext | nindent 10 }} + userOperatorContainer: + securityContext: + {{- toYaml .Values.entityOperator.template.userOperatorContainer.securityContext | nindent 10 }} + topicOperator: + resources: + limits: + cpu: {{ .Values.entityOperator.template.topicOperator.resources.limits.cpu }} + memory: {{ .Values.entityOperator.template.topicOperator.resources.limits.memory }} + requests: + cpu: {{ .Values.entityOperator.template.topicOperator.resources.requests.cpu }} + memory: {{ .Values.entityOperator.template.topicOperator.resources.requests.memory }} + userOperator: + resources: + limits: + cpu: {{ .Values.entityOperator.template.userOperator.resources.limits.cpu }} + memory: {{ .Values.entityOperator.template.userOperator.resources.limits.memory }} + requests: + cpu: {{ .Values.entityOperator.template.userOperator.resources.requests.cpu }} + memory: {{ .Values.entityOperator.template.userOperator.resources.requests.memory }} + {{- if .Values.cruiseControl.enabled }} + cruiseControl: + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} + securityContext: + {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }} + cruiseControlContainer: + securityContext: + {{- toYaml .Values.cruiseControl.template.cruiseControlContainer.securityContext | nindent 10 }} + metricsConfig: + type: {{ .Values.cruiseControl.metricsConfig.type }} + valueFrom: + configMapKeyRef: + name: {{ include "common.fullname" . 
}} + key: cruisecontrol-metrics-config.yml + resources: + limits: + cpu: {{ .Values.cruiseControl.template.resources.limits.cpu }} + memory: {{ .Values.cruiseControl.template.resources.limits.memory }} + requests: + cpu: {{ .Values.cruiseControl.template.resources.requests.cpu }} + memory: {{ .Values.cruiseControl.template.resources.requests.memory }} + {{- end }} + {{- if .Values.metrics.kafkaExporter.enabled }} + kafkaExporter: + template: + pod: + {{- include "common.imagePullSecrets" . | nindent 8 }} + securityContext: + {{- toYaml .Values.cruiseControl.template.pod.securityContext | nindent 10 }} + container: + securityContext: + {{- toYaml .Values.kafkaExporter.template.container.securityContext | nindent 10 }} + topicRegex: {{ .Values.metrics.kafkaExporter.topicRegex }} + groupRegex: {{ .Values.metrics.kafkaExporter.groupRegex }} + resources: + requests: + cpu: {{ .Values.metrics.kafkaExporter.resources.requests.cpu }} + memory: {{ .Values.metrics.kafkaExporter.resources.requests.memory }} + limits: + cpu: {{ .Values.metrics.kafkaExporter.resources.limits.cpu }} + memory: {{ .Values.metrics.kafkaExporter.resources.limits.memory }} + logging: {{ .Values.metrics.kafkaExporter.logging }} + enableSaramaLogging: {{ .Values.metrics.kafkaExporter.enableSaramaLogging }} + readinessProbe: + initialDelaySeconds: {{ .Values.metrics.kafkaExporter.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.metrics.kafkaExporter.readinessProbe.timeoutSeconds }} + livenessProbe: + initialDelaySeconds: {{ .Values.metrics.kafkaExporter.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.metrics.kafkaExporter.livenessProbe.timeoutSeconds }} + {{- end }} diff --git a/kubernetes/strimzi/values.yaml b/kubernetes/strimzi/values.yaml index e6da1d55db..5f31fc12cc 100644 --- a/kubernetes/strimzi/values.yaml +++ b/kubernetes/strimzi/values.yaml 
@@ -1,4 +1,5 @@ # Copyright © 2022 Nordix Foundation +# Modifications Copyright © 2025 Deutsche Telekom # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,21 +20,39 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs + ingress: + virtualhost: + baseurl: &baseurl "simpledemo.onap.org" + preaddr: &preaddr "" + postaddr: &postaddr "" + ################################################################# # Application configuration defaults. ################################################################# replicaCount: 3 +affinity: + podAntiAffinity: + enabled: true config: - kafkaVersion: 3.2.3 + # strimzi-operator 0.45.0 supports <=3.9.0 + kafkaVersion: 3.9.0 + # strimzi-operator 0.46.0 supports <=4.0.0 + #kafkaVersion: 4.0.0 + #kafkaMetadataVersion: 4.0-IV3 authType: simple saslMechanism: &saslMech scram-sha-512 kafkaInternalPort: &plainPort 9092 strimziKafkaAdminUser: &adminUser strimzi-kafka-admin + advertisedHost: kafka-api.simpledemo.onap.org + advertizedPortBroker0: &advertizedPortBroker0 9000 + advertizedPortBroker1: &advertizedPortBroker1 9001 + advertizedPortBroker2: &advertizedPortBroker2 9002 + autoCreateTopics: true persistence: enabled: &pvenabled true mountPath: /dockerdata-nfs - kafka: + broker: enabled: *pvenabled # default values of 2Gi for dev env. # Production values should be dimensioned according to requirements. ie >= 10Gi @@ -41,14 +60,14 @@ persistence: volumeReclaimPolicy: Retain accessMode: ReadWriteOnce mountPath: /dockerdata-nfs - mountSubPath: strimzi-kafka/kafka - zookeeper: + mountSubPath: strimzi-kafka/broker + controller: enabled: *pvenabled size: 1Gi volumeReclaimPolicy: Retain accessMode: ReadWriteOnce mountPath: /dockerdata-nfs - mountSubPath: strimzi-kafka/zk + mountSubPath: strimzi-kafka/controller #Pods Service Account serviceAccount: 
@@ -56,6 +75,101 @@ serviceAccount: roles: - read +ingress: + enabled: false + service: + - baseaddr: "kafka-bootstrap-api" + name: "onap-strimzi-kafka-external-bootstrap" + port: 9094 + protocol: tcp + exposedPort: 9010 + exposedProtocol: TLS + - baseaddr: "kafka-api" + tcpRoutes: + - name: "onap-strimzi-kafka-0" + port: 9094 + exposedPort: *advertizedPortBroker0 + exposedProtocol: TLS + - name: "onap-strimzi-kafka-1" + port: 9094 + exposedPort: *advertizedPortBroker1 + exposedProtocol: TLS + - name: "onap-strimzi-kafka-2" + port: 9094 + exposedPort: *advertizedPortBroker2 + exposedProtocol: TLS + +# Kafka Exporter for metrics +metrics: + enabled: false + kafkaExporter: + enabled: false + metricsConfig: + type: jmxPrometheusExporter + topicRegex: ".*" + groupRegex: ".*" + resources: + requests: + cpu: "2" + memory: "600Mi" + limits: + cpu: "5" + memory: "1.5Gi" + logging: debug + enableSaramaLogging: true + readinessProbe: + initialDelaySeconds: 15 + timeoutSeconds: 5 + livenessProbe: + initialDelaySeconds: 15 + timeoutSeconds: 5 + podMonitor: + # Prometheus pre requisite. Currently an optional addon in the OOM docs + enabled: false + # default port for strimzi metrics + port: "tcp-prometheus" + # podMonitor labels for prometheus to pick up the podMonitor + # dummy value + labels: + release: dummy + relabelings: [] + metricRelabelings: [] + +cruiseControl: +## Cruise Control provides a Kafka metrics reporter implementation +## once installed into the Kafka brokers, filters and records a wide range of metrics provided by the brokers themselves. +## pre requisite is having 2 or more broker nodes + enabled: false + metricsConfig: + type: jmxPrometheusExporter + ## Custom resource for Kafka that can rebalance your cluster + # ref. 
https://strimzi.io/blog/2020/06/15/cruise-control/ + kafkaRebalance: + enabled: false + template: + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + cruiseControlContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + ###################### # Component overrides ###################### 
@@ -64,4 +178,123 @@ strimzi-kafka-bridge: config: saslMechanism: *saslMech kafkaInternalPort: *plainPort - strimziKafkaAdminUser: *adminUser \ No newline at end of file + strimziKafkaAdminUser: *adminUser + +broker: + template: + pod: + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + seccompProfile: + type: RuntimeDefault + kafkaContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + #runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +controller: + template: + pod: + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + seccompProfile: + type: RuntimeDefault + kafkaContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + #runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +entityOperator: + template: + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + topicOperatorContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + userOperatorContainer: + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW + topicOperator: + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + userOperator: + resources: + limits: + cpu: '2' + memory: 2Gi + requests: + cpu: 100m + memory: 1Gi + +kafkaExporter: + template: + pod: + securityContext: + seccompProfile: + type: RuntimeDefault + container: + securityContext: + allowPrivilegeEscalation: false + 
readOnlyRootFilesystem: true + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL + - CAP_NET_RAW diff --git a/kubernetes/uui/Chart.yaml b/kubernetes/uui/Chart.yaml index 6acf6f2e4d..1b3ca07032 100644 --- a/kubernetes/uui/Chart.yaml +++ b/kubernetes/uui/Chart.yaml @@ -18,27 +18,30 @@ apiVersion: v2 description: ONAP uui name: uui -version: 12.0.0 +version: 15.0.1 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 # local reference to common chart, as it is # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: uui-server - version: ~12.x-0 + version: ~15.x-0 repository: 'file://components/uui-server' - name: uui-nlp - version: ~12.x-0 + version: ~13.x-0 repository: 'file://components/uui-nlp' - name: uui-intent-analysis - version: ~11.x-0 + version: ~15.x-0 repository: 'file://components/uui-intent-analysis' + - name: uui-llm-adaptation + version: ~15.x-0 + repository: 'file://components/uui-llm-adaptation' + - name: nginx + version: ~18.3.x-0 + repository: '@local' diff --git a/kubernetes/uui/components/uui-intent-analysis/Chart.yaml b/kubernetes/uui/components/uui-intent-analysis/Chart.yaml index 89b67993e4..25fa9459c5 100644 --- a/kubernetes/uui/components/uui-intent-analysis/Chart.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/Chart.yaml 
@@ -15,21 +15,21 @@ apiVersion: v2 description: ONAP uui intent analysis name: uui-intent-analysis -version: 11.0.0 +version: 15.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: readinessCheck - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql b/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql index ac3eaf0fed..323deef209 100644 --- a/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql +++ b/kubernetes/uui/components/uui-intent-analysis/resources/config/intent-analysis-init.sql @@ -21,7 +21,8 @@ CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; create table if not exists intent( intent_id varchar(255) primary key, - intent_name varchar(255) + intent_name varchar(255), + intent_generateType VARCHAR (225) ); create table if not exists expectation( 
@@ -89,3 +90,21 @@ create table if not exists intent_management_function_reg_info( handle_name varchar(255), intent_function_type varchar(255) ); + +create table if not exists intent_event_record( + id varchar(255) DEFAULT uuid_generate_v4 (), + intent_id varchar(255), + intent_name varchar(255), + intent_status varchar (225), + operate_type varchar (225), + parent_id varchar(255) + ); + +-- ---------------------------- +-- Records of intent_management_function_reg_info +-- ---------------------------- + +insert into intent_management_function_reg_info(imfr_info_id, imfr_info_description, support_area, support_model, support_interfaces, handle_name, intent_function_type) select 'CLLBusinessId','CLLBusiness','CLLBUSINESS',null,'CREATE,DELETE,UPDATE,SEARCH','CLLBusinessIntentManagementFunction','INTERNALFUNCTION' where not exists(select * from intent_management_function_reg_info where imfr_info_id='CLLBusinessId' ) +insert into intent_management_function_reg_info(imfr_info_id, imfr_info_description, support_area, support_model, support_interfaces, handle_name, intent_function_type) select 'CLLDeliveryId','CLLDelivery','CLLBUSINESS,DELIVERY',null,'CREATE,DELETE,UPDATE,SEARCH','CLLDeliveryIntentManagementFunction','INTERNALFUNCTION' where not exists(select * from intent_management_function_reg_info where imfr_info_id='CLLDeliveryId' ) +insert into intent_management_function_reg_info(imfr_info_id, imfr_info_description, support_area, support_model, support_interfaces, handle_name, intent_function_type) select 'CLLAssuranceId','CLLAssurance','CLLBUSINESS,ASSURANCE',null,'CREATE,DELETE,UPDATE,SEARCH','CLLAssuranceIntentManagementFunction','INTERNALFUNCTION' where not exists(select * from intent_management_function_reg_info where imfr_info_id='CLLAssuranceId' ) + diff --git a/kubernetes/uui/components/uui-intent-analysis/resources/entrypoint/run.sh b/kubernetes/uui/components/uui-intent-analysis/resources/entrypoint/run.sh index cf68e7c96a..0d2bf30d0b 100644 
--- a/kubernetes/uui/components/uui-intent-analysis/resources/entrypoint/run.sh +++ b/kubernetes/uui/components/uui-intent-analysis/resources/entrypoint/run.sh @@ -1,3 +1,4 @@ +#!/bin/sh {{/* # # Copyright (C) 2022 Huawei Technologies Co., Ltd. All rights reserved. @@ -20,7 +21,7 @@ main_path="/home/uui" echo @main_path@ $main_path JAVA_PATH="$JAVA_HOME/bin/java" -JAVA_OPTS="-Xms50m -Xmx128m" +JAVA_OPTS="-XX:MaxRAMPercentage=${MAX_RAM_PERCENTAGE:-70}" echo @JAVA_PATH@ $JAVA_PATH echo @JAVA_OPTS@ $JAVA_OPTS diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml index 91d96c232f..2d52f1e1d1 100644 --- a/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/templates/deployment.yaml @@ -19,6 +19,7 @@ metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: 
@@ -42,26 +43,37 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - name: POSTGRES_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} -{{- if eq .Values.liveness.enabled true }} + - name: TRACING_ENABLED + value: {{ .Values.global.tracing.enabled | quote }} + - name: COLLECTOR_HOST + value: {{ .Values.tracing.collector.host }} + - name: COLLECTOR_PORT + value: {{ .Values.tracing.collector.port | quote }} + {{- if eq .Values.startup.enabled true }} + startupProbe: + httpGet: + port: {{ .Values.startup.port }} + path: {{ .Values.startup.path }} + failureThreshold: {{ .Values.startup.failureThreshold }} + periodSeconds: {{ .Values.startup.periodSeconds }} + {{- end }} + {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: port: {{ .Values.liveness.port }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} -{{- end }} + {{- end }} readinessProbe: tcpSocket: port: {{ .Values.readiness.port }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . }} -{{- if .Values.nodeSelector }} + resources: {{ include "common.resources" . | nindent 10 }} + {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} -{{- end }} -{{- if .Values.affinity }} + {{- end }} + {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} -{{- end }} + {{- end }} volumeMounts: - mountPath: /uui/run.sh name: entrypoint @@ -72,5 +84,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-entrypoint defaultMode: 0755 - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} 
diff --git a/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml b/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml index edcf3fe09f..639cad158a 100644 --- a/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml +++ b/kubernetes/uui/components/uui-intent-analysis/templates/job.yaml @@ -24,6 +24,9 @@ metadata: chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} release: {{ include "common.release" . }} heritage: {{ .Release.Service }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: @@ -37,8 +40,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" + - --service-name + - "{{ .Values.postgres.service.name2 }}" env: - name: NAMESPACE valueFrom: @@ -48,6 +51,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.image.postgres" . }} @@ -66,8 +76,9 @@ spec: - name: init-data mountPath: /aaa/init/intent-analysis-init.sql subPath: intent-analysis-init.sql - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: init-data configMap: diff --git a/kubernetes/uui/components/uui-intent-analysis/values.yaml b/kubernetes/uui/components/uui-intent-analysis/values.yaml index 65cc4004bb..65f721449a 100644 --- a/kubernetes/uui/components/uui-intent-analysis/values.yaml 
+++ b/kubernetes/uui/components/uui-intent-analysis/values.yaml @@ -18,6 +18,8 @@ global: passwordStrength: long + tracing: + enabled: false #Pods Service Account serviceAccount: @@ -40,7 +42,7 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate -image: onap/usecase-ui-intent-analysis:5.1.1 +image: onap/usecase-ui-intent-analysis:15.0.1 pullPolicy: Always # flag to enable debugging - application support required @@ -49,6 +51,7 @@ flavor: small replicaCount: 1 nodeSelector: {} affinity: {} +revisionHistoryLimit: 1 service: type: ClusterIP @@ -57,14 +60,19 @@ service: - name: http-rest port: &svc_port 8083 +startup: + enabled: true + path: /api/usecaseui-intent-analysis/v1/actuator/health + port: *svc_port + periodSeconds: 1 + failureThreshold: 90 + liveness: - initialDelaySeconds: 120 + enabled: true port: *svc_port periodSeconds: 10 - enabled: true readiness: - initialDelaySeconds: 60 port: *svc_port periodSeconds: 10 @@ -90,8 +98,12 @@ postgres: readinessCheck: wait_for: - containers: - - *postgresName + services: + - '{{ .Values.postgres.service.name2 }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
@@ -106,16 +118,36 @@ readinessCheck: resources: small: limits: - cpu: 200m - memory: 500Mi + cpu: "2" + memory: "1Gi" requests: - cpu: 100m - memory: 250Mi + cpu: "1" + memory: "200Mi" large: limits: - cpu: 400m - memory: 1000Mi + cpu: "4" + memory: "2Gi" requests: - cpu: 200m - memory: 500Mi + cpu: "2" + memory: "1Gi" unlimited: {} + +tracing: + collector: + host: jaeger-collector.istio-config + port: 9411 + +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" diff --git a/kubernetes/msb/components/msb-discovery/.helmignore b/kubernetes/uui/components/uui-llm-adaptation/.helmignore similarity index 100% rename from kubernetes/msb/components/msb-discovery/.helmignore rename to kubernetes/uui/components/uui-llm-adaptation/.helmignore diff --git a/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml b/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml new file mode 100644 index 0000000000..2391ac35f1 --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/Chart.yaml 
@@ -0,0 +1,35 @@ +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v2 +description: ONAP uui llm adaptation +name: uui-llm-adaptation +version: 15.0.0 + +dependencies: + - name: common + version: ~13.x-0 + repository: '@local' + - name: repositoryGenerator + version: ~13.x-0 + repository: '@local' + - name: postgres + version: ~13.x-0 + repository: '@local' + - name: serviceAccount + version: ~13.x-0 + repository: '@local' + - name: readinessCheck + version: ~13.x-0 + repository: '@local' diff --git a/kubernetes/uui/components/uui-llm-adaptation/resources/config/llm-adaptation-init.sql b/kubernetes/uui/components/uui-llm-adaptation/resources/config/llm-adaptation-init.sql new file mode 100644 index 0000000000..5379c73864 --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/resources/config/llm-adaptation-init.sql 
@@ -0,0 +1,23 @@ +-- +-- Copyright (C) 2024 CMCC, Inc. and others. All rights reserved. +-- +-- Licensed under the Apache License, Version 2.0 (the "License"); +-- you may not use this file except in compliance with the License. +-- You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +-- + +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; + +create table if not exists intent( + intent_id varchar(255) primary key, + intent_name varchar(255), + intent_generateType VARCHAR (225) +); \ No newline at end of file diff --git a/kubernetes/uui/components/uui-llm-adaptation/resources/entrypoint/run.sh b/kubernetes/uui/components/uui-llm-adaptation/resources/entrypoint/run.sh new file mode 100644 index 0000000000..a89b40dcdb --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/resources/entrypoint/run.sh 
@@ -0,0 +1,32 @@ +#!/bin/sh +{{/* +# +# Copyright (C) 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +*/}} + +main_path="/home/uui" +echo @main_path@ $main_path + +JAVA_PATH="$JAVA_HOME/bin/java" +JAVA_OPTS="-XX:MaxRAMPercentage=${MAX_RAM_PERCENTAGE:-70}" +echo @JAVA_PATH@ $JAVA_PATH +echo @JAVA_OPTS@ $JAVA_OPTS + +jar_path="$main_path/usecase-ui-llm-adaptation.jar" +echo @jar_path@ $jar_path + +echo "Starting usecase-ui-llm-adaptation..." +$JAVA_PATH $JAVA_OPTS -classpath $jar_path -jar $jar_path $SPRING_OPTS diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/configmap.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/configmap.yaml new file mode 100644 index 0000000000..3583c416de --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/templates/configmap.yaml 
@@ -0,0 +1,31 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-entrypoint + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/entrypoint/*").AsConfig . | indent 2 }} diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/deployment.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/deployment.yaml new file mode 100644 index 0000000000..890bc5e033 --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/templates/deployment.yaml 
@@ -0,0 +1,75 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: {{ include "common.readinessCheck.waitFor" . | nindent 6 }} + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.pullPolicy }} + command: ["sh", "-c"] + args: + - ". /uui/run.sh" + ports: {{ include "common.containerPorts" . | nindent 10 }} + env: + - name: POSTGRES_IP + value: {{ .Values.postgres.service.name2 }} + - name: POSTGRES_PORT + value: "{{ .Values.postgres.service.externalPort }}" + - name: POSTGRES_DB_NAME + value: {{ .Values.postgres.config.pgDatabase }} + - name: POSTGRES_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: POSTGRES_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "password") | indent 10 }} +{{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} +{{- end }} + readinessProbe: + tcpSocket: + port: {{ .Values.readiness.port }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + resources: {{ include "common.resources" . | nindent 10 }} +{{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} +{{- end }} +{{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} +{{- end }} + volumeMounts: + - mountPath: /uui/run.sh + name: entrypoint + subPath: run.sh + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: entrypoint + configMap: + name: {{ include "common.fullname" . }}-entrypoint + defaultMode: 0755 + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/job.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/job.yaml new file mode 100644 index 0000000000..efbcce2c4e --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/templates/job.yaml 
@@ -0,0 +1,85 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "common.fullname" . }}-init-postgres + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }}-job + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} +spec: + backoffLimit: 20 + template: + metadata: + labels: + app: {{ include "common.name" . }}-job + release: {{ include "common.release" . }} + spec: + restartPolicy: Never + initContainers: + - command: + - /app/ready.py + args: + - --service-name + - "{{ .Values.postgres.service.name2 }}" + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: {{ include "repositoryGenerator.image.readiness" . }} + imagePullPolicy: {{ .Values.pullPolicy }} + name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" + containers: + - name: {{ include "common.name" . }}-job + image: {{ include "repositoryGenerator.image.postgres" . 
}} + imagePullPolicy: {{ .Values.pullPolicy }} + env: + - name: PGUSER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} + - name: PGPASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} + command: + - /bin/sh + - -c + - | + psql -h $(UUI_ADAPTATION_PG_PRIMARY_SERVICE_HOST) -f /aaa/init/llm-adaptation-init.sql -d {{ .Values.postgres.config.pgDatabase }} + volumeMounts: + - name: init-data + mountPath: /aaa/init/llm-adaptation-init.sql + subPath: llm-adaptation-init.sql + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} + volumes: + - name: init-data + configMap: + name: {{ include "common.fullname" . }} diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/secrets.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/secrets.yaml new file mode 100644 index 0000000000..638e02c1e5 --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.secretFast" . }} 
diff --git a/kubernetes/uui/components/uui-llm-adaptation/templates/service.yaml b/kubernetes/uui/components/uui-llm-adaptation/templates/service.yaml new file mode 100644 index 0000000000..33e96ef8c4 --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/uui/components/uui-llm-adaptation/values.yaml b/kubernetes/uui/components/uui-llm-adaptation/values.yaml new file mode 100644 index 0000000000..9ee1f3043e --- /dev/null +++ b/kubernetes/uui/components/uui-llm-adaptation/values.yaml 
@@ -0,0 +1,141 @@ +# Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for uui llm adaptation. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + passwordStrength: long + +#Pods Service Account +serviceAccount: + nameOverride: uui-llm-adaptation + roles: + - read + +secrets: + - uid: pg-root-pass + name: &pgRootPassSecretName '{{ include "common.release" . }}-uui-adaptation-pg-root-pass' + type: password + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "uui-adaptation-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' + password: '{{ .Values.postgres.config.pgRootpassword }}' + policy: generate + - uid: pg-user-creds + name: &pgUserCredsSecretName '{{ include "common.release" . }}-uui-adaptation-pg-user-creds' + type: basicAuth + externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) 
(hasSuffix "uui-adaptation-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' + login: '{{ .Values.postgres.config.pgUserName }}' + password: '{{ .Values.postgres.config.pgUserPassword }}' + passwordPolicy: generate + +image: onap/usecase-ui-llm-adaptation:15.0.0 +pullPolicy: Always + +# flag to enable debugging - application support required +debugEnabled: false +flavor: small +replicaCount: 1 +nodeSelector: {} +affinity: {} +revisionHistoryLimit: 1 + +service: + type: ClusterIP + name: uui-llm-adaptation + ports: + - name: http-rest + port: &svc_port 8084 + +liveness: + initialDelaySeconds: 120 + port: *svc_port + periodSeconds: 10 + enabled: true + +readiness: + initialDelaySeconds: 60 + port: *svc_port + periodSeconds: 10 + +# application configuration override for postgres +postgres: + nameOverride: &postgresName uui-adaptation-postgres + service: + name: *postgresName + name2: uui-adaptation-pg-primary + name3: uui-adaptation-pg-replica + container: + name: + primary: uui-adaptation-pg-primary + replica: uui-adaptation-pg-replica + config: + pgUserName: uui + pgDatabase: uuiadaptation + pgUserExternalSecret: *pgUserCredsSecretName + pgRootPasswordExternalSecret: *pgRootPassSecretName + persistence: + mountSubPath: uui/uuiadaptation/data + mountInitPath: uui + +readinessCheck: + wait_for: + services: + - '{{ .Values.postgres.service.name2 }}' + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' + +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+# +# Example: +# Configure resource requests and limits +# ref: http://kubernetes.io/docs/user-guide/compute-resources/ +# Minimum memory for development is 2 CPU cores and 4GB memory +# Minimum memory for production is 4 CPU cores and 8GB memory +resources: + small: + limits: + cpu: "2" + memory: "1Gi" + requests: + cpu: "1" + memory: "200Mi" + large: + limits: + cpu: "4" + memory: "2Gi" + requests: + cpu: "2" + memory: "1Gi" + unlimited: {} + +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" diff --git a/kubernetes/uui/components/uui-nlp/Chart.yaml b/kubernetes/uui/components/uui-nlp/Chart.yaml index 3d7bd08f29..681b7bc90c 100644 --- a/kubernetes/uui/components/uui-nlp/Chart.yaml +++ b/kubernetes/uui/components/uui-nlp/Chart.yaml @@ -20,15 +20,15 @@ apiVersion: v2 description: ONAP UUI NLP name: uui-nlp -version: 12.0.0 +version: 13.0.0 dependencies: - name: common - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/uui/components/uui-nlp/templates/deployment.yaml b/kubernetes/uui/components/uui-nlp/templates/deployment.yaml index e72ee448c6..f8537bd325 100644 --- a/kubernetes/uui/components/uui-nlp/templates/deployment.yaml 
+++ b/kubernetes/uui/components/uui-nlp/templates/deployment.yaml @@ -22,6 +22,7 @@ kind: Deployment metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: replicas: 1 + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} selector: {{- include "common.selectors" . | nindent 4 }} template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} @@ -57,6 +58,4 @@ spec: {{- else }} emptyDir: {} {{- end }} - - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/components/uui-nlp/templates/ingress.yaml b/kubernetes/uui/components/uui-nlp/templates/ingress.yaml index 8f87c68f1e..1471cb1d75 100644 --- a/kubernetes/uui/components/uui-nlp/templates/ingress.yaml +++ b/kubernetes/uui/components/uui-nlp/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/uui/components/uui-nlp/values.yaml b/kubernetes/uui/components/uui-nlp/values.yaml index b8c4b2fa69..abf1d7f227 100644 --- a/kubernetes/uui/components/uui-nlp/values.yaml +++ b/kubernetes/uui/components/uui-nlp/values.yaml @@ -19,7 +19,7 @@ global: pullPolicy: Always persistence: {} -image: onap/usecase-ui-nlp:1.0.3 +image: onap/usecase-ui-nlp:1.0.5 uui-nlp: enabled: true 
@@ -43,6 +43,7 @@ service: - name: http-upload port: *upload_port +revisionHistoryLimit: 1 liveness: initialDelaySeconds: 300 @@ -81,16 +82,16 @@ securityContext: resources: small: limits: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" requests: - cpu: 0.5 - memory: 512Mi + cpu: "0.5" + memory: "500Mi" large: limits: - cpu: 2 - memory: 2Gi + cpu: "2" + memory: "2Gi" requests: - cpu: 1 - memory: 1Gi + cpu: "1" + memory: "1Gi" unlimited: {} diff --git a/kubernetes/uui/components/uui-server/Chart.yaml b/kubernetes/uui/components/uui-server/Chart.yaml index a93cb669ba..e5677aa216 100644 --- a/kubernetes/uui/components/uui-server/Chart.yaml +++ b/kubernetes/uui/components/uui-server/Chart.yaml @@ -17,21 +17,18 @@ apiVersion: v2 description: ONAP uui server name: uui-server -version: 12.0.0 +version: 15.0.1 dependencies: - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: repositoryGenerator - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: postgres - version: ~12.x-0 + version: ~13.x-0 repository: '@local' - name: serviceAccount - version: ~12.x-0 + version: ~13.x-0 repository: '@local' diff --git a/kubernetes/uui/components/uui-server/resources/config/application.properties b/kubernetes/uui/components/uui-server/resources/config/application.properties index ee531dc741..a86cea7ff3 100644 --- a/kubernetes/uui/components/uui-server/resources/config/application.properties +++ b/kubernetes/uui/components/uui-server/resources/config/application.properties @@ -14,7 +14,8 @@ ## limitations under the License. ## ## General App Properties -server.servlet.contextPath=/api/usecaseui-server/v1 +spring.application.name=uui-server +server.servlet.contextPath={{ .Values.uuiServer.basePath }} server.port=8082 spring.http.multipart.max-file-size=128MB spring.http.multipart.max-request-size=128MB 
@@ -47,7 +48,28 @@ logging.level.*=INFO endpoints.shutdown.enabled=true endpoints.shutdown.sensitive=false -server.ssl.protocol=TLS -server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 -server.ssl.key-store-password=${KEYSTORE_PASSWORD} -server.ssl.key-store-type=PKCS12 +intents.scheduledTask.enabled=false + +management.endpoints.web.exposure.include=* +management.tracing.enabled={{ default .Values.global.tracing.enabled .Values.tracing.enabled }} +management.tracing.sampling.probability={{ default .Values.global.tracing.sampling.probability .Values.tracing.collector.baseUrl }} +management.zipkin.tracing.endpoint={{ default .Values.global.tracing.collector.baseUrl .Values.tracing.collector.baseUrl }}/api/v2/spans + +uui-server.client.aai.baseUrl={{ .Values.uuiServer.client.aai.baseUrl }} +uui-server.client.aai.apiVersion={{ .Values.uuiServer.client.aai.apiVersion }} +uui-server.client.aai.username={{ .Values.uuiServer.client.aai.username }} +uui-server.client.aai.password={{ .Values.uuiServer.client.aai.password }} +uui-server.client.so.baseUrl={{ .Values.uuiServer.client.so.baseUrl }} +uui-server.client.so.username={{ .Values.uuiServer.client.so.username }} +uui-server.client.so.password={{ .Values.uuiServer.client.so.password }} +uui-server.client.sdc.baseUrl={{ .Values.uuiServer.client.sdc.baseUrl }} +uui-server.client.sdc.username={{ .Values.uuiServer.client.sdc.username }} +uui-server.client.sdc.password={{ .Values.uuiServer.client.sdc.password }} +uui-server.slicing.service-invariant-uuid={{ .Values.uuiServer.slicing.serviceInvariantUuid }} +uui-server.slicing.service-uuid={{ .Values.uuiServer.slicing.serviceUuid }} +uui-server.slicing.global-subscriber-id={{ .Values.uuiServer.slicing.globalSubscriberId }} +uui-server.slicing.service-type={{ .Values.uuiServer.slicing.serviceType }} +uui-server.ccvpn.globalCustomerId={{ .Values.uuiServer.ccvpn.globalCustomerId }} +uui-server.ccvpn.serviceType={{ 
.Values.uuiServer.ccvpn.serviceType }} +uui-server.ccvpn.subscriberName={{ .Values.uuiServer.ccvpn.subscriberName }} +uui-server.ccvpn.subscriberType={{ .Values.uuiServer.ccvpn.subscriberType }} diff --git a/kubernetes/uui/components/uui-server/resources/entrypoint/run.sh b/kubernetes/uui/components/uui-server/resources/entrypoint/run.sh index 283d55b741..6f585273a8 100644 --- a/kubernetes/uui/components/uui-server/resources/entrypoint/run.sh +++ b/kubernetes/uui/components/uui-server/resources/entrypoint/run.sh @@ -32,7 +32,7 @@ $dbScript 127.0.0.1 5432 postgres uui echo "usecase-ui database init script finished normally..." JAVA_PATH="$JAVA_HOME/bin/java" -JAVA_OPTS="-Xms50m -Xmx128m" +JAVA_OPTS="-XX:MaxRAMPercentage=${MAX_RAM_PERCENTAGE:-70}" echo @JAVA_PATH@ $JAVA_PATH echo @JAVA_OPTS@ $JAVA_OPTS diff --git a/kubernetes/uui/components/uui-server/templates/deployment.yaml b/kubernetes/uui/components/uui-server/templates/deployment.yaml index 13b8774f47..0d48648f1f 100644 --- a/kubernetes/uui/components/uui-server/templates/deployment.yaml +++ b/kubernetes/uui/components/uui-server/templates/deployment.yaml @@ -21,13 +21,13 @@ metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} template: - metadata: - {{- include "common.templateMetadata" . | nindent 6 }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: {{ include "common.podSecurityContext" . | indent 6 | trim }} serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . ) }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - command: - sh args: 
@@ -52,8 +52,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" + - --service-name + - "{{ .Values.postgres.service.name2 }}" env: - name: NAMESPACE valueFrom: @@ -63,6 +63,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
@@ -72,30 +79,39 @@ spec: args: - -c - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) bash /uui/run.sh - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container + {{- if eq .Values.startup.enabled true }} + startupProbe: + httpGet: + port: {{ index .Values.service.ports 0 "port" }} + path: {{ .Values.uuiServer.basePath }}{{ .Values.startup.path }} + failureThreshold: {{ .Values.startup.failureThreshold }} + periodSeconds: {{ .Values.startup.periodSeconds }} + {{- end }} {{- if eq .Values.liveness.enabled true }} livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + httpGet: + port: {{ index .Values.service.ports 0 "port" }} + path: {{ .Values.uuiServer.basePath }}{{ .Values.liveness.path }} periodSeconds: {{ .Values.liveness.periodSeconds }} + failureThreshold: {{ .Values.liveness.failureThreshold }} {{- end }} - resources: {{ include "common.resources" . | nindent 12 }} readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + httpGet: + port: {{ index .Values.service.ports 0 "port" }} + path: {{ .Values.uuiServer.basePath }}{{ .Values.readiness.path }} periodSeconds: {{ .Values.readiness.periodSeconds }} + resources: {{ include "common.resources" . | nindent 12 }} env: - name: MSB_ADDR value: {{tpl .Values.msbaddr .}} - name: MR_ADDR value: {{tpl .Values.mraddr .}} + - name: AAI_ADDR + value: {{tpl .Values.aaiaddr .}} - name: POSTGRES_IP value: {{.Values.postgres.service.name2}} - name: POSTGRES_PORT 
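Review bot: the livenessProbe in this hunk renders failureThreshold from .Values.liveness.failureThreshold, but the liveness block this patch adds to the chart's values.yaml defines only enabled, path and periodSeconds, so the field renders empty. Either add liveness.failureThreshold to values.yaml or drop the line from the template. The comment about disabling the liveness probe while debugging now sits above the startupProbe block and should move down to the livenessProbe it describes. The probes need only the health endpoints, while application.properties in this patch sets management.endpoints.web.exposure.include=*, which publishes every enabled actuator endpoint on the same port and base path; limiting the exposure to health would be enough for these probes.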
@@ -104,7 +120,7 @@ spec: value: --spring.config.location=file:/config/application.properties - name: POSTGRES_DB_NAME value: {{ .Values.postgres.config.pgDatabase }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + volumeMounts: - mountPath: /uui/run.sh name: entrypoint subPath: run.sh @@ -122,6 +138,4 @@ spec: configMap: name: {{ include "common.fullname" . }}-entrypoint defaultMode: 0755 - {{ include "common.certInitializer.volumes" . | nindent 6 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/components/uui-server/templates/ingress.yaml b/kubernetes/uui/components/uui-server/templates/ingress.yaml index 8f87c68f1e..1f6ec7ab0e 100644 --- a/kubernetes/uui/components/uui-server/templates/ingress.yaml +++ b/kubernetes/uui/components/uui-server/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/uui/components/uui-server/templates/job.yaml b/kubernetes/uui/components/uui-server/templates/job.yaml index 73bde037de..50cc0244c2 100644 --- a/kubernetes/uui/components/uui-server/templates/job.yaml +++ b/kubernetes/uui/components/uui-server/templates/job.yaml 
@@ -15,7 +15,15 @@ # apiVersion: batch/v1 kind: Job -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +metadata: + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + release: {{ include "common.release" . }} + {{- if .Values.jobAnnotations }} + annotations: {{- include "common.tplValue" (dict "value" .Values.jobAnnotations "context" $) | nindent 4 }} + {{- end }} spec: backoffLimit: 20 template: @@ -29,8 +37,8 @@ spec: - command: - /app/ready.py args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" + - --service-name + - "{{ .Values.postgres.service.name2 }}" env: - name: NAMESPACE valueFrom: @@ -40,6 +48,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy}} name: {{ include "common.name" . }}-readiness + resources: + limits: + cpu: "100m" + memory: "500Mi" + requests: + cpu: "3m" + memory: "20Mi" containers: - name: {{ include "common.name" . }}-job image: {{ include "repositoryGenerator.image.postgres" . }} @@ -58,10 +73,10 @@ spec: - name: init-data mountPath: /aaa/init/postgres.sql subPath: postgres.sql - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{ include "common.waitForJobContainer" . | indent 6 | trim }} + {{- include "common.imagePullSecrets" . | nindent 6 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: init-data configMap: name: {{ include "common.fullname" . }} - diff --git a/kubernetes/uui/components/uui-server/templates/service.yaml b/kubernetes/uui/components/uui-server/templates/service.yaml index 157dac396d..fd6a25408d 100644 --- a/kubernetes/uui/components/uui-server/templates/service.yaml +++ b/kubernetes/uui/components/uui-server/templates/service.yaml 
@@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T, ZTE # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,40 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "usecaseui-server", - "version": "v1", - "url": "/api/usecaseui-server/v1", - "protocol": "REST", - "port": "{{.Values.service.internalPort}}", - "visualRange":"1", - "enable_ssl": true - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.uuiPortPrefix | default .Values.uuiPortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} diff --git a/kubernetes/uui/components/uui-server/values.yaml b/kubernetes/uui/components/uui-server/values.yaml index 44f4399d10..83dabb3b9b 100644 --- a/kubernetes/uui/components/uui-server/values.yaml +++ b/kubernetes/uui/components/uui-server/values.yaml 
@@ -20,7 +20,11 @@ # Global configuration defaults. ################################################################# global: - uuiPortPrefix: 303 + tracing: + collector: + baseUrl: http://jaeger-collector.istio-config:9411 + sampling: + probability: 1.0 secrets: - uid: pg-root-pass 
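Review bot: global.tracing gets collector.baseUrl and sampling.probability in this hunk but no enabled key, while application.properties in this patch renders management.tracing.enabled from default .Values.global.tracing.enabled .Values.tracing.enabled. Unless a parent chart supplies global.tracing.enabled, that property has no value when this chart is rendered on its own. Add an explicit enabled default next to collector (false would be the conservative choice). A default sampling probability of 1.0 also exports a span for every request once tracing is on, so consider a lower default.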
@@ -37,46 +41,6 @@ secrets: password: '{{ .Values.postgres.config.pgUserPassword }}' passwordPolicy: generate - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: uui-server-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: uui - fqi: uui@uui.onap.org - fqi_namespace: org.onap.uui - public_fqdn: uui.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** set key password as same password as keystore password" - keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_p12}" \ - -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }} - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - - ################################################################# # Application configuration defaults. ################################################################# 
@@ -88,13 +52,15 @@ flavor: small # application image repository: nexus3.onap.org:10001 -image: onap/usecase-ui-server:5.1.3 +image: onap/usecase-ui-server:15.0.3 pullPolicy: Always +revisionHistoryLimit: 1 # application configuration -msbaddr: msb-iag.{{include "common.namespace" .}}:443 +msbaddr: msb-iag.{{include "common.namespace" .}}:80 mraddr: message-router.{{include "common.namespace" .}}:3904 +aaiaddr: aai.{{include "common.namespace" .}}:80 # application configuration override for postgres postgres: @@ -129,32 +95,45 @@ nodeSelector: {} affinity: {} # probe configuration parameters +startup: + enabled: true + path: /actuator/health + periodSeconds: 1 + failureThreshold: 60 + liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container + # disable this for remote debugging enabled: true + path: /actuator/health + periodSeconds: 10 readiness: - initialDelaySeconds: 60 + path: /actuator/health/readiness periodSeconds: 10 service: - type: NodePort + type: ClusterIP name: uui-server - portName: http - internalPort: 8082 - nodePort: 99 + ports: + - name: http + port: 8082 ingress: enabled: false service: - - baseaddr: uui-server-api + - baseaddr: "uui-server-api" name: "uui-server" port: 8082 - config: - ssl: "redirect" + +## +## Use this to override the global defaults +tracing: +# enabled: false + collector: {} +# baseUrl: http://jaeger-collector.istio-config:9411 + sampling: {} +# probability: 1.0 # percentage of requests that are sampled (between 0-1/0%-100%) + # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little 
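Review bot: the tracing override block at the end of this hunk documents sampling.probability, but application.properties in this patch fills management.tracing.sampling.probability with default .Values.global.tracing.sampling.probability .Values.tracing.collector.baseUrl. As written, tracing.sampling.probability is never read, and setting tracing.collector.baseUrl puts a URL into the sampling property; the template should read .Values.tracing.sampling.probability. The commented enabled: false override also cannot switch tracing off when the global value is true, because Helm's default function treats false as empty and falls back to the global value; an explicit key check in the template would make the local override effective.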
@@ -169,18 +148,18 @@ ingress: resources: small: limits: - cpu: 1.5 - memory: 350Mi + cpu: "1.5" + memory: "2Gi" requests: - cpu: 1 - memory: 245Mi + cpu: "300m" + memory: "1Gi" large: limits: - cpu: 2 - memory: 500Mi + cpu: "2" + memory: "4Gi" requests: - cpu: 1 - memory: 500Mi + cpu: "1" + memory: "2Gi" unlimited: {} serviceAccount: @@ -190,4 +169,50 @@ serviceAccount: securityContext: user_id: 100 - group_id: 655533 \ No newline at end of file + group_id: 655533 + +wait_for_job_container: + containers: + - '{{ include "common.name" . }}-job' + +# Annotations to control the execution and deletion of the job +# Can be used to delete a job before an Upgrade +# +# jobAnnotations: +# # In case of an ArgoCD deployment this Hook deletes the job before syncing +# argocd.argoproj.io/hook: Sync +# argocd.argoproj.io/hook-delete-policy: BeforeHookCreation +# +# # In case of an Helm/Flux deployment this Hook deletes the job +# # This is what defines this resource as a hook. Without this line, the +# # job is considered part of the release. +# "helm.sh/hook": "pre-upgrade,pre-rollback,post-install" +# "helm.sh/hook-delete-policy": "before-hook-creation" +# "helm.sh/hook-weight": "1" + +uuiServer: + basePath: /api/usecaseui-server/v1 + client: + aai: + baseUrl: http://aai.onap + username: AAI + password: AAI + apiVersion: v29 + so: + baseUrl: http://so.onap:8080 + username: InfraPortalClient + password: password1$ + sdc: + baseUrl: http://sdc-be:8080 + username: aai + password: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U + slicing: + serviceInvariantUuid: defaultServiceInvariantUuid + serviceUuid: defaultServiceUuid + globalSubscriberId: defaultGlobalSubscriberId + serviceType: defaultServiceType + ccvpn: + globalCustomerId: defaultGlobalCustomerId + serviceType: defaultServiceType + subscriberName: defaultSubscriberName + subscriberType: defaultSubscriberType 
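Review bot: the uuiServer.client block at the end of this hunk commits the AAI, SO and SDC client passwords as plain chart defaults, and application.properties in this patch renders them verbatim into the uui-server.client.*.password properties. Declare them under the chart's existing secrets: list, as is already done for pg-user-creds, and hand them to the container from the Secret (the uui-llm-adaptation deployment in this patch does this with common.secret.envFromSecretFast) instead of through the properties file; whatever defaults remain in values.yaml should be placeholders. The client baseUrl defaults are plain http as well, in a patch that also removes the server.ssl settings, so the commit message or values comments should state what now provides transport protection for these credentials.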
diff --git a/kubernetes/uui/resources/config/server.xml b/kubernetes/uui/resources/config/server.xml index 275fcd8b14..f464074769 100644 --- a/kubernetes/uui/resources/config/server.xml +++ b/kubernetes/uui/resources/config/server.xml @@ -24,7 +24,7 @@ --> - + 
@@ -61,11 +61,7 @@ APR (HTTP/AJP) Connector: /docs/apr.html Define a non-SSL/TLS HTTP/1.1 Connector on port 8080 --> - - - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + default + org.apache.catalina.servlets.DefaultServlet + + debug + 0 + + + listings + false + + 1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + jsp + org.apache.jasper.servlet.JspServlet + + fork + false + + + xpoweredBy + false + + 3 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + default + / + + + + + jsp + *.jsp + *.jspx + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 30 + + + + + + + + + + + + + 123 + application/vnd.lotus-1-2-3 + + + 3dml + text/vnd.in3d.3dml + + + 3ds + image/x-3ds + + + 3g2 + video/3gpp2 + + + 3gp + video/3gpp + + + 7z + application/x-7z-compressed + + + aab + application/x-authorware-bin + + + aac + audio/x-aac + + + aam + application/x-authorware-map + + + aas + application/x-authorware-seg + + + abs + audio/x-mpeg + + + abw + application/x-abiword + + + ac + application/pkix-attr-cert + + + acc + application/vnd.americandynamics.acc + + + ace + application/x-ace-compressed + + + acu + application/vnd.acucobol + + + acutc + application/vnd.acucorp + + + adp + audio/adpcm + + + aep + application/vnd.audiograph + + + afm + 
application/x-font-type1 + + + afp + application/vnd.ibm.modcap + + + ahead + application/vnd.ahead.space + + + ai + application/postscript + + + aif + audio/x-aiff + + + aifc + audio/x-aiff + + + aiff + audio/x-aiff + + + aim + application/x-aim + + + air + application/vnd.adobe.air-application-installer-package+zip + + + ait + application/vnd.dvb.ait + + + ami + application/vnd.amiga.ami + + + anx + application/annodex + + + apk + application/vnd.android.package-archive + + + appcache + text/cache-manifest + + + application + application/x-ms-application + + + apr + application/vnd.lotus-approach + + + arc + application/x-freearc + + + art + image/x-jg + + + asc + application/pgp-signature + + + asf + video/x-ms-asf + + + asm + text/x-asm + + + aso + application/vnd.accpac.simply.aso + + + asx + video/x-ms-asf + + + atc + application/vnd.acucorp + + + atom + application/atom+xml + + + atomcat + application/atomcat+xml + + + atomsvc + application/atomsvc+xml + + + atx + application/vnd.antix.game-component + + + au + audio/basic + + + avi + video/x-msvideo + + + avx + video/x-rad-screenplay + + + aw + application/applixware + + + axa + audio/annodex + + + axv + video/annodex + + + azf + application/vnd.airzip.filesecure.azf + + + azs + application/vnd.airzip.filesecure.azs + + + azw + application/vnd.amazon.ebook + + + bat + application/x-msdownload + + + bcpio + application/x-bcpio + + + bdf + application/x-font-bdf + + + bdm + application/vnd.syncml.dm+wbxml + + + bed + application/vnd.realvnc.bed + + + bh2 + application/vnd.fujitsu.oasysprs + + + bin + application/octet-stream + + + blb + application/x-blorb + + + blorb + application/x-blorb + + + bmi + application/vnd.bmi + + + bmp + image/bmp + + + body + text/html + + + book + application/vnd.framemaker + + + box + application/vnd.previewsystems.box + + + boz + application/x-bzip2 + + + bpk + application/octet-stream + + + btif + image/prs.btif + + + bz + application/x-bzip + + + bz2 + application/x-bzip2 + 
+ + c + text/x-c + + + c11amc + application/vnd.cluetrust.cartomobile-config + + + c11amz + application/vnd.cluetrust.cartomobile-config-pkg + + + c4d + application/vnd.clonk.c4group + + + c4f + application/vnd.clonk.c4group + + + c4g + application/vnd.clonk.c4group + + + c4p + application/vnd.clonk.c4group + + + c4u + application/vnd.clonk.c4group + + + cab + application/vnd.ms-cab-compressed + + + caf + audio/x-caf + + + cap + application/vnd.tcpdump.pcap + + + car + application/vnd.curl.car + + + cat + application/vnd.ms-pki.seccat + + + cb7 + application/x-cbr + + + cba + application/x-cbr + + + cbr + application/x-cbr + + + cbt + application/x-cbr + + + cbz + application/x-cbr + + + cc + text/x-c + + + cct + application/x-director + + + ccxml + application/ccxml+xml + + + cdbcmsg + application/vnd.contact.cmsg + + + cdf + application/x-cdf + + + cdkey + application/vnd.mediastation.cdkey + + + cdmia + application/cdmi-capability + + + cdmic + application/cdmi-container + + + cdmid + application/cdmi-domain + + + cdmio + application/cdmi-object + + + cdmiq + application/cdmi-queue + + + cdx + chemical/x-cdx + + + cdxml + application/vnd.chemdraw+xml + + + cdy + application/vnd.cinderella + + + cer + application/pkix-cert + + + cfs + application/x-cfs-compressed + + + cgm + image/cgm + + + chat + application/x-chat + + + chm + application/vnd.ms-htmlhelp + + + chrt + application/vnd.kde.kchart + + + cif + chemical/x-cif + + + cii + application/vnd.anser-web-certificate-issue-initiation + + + cil + application/vnd.ms-artgalry + + + cla + application/vnd.claymore + + + class + application/java + + + clkk + application/vnd.crick.clicker.keyboard + + + clkp + application/vnd.crick.clicker.palette + + + clkt + application/vnd.crick.clicker.template + + + clkw + application/vnd.crick.clicker.wordbank + + + clkx + application/vnd.crick.clicker + + + clp + application/x-msclip + + + cmc + application/vnd.cosmocaller + + + cmdf + chemical/x-cmdf + + + cml + 
chemical/x-cml + + + cmp + application/vnd.yellowriver-custom-menu + + + cmx + image/x-cmx + + + cod + application/vnd.rim.cod + + + com + application/x-msdownload + + + conf + text/plain + + + cpio + application/x-cpio + + + cpp + text/x-c + + + cpt + application/mac-compactpro + + + crd + application/x-mscardfile + + + crl + application/pkix-crl + + + crt + application/x-x509-ca-cert + + + cryptonote + application/vnd.rig.cryptonote + + + csh + application/x-csh + + + csml + chemical/x-csml + + + csp + application/vnd.commonspace + + + css + text/css + + + cst + application/x-director + + + csv + text/csv + + + cu + application/cu-seeme + + + curl + text/vnd.curl + + + cww + application/prs.cww + + + cxt + application/x-director + + + cxx + text/x-c + + + dae + model/vnd.collada+xml + + + daf + application/vnd.mobius.daf + + + dart + application/vnd.dart + + + dataless + application/vnd.fdsn.seed + + + davmount + application/davmount+xml + + + dbk + application/docbook+xml + + + dcr + application/x-director + + + dcurl + text/vnd.curl.dcurl + + + dd2 + application/vnd.oma.dd2+xml + + + ddd + application/vnd.fujixerox.ddd + + + deb + application/x-debian-package + + + def + text/plain + + + deploy + application/octet-stream + + + der + application/x-x509-ca-cert + + + dfac + application/vnd.dreamfactory + + + dgc + application/x-dgc-compressed + + + dib + image/bmp + + + dic + text/x-c + + + dir + application/x-director + + + dis + application/vnd.mobius.dis + + + dist + application/octet-stream + + + distz + application/octet-stream + + + djv + image/vnd.djvu + + + djvu + image/vnd.djvu + + + dll + application/x-msdownload + + + dmg + application/x-apple-diskimage + + + dmp + application/vnd.tcpdump.pcap + + + dms + application/octet-stream + + + dna + application/vnd.dna + + + doc + application/msword + + + docm + application/vnd.ms-word.document.macroenabled.12 + + + docx + application/vnd.openxmlformats-officedocument.wordprocessingml.document + + + dot + 
application/msword + + + dotm + application/vnd.ms-word.template.macroenabled.12 + + + dotx + application/vnd.openxmlformats-officedocument.wordprocessingml.template + + + dp + application/vnd.osgi.dp + + + dpg + application/vnd.dpgraph + + + dra + audio/vnd.dra + + + dsc + text/prs.lines.tag + + + dssc + application/dssc+der + + + dtb + application/x-dtbook+xml + + + dtd + application/xml-dtd + + + dts + audio/vnd.dts + + + dtshd + audio/vnd.dts.hd + + + dump + application/octet-stream + + + dv + video/x-dv + + + dvb + video/vnd.dvb.file + + + dvi + application/x-dvi + + + dwf + model/vnd.dwf + + + dwg + image/vnd.dwg + + + dxf + image/vnd.dxf + + + dxp + application/vnd.spotfire.dxp + + + dxr + application/x-director + + + ecelp4800 + audio/vnd.nuera.ecelp4800 + + + ecelp7470 + audio/vnd.nuera.ecelp7470 + + + ecelp9600 + audio/vnd.nuera.ecelp9600 + + + ecma + application/ecmascript + + + edm + application/vnd.novadigm.edm + + + edx + application/vnd.novadigm.edx + + + efif + application/vnd.picsel + + + ei6 + application/vnd.pg.osasli + + + elc + application/octet-stream + + + emf + application/x-msmetafile + + + eml + message/rfc822 + + + emma + application/emma+xml + + + emz + application/x-msmetafile + + + eol + audio/vnd.digital-winds + + + eot + application/vnd.ms-fontobject + + + eps + application/postscript + + + epub + application/epub+zip + + + es3 + application/vnd.eszigno3+xml + + + esa + application/vnd.osgi.subsystem + + + esf + application/vnd.epson.esf + + + et3 + application/vnd.eszigno3+xml + + + etx + text/x-setext + + + eva + application/x-eva + + + evy + application/x-envoy + + + exe + application/octet-stream + + + exi + application/exi + + + ext + application/vnd.novadigm.ext + + + ez + application/andrew-inset + + + ez2 + application/vnd.ezpix-album + + + ez3 + application/vnd.ezpix-package + + + f + text/x-fortran + + + f4v + video/x-f4v + + + f77 + text/x-fortran + + + f90 + text/x-fortran + + + fbs + image/vnd.fastbidsheet + + + fcdt + 
application/vnd.adobe.formscentral.fcdt + + + fcs + application/vnd.isac.fcs + + + fdf + application/vnd.fdf + + + fe_launch + application/vnd.denovo.fcselayout-link + + + fg5 + application/vnd.fujitsu.oasysgp + + + fgd + application/x-director + + + fh + image/x-freehand + + + fh4 + image/x-freehand + + + fh5 + image/x-freehand + + + fh7 + image/x-freehand + + + fhc + image/x-freehand + + + fig + application/x-xfig + + + flac + audio/flac + + + fli + video/x-fli + + + flo + application/vnd.micrografx.flo + + + flv + video/x-flv + + + flw + application/vnd.kde.kivio + + + flx + text/vnd.fmi.flexstor + + + fly + text/vnd.fly + + + fm + application/vnd.framemaker + + + fnc + application/vnd.frogans.fnc + + + for + text/x-fortran + + + fpx + image/vnd.fpx + + + frame + application/vnd.framemaker + + + fsc + application/vnd.fsc.weblaunch + + + fst + image/vnd.fst + + + ftc + application/vnd.fluxtime.clip + + + fti + application/vnd.anser-web-funds-transfer-initiation + + + fvt + video/vnd.fvt + + + fxp + application/vnd.adobe.fxp + + + fxpl + application/vnd.adobe.fxp + + + fzs + application/vnd.fuzzysheet + + + g2w + application/vnd.geoplan + + + g3 + image/g3fax + + + g3w + application/vnd.geospace + + + gac + application/vnd.groove-account + + + gam + application/x-tads + + + gbr + application/rpki-ghostbusters + + + gca + application/x-gca-compressed + + + gdl + model/vnd.gdl + + + geo + application/vnd.dynageo + + + gex + application/vnd.geometry-explorer + + + ggb + application/vnd.geogebra.file + + + ggt + application/vnd.geogebra.tool + + + ghf + application/vnd.groove-help + + + gif + image/gif + + + gim + application/vnd.groove-identity-message + + + gml + application/gml+xml + + + gmx + application/vnd.gmx + + + gnumeric + application/x-gnumeric + + + gph + application/vnd.flographit + + + gpx + application/gpx+xml + + + gqf + application/vnd.grafeq + + + gqs + application/vnd.grafeq + + + gram + application/srgs + + + gramps + application/x-gramps-xml + + + 
gre + application/vnd.geometry-explorer + + + grv + application/vnd.groove-injector + + + grxml + application/srgs+xml + + + gsf + application/x-font-ghostscript + + + gtar + application/x-gtar + + + gtm + application/vnd.groove-tool-message + + + gtw + model/vnd.gtw + + + gv + text/vnd.graphviz + + + gxf + application/gxf + + + gxt + application/vnd.geonext + + + gz + application/x-gzip + + + h + text/x-c + + + h261 + video/h261 + + + h263 + video/h263 + + + h264 + video/h264 + + + hal + application/vnd.hal+xml + + + hbci + application/vnd.hbci + + + hdf + application/x-hdf + + + hh + text/x-c + + + hlp + application/winhlp + + + hpgl + application/vnd.hp-hpgl + + + hpid + application/vnd.hp-hpid + + + hps + application/vnd.hp-hps + + + hqx + application/mac-binhex40 + + + htc + text/x-component + + + htke + application/vnd.kenameaapp + + + htm + text/html + + + html + text/html + + + hvd + application/vnd.yamaha.hv-dic + + + hvp + application/vnd.yamaha.hv-voice + + + hvs + application/vnd.yamaha.hv-script + + + i2g + application/vnd.intergeo + + + icc + application/vnd.iccprofile + + + ice + x-conference/x-cooltalk + + + icm + application/vnd.iccprofile + + + ico + image/x-icon + + + ics + text/calendar + + + ief + image/ief + + + ifb + text/calendar + + + ifm + application/vnd.shana.informed.formdata + + + iges + model/iges + + + igl + application/vnd.igloader + + + igm + application/vnd.insors.igm + + + igs + model/iges + + + igx + application/vnd.micrografx.igx + + + iif + application/vnd.shana.informed.interchange + + + imp + application/vnd.accpac.simply.imp + + + ims + application/vnd.ms-ims + + + in + text/plain + + + ink + application/inkml+xml + + + inkml + application/inkml+xml + + + install + application/x-install-instructions + + + iota + application/vnd.astraea-software.iota + + + ipfix + application/ipfix + + + ipk + application/vnd.shana.informed.package + + + irm + application/vnd.ibm.rights-management + + + irp + 
application/vnd.irepository.package+xml + + + iso + application/x-iso9660-image + + + itp + application/vnd.shana.informed.formtemplate + + + ivp + application/vnd.immervision-ivp + + + ivu + application/vnd.immervision-ivu + + + jad + text/vnd.sun.j2me.app-descriptor + + + jam + application/vnd.jam + + + jar + application/java-archive + + + java + text/x-java-source + + + jisp + application/vnd.jisp + + + jlt + application/vnd.hp-jlyt + + + jnlp + application/x-java-jnlp-file + + + joda + application/vnd.joost.joda-archive + + + jpe + image/jpeg + + + jpeg + image/jpeg + + + jpg + image/jpeg + + + jpgm + video/jpm + + + jpgv + video/jpeg + + + jpm + video/jpm + + + js + application/javascript + + + jsf + text/plain + + + json + application/json + + + jsonml + application/jsonml+json + + + jspf + text/plain + + + kar + audio/midi + + + karbon + application/vnd.kde.karbon + + + kfo + application/vnd.kde.kformula + + + kia + application/vnd.kidspiration + + + kml + application/vnd.google-earth.kml+xml + + + kmz + application/vnd.google-earth.kmz + + + kne + application/vnd.kinar + + + knp + application/vnd.kinar + + + kon + application/vnd.kde.kontour + + + kpr + application/vnd.kde.kpresenter + + + kpt + application/vnd.kde.kpresenter + + + kpxx + application/vnd.ds-keypoint + + + ksp + application/vnd.kde.kspread + + + ktr + application/vnd.kahootz + + + ktx + image/ktx + + + ktz + application/vnd.kahootz + + + kwd + application/vnd.kde.kword + + + kwt + application/vnd.kde.kword + + + lasxml + application/vnd.las.las+xml + + + latex + application/x-latex + + + lbd + application/vnd.llamagraphics.life-balance.desktop + + + lbe + application/vnd.llamagraphics.life-balance.exchange+xml + + + les + application/vnd.hhe.lesson-player + + + lha + application/x-lzh-compressed + + + link66 + application/vnd.route66.link66+xml + + + list + text/plain + + + list3820 + application/vnd.ibm.modcap + + + listafp + application/vnd.ibm.modcap + + + lnk + application/x-ms-shortcut 
+ + + log + text/plain + + + lostxml + application/lost+xml + + + lrf + application/octet-stream + + + lrm + application/vnd.ms-lrm + + + ltf + application/vnd.frogans.ltf + + + lvp + audio/vnd.lucent.voice + + + lwp + application/vnd.lotus-wordpro + + + lzh + application/x-lzh-compressed + + + m13 + application/x-msmediaview + + + m14 + application/x-msmediaview + + + m1v + video/mpeg + + + m21 + application/mp21 + + + m2a + audio/mpeg + + + m2v + video/mpeg + + + m3a + audio/mpeg + + + m3u + audio/x-mpegurl + + + m3u8 + application/vnd.apple.mpegurl + + + m4a + audio/mp4 + + + m4b + audio/mp4 + + + m4r + audio/mp4 + + + m4u + video/vnd.mpegurl + + + m4v + video/mp4 + + + ma + application/mathematica + + + mac + image/x-macpaint + + + mads + application/mads+xml + + + mag + application/vnd.ecowin.chart + + + maker + application/vnd.framemaker + + + man + text/troff + + + mar + application/octet-stream + + + mathml + application/mathml+xml + + + mb + application/mathematica + + + mbk + application/vnd.mobius.mbk + + + mbox + application/mbox + + + mc1 + application/vnd.medcalcdata + + + mcd + application/vnd.mcd + + + mcurl + text/vnd.curl.mcurl + + + mdb + application/x-msaccess + + + mdi + image/vnd.ms-modi + + + me + text/troff + + + mesh + model/mesh + + + meta4 + application/metalink4+xml + + + metalink + application/metalink+xml + + + mets + application/mets+xml + + + mfm + application/vnd.mfmp + + + mft + application/rpki-manifest + + + mgp + application/vnd.osgeo.mapguide.package + + + mgz + application/vnd.proteus.magazine + + + mid + audio/midi + + + midi + audio/midi + + + mie + application/x-mie + + + mif + application/x-mif + + + mime + message/rfc822 + + + mj2 + video/mj2 + + + mjp2 + video/mj2 + + + mk3d + video/x-matroska + + + mka + audio/x-matroska + + + mks + video/x-matroska + + + mkv + video/x-matroska + + + mlp + application/vnd.dolby.mlp + + + mmd + application/vnd.chipnuts.karaoke-mmd + + + mmf + application/vnd.smaf + + + mmr + 
image/vnd.fujixerox.edmics-mmr + + + mng + video/x-mng + + + mny + application/x-msmoney + + + mobi + application/x-mobipocket-ebook + + + mods + application/mods+xml + + + mov + video/quicktime + + + movie + video/x-sgi-movie + + + mp1 + audio/mpeg + + + mp2 + audio/mpeg + + + mp21 + application/mp21 + + + mp2a + audio/mpeg + + + mp3 + audio/mpeg + + + mp4 + video/mp4 + + + mp4a + audio/mp4 + + + mp4s + application/mp4 + + + mp4v + video/mp4 + + + mpa + audio/mpeg + + + mpc + application/vnd.mophun.certificate + + + mpe + video/mpeg + + + mpeg + video/mpeg + + + mpega + audio/x-mpeg + + + mpg + video/mpeg + + + mpg4 + video/mp4 + + + mpga + audio/mpeg + + + mpkg + application/vnd.apple.installer+xml + + + mpm + application/vnd.blueice.multipass + + + mpn + application/vnd.mophun.application + + + mpp + application/vnd.ms-project + + + mpt + application/vnd.ms-project + + + mpv2 + video/mpeg2 + + + mpy + application/vnd.ibm.minipay + + + mqy + application/vnd.mobius.mqy + + + mrc + application/marc + + + mrcx + application/marcxml+xml + + + ms + text/troff + + + mscml + application/mediaservercontrol+xml + + + mseed + application/vnd.fdsn.mseed + + + mseq + application/vnd.mseq + + + msf + application/vnd.epson.msf + + + msh + model/mesh + + + msi + application/x-msdownload + + + msl + application/vnd.mobius.msl + + + msty + application/vnd.muvee.style + + + mts + model/vnd.mts + + + mus + application/vnd.musician + + + musicxml + application/vnd.recordare.musicxml+xml + + + mvb + application/x-msmediaview + + + mwf + application/vnd.mfer + + + mxf + application/mxf + + + mxl + application/vnd.recordare.musicxml + + + mxml + application/xv+xml + + + mxs + application/vnd.triscape.mxs + + + mxu + video/vnd.mpegurl + + + n-gage + application/vnd.nokia.n-gage.symbian.install + + + n3 + text/n3 + + + nb + application/mathematica + + + nbp + application/vnd.wolfram.player + + + nc + application/x-netcdf + + + ncx + application/x-dtbncx+xml + + + nfo + text/x-nfo + + + 
ngdat + application/vnd.nokia.n-gage.data + + + nitf + application/vnd.nitf + + + nlu + application/vnd.neurolanguage.nlu + + + nml + application/vnd.enliven + + + nnd + application/vnd.noblenet-directory + + + nns + application/vnd.noblenet-sealer + + + nnw + application/vnd.noblenet-web + + + npx + image/vnd.net-fpx + + + nsc + application/x-conference + + + nsf + application/vnd.lotus-notes + + + ntf + application/vnd.nitf + + + nzb + application/x-nzb + + + oa2 + application/vnd.fujitsu.oasys2 + + + oa3 + application/vnd.fujitsu.oasys3 + + + oas + application/vnd.fujitsu.oasys + + + obd + application/x-msbinder + + + obj + application/x-tgif + + + oda + application/oda + + + + odb + application/vnd.oasis.opendocument.database + + + + odc + application/vnd.oasis.opendocument.chart + + + + odf + application/vnd.oasis.opendocument.formula + + + odft + application/vnd.oasis.opendocument.formula-template + + + + odg + application/vnd.oasis.opendocument.graphics + + + + odi + application/vnd.oasis.opendocument.image + + + + odm + application/vnd.oasis.opendocument.text-master + + + + odp + application/vnd.oasis.opendocument.presentation + + + + ods + application/vnd.oasis.opendocument.spreadsheet + + + + odt + application/vnd.oasis.opendocument.text + + + oga + audio/ogg + + + ogg + audio/ogg + + + ogv + video/ogg + + + + ogx + application/ogg + + + omdoc + application/omdoc+xml + + + onepkg + application/onenote + + + onetmp + application/onenote + + + onetoc + application/onenote + + + onetoc2 + application/onenote + + + opf + application/oebps-package+xml + + + opml + text/x-opml + + + oprc + application/vnd.palm + + + org + application/vnd.lotus-organizer + + + osf + application/vnd.yamaha.openscoreformat + + + osfpvg + application/vnd.yamaha.openscoreformat.osfpvg+xml + + + otc + application/vnd.oasis.opendocument.chart-template + + + otf + font/otf + + + + otg + application/vnd.oasis.opendocument.graphics-template + + + + oth + 
application/vnd.oasis.opendocument.text-web + + + oti + application/vnd.oasis.opendocument.image-template + + + + otp + application/vnd.oasis.opendocument.presentation-template + + + + ots + application/vnd.oasis.opendocument.spreadsheet-template + + + + ott + application/vnd.oasis.opendocument.text-template + + + oxps + application/oxps + + + oxt + application/vnd.openofficeorg.extension + + + p + text/x-pascal + + + p10 + application/pkcs10 + + + p12 + application/x-pkcs12 + + + p7b + application/x-pkcs7-certificates + + + p7c + application/pkcs7-mime + + + p7m + application/pkcs7-mime + + + p7r + application/x-pkcs7-certreqresp + + + p7s + application/pkcs7-signature + + + p8 + application/pkcs8 + + + pas + text/x-pascal + + + paw + application/vnd.pawaafile + + + pbd + application/vnd.powerbuilder6 + + + pbm + image/x-portable-bitmap + + + pcap + application/vnd.tcpdump.pcap + + + pcf + application/x-font-pcf + + + pcl + application/vnd.hp-pcl + + + pclxl + application/vnd.hp-pclxl + + + pct + image/pict + + + pcurl + application/vnd.curl.pcurl + + + pcx + image/x-pcx + + + pdb + application/vnd.palm + + + pdf + application/pdf + + + pfa + application/x-font-type1 + + + pfb + application/x-font-type1 + + + pfm + application/x-font-type1 + + + pfr + application/font-tdpfr + + + pfx + application/x-pkcs12 + + + pgm + image/x-portable-graymap + + + pgn + application/x-chess-pgn + + + pgp + application/pgp-encrypted + + + pic + image/pict + + + pict + image/pict + + + pkg + application/octet-stream + + + pki + application/pkixcmp + + + pkipath + application/pkix-pkipath + + + plb + application/vnd.3gpp.pic-bw-large + + + plc + application/vnd.mobius.plc + + + plf + application/vnd.pocketlearn + + + + pls + audio/x-scpls + + + pml + application/vnd.ctc-posml + + + png + image/png + + + pnm + image/x-portable-anymap + + + pnt + image/x-macpaint + + + portpkg + application/vnd.macports.portpkg + + + pot + application/vnd.ms-powerpoint + + + potm + 
application/vnd.ms-powerpoint.template.macroenabled.12 + + + potx + application/vnd.openxmlformats-officedocument.presentationml.template + + + ppam + application/vnd.ms-powerpoint.addin.macroenabled.12 + + + ppd + application/vnd.cups-ppd + + + ppm + image/x-portable-pixmap + + + pps + application/vnd.ms-powerpoint + + + ppsm + application/vnd.ms-powerpoint.slideshow.macroenabled.12 + + + ppsx + application/vnd.openxmlformats-officedocument.presentationml.slideshow + + + ppt + application/vnd.ms-powerpoint + + + pptm + application/vnd.ms-powerpoint.presentation.macroenabled.12 + + + pptx + application/vnd.openxmlformats-officedocument.presentationml.presentation + + + pqa + application/vnd.palm + + + prc + application/x-mobipocket-ebook + + + pre + application/vnd.lotus-freelance + + + prf + application/pics-rules + + + ps + application/postscript + + + psb + application/vnd.3gpp.pic-bw-small + + + psd + image/vnd.adobe.photoshop + + + psf + application/x-font-linux-psf + + + pskcxml + application/pskc+xml + + + ptid + application/vnd.pvi.ptid1 + + + pub + application/x-mspublisher + + + pvb + application/vnd.3gpp.pic-bw-var + + + pwn + application/vnd.3m.post-it-notes + + + pya + audio/vnd.ms-playready.media.pya + + + pyv + video/vnd.ms-playready.media.pyv + + + qam + application/vnd.epson.quickanime + + + qbo + application/vnd.intu.qbo + + + qfx + application/vnd.intu.qfx + + + qps + application/vnd.publishare-delta-tree + + + qt + video/quicktime + + + qti + image/x-quicktime + + + qtif + image/x-quicktime + + + qwd + application/vnd.quark.quarkxpress + + + qwt + application/vnd.quark.quarkxpress + + + qxb + application/vnd.quark.quarkxpress + + + qxd + application/vnd.quark.quarkxpress + + + qxl + application/vnd.quark.quarkxpress + + + qxt + application/vnd.quark.quarkxpress + + + ra + audio/x-pn-realaudio + + + ram + audio/x-pn-realaudio + + + rar + application/x-rar-compressed + + + ras + image/x-cmu-raster + + + rcprofile + 
application/vnd.ipunplugged.rcprofile + + + rdf + application/rdf+xml + + + rdz + application/vnd.data-vision.rdz + + + rep + application/vnd.businessobjects + + + res + application/x-dtbresource+xml + + + rgb + image/x-rgb + + + rif + application/reginfo+xml + + + rip + audio/vnd.rip + + + ris + application/x-research-info-systems + + + rl + application/resource-lists+xml + + + rlc + image/vnd.fujixerox.edmics-rlc + + + rld + application/resource-lists-diff+xml + + + rm + application/vnd.rn-realmedia + + + rmi + audio/midi + + + rmp + audio/x-pn-realaudio-plugin + + + rms + application/vnd.jcp.javame.midlet-rms + + + rmvb + application/vnd.rn-realmedia-vbr + + + rnc + application/relax-ng-compact-syntax + + + roa + application/rpki-roa + + + roff + text/troff + + + rp9 + application/vnd.cloanto.rp9 + + + rpss + application/vnd.nokia.radio-presets + + + rpst + application/vnd.nokia.radio-preset + + + rq + application/sparql-query + + + rs + application/rls-services+xml + + + rsd + application/rsd+xml + + + rss + application/rss+xml + + + rtf + application/rtf + + + rtx + text/richtext + + + s + text/x-asm + + + s3m + audio/s3m + + + saf + application/vnd.yamaha.smaf-audio + + + sbml + application/sbml+xml + + + sc + application/vnd.ibm.secure-container + + + scd + application/x-msschedule + + + scm + application/vnd.lotus-screencam + + + scq + application/scvp-cv-request + + + scs + application/scvp-cv-response + + + scurl + text/vnd.curl.scurl + + + sda + application/vnd.stardivision.draw + + + sdc + application/vnd.stardivision.calc + + + sdd + application/vnd.stardivision.impress + + + sdkd + application/vnd.solent.sdkm+xml + + + sdkm + application/vnd.solent.sdkm+xml + + + sdp + application/sdp + + + sdw + application/vnd.stardivision.writer + + + see + application/vnd.seemail + + + seed + application/vnd.fdsn.seed + + + sema + application/vnd.sema + + + semd + application/vnd.semd + + + semf + application/vnd.semf + + + ser + application/java-serialized-object 
+ + + setpay + application/set-payment-initiation + + + setreg + application/set-registration-initiation + + + sfd-hdstx + application/vnd.hydrostatix.sof-data + + + sfs + application/vnd.spotfire.sfs + + + sfv + text/x-sfv + + + sgi + image/sgi + + + sgl + application/vnd.stardivision.writer-global + + + sgm + text/sgml + + + sgml + text/sgml + + + sh + application/x-sh + + + shar + application/x-shar + + + shf + application/shf+xml + + + + sid + image/x-mrsid-image + + + sig + application/pgp-signature + + + sil + audio/silk + + + silo + model/mesh + + + sis + application/vnd.symbian.install + + + sisx + application/vnd.symbian.install + + + sit + application/x-stuffit + + + sitx + application/x-stuffitx + + + skd + application/vnd.koan + + + skm + application/vnd.koan + + + skp + application/vnd.koan + + + skt + application/vnd.koan + + + sldm + application/vnd.ms-powerpoint.slide.macroenabled.12 + + + sldx + application/vnd.openxmlformats-officedocument.presentationml.slide + + + slt + application/vnd.epson.salt + + + sm + application/vnd.stepmania.stepchart + + + smf + application/vnd.stardivision.math + + + smi + application/smil+xml + + + smil + application/smil+xml + + + smv + video/x-smv + + + smzip + application/vnd.stepmania.package + + + snd + audio/basic + + + snf + application/x-font-snf + + + so + application/octet-stream + + + spc + application/x-pkcs7-certificates + + + spf + application/vnd.yamaha.smaf-phrase + + + spl + application/x-futuresplash + + + spot + text/vnd.in3d.spot + + + spp + application/scvp-vp-response + + + spq + application/scvp-vp-request + + + spx + audio/ogg + + + sql + application/x-sql + + + src + application/x-wais-source + + + srt + application/x-subrip + + + sru + application/sru+xml + + + srx + application/sparql-results+xml + + + ssdl + application/ssdl+xml + + + sse + application/vnd.kodak-descriptor + + + ssf + application/vnd.epson.ssf + + + ssml + application/ssml+xml + + + st + application/vnd.sailingtracker.track 
+ + + stc + application/vnd.sun.xml.calc.template + + + std + application/vnd.sun.xml.draw.template + + + stf + application/vnd.wt.stf + + + sti + application/vnd.sun.xml.impress.template + + + stk + application/hyperstudio + + + stl + application/vnd.ms-pki.stl + + + str + application/vnd.pg.format + + + stw + application/vnd.sun.xml.writer.template + + + sub + text/vnd.dvb.subtitle + + + sus + application/vnd.sus-calendar + + + susp + application/vnd.sus-calendar + + + sv4cpio + application/x-sv4cpio + + + sv4crc + application/x-sv4crc + + + svc + application/vnd.dvb.service + + + svd + application/vnd.svd + + + svg + image/svg+xml + + + svgz + image/svg+xml + + + swa + application/x-director + + + swf + application/x-shockwave-flash + + + swi + application/vnd.aristanetworks.swi + + + sxc + application/vnd.sun.xml.calc + + + sxd + application/vnd.sun.xml.draw + + + sxg + application/vnd.sun.xml.writer.global + + + sxi + application/vnd.sun.xml.impress + + + sxm + application/vnd.sun.xml.math + + + sxw + application/vnd.sun.xml.writer + + + t + text/troff + + + t3 + application/x-t3vm-image + + + taglet + application/vnd.mynfc + + + tao + application/vnd.tao.intent-module-archive + + + tar + application/x-tar + + + tcap + application/vnd.3gpp2.tcap + + + tcl + application/x-tcl + + + teacher + application/vnd.smart.teacher + + + tei + application/tei+xml + + + teicorpus + application/tei+xml + + + tex + application/x-tex + + + texi + application/x-texinfo + + + texinfo + application/x-texinfo + + + text + text/plain + + + tfi + application/thraud+xml + + + tfm + application/x-tex-tfm + + + tga + image/x-tga + + + thmx + application/vnd.ms-officetheme + + + tif + image/tiff + + + tiff + image/tiff + + + tmo + application/vnd.tmobile-livetv + + + torrent + application/x-bittorrent + + + tpl + application/vnd.groove-tool-template + + + tpt + application/vnd.trid.tpt + + + tr + text/troff + + + tra + application/vnd.trueapp + + + trm + application/x-msterminal + + + 
tsd + application/timestamped-data + + + tsv + text/tab-separated-values + + + ttc + font/collection + + + ttf + font/ttf + + + ttl + text/turtle + + + twd + application/vnd.simtech-mindmapper + + + twds + application/vnd.simtech-mindmapper + + + txd + application/vnd.genomatix.tuxedo + + + txf + application/vnd.mobius.txf + + + txt + text/plain + + + u32 + application/x-authorware-bin + + + udeb + application/x-debian-package + + + ufd + application/vnd.ufdl + + + ufdl + application/vnd.ufdl + + + ulw + audio/basic + + + ulx + application/x-glulx + + + umj + application/vnd.umajin + + + unityweb + application/vnd.unity + + + uoml + application/vnd.uoml+xml + + + uri + text/uri-list + + + uris + text/uri-list + + + urls + text/uri-list + + + ustar + application/x-ustar + + + utz + application/vnd.uiq.theme + + + uu + text/x-uuencode + + + uva + audio/vnd.dece.audio + + + uvd + application/vnd.dece.data + + + uvf + application/vnd.dece.data + + + uvg + image/vnd.dece.graphic + + + uvh + video/vnd.dece.hd + + + uvi + image/vnd.dece.graphic + + + uvm + video/vnd.dece.mobile + + + uvp + video/vnd.dece.pd + + + uvs + video/vnd.dece.sd + + + uvt + application/vnd.dece.ttml+xml + + + uvu + video/vnd.uvvu.mp4 + + + uvv + video/vnd.dece.video + + + uvva + audio/vnd.dece.audio + + + uvvd + application/vnd.dece.data + + + uvvf + application/vnd.dece.data + + + uvvg + image/vnd.dece.graphic + + + uvvh + video/vnd.dece.hd + + + uvvi + image/vnd.dece.graphic + + + uvvm + video/vnd.dece.mobile + + + uvvp + video/vnd.dece.pd + + + uvvs + video/vnd.dece.sd + + + uvvt + application/vnd.dece.ttml+xml + + + uvvu + video/vnd.uvvu.mp4 + + + uvvv + video/vnd.dece.video + + + uvvx + application/vnd.dece.unspecified + + + uvvz + application/vnd.dece.zip + + + uvx + application/vnd.dece.unspecified + + + uvz + application/vnd.dece.zip + + + vcard + text/vcard + + + vcd + application/x-cdlink + + + vcf + text/x-vcard + + + vcg + application/vnd.groove-vcard + + + vcs + text/x-vcalendar + + + 
vcx + application/vnd.vcx + + + vis + application/vnd.visionary + + + viv + video/vnd.vivo + + + vob + video/x-ms-vob + + + vor + application/vnd.stardivision.writer + + + vox + + application/x-authorware-bin + + + vrml + model/vrml + + + vsd + application/vnd.visio + + + vsf + application/vnd.vsf + + + vss + application/vnd.visio + + + vst + application/vnd.visio + + + vsw + application/vnd.visio + + + vtu + model/vnd.vtu + + + vxml + application/voicexml+xml + + + w3d + application/x-director + + + wad + application/x-doom + + + wav + audio/x-wav + + + wax + audio/x-ms-wax + + + + wbmp + image/vnd.wap.wbmp + + + wbs + application/vnd.criticaltools.wbs+xml + + + wbxml + application/vnd.wap.wbxml + + + wcm + application/vnd.ms-works + + + wdb + application/vnd.ms-works + + + wdp + image/vnd.ms-photo + + + weba + audio/webm + + + webm + video/webm + + + webp + image/webp + + + wg + application/vnd.pmi.widget + + + wgt + application/widget + + + wks + application/vnd.ms-works + + + wm + video/x-ms-wm + + + wma + audio/x-ms-wma + + + wmd + application/x-ms-wmd + + + wmf + application/x-msmetafile + + + + wml + text/vnd.wap.wml + + + + wmlc + application/vnd.wap.wmlc + + + + wmls + text/vnd.wap.wmlscript + + + + wmlsc + application/vnd.wap.wmlscriptc + + + wmv + video/x-ms-wmv + + + wmx + video/x-ms-wmx + + + wmz + application/x-msmetafile + + + woff + font/woff + + + woff2 + font/woff2 + + + wpd + application/vnd.wordperfect + + + wpl + application/vnd.ms-wpl + + + wps + application/vnd.ms-works + + + wqd + application/vnd.wqd + + + wri + application/x-mswrite + + + wrl + model/vrml + + + wsdl + application/wsdl+xml + + + wspolicy + application/wspolicy+xml + + + wtb + application/vnd.webturbo + + + wvx + video/x-ms-wvx + + + x32 + application/x-authorware-bin + + + x3d + model/x3d+xml + + + x3db + model/x3d+binary + + + x3dbz + model/x3d+binary + + + x3dv + model/x3d+vrml + + + x3dvz + model/x3d+vrml + + + x3dz + model/x3d+xml + + + xaml + application/xaml+xml + + + 
xap + application/x-silverlight-app + + + xar + application/vnd.xara + + + xbap + application/x-ms-xbap + + + xbd + application/vnd.fujixerox.docuworks.binder + + + xbm + image/x-xbitmap + + + xdf + application/xcap-diff+xml + + + + xdm + application/vnd.syncml.dm+xml + + + xdp + application/vnd.adobe.xdp+xml + + + xdssc + application/dssc+xml + + + xdw + application/vnd.fujixerox.docuworks + + + xenc + application/xenc+xml + + + xer + application/patch-ops-error+xml + + + xfdf + application/vnd.adobe.xfdf + + + xfdl + application/vnd.xfdl + + + xht + application/xhtml+xml + + + xhtml + application/xhtml+xml + + + xhvml + application/xv+xml + + + xif + image/vnd.xiff + + + xla + application/vnd.ms-excel + + + xlam + application/vnd.ms-excel.addin.macroenabled.12 + + + xlc + application/vnd.ms-excel + + + xlf + application/x-xliff+xml + + + xlm + application/vnd.ms-excel + + + xls + application/vnd.ms-excel + + + xlsb + application/vnd.ms-excel.sheet.binary.macroenabled.12 + + + xlsm + application/vnd.ms-excel.sheet.macroenabled.12 + + + xlsx + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + + + xlt + application/vnd.ms-excel + + + xltm + application/vnd.ms-excel.template.macroenabled.12 + + + xltx + application/vnd.openxmlformats-officedocument.spreadsheetml.template + + + xlw + application/vnd.ms-excel + + + xm + audio/xm + + + xml + application/xml + + + xo + application/vnd.olpc-sugar + + + xop + application/xop+xml + + + xpi + application/x-xpinstall + + + xpl + application/xproc+xml + + + xpm + image/x-xpixmap + + + xpr + application/vnd.is-xpr + + + xps + application/vnd.ms-xpsdocument + + + xpw + application/vnd.intercon.formnet + + + xpx + application/vnd.intercon.formnet + + + xsl + application/xml + + + xslt + application/xslt+xml + + + xsm + application/vnd.syncml+xml + + + xspf + application/xspf+xml + + + xul + application/vnd.mozilla.xul+xml + + + xvm + application/xv+xml + + + xvml + application/xv+xml + + + xwd + 
image/x-xwindowdump + + + xyz + chemical/x-xyz + + + xz + application/x-xz + + + yang + application/yang + + + yin + application/yin+xml + + + z + application/x-compress + + + Z + application/x-compress + + + z1 + application/x-zmachine + + + z2 + application/x-zmachine + + + z3 + application/x-zmachine + + + z4 + application/x-zmachine + + + z5 + application/x-zmachine + + + z6 + application/x-zmachine + + + z7 + application/x-zmachine + + + z8 + application/x-zmachine + + + zaz + application/vnd.zzazz.deck+xml + + + zip + application/zip + + + zir + application/vnd.zul + + + zirz + application/vnd.zul + + + zmm + application/vnd.handheld-entertainment+xml + + + + + + + + + + + + + + + + + + index.html + index.htm + index.jsp + + + + + diff --git a/kubernetes/uui/templates/deployment.yaml b/kubernetes/uui/templates/deployment.yaml index 5d8c7b32b5..abbd35dc63 100644 --- a/kubernetes/uui/templates/deployment.yaml +++ b/kubernetes/uui/templates/deployment.yaml 
@@ -16,39 +16,25 @@ apiVersion: apps/v1 kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} spec: - selector: - matchLabels: - app: {{ include "common.name" . }} + selector: {{- include "common.selectors" . | nindent 4 }} replicas: {{ .Values.replicaCount }} template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} + metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: - {{- if .Values.global.aafEnabled }} - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + initContainers: - command: - sh args: - -c - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) cd /config-input && for PFILE in `ls -1` do envsubst <${PFILE} >/config/${PFILE} done cat /config/server.xml - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + volumeMounts: - mountPath: /config-input name: config-input - mountPath: /config @@ -56,7 +42,6 @@ spec: image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-update-config - {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} 
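Review bot: the init container in kubernetes/uui/templates/deployment.yaml still runs the `envsubst` loop over /config-input although the only visible source of variables, the `export $(cat .../mycreds.prop | xargs -0)` line, is removed and no `env:` is declared for this container. Any `${...}` reference left in the ConfigMap files will be replaced by an empty string without an error, so either declare the expected variables explicitly on the init container or drop the templating step and mount the ConfigMap directly. The trailing `cat /config/server.xml` also copies the rendered file into the pod log on every start; now that the block is no longer guarded by `global.aafEnabled` it runs in every deployment, and it should be removed before the file carries anything sensitive again.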
@@ -69,33 +54,29 @@ spec: ls -lh /opt/ echo "*** /opt/app" ls -lh /opt/app/ - echo "*** /opt/app/osaaf/" - ls -lh /opt/app/osaaf/ - echo "*** /opt/app/osaaf/local" - ls -lh /opt/app/osaaf/local/ /home/uui/uuiStartup.sh - ports: - - containerPort: {{ .Values.service.internalPort }} + ports: {{ include "common.containerPorts" . | nindent 10 }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.internalPort }} + port: {{ index .Values.service.ports 0 "port" }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: tcpSocket: - port: {{ .Values.service.internalPort }} + port: {{ index .Values.service.ports 0 "port" }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} - {{- if .Values.global.aafEnabled }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} + volumeMounts: - mountPath: /home/uui/server.xml name: config subPath: server.xml - {{- end }} + - mountPath: /home/uui/web.xml + name: config + subPath: web.xml env: - name: MSB_ADDR value: {{ tpl .Values.msbaddr . }} @@ -106,14 +87,11 @@ spec: {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} - {{- if .Values.global.aafEnabled }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} + volumes: - name: config-input configMap: name: {{ include "common.fullname" . }} - name: config emptyDir: medium: Memory - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + {{- include "common.imagePullSecrets" . | nindent 6 }} diff --git a/kubernetes/uui/templates/ingress.yaml b/kubernetes/uui/templates/ingress.yaml index 8f87c68f1e..1f6ec7ab0e 100644 --- a/kubernetes/uui/templates/ingress.yaml 
+++ b/kubernetes/uui/templates/ingress.yaml @@ -1 +1,17 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + {{ include "common.ingress" . }} diff --git a/kubernetes/uui/templates/service.yaml b/kubernetes/uui/templates/service.yaml index 222100d8c8..143f1c39d5 100644 --- a/kubernetes/uui/templates/service.yaml +++ b/kubernetes/uui/templates/service.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada +# Modifications Copyright © 2018 AT&T, ZTE # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -14,41 +15,4 @@ # limitations under the License. */}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} - annotations: - msb.onap.org/service-info: '[ - { - "serviceName": "usecaseui-ui", - "version": "v1", - "url": "/usecase-ui", - "path":"/iui/usecaseui", - "protocol": "UI", - "port": "{{ .Values.service.internalPort }}", - "visualRange":"1", - "enable_ssl": true - } - ]' -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.uuiPortPrefix | default .Values.uuiPortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} +{{ include "common.service" . }} \ No newline at end of file diff --git a/kubernetes/uui/values.yaml b/kubernetes/uui/values.yaml index 55dc6a16ce..8f7c6cd3cb 100644 --- a/kubernetes/uui/values.yaml +++ b/kubernetes/uui/values.yaml 
@@ -17,40 +17,10 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. global: - uuiPortPrefix: 303 - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: uui-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! - # aafDeployCredsExternalSecret: some secret - fqdn: uui - fqi: uui@uui.onap.org - fqi_namespace: org.onap.uui - public_fqdn: uui.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ - -storepass "${cadi_keystore_password_p12}" \ - -keystore {{ .Values.fqi_namespace }}.p12 - keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** save the generated passwords" - echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop - echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} + tracing: + enabled: false + collectorHost: jaeger-collector.istio-system + collectorPort: 9411 subChartsOnly: enabled: true @@ -58,7 +28,7 @@ subChartsOnly: flavor: small # application image -image: onap/usecase-ui:5.1.1 +image: onap/usecase-ui:15.0.1 pullPolicy: Always # application configuration 
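Review bot: `image: onap/usecase-ui:15.0.1` in kubernetes/uui/values.yaml is referenced by tag only while `pullPolicy: Always` stays, so every pod start pulls whatever the tag points to at that moment. Pinning the digest (`onap/usecase-ui@sha256:<digest>`) would make the jump from 5.1.1 reproducible and reviewable. Separately, the removed `certInitializer` block carried the default `aafDeployPass: demo123456!`; deleting it here does not remove it from the repository history, so any environment that was deployed with that default should treat the value as known.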
@@ -89,18 +59,18 @@ readiness: periodSeconds: 10 service: - type: NodePort + type: ClusterIP name: uui - portName: http - internalPort: 8443 - nodePort: 98 + ports: + - name: http + port: 8080 ingress: - enabled: false + enabled: true service: - - baseaddr: "uui-ui" - name: "uui" - port: 8443 + - baseaddr: uui + name: uui-proxy + port: 80 config: ssl: "redirect" @@ -117,16 +87,63 @@ ingress: resources: small: limits: - cpu: 250m - memory: 1Gi + cpu: "250m" + memory: "1Gi" requests: - cpu: 250m - memory: 1Gi + cpu: "250m" + memory: "1Gi" large: limits: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" requests: - cpu: 500m - memory: 1Gi + cpu: "500m" + memory: "1Gi" unlimited: {} + +nginx: + fullnameOverride: uui-proxy + serverBlock: |- + server { + listen 8080; + listen [::]:8080; + + # Redirect root path to /usecase-ui + location = / { + return 301 /usecase-ui; + } + + # frontend + location /usecase-ui { + proxy_pass http://uui:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + # uui-server + location /api/usecaseui-server { + proxy_pass http://uui-server:8082; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + # intent-service + location /api/usecaseui-intent-analysis { + proxy_pass http://uui-intent-analysis:8083; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + # llm-service + location /api/usecaseui-llm-adaptation { + proxy_pass http://uui-nlp:33011; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + } 
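Review bot: the `location /usecase-ui` and `location /api/usecaseui-*` blocks in `nginx.serverBlock` are plain prefix matches, so a request such as `/usecase-ui-anything` or `/api/usecaseui-serverX` is also forwarded to the corresponding upstream. Using `location /usecase-ui/` (with the root redirect changed to `return 301 /usecase-ui/;`) and trailing-slash prefixes for the three API paths would limit each block to its own path. Two further things to confirm: the ingress entry targets `uui-proxy` on `port: 80` while the server block listens on 8080, and the mapping between the two is not visible in this diff; and with `ingress.enabled: true` as the new default every `proxy_pass` goes to an `http://` upstream, so the only TLS in this path is whatever `ssl: "redirect"` provides at the ingress.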
diff --git a/kubernetes/vfc/.helmignore b/kubernetes/vfc/.helmignore deleted file mode 100644 index 7ddbad7ef4..0000000000 --- a/kubernetes/vfc/.helmignore +++ /dev/null @@ -1,22 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj -components/ diff --git a/kubernetes/vfc/Chart.yaml b/kubernetes/vfc/Chart.yaml deleted file mode 100644 index cbc5bf4fe3..0000000000 --- a/kubernetes/vfc/Chart.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Virtual Function Controller (VF-C) -name: vfc -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: mariadb-galera - version: ~12.x-0 - repository: '@local' - condition: global.mariadbGalera.localCluster - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' - - name: vfc-generic-vnfm-driver - version: ~12.x-0 - repository: 'file://components/vfc-generic-vnfm-driver' - condition: vfc-generic-vnfm-driver.enabled - - name: vfc-huawei-vnfm-driver - version: ~12.x-0 - repository: 'file://components/vfc-huawei-vnfm-driver' - condition: vfc-huawei-vnfm-driver.enabled - - name: vfc-nslcm - version: ~12.x-0 - repository: 'file://components/vfc-nslcm' - condition: vfc-nslcm.enabled - - name: vfc-redis - version: ~12.x-0 - repository: 'file://components/vfc-redis' - condition: vfc-redis.enabled - - name: vfc-vnflcm - version: ~12.x-0 - repository: 'file://components/vfc-vnflcm' - condition: vfc-vnflcm.enabled - - name: vfc-vnfmgr - version: ~12.x-0 - repository: 'file://components/vfc-vnfmgr' - condition: vfc-vnfmgr.enabled - - name: vfc-vnfres - version: ~12.x-0 - repository: 'file://components/vfc-vnfres' - condition: vfc-vnfres.enabled - - name: vfc-zte-vnfm-driver - version: 
~12.x-0 - repository: 'file://components/vfc-zte-vnfm-driver' - condition: vfc-zte-vnfm-driver.enabled diff --git a/kubernetes/vfc/components/Makefile b/kubernetes/vfc/components/Makefile deleted file mode 100644 index 9544d70f33..0000000000 --- a/kubernetes/vfc/components/Makefile +++ /dev/null 
@@ -1,58 +0,0 @@ -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) -OUTPUT_DIR := $(ROOT_DIR)/../../dist -PACKAGE_DIR := $(OUTPUT_DIR)/packages -SECRET_DIR := $(OUTPUT_DIR)/secrets - -EXCLUDES := -HELM_BIN := helm -ifneq ($(SKIP_LINT),TRUE) - HELM_LINT_CMD := $(HELM_BIN) lint -else - HELM_LINT_CMD := echo "Skipping linting of" -endif - -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) - -.PHONY: $(EXCLUDES) $(HELM_CHARTS) - -all: $(HELM_CHARTS) - -$(HELM_CHARTS): - @echo "\n[$@]" - @make package-$@ - -make-%: - @if [ -f $*/Makefile ]; then make -C $*; fi - -dep-%: make-% - @if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi - -lint-%: dep-% - @if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi - -package-%: lint-% - @mkdir -p $(PACKAGE_DIR) - @if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi - @sleep 3 - #@$(HELM_BIN) repo index $(PACKAGE_DIR) - -clean: - @rm -f */Chart.lock - @rm -f *tgz */charts/*tgz - @rm -rf $(PACKAGE_DIR) -%: - @: diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/.helmignore b/kubernetes/vfc/components/vfc-generic-vnfm-driver/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vfc/components/vfc-generic-vnfm-driver/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml b/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml deleted file mode 100644 index 3655c82dbd..0000000000 --- a/kubernetes/vfc/components/vfc-generic-vnfm-driver/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP VFC - Generic VNFM Driver -name: vfc-generic-vnfm-driver -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml deleted file mode 100644 index b5ab1fb93c..0000000000 --- a/kubernetes/vfc/components/vfc-generic-vnfm-driver/templates/deployment.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MSB_HOST - value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} - - name: SSL_ENABLED - value: "true" - {{- else }} - - name: SSL_ENABLED - value: "false" - {{- end }} - - name: REG_TO_MSB_WHEN_START - value: "{{ .Values.global.config.reg_to_msb_when_start }}" - volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - - name: {{ include "common.fullname" . }}-logs - mountPath: "{{ .Values.log.path }}" - - name: {{ include "common.fullname" . }}-logconfig - mountPath: /opt/vfc/gvnfmdriver/config/log.yml - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: - - name: {{ include "common.fullname" . 
}}-localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: {{ include "common.fullname" . }}-logconfig - configMap: - name : {{ include "common.fullname" . }}-logging-configmap - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml b/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml deleted file mode 100644 index 6a4a802028..0000000000 --- a/kubernetes/vfc/components/vfc-generic-vnfm-driver/values.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - config: - ssl_enabled: false - -################################################################# -# Application configuration defaults. -################################################################# -# application image -flavor: small - -image: onap/vfc/gvnfmdriver:1.4.4 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: vfc-generic-vnfm-driver - portName: http - externalPort: 8484 - internalPort: 8484 -# nodePort: 30484 - -ingress: - enabled: false - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 100m - memory: 250Mi - large: - 
limits: - cpu: 400m - memory: 1000Mi - requests: - cpu: 200m - memory: 500Mi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/.helmignore b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml deleted file mode 100644 index 2ca97f8722..0000000000 --- a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/Chart.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP VFC - Huawei VNFM Driver -name: vfc-huawei-vnfm-driver -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml deleted file mode 100644 index f96d4d664b..0000000000 --- a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/templates/deployment.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - - containerPort: {{ .Values.service.internalPort2 }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MSB_PROTO - value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}" - {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} - - name: SSL_ENABLED - value: "true" - {{- else }} - - name: SSL_ENABLED - value: "false" - {{- end }} - - name: MSB_ADDR - value: "{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - - name: REG_TO_MSB_WHEN_START - value: "{{ .Values.global.config.reg_to_msb_when_start }}" - volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - - name: {{ include "common.fullname" . }}-logs - mountPath: {{ .Values.log.path }} - - name: {{ include "common.fullname" . }}-logconfig - mountPath: /opt/vfc/hwvnfmdriver/config/log4j.properties - subPath: log4j.properties - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # side car containers - {{ include "common.log.sidecar" . 
| nindent 8 }} - volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: {{ include "common.fullname" . }}-logconfig - configMap: - name : {{ include "common.fullname" . }}-logging-configmap - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml b/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml deleted file mode 100644 index 32221692e3..0000000000 --- a/kubernetes/vfc/components/vfc-huawei-vnfm-driver/values.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - config: - ssl_enabled: false - -################################################################# -# Application configuration defaults. -################################################################# -# application image -flavor: small - -image: onap/vfc/nfvo/svnfm/huawei:1.3.9 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: vfc-huawei-vnfm-driver - portName: http - externalPort: 8482 - internalPort: 8482 - externalPort2: 8483 - internalPort2: 8483 -# nodePort: 30482 - -ingress: - enabled: false - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 2000Mi - 
requests: - cpu: 100m - memory: 1000Mi - large: - limits: - cpu: 400m - memory: 4000Mi - requests: - cpu: 200m - memory: 2000Mi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/vfc/components/vfc-nslcm/.helmignore b/kubernetes/vfc/components/vfc-nslcm/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vfc/components/vfc-nslcm/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/vfc/components/vfc-nslcm/Chart.yaml b/kubernetes/vfc/components/vfc-nslcm/Chart.yaml deleted file mode 100644 index 51939a8107..0000000000 --- a/kubernetes/vfc/components/vfc-nslcm/Chart.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP VFC - NS Life Cycle Management -name: vfc-nslcm -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml b/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml deleted file mode 100644 index f9faa7e845..0000000000 --- a/kubernetes/vfc/components/vfc-nslcm/templates/deployment.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . 
}} - command: - - sh - args: - - -c - - 'MYSQL_AUTH=${MYSQL_ROOT_USER}:${MYSQL_ROOT_PASSWORD} ./docker-entrypoint.sh' - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MSB_HOST - value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} - - name: SSL_ENABLED - value: "true" - {{- else }} - - name: SSL_ENABLED - value: "false" - {{- end }} - - name: MYSQL_ADDR - value: '{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}' - - name: MYSQL_ROOT_USER - value: "{{ .Values.global.config.mariadb_admin }}" - - name: MYSQL_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}} - - name: REDIS_HOST - value: "{{ .Values.global.config.redisServiceName }}" - - name: REDIS_PORT - value: "{{ .Values.global.config.redisPort }}" - - name: REG_TO_MSB_WHEN_START - value: "{{ .Values.global.config.reg_to_msb_when_start }}" - volumeMounts: - - name: {{ include "common.fullname" . 
}}-localtime - mountPath: /etc/localtime - readOnly: true - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/onap - - name: {{ include "common.fullname" . }}-logconfig - mountPath: /opt/vfc/nslcm/config/log.yml - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: {{ include "common.fullname" . }}-logconfig - configMap: - name : {{ include "common.fullname" . }}-logging-configmap - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vfc/components/vfc-nslcm/values.yaml b/kubernetes/vfc/components/vfc-nslcm/values.yaml deleted file mode 100644 index 0cd3ce178a..0000000000 --- a/kubernetes/vfc/components/vfc-nslcm/values.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - config: - ssl_enabled: false - mariadbGalera: - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-root-pass - externalSecret: '{{ ternary (index .Values "mariadb-galera" "rootUser" "externalSecret") (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (default "mariadb-galera" .Values.global.mariadbGalera.nameOverride))) .Values.global.mariadbGalera.localCluster }}' - type: password - password: '{{ index .Values "mariadb-galera" "rootUser" "password" }}' - policy: required - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -flavor: small - -image: onap/vfc/nslcm:1.4.7 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# flag to enable debugging - application support required -debugEnabled: false - -# Local mariadb galera instance default name -mariadb-galera: - rootUser: - externalSecret: '{{ include "common.release" . }}-vfc-db-root-pass' - nameOverride: vfc-mariadb - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: vfc-nslcm - portName: http - externalPort: 8403 - internalPort: 8403 -# nodePort: 30403 - -ingress: - enabled: false - - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 100m - memory: 250Mi - large: - limits: - cpu: 400m - memory: 1000Mi - requests: - cpu: 200m - memory: 500Mi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/vfc/components/vfc-redis/.helmignore b/kubernetes/vfc/components/vfc-redis/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vfc/components/vfc-redis/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj 
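Review bot: the removal of the vfc-nslcm chart (its deployment.yaml and values.yaml, deleted just above) needs a statement on credential and data cleanup. The deleted values.yaml declared the secret `db-root-pass`, and the deleted deployment passed it to the application container as `MYSQL_ROOT_PASSWORD` alongside `MYSQL_ROOT_USER`, with `global.mariadbGalera.localCluster: false` defaulting to the shared `mariadb-galera` service. Deleting the chart does not undo what that root access created, so the change description should say whether the VFC databases and the `{{ include "common.release" . }}-vfc-db-root-pass` secret are removed or deliberately kept, and a repository-wide search should confirm that nothing still references that secret name.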
diff --git a/kubernetes/vfc/components/vfc-redis/Chart.yaml b/kubernetes/vfc/components/vfc-redis/Chart.yaml deleted file mode 100644 index 9b53ef9ed5..0000000000 --- a/kubernetes/vfc/components/vfc-redis/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright (C) 2018 Verizon. All Rights Reserved. -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP VFC - REDIS -name: vfc-redis -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml b/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml deleted file mode 100644 index 787c62c3c5..0000000000 --- a/kubernetes/vfc/components/vfc-redis/templates/deployment.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -{{/* -# Copyright (C) 2018 Verizon. All Rights Reserved -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vfc/components/vfc-redis/values.yaml b/kubernetes/vfc/components/vfc-redis/values.yaml deleted file mode 100644 index 1c6c4b4cce..0000000000 --- a/kubernetes/vfc/components/vfc-redis/values.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -# Copyright (C) 2018 Verizon. All Rights Reserved -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -################################################################# -# Application configuration defaults. -################################################################# -# application image -flavor: small - -image: onap/vfc/db:1.3.5 -pullPolicy: Always - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 120 - periodSeconds: 10 - -service: - type: ClusterIP - name: vfc-redis - portName: http - externalPort: 6379 - internalPort: 6379 - -ingress: - enabled: false - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 100m - memory: 250Mi - large: - limits: - cpu: 400m - memory: 1000Mi - requests: - cpu: 200m - memory: 500Mi - unlimited: {} \ No newline at end of 
file diff --git a/kubernetes/vfc/components/vfc-vnflcm/.helmignore b/kubernetes/vfc/components/vfc-vnflcm/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vfc/components/vfc-vnflcm/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml b/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml deleted file mode 100644 index 79d77d0347..0000000000 --- a/kubernetes/vfc/components/vfc-vnflcm/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP VFC - VNF Life Cycle Management -name: vfc-vnflcm -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml b/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml deleted file mode 100644 index 8c414ffc59..0000000000 
--- a/kubernetes/vfc/components/vfc-vnflcm/templates/deployment.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . 
}} - command: - - sh - args: - - -c - - 'MYSQL_AUTH=${MYSQL_ROOT_USER}:${MYSQL_ROOT_PASSWORD} ./docker-entrypoint.sh' - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MSB_HOST - value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} - - name: SSL_ENABLED - value: "true" - {{- else }} - - name: SSL_ENABLED - value: "false" - {{- end }} - - name: MYSQL_ADDR - value: '{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}' - - name: MYSQL_ROOT_USER - value: "{{ .Values.global.config.mariadb_admin }}" - - name: MYSQL_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}} - - name: REDIS_HOST - value: "{{ .Values.global.config.redisServiceName }}" - - name: REDIS_PORT - value: "{{ .Values.global.config.redisPort }}" - - name: REG_TO_MSB_WHEN_START - value: "{{ .Values.global.config.reg_to_msb_when_start }}" - volumeMounts: - - name: {{ include "common.fullname" . 
}}-localtime - mountPath: /etc/localtime - readOnly: true - - name: {{ include "common.fullname" . }}-logs - mountPath: {{ .Values.log.path }} - - name: {{ include "common.fullname" . }}-logconfig - mountPath: /opt/vfc/gvnfm-vnflcm/config/log.yml - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: {{ include "common.fullname" . }}-logconfig - configMap: - name : {{ include "common.fullname" . }}-logging-configmap - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vfc/components/vfc-vnflcm/values.yaml b/kubernetes/vfc/components/vfc-vnflcm/values.yaml deleted file mode 100644 index fcad261817..0000000000 --- a/kubernetes/vfc/components/vfc-vnflcm/values.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - config: - ssl_enabled: false - mariadbGalera: - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-root-pass - externalSecret: '{{ ternary (index .Values "mariadb-galera" "rootUser" "externalSecret") (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (default "mariadb-galera" .Values.global.mariadbGalera.nameOverride))) .Values.global.mariadbGalera.localCluster }}' - type: password - password: '{{ index .Values "mariadb-galera" "rootUser" "password" }}' - policy: required - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -flavor: small - -image: onap/vfc/vnflcm:1.4.3 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# flag to enable debugging - application support required -debugEnabled: false - -# Local mariadb galera instance default name -mariadb-galera: - rootUser: - externalSecret: '{{ include "common.release" . }}-vfc-db-root-pass' - nameOverride: vfc-mariadb - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: vfc-vnflcm - portName: http - externalPort: 8801 - internalPort: 8801 -# nodePort: 30801 - -ingress: - enabled: false - - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 100m - memory: 250Mi - large: - limits: - cpu: 400m - memory: 1000Mi - requests: - cpu: 200m - memory: 500Mi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/vfc/components/vfc-vnfmgr/.helmignore b/kubernetes/vfc/components/vfc-vnfmgr/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vfc/components/vfc-vnfmgr/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj 
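Review bot: the whole-file deletions under kubernetes/vfc/components/ (vfc-vnflcm here, and the other vfc-* charts around it) are not covered by the commit message, which only describes the cnf-adapter and cnfm-lcm bump to 1.13.0 and the tracing changes. Dropping an entire component is a deployment-visible change that operators need to find in the history, so it should either be its own commit with its own Issue-ID or at least be named in this message, together with a note that the parent vfc chart's dependency list and any overrides referencing `vfc-vnflcm` (service port 8801) were removed as well.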
diff --git a/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml b/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml deleted file mode 100644 index 076155f01e..0000000000 --- a/kubernetes/vfc/components/vfc-vnfmgr/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP VFC - VNF Manager -name: vfc-vnfmgr -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml b/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml deleted file mode 100644 index 9fcf9b923d..0000000000 --- a/kubernetes/vfc/components/vfc-vnfmgr/templates/deployment.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . 
}} - command: - - sh - args: - - -c - - 'MYSQL_AUTH=${MYSQL_ROOT_USER}:${MYSQL_ROOT_PASSWORD} ./docker-entrypoint.sh' - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MSB_HOST - value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} - - name: SSL_ENABLED - value: "true" - {{- else }} - - name: SSL_ENABLED - value: "false" - {{- end }} - - name: MYSQL_ADDR - value: '{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}' - - name: REDIS_HOST - value: "{{ .Values.global.config.redisServiceName }}" - - name: REDIS_PORT - value: "{{ .Values.global.config.redisPort }}" - - name: MYSQL_ROOT_USER - value: "{{ .Values.global.config.mariadb_admin }}" - - name: MYSQL_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}} - - name: REG_TO_MSB_WHEN_START - value: "{{ .Values.global.config.reg_to_msb_when_start }}" - volumeMounts: - - name: {{ include "common.fullname" . 
}}-localtime - mountPath: /etc/localtime - readOnly: true - - name: {{ include "common.fullname" . }}-logs - mountPath: {{ .Values.log.path }} - - name: {{ include "common.fullname" . }}-logconfig - mountPath: /opt/vfc/gvnfm-vnfmgr/config/log.yml - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: {{ include "common.fullname" . }}-logconfig - configMap: - name : {{ include "common.fullname" . }}-logging-configmap - - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vfc/components/vfc-vnfmgr/values.yaml b/kubernetes/vfc/components/vfc-vnfmgr/values.yaml deleted file mode 100644 index 528bbe0c01..0000000000 --- a/kubernetes/vfc/components/vfc-vnfmgr/values.yaml +++ /dev/null 
@@ -1,110 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - config: - ssl_enabled: false - mariadbGalera: - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-root-pass - externalSecret: '{{ ternary (index .Values "mariadb-galera" "rootUser" "externalSecret") (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (default "mariadb-galera" .Values.global.mariadbGalera.nameOverride))) .Values.global.mariadbGalera.localCluster }}' - type: password - password: '{{ index .Values "mariadb-galera" "rootUser" "password" }}' - policy: required - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -flavor: small - -image: onap/vfc/vnfmgr:1.4.1 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# flag to enable debugging - application support required -debugEnabled: false - -# Local mariadb galera instance default name -mariadb-galera: - rootUser: - externalSecret: '{{ include "common.release" . }}-vfc-db-root-pass' - nameOverride: vfc-mariadb - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: vfc-vnfmgr - portName: http - externalPort: 8803 - internalPort: 8803 -# nodePort: 30803 - -ingress: - enabled: false - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 100m - memory: 250Mi - large: - limits: - cpu: 400m - memory: 1000Mi - requests: - cpu: 200m - memory: 500Mi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/vfc/components/vfc-vnfres/.helmignore b/kubernetes/vfc/components/vfc-vnfres/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vfc/components/vfc-vnfres/.helmignore +++ /dev/null @@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj 
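Review bot: removing vfc-vnfmgr (deployment.yaml and values.yaml above) does not say what happens to the MariaDB root credential it consumed. The deleted container read `MYSQL_ROOT_PASSWORD` from secret uid `db-root-pass` and started with `MYSQL_AUTH=${MYSQL_ROOT_USER}:${MYSQL_ROOT_PASSWORD} ./docker-entrypoint.sh`, so the root password sat in the environment of an application pod, and the values default the external secret to `{{ include "common.release" . }}-vfc-db-root-pass`. Please state in the change description whether that secret is removed on upgrade or has to be deleted by hand, and whether the root password should be rotated on clusters where these pods ran.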
diff --git a/kubernetes/vfc/components/vfc-vnfres/Chart.yaml b/kubernetes/vfc/components/vfc-vnfres/Chart.yaml deleted file mode 100644 index 2c9c14e7f9..0000000000 --- a/kubernetes/vfc/components/vfc-vnfres/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP VFC - VNF Resource Manager -name: vfc-vnfres -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml b/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml deleted file mode 100644 index 5723b0f322..0000000000 --- a/kubernetes/vfc/components/vfc-vnfres/templates/deployment.yaml +++ /dev/null 
@@ -1,135 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - '{{ ternary (index .Values "mariadb-galera" "nameOverride") .Values.global.mariadbGalera.service .Values.global.mariadbGalera.localCluster }}' - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . 
}} - command: - - sh - args: - - -c - - 'MYSQL_AUTH=${MYSQL_ROOT_USER}:${MYSQL_ROOT_PASSWORD} ./docker-entrypoint.sh' - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MSB_HOST - value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} - - name: SSL_ENABLED - value: "true" - {{- else }} - - name: SSL_ENABLED - value: "false" - {{- end }} - - name: MYSQL_ADDR - value: '{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}' - - name: REDIS_HOST - value: "{{ .Values.global.config.redisServiceName }}" - - name: REDIS_PORT - value: "{{ .Values.global.config.redisPort }}" - - name: MYSQL_ROOT_USER - value: "{{ .Values.global.config.mariadb_admin }}" - - name: MYSQL_ROOT_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-root-pass" "key" "password") | indent 14}} - - name: REG_TO_MSB_WHEN_START - value: "{{ .Values.global.config.reg_to_msb_when_start }}" - volumeMounts: - - name: {{ include "common.fullname" . 
}}-localtime - mountPath: /etc/localtime - readOnly: true - - name: {{ include "common.fullname" . }}-logs - mountPath: /var/log/onap - - name: {{ include "common.fullname" . }}-logconfig - mountPath: /opt/vfc/gvnfm-vnfres/config/log.yml - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: - - name: {{ include "common.fullname" . }}-localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: {{ include "common.fullname" . }}-logconfig - configMap: - name : {{ include "common.fullname" . }}-logging-configmap - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vfc/components/vfc-vnfres/values.yaml b/kubernetes/vfc/components/vfc-vnfres/values.yaml deleted file mode 100644 index c2954d5517..0000000000 --- a/kubernetes/vfc/components/vfc-vnfres/values.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - config: - ssl_enabled: false - mariadbGalera: - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-root-pass - externalSecret: '{{ ternary (index .Values "mariadb-galera" "rootUser" "externalSecret") (include "common.mariadb.secret.rootPassSecretName" (dict "dot" . "chartName" (default "mariadb-galera" .Values.global.mariadbGalera.nameOverride))) .Values.global.mariadbGalera.localCluster }}' - type: password - password: '{{ index .Values "mariadb-galera" "rootUser" "password" }}' - policy: required - -################################################################# -# Application configuration defaults. 
-################################################################# -# application image -flavor: small - -image: onap/vfc/vnfres:1.4.1 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# flag to enable debugging - application support required -debugEnabled: false - -# Local mariadb galera instance default name -mariadb-galera: - rootUser: - externalSecret: '{{ include "common.release" . }}-vfc-db-root-pass' - nameOverride: vfc-mariadb - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: vfc-vnfres - portName: http - externalPort: 8802 - internalPort: 8802 -# nodePort: 30802 - -ingress: - enabled: false - - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 200m - memory: 500Mi - requests: - cpu: 100m - memory: 250Mi - large: - limits: - cpu: 400m - memory: 1000Mi - requests: - cpu: 200m - memory: 500Mi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/.helmignore b/kubernetes/vfc/components/vfc-zte-vnfm-driver/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vfc/components/vfc-zte-vnfm-driver/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml b/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml deleted file mode 100644 index 6fb5a7d0c1..0000000000 --- a/kubernetes/vfc/components/vfc-zte-vnfm-driver/Chart.yaml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP VFC - ZTE VNFM Driver -name: vfc-zte-vnfm-driver -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml b/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml deleted file mode 100644 index 855532ddf3..0000000000 --- a/kubernetes/vfc/components/vfc-zte-vnfm-driver/templates/deployment.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - annotations: - sidecar.istio.io/inject: "{{.Values.istioSidecar}}" - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{ if .Values.liveness.enabled }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end }} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: MSB_HOST - value: "{{ .Values.global.config.msbprotocol }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}://{{ .Values.global.config.msbServiceName }}:{{ .Values.global.config.msbPort }}" - {{- if and (include "common.needTLS" .) (eq .Values.global.config.ssl_enabled true) }} - - name: SSL_ENABLED - value: "true" - {{- else }} - - name: SSL_ENABLED - value: "false" - {{- end }} - - name: REG_TO_MSB_WHEN_START - value: "{{ .Values.global.config.reg_to_msb_when_start }}" - volumeMounts: - - name: {{ include "common.fullname" . }}-localtime - mountPath: /etc/localtime - readOnly: true - - name: {{ include "common.fullname" . }}-logs - mountPath: {{ .Values.log.path }} - - name: {{ include "common.fullname" . }}-logconfig - mountPath: /opt/vfc/ztevnfmdriver/config/log.yml - subPath: log.yml - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: - - name: {{ include "common.fullname" . 
}}-localtime - hostPath: - path: /etc/localtime - - name: {{ include "common.fullname" . }}-logs - emptyDir: {} - - name: {{ include "common.fullname" . }}-logconfig - configMap: - name : {{ include "common.fullname" . }}-logging-configmap - {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix . )) | nindent 8 }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml b/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml deleted file mode 100644 index 258407b6ba..0000000000 --- a/kubernetes/vfc/components/vfc-zte-vnfm-driver/values.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - config: - ssl_enabled: false - -################################################################# -# Application configuration defaults. -################################################################# -# application image -flavor: small - -image: onap/vfc/ztevnfmdriver:1.4.1 -pullPolicy: Always - -#Istio sidecar injection policy -istioSidecar: true - -# flag to enable debugging - application support required -debugEnabled: false - -# application configuration -config: {} - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: ClusterIP - name: vfc-zte-vnfm-driver - portName: http - externalPort: 8410 - internalPort: 8410 - -ingress: - enabled: false - - -# Configure resource requests and limits -resources: - small: - limits: - cpu: 100m - memory: 500Mi - requests: - cpu: 50m - memory: 250Mi - large: - limits: - cpu: 200m - 
memory: 1000Mi - requests: - cpu: 100m - memory: 500Mi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap -logConfigMapNamePrefix: '{{ include "common.fullname" . }}' diff --git a/kubernetes/vfc/values.yaml b/kubernetes/vfc/values.yaml deleted file mode 100644 index a0b69e0c94..0000000000 --- a/kubernetes/vfc/values.yaml +++ /dev/null 
@@ -1,113 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -global: - config: - ssl_enabled: false - msbprotocol: http - msbServiceName: msb-iag - msbPort: 443 - redisServiceName: vfc-redis - redisPort: 6379 -# Becaue now oom can register the microservice to msb automatically, -# If it is set to false, vfc contanier will not register again, if it is -# set to true, vfc will register by itself. -# we use this flag to determine who is responbile for serice registeration -# and it can reduce duplicate registration. - reg_to_msb_when_start: False - mariadb_admin: &mariadbAdmin root - persistence: - mountPath: /dockerdata-nfs - mariadbGalera: &mariadbGalera - #This flag allows VFC to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - centralizedLoggingEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: db-root-pass - name: &dbRootPassSecret '{{ include "common.release" . }}-vfc-db-root-pass' - externalSecret: '{{ ternary "" (tpl (default "" (index .Values "mariadb-galera" "rootUser" "externalSecret")) .) 
(hasSuffix "db-root-pass" (index .Values "mariadb-galera" "rootUser" "externalSecret"))}}' - login: '{{ index .Values "mariadb-galera" "rootUser" "user" }}' - password: '{{ index .Values "mariadb-galera" "rootUser" "password" }}' - type: password - -# application configuration -config: - logstashServiceName: log-ls - logstashPort: 5044 - -mariadb-galera: &localMariadb - rootUser: - user: *mariadbAdmin - # password: - externalSecret: *dbRootPassSecret - nameOverride: &dbServer vfc-mariadb - nfsprovisionerPrefix: vfc - persistence: - mountSubPath: vfc/data - enabled: true - disableNfsProvisioner: true - serviceAccount: - nameOverride: *dbServer - replicaCount: 1 - -vfc-generic-vnfm-driver: - enabled: true - logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' - -vfc-huawei-vnfm-driver: - enabled: true - logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' - -vfc-nslcm: - enabled: true - mariadb-galera: *localMariadb - logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' - -vfc-redis: - enabled: true - -vfc-vnflcm: - enabled: true - mariadb-galera: *localMariadb - logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' - -vfc-vnfmgr: - enabled: true - mariadb-galera: *localMariadb - logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' - -vfc-vnfres: - enabled: true - mariadb-galera: *localMariadb - logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' - -# sub-chart configuration -vfc-workflow: - service: - externalPort: 10550 - -vfc-workflow-engine: - config: - workflowPort: 10550 - -vfc-zte-vnfm-driver: - enabled: true - logConfigMapNamePrefix: '{{ include "common.release" . }}-vfc' diff --git a/kubernetes/vid/.helmignore b/kubernetes/vid/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/kubernetes/vid/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/kubernetes/vid/Chart.yaml b/kubernetes/vid/Chart.yaml deleted file mode 100644 index 67eb0be0c4..0000000000 --- a/kubernetes/vid/Chart.yaml +++ /dev/null @@ -1,42 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP Virtual Infrastructure Deployment -name: vid -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - # local reference to common chart, as it is - # a part of this chart's package and will not - # be published independently to a repo (at this point) - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: mariadb-galera - version: ~12.x-0 - repository: '@local' - condition: global.mariadbGalera.localCluster - - name: mariadb-init - version: ~12.x-0 - repository: '@local' - condition: not global.mariadbGalera.localCluster - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' 
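Review bot: in the `dependencies` list of the deleted vid/Chart.yaml, `condition: not global.mariadbGalera.localCluster` on `mariadb-init` is not something Helm evaluates. `condition` takes a values path (or a comma-separated list of paths), not an expression, and a path that does not resolve has no effect, so `mariadb-init` would have been enabled whether or not `localCluster` was set. The file is deleted here, so nothing needs to change in this hunk; check the charts that remain for the same line and, where it appears, replace it with a dedicated boolean value path.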
diff --git a/kubernetes/vid/resources/config/db_cmd.sh b/kubernetes/vid/resources/config/db_cmd.sh deleted file mode 100755 index daa1f8b6ea..0000000000 --- a/kubernetes/vid/resources/config/db_cmd.sh +++ /dev/null @@ -1,45 +0,0 @@ -#!/bin/sh -{{/* -# Copyright © 2018 AT&T -# Copyright © 2020 Aarna Networks -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -DB={{index .Values "mariadb-galera" "db" "name" | upper }} -eval "MYSQL_USER=\$MYSQL_USER_${DB}" -eval "MYSQL_PASSWORD=\$MYSQL_PASSWORD_${DB}" - -#echo "Going to run mysql ${DB} -u${MYSQL_USER} -p${MYSQL_PASSWORD} -h${DB_HOST} -P${DB_PORT} ..." -mysql -u${MYSQL_USER} -p${MYSQL_PASSWORD} -h${DB_HOST} -P${DB_PORT} <<'EOD' -CREATE TABLE IF NOT EXISTS `{{index .Values "mariadb-galera" "db" "name" }}`.`schema_info` ( -`SCHEMA_ID` VARCHAR(25) NOT NULL, -`SCHEMA_DESC` VARCHAR(75) NOT NULL, -`DATASOURCE_TYPE` VARCHAR(100) NULL DEFAULT NULL, -`CONNECTION_URL` VARCHAR(200) NOT NULL, -`USER_NAME` VARCHAR(45) NOT NULL, -`PASSWORD` VARCHAR(45) NULL DEFAULT NULL, -`DRIVER_CLASS` VARCHAR(100) NOT NULL, -`MIN_POOL_SIZE` INT(11) NOT NULL, -`MAX_POOL_SIZE` INT(11) NOT NULL, -`IDLE_CONNECTION_TEST_PERIOD` INT(11) NOT NULL) -ENGINE = InnoDB -DEFAULT CHARACTER SET = utf8; -EOD - -if [ $? -ne 0 ];then - echo "ERROR: Failed to run cmd vid-pre-init.sql" - exit 1 -else - echo "INFO: Database initialized successfully" -fi 
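Review bot: the removed db_cmd.sh passes the database password as a command-line argument, `mysql -u${MYSQL_USER} -p${MYSQL_PASSWORD} -h${DB_HOST} -P${DB_PORT}`, which exposes it to anything that can list processes in the container, and the commented-out `echo` just above it would write the same value to the job log if re-enabled. The script also selects the credential variables with `eval` on a name built from the templated `DB` value. Deleting the file removes both issues; before merging, check that no remaining chart copied this pattern (a client option file passed with `--defaults-extra-file` keeps the password off the command line) and that nothing outside kubernetes/vid still expects the `-vid-db-init` ConfigMap that shipped this script.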
diff --git a/kubernetes/vid/resources/config/log/filebeat/filebeat.yml b/kubernetes/vid/resources/config/log/filebeat/filebeat.yml deleted file mode 100644 index 9a721a885e..0000000000 --- a/kubernetes/vid/resources/config/log/filebeat/filebeat.yml +++ /dev/null 
@@ -1,57 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -filebeat.prospectors: -#it is mandatory, in our case it's log -- input_type: log - #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. - paths: - - /var/log/onap/*/*/*/*.log - - /var/log/onap/*/*/*.log - - /var/log/onap/*/*.log - #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive - ignore_older: 48h - # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit - clean_inactive: 96h - - -# Name of the registry file. If a relative path is used, it is considered relative to the -# data path. Else full qualified file name. -#filebeat.registry_file: ${path.data}/registry - - -output.logstash: - #List of logstash server ip addresses with port number. - #But, in our case, this will be the loadbalancer IP address. - #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. - hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] - #If enable will do load balancing among availabe Logstash, automatically. 
- loadbalance: true - - #The list of root certificates for server verifications. - #If certificate_authorities is empty or not set, the trusted - #certificate authorities of the host system are used. - #ssl.certificate_authorities: $ssl.certificate_authorities - - #The path to the certificate for SSL client authentication. If the certificate is not specified, - #client authentication is not available. - #ssl.certificate: $ssl.certificate - - #The client certificate key used for client authentication. - #ssl.key: $ssl.key - - #The passphrase used to decrypt an encrypted key stored in the configured key file - #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/vid/resources/config/log/vid/logback.xml b/kubernetes/vid/resources/config/log/vid/logback.xml deleted file mode 100644 index 17af1c990f..0000000000 --- a/kubernetes/vid/resources/config/log/vid/logback.xml +++ /dev/null 
@@ -1,386 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ${debugLoggerPattern} - - - - - - - - - - ${logDirectory}/${generalLogName}.log - - ${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${applicationLoggerPattern} - - - - - - ${queueSize} - true - - - - - - - - - - - - - - ${logDirectory}/${auditLogName}.log - - ${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${auditLoggerPattern} - - - - ${queueSize} - - true - - - - - - INVOKE - INVOKE-RETURN - - DENY - ACCEPT - - ${logDirectory}/${metricsLogName}.log - - ${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${metricsLoggerPattern} - - - - ${queueSize} - - true - - - - - ERROR - ACCEPT - NEUTRAL - - - WARN - ACCEPT - DENY - - ${logDirectory}/${errorLogName}.log - - ${logDirectory}/${errorLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${errorLoggerPattern} - - - - - ${queueSize} - - true - - - - ${logDirectory}/${debugLogName}.log - - ${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${debugLoggerPattern} - - - - ${queueSize} - - true - - - - ${logDirectory}/${outgoingRequestsLogName}.log - - ${logDirectory}/${outgoingRequestsLogName}.%d{yyyy-MM-dd}.%i.log - - ${maxFileSize} - - ${maxHistory} - ${totalSizeCap} - - - ${debugLoggerPattern} - - - - ${queueSize} - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/kubernetes/vid/templates/NOTES.txt b/kubernetes/vid/templates/NOTES.txt deleted file mode 100644 index a209ea8f29..0000000000 --- a/kubernetes/vid/templates/NOTES.txt +++ /dev/null 
@@ -1,33 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ include "common.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.name" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ include "common.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc -w {{ include "common.name" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.namespace" . }} {{ include "common.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.service.externalPort }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ include "common.namespace" . }} -l "app={{ .Chart.Name }},release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl port-forward $POD_NAME 8080:{{ .Values.service.internalPort }} -{{- end }} 
diff --git a/kubernetes/vid/templates/configmap.yaml b/kubernetes/vid/templates/configmap.yaml deleted file mode 100644 index 5c423e61cc..0000000000 --- a/kubernetes/vid/templates/configmap.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-log-configmap - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/log/vid/*").AsConfig . | indent 2 }} ---- -{{ include "common.log.configMap" . }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-db-init - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/db_cmd.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/vid/templates/deployment.yaml b/kubernetes/vid/templates/deployment.yaml deleted file mode 100644 index 116a7cdfed..0000000000 --- a/kubernetes/vid/templates/deployment.yaml +++ /dev/null 
@@ -1,171 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Copyright © 2020 Samsung Electronics -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - replicas: {{ .Values.replicaCount }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - /app/ready.py - args: - - --job-name - - {{ include "common.fullname" . }}-mariadb-init-config-job - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }} - image: {{ include "repositoryGenerator.repository" . 
}}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if .Values.global.aafEnabled }} - command: - - sh - args: - - -c - - | - export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export VID_TRUSTSTORE_PLAIN_PASSWORD=${VID_TRUSTSTORE_PASSWORD} - export VID_TRUSTSTORE_PASSWORD=`java -cp /usr/local/tomcat/webapps/vid/WEB-INF/lib/jetty-util-9.4.20.v20190813.jar org.eclipse.jetty.util.security.Password ${VID_TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"` - /tmp/vid/localize.sh - {{- end }} - ports: - - containerPort: {{ .Values.service.internalPort }} - # disable liveness probe when breakpoints set in debugger - # so K8s doesn't restart unresponsive container - {{- if eq .Values.liveness.enabled true }} - livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} - periodSeconds: {{ .Values.liveness.periodSeconds }} - {{ end -}} - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - env: - - name: ASDC_CLIENT_REST_HOST - value: sdc-be.{{ include "common.namespace" . }} - - name: ASDC_CLIENT_REST_AUTH - value: "{{ .Values.config.asdcclientrestauth }}" - - name: ASDC_CLIENT_REST_PORT - value: "{{ .Values.config.asdcclientrestport }}" - - name: ASDC_CLIENT_REST_PROTOCOL - value: "https" - - name: VID_AAI_URL - value: https://aai.{{ include "common.namespace" . }}:{{ .Values.config.vidaaiport }} - - name: VID_ECOMP_SHARED_CONTEXT_REST_URL - value: http://portal-app.{{ include "common.namespace" . }}:{{ .Values.config.onapport }}/ONAPPORTAL/context - - name: VID_MSO_SERVER_URL - value: http://so.{{ include "common.namespace" . 
}}:{{ .Values.config.msoport }}/onap/so/infra - - name: VID_MSO_PASS - value: "{{ .Values.config.vidmsopass }}" - - name: MSO_DME2_SERVER_URL - value: "{{ .Values.config.msodme2serverurl }}" - - name: MSO_DME2_ENABLED - value: {{ .Values.global.debugEnabled | default .Values.debugEnabled | quote }} - - name: VID_ECOMP_REDIRECT_URL - value: https://{{ .Values.config.portalhost }}:{{ .Values.config.onapport }}/ONAPPORTAL/login.htm - - name: VID_ECOMP_REST_URL - value: https://portal-app:{{ .Values.config.onapportrest }}/ONAPPORTAL/auxapi - - name: VID_ROLE_ACCESS_CENTRALIZED - value: "{{ .Values.config.roleaccesscentralized }}" - - name: VID_CONTACT_US_LINK - value: "{{ .Values.config.vidcontactuslink }}" - - name: VID_UEB_URL_LIST - value: message-router.{{ include "common.namespace" . }} - - name: VID_MYSQL_HOST - value: {{ include "common.mariadbService" . }} - - name: VID_MYSQL_PORT - value: "{{ include "common.mariadbPort" . }}" - - name: VID_MYSQL_DBNAME - value: {{ index .Values "mariadb-galera" "db" "name" }} - - name: VID_MYSQL_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "vid-db-user-secret" "key" "login") | indent 14 }} - - name: VID_MYSQL_PASS - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 14 }} - - name: VID_MYSQL_MAXCONNECTIONS - value: "{{ .Values.config.vidmysqlmaxconnections }}" - {{- if .Values.global.aafEnabled }} - - name: VID_KEYSTORE_FILENAME - value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks" - - name: VID_TRUSTSTORE_FILENAME - value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks" - {{- end }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . 
| nindent 10 }} - - mountPath: /etc/localtime - name: localtime - readOnly: true - - mountPath: "{{ .Values.log.path }}" - name: vid-logs - - mountPath: /tmp/logback.xml - name: vid-logback - subPath: logback.xml - - mountPath: /opt/app/vid - name: vid-cache - resources: -{{ include "common.resources" . | indent 12 }} - {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 10 }} - {{- end -}} - {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 10 }} - {{- end }} - # side car containers - {{ include "common.log.sidecar" . | nindent 8 }} - volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - - name: localtime - hostPath: - path: /etc/localtime - {{ include "common.log.volumes" . | nindent 8 }} - - name: vid-cache - emptyDir: {} - - name: vid-logs - emptyDir: {} - - name: vid-logback - configMap: - name: {{ include "common.fullname" . }}-log-configmap - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/vid/templates/ingress.yaml b/kubernetes/vid/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/vid/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} diff --git a/kubernetes/vid/templates/secrets.yaml b/kubernetes/vid/templates/secrets.yaml deleted file mode 100644 index 670838c6cf..0000000000 --- a/kubernetes/vid/templates/secrets.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# Copyright © 2020 Samsung Electronics -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{ include "common.secretFast" . }} diff --git a/kubernetes/vid/templates/service.yaml b/kubernetes/vid/templates/service.yaml deleted file mode 100644 index e62f64d366..0000000000 --- a/kubernetes/vid/templates/service.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} - {{- end}} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }}-http - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: ClusterIP - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . 
}} - ports: - - name: {{ .Values.service.portName }}-http - port: {{ .Values.service.externalHttpPort }} - targetPort: {{ .Values.service.internalHttpPort }} - protocol: TCP diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml deleted file mode 100644 index f2ca8143a3..0000000000 --- a/kubernetes/vid/values.yaml +++ /dev/null 
@@ -1,202 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Copyright © 2020 Samsung Electronics -# Copyright © 2021 Orange -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Default values for vid. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. -global: - nodePortPrefix: 302 - mariadbGalera: &mariadbGalera - #This flag allows VID to instantiate its own mariadb-galera cluster - localCluster: false - service: mariadb-galera - internalPort: 3306 - nameOverride: mariadb-galera - centralizedLoggingEnabled: true - -################################################################# -# Secrets metaconfig -################################################################# -secrets: - - uid: vid-db-user-secret - name: &dbUserSecretName '{{ include "common.release" . }}-vid-db-user-secret' - type: basicAuth - externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' - login: '{{ .Values.config.db.userName }}' - password: '{{ .Values.config.db.userPassword }}' - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: vid-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: vid - fqi: vid@vid.onap.org - public_fqdn: vid.onap.org - fqi_namespace: "org.onap.vid" - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** retrieving password for keystore and trustore" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) - if [ -z "$cadi_keystore_password" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - echo "*** changing them into shell safe ones" - export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - export TRUSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) - cd {{ .Values.credsPath }} - keytool -storepasswd -new "${KEYSTORE_PASSWD}" \ - -storepass "${cadi_keystore_password_jks}" \ - -keystore {{ .Values.fqi_namespace }}.jks - keytool -storepasswd -new "${TRUSTORE_PASSWD}" \ - -storepass "${cadi_truststore_password}" \ - -keystore {{ .Values.fqi_namespace }}.trust.jks - echo "*** set key password as same password as keystore password" - keytool -keypasswd -new "${KEYSTORE_PASSWD}" \ - -keystore {{ .Values.fqi_namespace }}.jks \ - -keypass "${cadi_keystore_password_jks}" \ - -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }} - echo "*** save the generated passwords" - echo "VID_KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop - echo "VID_TRUSTSTORE_PASSWORD=${TRUSTORE_PASSWD}" >> mycreds.prop - echo "*** change ownership of certificates to targeted user" - chown -R 1000 . 
- fi - -subChartsOnly: - enabled: true - -# application image -image: onap/vid:8.0.2 -pullPolicy: Always - -# application configuration -config: - db: - userName: vidadmin -# userCredentialsExternalSecret: some secret -# userPassword: password - asdcclientrestauth: "Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU=" - asdcclientrestport: "8443" - vidaaiport: "8443" - onapport: "30225" - onapportrest: "8443" - portalhost: "portal.api.simpledemo.onap.org" - msoport: "8080" - vidmsopass: OBF:1ih71i271vny1yf41ymf1ylz1yf21vn41hzj1icz - msodme2serverurl: http://localhost:8081 - vidcontactuslink: https://todo_contact_us_link.com - vidmysqlmaxconnections: "5" - logstashServiceName: log-ls - logstashPort: 5044 - roleaccesscentralized: remote - -mariadb-galera: - db: - # password: - externalSecret: *dbUserSecretName - name: &mysqlDbName vid_openecomp_epsdk - nameOverride: &vid-galera vid-galera - replicaCount: 3 - persistence: - enabled: true - mountSubPath: vid/maria/data - externalConfig: |- - [mysqld] - lower_case_table_names = 1 - serviceAccount: - nameOverride: *vid-galera - -mariadb-init: - config: - userCredentialsExternalSecret: *dbUserSecretName - mysqlDatabase: *mysqlDbName - nameOverride: vid-mariadb-init - # A configMap of same name is created. It points to file that will be run after - # The DB has been created. - dbScriptConfigMap: '{{ include "common.release" . 
}}-vid-db-init' - -# default number of instances -replicaCount: 1 - -nodeSelector: {} - -affinity: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 120 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 10 - periodSeconds: 10 - -service: - type: NodePort - name: vid - portName: vid - externalPort: 8443 - internalPort: 8443 - nodePort: "00" - externalHttpPort: 8080 - internalHttpPort: 8080 - -ingress: - enabled: false - service: - - baseaddr: "vid-ui" - name: "vid-http" - port: 8443 - plain_port: 8080 - config: - ssl: "redirect" - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 200m - memory: 2Gi - requests: - cpu: 100m - memory: 1Gi - large: - limits: - cpu: 400m - memory: 4Gi - requests: - cpu: 200m - memory: 2Gi - unlimited: {} - -# Log configuration -log: - path: /var/log/onap diff --git a/kubernetes/vnfsdk/Chart.yaml b/kubernetes/vnfsdk/Chart.yaml deleted file mode 100644 index 1c67281798..0000000000 --- a/kubernetes/vnfsdk/Chart.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# Modifications Copyright © 2021 Orange -# Modifications Copyright © 2021 Nordix Foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v2 -description: ONAP VNF SDK -name: vnfsdk -version: 12.0.0 - -dependencies: - - name: common - version: ~12.x-0 - repository: '@local' - - name: certInitializer - version: ~12.x-0 - repository: '@local' - - name: postgres - version: ~12.x-0 - repository: '@local' - - name: repositoryGenerator - version: ~12.x-0 - repository: '@local' diff --git a/kubernetes/vnfsdk/resources/nginx/nginx.conf b/kubernetes/vnfsdk/resources/nginx/nginx.conf deleted file mode 100644 index d26cc5d813..0000000000 --- a/kubernetes/vnfsdk/resources/nginx/nginx.conf +++ /dev/null 
@@ -1,63 +0,0 @@ -# Copyright 2020 Huawei Technologies Co., Ltd. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -daemon off; - -#pid /run/nginx.pid; - -events { - worker_connections 500; - # multi_accept on; -} -http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - - #Comment or disable the access_log once tested to avoid runtime logs -# access_log /var/log/nginx/access.log format gzip; - access_log off; - error_log /var/log/nginx/error.log; - - server { - listen *:8703 ssl; - server_name - ssl on; - ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.pem; - ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; - ssl_session_cache builtin:1000 shared:SSL:80m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; - ssl_prefer_server_ciphers on; - ssl_session_timeout 10m; - keepalive_timeout 70; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://localhost:8702; - proxy_read_timeout 90; - proxy_redirect off; - } - } -} \ No newline at end of file diff --git a/kubernetes/vnfsdk/templates/deployment.yaml b/kubernetes/vnfsdk/templates/deployment.yaml deleted file mode 100644 index 89eba2f360..0000000000 
--- a/kubernetes/vnfsdk/templates/deployment.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "common.fullname" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - selector: - matchLabels: - app: {{ include "common.name" . }} - template: - metadata: - labels: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} - name: {{ include "common.name" . }} - spec: - initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - - command: - - sh - args: - - -c - - "cd /config-input && for PFILE in `find . -not -type d | grep -v -F ..`; do envsubst <${PFILE} >/config/${PFILE}; done" - env: - - name: PG_USER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - - name: PG_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 10 }} - volumeMounts: - - mountPath: /config-input - name: init-data-input - - mountPath: /config - name: init-data - image: {{ include "repositoryGenerator.image.envsubst" . 
}} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-update-config - - - command: - - /app/ready.py - args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }}-readiness - containers: - - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - name: {{ include "common.name" . }} - resources: -{{ include "common.resources" . | indent 12 }} - volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - - mountPath: /service/webapps/ROOT/WEB-INF/classes/mybatis/configuration/configuration.xml - name: init-data - subPath: configuration.xml - - mountPath: /etc/nginx/nginx.conf - name: nginx - subPath: nginx.conf - readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} - initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} - periodSeconds: {{ .Values.readiness.periodSeconds }} - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - - name: init-data-input - configMap: - name: {{ include "common.fullname" . }} - - name: nginx - configMap: - name: {{ include "common.fullname" . }}-nginx - - name: init-data - emptyDir: - medium: Memory diff --git a/kubernetes/vnfsdk/templates/ingress.yaml b/kubernetes/vnfsdk/templates/ingress.yaml deleted file mode 100644 index 8f87c68f1e..0000000000 --- a/kubernetes/vnfsdk/templates/ingress.yaml +++ /dev/null @@ -1 +0,0 @@ -{{ include "common.ingress" . }} 
diff --git a/kubernetes/vnfsdk/templates/job.yaml b/kubernetes/vnfsdk/templates/job.yaml deleted file mode 100644 index 7c320fc86f..0000000000 --- a/kubernetes/vnfsdk/templates/job.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "common.fullname" . }}-init-postgres - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }}-job - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - backoffLimit: 20 - template: - metadata: - labels: - app: {{ include "common.name" . }}-job - release: {{ include "common.release" . }} - spec: - restartPolicy: Never - initContainers: - - command: - - /app/ready.py - args: - - --container-name - - "{{ .Values.postgres.nameOverride }}" - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - image: {{ include "repositoryGenerator.image.readiness" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy}} - name: {{ include "common.name" . }}-readiness - containers: - - name: {{ include "common.name" . }}-job - image: {{ include "repositoryGenerator.image.postgres" . }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - env: - - name: PGUSER - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "login") | indent 10 }} - - name: PGPASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "pg-user-creds" "key" "password") | indent 10 }} - command: - - /bin/sh - - -c - - | - psql -h $(VNFSDK_DBPRI_SERVICE_HOST) -f /aaa/init/marketplace_tables_postgres.sql - volumeMounts: - - name: init-data - mountPath: /aaa/init/marketplace_tables_postgres.sql - subPath: marketplace_tables_postgres.sql - imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" - volumes: - - name: init-data - configMap: - name: {{ include "common.fullname" . }} diff --git a/kubernetes/vnfsdk/templates/service.yaml b/kubernetes/vnfsdk/templates/service.yaml deleted file mode 100644 index 25786bd7ad..0000000000 --- a/kubernetes/vnfsdk/templates/service.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "common.servicename" . }} - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.service.type }} - ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.internalPort }} - nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - {{- end}} - name: {{ .Values.service.portName | default "http" }} - selector: - app: {{ include "common.name" . }} - release: {{ include "common.release" . }} diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml deleted file mode 100644 index a19f15d991..0000000000 --- a/kubernetes/vnfsdk/values.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ -# Copyright © 2017 Amdocs, Bell Canada -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -################################################################# -# Global configuration defaults. -################################################################# -global: - nodePortPrefix: 302 - -secrets: - - uid: pg-root-pass - name: &pgRootPassSecretName '{{ include "common.release" . }}-vnfsdk-pg-root-pass' - type: password - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgRootPasswordExternalSecret) .) (hasSuffix "vnfsdk-pg-root-pass" .Values.postgres.config.pgRootPasswordExternalSecret) }}' - password: '{{ .Values.postgres.config.pgRootpassword }}' - policy: generate - - uid: pg-user-creds - name: &pgUserCredsSecretName '{{ include "common.release" . }}-vnfsdk-pg-user-creds' - type: basicAuth - externalSecret: '{{ ternary "" (tpl (default "" .Values.postgres.config.pgUserExternalSecret) .) (hasSuffix "vnfsdk-pg-user-creds" .Values.postgres.config.pgUserExternalSecret) }}' - login: '{{ .Values.postgres.config.pgUserName }}' - password: '{{ .Values.postgres.config.pgUserPassword }}' - passwordPolicy: generate - -################################################################# -# AAF part -################################################################# -certInitializer: - nameOverride: refrepo-cert-initializer - aafDeployFqi: deployer@people.osaaf.org - aafDeployPass: demo123456! 
- # aafDeployCredsExternalSecret: some secret - fqdn: refrepo - fqi: refrepo@refrepo.onap.org - fqi_namespace: org.onap.refrepo - public_fqdn: refrepo.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" - app_ns: org.osaaf.aaf - credsPath: /opt/app/osaaf/local - aaf_add_config: | - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - echo "keystore password: $$cadi_keystore_password_p12" - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key" - cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ - {{ .Values.credsPath }}/certs/cert.key - echo "*** change ownership of certificates to targeted user" - chown -R 999 {{ .Values.credsPath }}/certs - - -################################################################# -# Application configuration defaults. -################################################################# -# application image -image: onap/vnfsdk/refrepo:1.6.3 -pullPolicy: Always - -# application configuration override for postgres -postgres: - nameOverride: vnfsdk-postgres - service: - name: vnfsdk-dbset - name2: vnfsdk-dbpri - name3: vnfsdk-dbrep - container: - name: - primary: vnfsdk-dbpri - replica: vnfsdk-dbrep - persistence: - mountSubPath: vnfsdk/data - mountInitPath: vnfsdk - config: - pgUserName: postgres - pgDatabase: postgres - pgUserExternalSecret: *pgUserCredsSecretName - pgRootPasswordExternalSecret: *pgRootPassSecretName - -# flag to enable debugging - application support required -debugEnabled: false - -nodeSelector: {} - -affinity: {} - -# Resource Limit flavor -By Default using small -flavor: small -# Segregation for Different environment (Small and Large) -resources: - small: - limits: - cpu: 2000m - memory: 4Gi - requests: - cpu: 500m - memory: 1Gi - large: - limits: - cpu: 4000m - memory: 8Gi - 
requests: - cpu: 1000m - memory: 2Gi - unlimited: {} - -# probe configuration parameters -liveness: - initialDelaySeconds: 10 - periodSeconds: 10 - # necessary to disable liveness probe when setting breakpoints - # in debugger so K8s doesn't restart unresponsive container - enabled: true - -readiness: - initialDelaySeconds: 60 - periodSeconds: 30 - -service: - type: NodePort - name: refrepo - portName: https - nodePort: 97 - internalPort: 8703 - -ingress: - enabled: false - service: - - baseaddr: "vnfsdk-refrepo-api" - name: "refrepo" - port: 8703 - config: - ssl: "redirect" diff --git a/requirements.txt b/requirements.txt index a849267b23..b5cdcc0c10 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,6 +9,7 @@ PyEnchant pylint autopep8 gitlint-core +sh==1.14.3 sphinxcontrib-blockdiag sphinxcontrib-seqdiag sphinxcontrib-swaggerdoc diff --git a/tox.ini b/tox.ini index d90f545f92..050a9b09f0 100644 --- a/tox.ini +++ b/tox.ini @@ -9,13 +9,13 @@ envlist = skipsdist=true [doc8] -ignore-path-errors=docs/helm-search.txt;D001 +ignore-path-errors=docs/sections/resources/helm/helm-search.txt;D001 [testenv:doc8] basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt commands = - doc8 docs/ 
@@ -24,28 +24,36 @@ commands = basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt +allowlist_externals = sudo commands = - sphinx-build -q -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html + sudo apt install graphviz + sphinx-build -q -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html [testenv:docs-linkcheck] basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt -commands = sphinx-build -q -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck +allowlist_externals = sudo +commands = + sudo apt install graphviz + sphinx-build -q -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck [testenv:spelling] basepython = python3.8 -whitelist_externals = wget +allowlist_externals = + wget + sudo deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt changedir={toxinidir}/docs commands = + sudo apt install graphviz wget -nv https://git.onap.org/doc/plain/docs/spelling_wordlist.txt -O spelling_wordlist.txt sphinx-build -b spelling -d {envtmpdir}/doctrees . _build/spelling 
@@ -53,14 +61,14 @@ commands = basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt commands = gitlint [testenv:checkbashisms] deps = -whitelist_externals = +allowlist_externals = {toxinidir}/.ci/check-bashisms.sh commands = {toxinidir}/.ci/check-bashisms.sh @@ -68,7 +76,7 @@ commands = [testenv:shellcheck] basepython = python3 deps = shellcheck-py -whitelist_externals = find +allowlist_externals = find commands = find . -not -path '*/\.*' -name *.sh -exec shellcheck \{\} + @@ -76,7 +84,7 @@ commands = basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt commands = autopep8 --max-line-length 120 --in-place --recursive kubernetes/ TOSCA/ docs/ @@ -85,9 +93,9 @@ commands = basepython = python3.8 deps = -r{toxinidir}/requirements.txt - -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt + -chttps://releases.openstack.org/constraints/upper/yoga -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt -whitelist_externals = find +allowlist_externals = find commands = find kubernetes/ TOSCA/ docs/ -name *.py -exec pylint --max-line-length=120 --disable=missing-docstring --method-rgx="(([a-z_][a-zA-Z0-9_]{2,})|(_[a-z0-9_]*)|(__[a-zA-Z][a-zA-Z0-9_]+__))$" --variable-rgx="[a-zA-Z_][a-zA-Z0-9_]{1,30}$" --reports=y --score=y --output-format=colorized \{\} +
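Review bot: in the deleted `kubernetes/vnfsdk/values.yaml` (hunk `@@ -1,147 +0,0 @@`), the `certInitializer` block carried a default deployer credential (`aafDeployPass: demo123456!`), and its `aaf_add_config` script ran `echo "keystore password: $$cadi_keystore_password_p12"`, which writes the keystore password to the init container's output. Removing the chart drops this copy only. Please confirm that the charts that remain do not carry the same default or the same `echo`, and treat the value as known, since it stays in the repository history.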
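Review bot: the `requirements.txt` hunk (`@@ -9,6 +9,7 @@`) adds `sh==1.14.3` as an exact pin with no comment, while the neighbouring entries (`pylint`, `autopep8`, `gitlint-core`) are unpinned and the tox environments already pull versions from `-c` constraint files. Add a comment on that line saying which tool needs `sh` and why this version, or move the pin into the constraints file, so the pin can be lifted once the reason no longer applies.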
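Review bot: the three added `sudo apt install graphviz` commands in the `tox.ini` hunk `@@ -24,28 +24,36 @@` (the html build, `docs-linkcheck` and `spelling`) have no `-y`, so on a CI runner without a terminal the install can stop at the confirmation prompt and fail the environment. They also make a documentation build depend on passwordless root and on an apt-based host, and `allowlist_externals = sudo` lets these environments run any command as root. Prefer installing graphviz as a prerequisite outside tox; if it stays here, use `sudo apt-get install -y graphviz` and note the requirement in a comment above `allowlist_externals`.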